VPS is an abbreviation of Virtual Private Server. When you buy a Linux VPS, the provider usually gives you the root account. Root has full administrator privileges, so misusing it can easily lead to security problems.
Here I share some tips for initializing a VPS. All the examples are based on Debian 10.
1. Add a non-root user with sudo permission
The commands here are run as root; in the terminal the prompt line begins with #.
- Install some packages:
  apt install -y sudo nano
- Add a user group, for example “benutzer”:
  groupadd benutzer
- Add a user and add it to the group “benutzer”, for example “mike”:
  useradd -g benutzer -d /home/mike -s /bin/bash -m mike
- Set the password for mike (you are asked to type it twice):
  passwd mike
- Give mike the sudo permission:
  visudo
- Find the line
  root ALL=(ALL:ALL) ALL
  and add the following line directly after it, then save the file:
  mike ALL=(ALL) ALL
2. Change the SSH port
Now we are logged in as mike. From here on, the prompt line in the terminal begins with $.
In /etc/ssh/sshd_config, find the line that sets the SSH port and change it to another port, for example 22200. Then save the file and restart the SSH service.
Remember to use the new port the next time you connect to the VPS.
3. Login with the Public Key
Logging in with a public key is much safer than logging in with a password. A common algorithm is RSA, but it takes more time to encrypt and decrypt than Ed25519 does.
An Ed25519 key can be generated with ssh-keygen in the terminal.
You will get two files in ~/.ssh: id_ed25519, the private key, and id_ed25519.pub, the public key. Now we need to rename the public key and download the private key. The file is very small, so we can simply download it with lrzsz.
Then edit /etc/ssh/sshd_config.
Before disconnecting from the VPS, first check that you can connect to it with the private key.
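The sshd_config changes from sections 2 and 3 (new port, key-only login) as an added, runnable example; this is my own script, not the post's commands. It assumes the standard OpenSSH directive names, that sshd uses the first occurrence of a directive, and adds PermitRootLogin no in the spirit of section 1; the sample config is constructed, not a real file.

```shell
#!/bin/sh
# Assumptions (mine, not the post's): standard OpenSSH directive names, and that
# sshd honours the FIRST occurrence of a directive, so the first matching line
# (even a commented-out one) is rewritten rather than appending a duplicate.

# set_sshd_option FILE KEY VALUE: rewrite the first "KEY ..."/"#KEY ..." line to
# "KEY VALUE", or append it (stock Debian 10 config has no trailing Match block).
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        # directive names are case-insensitive in sshd
        !done && tolower($0) ~ ("^[ \t]*#?[ \t]*" tolower(k) "[ \t]") {
            print k " " v; done = 1; next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps FILE owner/mode
    rc=$?; rm -f "$tmp"; return $rc
}
# get_sshd_option FILE KEY: the value sshd will use (first uncommented match).
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}
# harden_sshd FILE PORT: new port (section 2), key-only login (section 3) and
# no direct root login, in line with section 1 (work as mike, not as root).
harden_sshd() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PermitRootLogin no
}
# check_sshd_config FILE: have sshd validate the file BEFORE restarting the
# service; a typo would otherwise lock you out at the next restart.
check_sshd_config() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not in PATH, skipping"; return 0; }
    sshd -t -f "$1"
}
# Constructed sample resembling a stock Debian 10 sshd_config (not a real file).
make_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
#PubkeyAuthentication yes
# PasswordAuthentication yes
PermitRootLogin yes
EOF
}
```

Run harden_sshd and check_sshd_config against a copy of /etc/ssh/sshd_config first, and only copy it into place and restart ssh once the check passes and a second session with the key has been confirmed working.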
4. Install Fail2ban
Fail2ban scans log files like /var/log/auth.log and bans IP addresses that make too many failed login attempts.
sudo apt-get install -y fail2ban
5. Install ufw
ufw (Uncomplicated Firewall) aims to make iptables firewall configuration easier.
Allow 22200, the SSH port chosen in section 2.
If you use the HTTP and HTTPS services, remember to allow their ports as well.
Don’t forget to check the allowed ports again!