Initialize VPS

VPS stands for Virtual Private Server. When we buy a Linux VPS, the provider usually gives us the root account. The root account has administrator privileges, and misusing it can easily cause security issues.

Here I share some tips about initializing the VPS. All the examples are based on the Debian 10 system.

1. Add a non-root user with sudo permission

The commands here are run as root. In the terminal, the prompt begins with #.

  • Install some packages

    apt install -y sudo nano
    
  • Add a user group, for example “benutzer”

    groupadd benutzer
    
  • Add a user and add it to group “benutzer”, for example “mike”

    useradd -g benutzer -d /home/mike -s /bin/bash -m mike
    
  • Set the password for mike, input the password twice

    passwd mike
    
  • Give mike the sudo permission

    visudo
    
  • Find the line

    root ALL=(ALL:ALL) ALL
    

    and add the following on the next line, then save the file

    mike ALL=(ALL) ALL
    

2. Change the SSH port

Now we are logged in as mike. In the terminal, the prompt begins with $.

sudo nano /etc/ssh/sshd_config

Find the line:

#Port 22

And change it to another port, for example 22200:

Port 22200

Then save and restart the service:

sudo service sshd restart

Remember to use the new port the next time you connect to the VPS.

3. Login with the Public Key

Logging in with a public key is much safer than logging in with a password. A common algorithm is RSA, but compared with ED25519, it takes more time to encrypt and decrypt.

An ED25519 key can be generated with ssh-keygen in the terminal:

ssh-keygen -t ed25519

You will get two files in ~/.ssh: id_ed25519, the private key, and id_ed25519.pub, the public key. Now we need to change the name of the public key and download the private key. The file is very small, so we can just download it with lrzsz.

mkdir -p ~/.ssh                                       # you may need to create the folder first
cp ~/.ssh/id_ed25519.pub ~/.ssh/authorized_keys       # copy the public key
sudo apt-get install lrzsz                            # install lrzsz
sz ~/.ssh/id_ed25519                                  # download the private key

Then edit /etc/ssh/sshd_config:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sudo nano /etc/ssh/sshd_config
sudo perl -pi -e 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config
sudo perl -pi -e 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
sudo perl -pi -e 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
sudo service sshd restart

Before we disconnect from the VPS, we first need to check that we can connect to it with our private key.
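
One way to confirm that the sshd_config edits above took effect, as an added example that is not part of the original post: the perl substitutions only change lines that match exactly, so a line such as "#PermitRootLogin prohibit-password" is left untouched. The function names and the sample file are hypothetical and constructed here; only the global section (before any Match block) is read.

```shell
# Added example: report the effective value of the sshd_config keywords this
# guide changes. sshd uses the first uncommented occurrence, else its default.

# effective_value FILE KEYWORD DEFAULT: first global (pre-Match) value, else DEFAULT
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }                      # commented-out lines do not count
        tolower($1) == "match" { exit }          # stop at conditional blocks
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# check FILE KEYWORD DEFAULT WANTED: print one report line, return 1 on mismatch
check() {
    got=$(effective_value "$1" "$2" "$3")
    if [ "$got" = "$4" ]; then
        echo "ok    $2 $got"
    else
        echo "FAIL  $2 is '$got', expected '$4'"
        return 1
    fi
}

# audit_sshd FILE PORT: return the number of settings that differ from the guide
audit_sshd() {
    fails=0
    check "$1" Port 22 "$2"                         || fails=$((fails + 1))
    check "$1" PermitRootLogin prohibit-password no || fails=$((fails + 1))
    check "$1" PasswordAuthentication yes no        || fails=$((fails + 1))
    check "$1" PubkeyAuthentication yes yes         || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample: a config whose PermitRootLogin line was
# "#PermitRootLogin prohibit-password", which the perl pattern does not match.
write_sample() {
    cat > "$1" <<'EOF'
Port 22200
#PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_sshd "$sample" 22200 || echo "$? setting(s) differ from the guide"
rm -f "$sample"
```

On the server itself, `sudo sshd -T` prints the effective configuration as sshd resolves it, which is the authoritative check.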

4. Install Fail2ban

Fail2ban scans log files like /var/log/auth.log and bans IP addresses conducting too many failed login attempts.

sudo apt-get install -y fail2ban 

5. Install ufw

ufw is the Uncomplicated Firewall, which aims to ease iptables firewall configuration.

sudo apt-get install -y ufw
sudo ufw disable && sudo ufw allow 22200 && sudo ufw allow http && sudo ufw allow https && sudo ufw enable

22200 is the SSH port.

If you use the http and https service, remember to allow the ports.

Don’t forget to check the ports again!!!

Enjoy!!

Updated 2020-08-28