|
| 1 | +# VPS Setup |
| 2 | + |
| 3 | +If you want to set up a production ready VPS, there are a few steps you should take. |
| 4 | + |
| 5 | +This document goes through the list of steps that I personally take. |
| 6 | + |
| 7 | + |
| 8 | +## 1. Create a New User with Sudo Permissions |
| 9 | +``` |
| 10 | +# Log in as root |
| 11 | +ssh root@your-server-ip |
| 12 | +
|
| 13 | +# Create a new user |
| 14 | +adduser newuser |
| 15 | +
|
| 16 | +# Add the user to the sudo group |
| 17 | +usermod -aG sudo newuser |
| 18 | +
|
| 19 | +# Test the new user |
| 20 | +su - newuser |
| 21 | +sudo apt update |
| 22 | +``` |
| 23 | + |
| 24 | + |
| 25 | +## 2. Set Up SSH Key Authentication |
| 26 | +``` |
| 27 | +# On your local machine, generate an SSH key pair if you don’t already have one |
| 28 | +ssh-keygen -t ed25519 -C "your_email@example.com" |
| 29 | +
|
| 30 | +# Copy the SSH key to the new user on the server |
| 31 | +ssh-copy-id -i ~/.ssh/id_ed25519.pub newuser@your-server-ip |
| 32 | +
|
| 33 | +# Test key-based login |
| 34 | +ssh newuser@your-server-ip |
| 35 | +``` |
| 36 | + |
| 37 | +## 2. Harden SSH |
| 38 | + |
| 39 | +``` |
| 40 | +# Open SSH configuration file |
| 41 | +sudo nano /etc/ssh/sshd_config |
| 42 | +
|
| 43 | +# Modify the following in the file: |
| 44 | +# PermitRootLogin no # Disable root login |
| 45 | +# PasswordAuthentication no # Disable key based auth |
| 46 | +
|
| 47 | +# Restart SSH service |
| 48 | +sudo systemctl restart ssh |
| 49 | +
|
| 50 | +# Test SSH with new settings before logging out |
| 51 | +ssh newuser@your-server-ip |
| 52 | +``` |
| 53 | + |
| 54 | +## 3. Set Up a Firewall (UFW) |
| 55 | +``` |
| 56 | +# Install UFW if not already installed |
| 57 | +sudo apt install ufw |
| 58 | +
|
| 59 | +# Allow necessary ports |
| 60 | +sudo ufw allow OpenSSH # SSH |
| 61 | +sudo ufw allow 80/tcp # HTTP |
| 62 | +sudo ufw allow 443/tcp # HTTPS |
| 63 | +
|
| 64 | +# Enable UFW |
| 65 | +sudo ufw enable |
| 66 | +
|
| 67 | +# Check UFW status |
| 68 | +sudo ufw status |
| 69 | +``` |
| 70 | + |
| 71 | +## 4. (Optional) Install and Configure Fail2Ban |
| 72 | + |
| 73 | +``` |
| 74 | +# Install Fail2Ban |
| 75 | +sudo apt install fail2ban |
| 76 | +
|
| 77 | +# Create a local configuration file |
| 78 | +sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local |
| 79 | +
|
| 80 | +# Edit Fail2Ban configuration for SSH |
| 81 | +sudo nano /etc/fail2ban/jail.local |
| 82 | +# Ensure the following lines are set: |
| 83 | +# [sshd] |
| 84 | +# enabled = true |
| 85 | +# port = 22 # Change this if you've modified your SSH port. |
| 86 | +# maxretry = 5 |
| 87 | +# bantime = 3600 |
| 88 | +
|
| 89 | +# Restart Fail2Ban service |
| 90 | +sudo systemctl restart fail2ban |
| 91 | +
|
| 92 | +# Check Fail2Ban status |
| 93 | +sudo fail2ban-client status |
| 94 | +sudo fail2ban-client status sshd |
| 95 | +``` |
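
Review bot: The inline comment on line 45 is wrong: `PasswordAuthentication no` disables password logins, not key-based auth, so `# Disable key based auth` should read `# Disable password auth` (key-based login from step 2 is what remains enabled). Two smaller points in the same file: the headings on lines 25 and 37 are both numbered `## 2.`, so "Harden SSH" should become 3 and the firewall and Fail2Ban sections 4 and 5. In the Harden SSH block, the test on line 51 only protects against lockout if it is run from a second terminal while the current session stays open, so the comment should say so, and a `sudo sshd -t` before the restart on line 48 would catch syntax errors in `sshd_config` first.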