Server Setup
Some suggestions on how to setup a VPS properly. They assume an Ubuntu server or Debian.
1. Basic setup
1.1. Update packages
After the first login, usually you want to update and upgrade the installed packages:
apt update
apt upgrade --yes
apt install vim tmux git
# do also a reboot, in case the kernel is updated
reboot
1.2. Set a better prompt
The default prompt is usually dull and boring, and a nice prompt makes your work easier. So let’s try to improve it:
# customize ~/.bashrc
sed -i ~/.bashrc \
-e '/bashrc_custom/d'
echo 'source ~/.bashrc_custom' >> ~/.bashrc
cat <<'EOF' > ~/.bashrc_custom
# set a better prompt
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u\[\033[01;33m\]@\[\033[01;36m\]\h \[\033[01;33m\]\w \[\033[01;35m\]\$ \[\033[00m\]'
EOF
We have created the file ~/.bashrc_custom
, which we source
(include) at the end of ~/.bashrc
.
1.3. Enable colorized ls
In Debian we should enable colorized ls output (on Ubuntu it is
enabled by default). Edit ~/.bashrc
and uncomment ls
aliases.
sed -i ~/.bashrc \
-e 's/^# export LS_OPTIONS/export LS_OPTIONS/' \
-e '/dircolors/ s/^# eval/eval/' \
-e 's/^# alias ls=/alias ls=/' \
-e 's/^# alias ll=/alias ll=/' \
-e 's/^# alias l=/alias l=/'
1.4. Enable bash-completion
Strange, but on an Ubuntu server it is not enabled by default (in Debian it is already enabled).
# make sure that bash-completion is installed
apt install --yes bash-completion
cat <<'EOF' >> ~/.bashrc_custom
# enable programmable completion features
if [ -f /etc/bash_completion ] && ! shopt -oq posix; then
source /etc/bash_completion
fi
EOF
1.5. Change the hostname
Edit /etc/hostname
, change the hostname, and reboot
.
Instead of rebooting you can also run hostname newhostname
, then
exit
and re-login.
1.6. Fix configuration
In Linux everything is a file, and if you install lots of containers and applications, the number of files that need to be opened increases. Make sure that the limit of open files is not small:
cat /proc/sys/fs/file-max
echo 9223372036854775807 > /proc/sys/fs/file-max
To make this change permanent, edit the file /etc/sysctl.conf
and append a line like this:
fs.file-max = 9223372036854775807
Then enable it with sysctl -p
.
2. Secure the server
2.1. Install firewalld and fail2ban
Let’s try to protect the server from the attacks.
# install firewalld
apt install --yes firewalld
firewall-cmd --list-all
firewall-cmd --permanent --zone=public --set-target=DROP
firewall-cmd --reload
# install fail2ban
apt install --yes fail2ban
fail2ban-client status
fail2ban-client status sshd
Their default configuration is usually fine, so for the time being we don’t need to change anything.
2.2. Disable password login
If you are using a password to login to the server, it is strongly recommended to enable key-based login and to disable password login.
Generate SSH key
Generate e SSH key pair on the server, like this:
ssh-keygen --help
ssh-keygen -t ecdsa -q -N '' -f server-admin
It will create the files server-admin
(the private key) and
server-admin.pub
(the public key). The option -N ''
tells to the command ssh-keygen
to generate a key pair without
password.
We want to append the public key to ~/.ssh/authorized_keys
, but
first let’s make sure that the directory exists and has propper
permissions:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
cat server-admin.pub >> ~/.ssh/authorized_keys
rm server-admin.pub
Login with private key
We want to transfer the private key to our local machine (laptop). We
can just copy/paste its content or we can use scp
like this:
scp root@10.11.12.13:~/server-admin .
chmod 600 server-admin
ssh root@10.11.12.14 rm server-admin
Now let’s try to login using this private key:
ssh -i server-admin root@10.11.12.13
You should be able to login without a password.
To make things easier, let’s create a configuration file on
~/.ssh
(on the local machine):
touch ~/.ssh/config
chmod 600 ~/.ssh/config
cat >> ~/.ssh/config <<EOF
Host server1
HostName 10.11.12.13
Port 22
User root
IdentityFile ~/.ssh/server1.key
IdentitiesOnly yes
EOF
mv server-admin ~/.ssh/server1.key
chmod 600 ~/.ssh/server1.key
Now you should be able to login to the server just by giving ssh
server1
. You don’t need to remember the IP of the server, the port,
the identity file (private key), etc. It’s so convenient!
Disable password login
Now that we can login with an identity file (private key), we can disable the password login on the server, to make it more secure. Someone may guess a password, or may find it by a brute force attack (trying lots of passwords), but it is almost impossible to guess or find a private key.
Edit the file /etc/ssh/sshd_config
on the server and make sure
to change the setting PasswordAuthentication
from yes to no:
#PasswordAuthentication yes PasswordAuthentication no
Save the file and restart the sshd service:
systemctl restart sshd
Make sure that you can still login with the private key.
Test also that you cannot login with a password anymore.
2.3. Change the SSH port
This is another step for making the server a bit more secure.
-
Edit
/etc/ssh/sshd_config
on the server and change the port from 22 to something else (for example with 4 or 5 digits), like this:#Port 22 Port 1234
-
Open the new port in the firewall:
firewall-cmd --zone=public --add-port=1234/tcp
-
Restart the SSH service
systemctl restart sshd
-
Change the port in
~/.ssh/config
on the local machine and test that you can still login to the server. -
Make the firewall change permanent:
firewall-cmd --permanent --zone=public --add-port=1234/tcp firewall-cmd --permanent --zone=public --remove-service=ssh
2.4. Use a script to login
The configuration file ~/.ssh/config
is convenient, but if you
want to login to the server from anywhere, you need something more
portable. In this case you can use a script like this:
#!/bin/bash
server=10.11.12.13
port=1234
keyfile=$(mktemp)
sed -n -e '/^----/,/^-----/p' $0 > $keyfile
ssh -i $keyfile -p $port root@$server
rm -f $keyfile
exit 0
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQRIRkXtvwyUiLDSLSqV0V0RClTakKDt
SkP/4besU++elsvtZaaY97GSdn0kTqF+0LiBCTOaEROgRHB7aKU8YjwjAAAAqJKniRSSp4
kUAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEhGRe2/DJSIsNIt
KpXRXREKVNqQoO1KQ//ht6xT756Wy+1lppj3sZJ2fSROoX7QuIEJM5oRE6BEcHtopTxiPC
MAAAAhAJXThzR7EhbYn9fykJaG5hUA4h+RCfIkpwo83yl+r/5qAAAADmRhc2hvQGRhc2hh
bWlyAQ==
-----END OPENSSH PRIVATE KEY-----
It includes the IP and the port along with the private key (identity
file), so that you don’t have to remember them. If this script is
called server1.sh
, make sure to give it the right permissions,
like this:
chmod 700 server1.sh
You may also consider using something like these scripts: https://gitlab.com/dashohoxha/server-scripts