Whenever I set up a new VPS (Virtual Private Server), I follow a standard process to ensure it’s secure, optimized, and ready for deployment. Here, I’m documenting the steps I typically take, which cover everything from updating the system to configuring security essentials like UFW and Fail2Ban.
Just FYI, this is my own checklist, and it is by no means exhaustive. These steps are just to help you start with a well-configured server.
I usually install the Ubuntu Linux distribution, so the commands in this post reflect that. They are shown without sudo because a fresh VPS normally drops you into a root shell; once the user from step 2 exists, run them from that account with sudo instead.
1. Update the Server
The first step is to ensure the server is running the latest software. Updating the system is essential to patch security vulnerabilities, install the latest versions of packages, and ensure stability.
Run the following command to update package lists and upgrade all installed packages:
apt update && apt upgrade -y
The -y flag answers yes to every prompt, which saves time. If the upgrade pulled in a new kernel, reboot before going further (Ubuntu leaves /var/run/reboot-required behind to tell you). Run updates frequently to keep the server secure; step 8 automates the security part.
2. Create a New User and Add to Sudo Group
Avoid using root for day-to-day work: every command runs with full privileges, a typo can take the box down, and nothing records who did what. Instead, create a new user with sudo privileges.
adduser peter
usermod -aG sudo peter
Replace peter with your desired username. This user is used for regular server tasks and can still run administrative commands with sudo.
3. Install Essential Packages
Next, I install a few essential packages that I regularly use for system management:
apt install git vim htop curl ufw fail2ban -y
- Git: Version control for managing code repositories.
- Vim: A powerful text editor for modifying configuration files.
- Htop: An interactive process viewer, useful for monitoring system resources.
- Curl: A command-line tool for transferring data, useful for testing APIs or downloading files.
- UFW (Uncomplicated Firewall): A simple interface for managing firewall rules.
- Fail2Ban: An intrusion prevention software that protects against brute-force attacks by banning IPs.
These tools will be useful throughout the server’s lifecycle.
4. Change Key SSH Configurations
SSH (Secure Shell) is how you reach the server, so it is the service most worth hardening. These are the three changes I make to the SSH daemon's configuration:
- Change the default SSH port: a port scan still finds sshd, so this is not a security control on its own, but it removes most of the automated brute-force noise from the logs.
- Disable root login: the root account can no longer log in directly; you log in as the sudo user from step 2 and escalate when needed, which also leaves a trace of who did what.
- Disable password authentication: only key-based logins are accepted, so a guessed or leaked password is worthless. Do this only once your public key is on the server (step 7) and you have confirmed a key login works from a second terminal; otherwise you lock yourself out.
These settings live in /etc/ssh/sshd_config. On Ubuntu 20.04 and later that file starts with an Include of /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for each keyword, so check that no drop-in there (cloud images often ship a 50-cloud-init.conf) already sets one of them. Open the main file with your favorite text editor:
vim /etc/ssh/sshd_config
Look for these lines, which are present but commented out with their defaults, and set them to:
Port 2222
PermitRootLogin no
PasswordAuthentication no
Any unused port works for Port; the rest of this post assumes 2222. Remove the leading # or the line is still a comment and sshd keeps its defaults (22, prohibit-password and yes respectively).
Check the file for syntax errors, then restart the service to apply the new configuration (the Ubuntu unit is called ssh; sshd is an alias for it):
sshd -t && systemctl restart ssh
Keep this session open and log in again on the new port from a second terminal before you close it; sshd -T prints the effective values if something does not behave as expected.
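As an added example (my own script, not code from the original post), here is a small shell helper that renders the three settings above as a drop-in for /etc/ssh/sshd_config.d/ and audits any sshd-style config file for them, honouring the first-value-wins rule and stopping at Match blocks. The drop-in name, the port number and the sample files in the notes below are my assumptions, not anything the post prescribes.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: render the three sshd
# hardening settings as a drop-in file and audit an sshd config for them.
# Port number and file paths are the caller's choice.
set -eu

# Print the drop-in body. Ubuntu's sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf", and sshd keeps the FIRST value it
# reads for a keyword, so a drop-in with a low sort prefix (10-...) wins over
# both the main file and a provider's 50-cloud-init.conf.
render_sshd_dropin() {
  printf 'Port %s\nPermitRootLogin no\nPasswordAuthentication no\n' "$1"
}

# effective_value FILE KEYWORD: first active value of KEYWORD in FILE, matched
# case-insensitively as sshd does. Stops at the first Match block, whose lines
# only apply to matching sessions. Prints nothing if the keyword is unset.
effective_value() {
  awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
    tolower($1) == "match" { exit }
    tolower($1) == kw      { print $2; exit }
  ' "$1"
}

# audit_sshd_config FILE PORT: returns 0 when all three settings are as wanted,
# else 1 with one line per finding. Unset keywords are reported with the
# defaults sshd would apply.
audit_sshd_config() {
  local file="$1" port="$2" rc=0 v
  v=$(effective_value "$file" Port)
  [ "${v:-22}" = "$port" ] || { echo "Port is ${v:-22 (default)}, want $port"; rc=1; }
  v=$(effective_value "$file" PermitRootLogin)
  [ "$v" = "no" ] || { echo "PermitRootLogin is ${v:-prohibit-password (default)}, want no"; rc=1; }
  v=$(effective_value "$file" PasswordAuthentication)
  [ "$v" = "no" ] || { echo "PasswordAuthentication is ${v:-yes (default)}, want no"; rc=1; }
  return $rc
}
```

On the server, as root and with your current session kept open: render_sshd_dropin 2222 > /etc/ssh/sshd_config.d/10-hardening.conf, then sshd -t && systemctl restart ssh. Because sshd -T prints the resolved configuration as plain keyword/value lines, you can feed it to the audit (sshd -T > /tmp/effective.conf; audit_sshd_config /tmp/effective.conf 2222), which checks what sshd actually runs with rather than a single file.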
5. Set Up UFW (Uncomplicated Firewall)
UFW is a firewall management tool that simplifies the process of configuring firewall rules. By default, I prefer to block all incoming traffic except for specific ports that are required (e.g., SSH, HTTP, HTTPS).
Here’s how I configure UFW:
ufw default deny incoming
ufw default allow outgoing
ufw allow 2222/tcp # Allow SSH on the custom port
ufw allow 80/tcp # Allow HTTP
ufw allow 443/tcp # Allow HTTPS
ufw allow 5432/tcp # Allow PostgreSQL (only if a remote client needs it, see below)
ufw enable
This blocks all incoming connections by default and only allows the listed ports. The order matters: allow your SSH port before ufw enable, or the firewall drops the session you are working in. Replace 2222 with the port you configured for SSH in step 4. Open 5432 only if a client on another host genuinely needs to reach PostgreSQL, and then restrict that rule to the client's address rather than the whole internet; a database that only your app on the same box talks to needs no rule at all. ufw status verbose shows the active rule set.
6. Set Up Fail2Ban
Fail2Ban is a crucial layer of protection against brute-force attacks. It works by scanning log files (like SSH logs) and banning IP addresses that show malicious signs, such as repeated failed login attempts.
Here's how to configure Fail2Ban (the apt line is a no-op if you already installed it in step 3):
apt install fail2ban -y
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
jail.conf is the package's file and its header tells you not to edit it, because a package update may overwrite it; anything in jail.local overrides it. Copying the whole file works, but a jail.local that contains only the lines you change is easier to maintain, since later updates to jail.conf still reach you. Open jail.local and adjust bantime, findtime and maxretry:
vim /etc/fail2ban/jail.local
- bantime: how long an IP stays banned.
- findtime: the window of time in which failures are counted.
- maxretry: the number of failures inside findtime that triggers a ban.
Two things to check in the [sshd] jail: on Debian and Ubuntu it is already enabled by /etc/fail2ban/jail.d/defaults-debian.conf, and its port defaults to ssh (22), so set port = 2222 (or whatever you chose in step 4) or the ban blocks the wrong port. On hosts without /var/log/auth.log, because rsyslog is not installed, set backend = systemd so Fail2Ban reads the journal instead.
Finally, enable Fail2Ban:
systemctl enable fail2ban
systemctl start fail2ban
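As an added example (my own script, not code from the original post or the Fail2Ban project), here is a helper that writes a minimal jail.local for the sshd jail and replays the findtime/maxretry rule over sshd log lines, so you can see why three failures eight seconds apart get banned while three failures spread over 38 minutes do not. The timings, the port and the log lines are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: write a minimal jail.local
# for the sshd jail and replay fail2ban's findtime/maxretry rule over sshd log
# lines. Timings, port and the sample log below are constructed for the demo.
set -eu

# render_jail_local PORT BANTIME FINDTIME MAXRETRY. Only overrides, so package
# updates to jail.conf still apply. "port" must be the sshd port from step 4;
# fail2ban's default is "ssh" (22), and a ban on 22 does nothing to a scanner
# hitting 2222.
render_jail_local() {
  cat <<EOF
[DEFAULT]
bantime  = $2
findtime = $3
maxretry = $4

[sshd]
enabled = true
port    = $1
# On hosts without /var/log/auth.log (no rsyslog), add: backend = systemd
EOF
}

# simulate_bans FINDTIME MAXRETRY < log: print the IPs fail2ban would ban, in
# the order the threshold is crossed. An IP is banned once it has MAXRETRY
# "Failed password" lines inside a FINDTIME-second window. The real sshd filter
# matches more failure patterns than this one; the windowing is the same.
simulate_bans() {
  awk -v findtime="$1" -v maxretry="$2" '
    # syslog "Mon DD HH:MM:SS" -> seconds; month rollover is ignored, which is
    # fine for the demo lines, all from one day.
    function ts(day, hms,   h) { split(hms, h, ":"); return day*86400 + h[1]*3600 + h[2]*60 + h[3] }
    /sshd\[[0-9]+\]: Failed password for/ {
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
      if (ip == "" || (ip in banned)) next
      now = ts($2, $3)
      # keep only the failures still inside the window, then append this one
      n = cnt[ip] + 0; j = 0
      for (k = 1; k <= n; k++) if (now - fail[ip, k] <= findtime) fail[ip, ++j] = fail[ip, k]
      fail[ip, ++j] = now; cnt[ip] = j
      if (j >= maxretry) { banned[ip] = 1; print ip }
    }
  '
}

# Constructed log lines (not real traffic): 198.51.100.7 fails three times in
# eight seconds, 192.0.2.9 fails three times spread over 38 minutes.
SAMPLE_LOG='Mar  3 10:00:01 vps sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 10:00:04 vps sshd[1002]: Failed password for root from 198.51.100.7 port 40130 ssh2
Mar  3 10:00:09 vps sshd[1003]: Failed password for peter from 198.51.100.7 port 40140 ssh2
Mar  3 10:00:15 vps sshd[1004]: Accepted publickey for peter from 203.0.113.5 port 51000 ssh2
Mar  3 10:02:00 vps sshd[1005]: Failed password for root from 192.0.2.9 port 33000 ssh2
Mar  3 10:20:00 vps sshd[1006]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar  3 10:40:00 vps sshd[1007]: Failed password for root from 192.0.2.9 port 33002 ssh2'

# findtime 600s / maxretry 3: only the fast attacker is banned
printf '%s\n' "$SAMPLE_LOG" | simulate_bans 600 3
```

To use the first half on the server: render_jail_local 2222 1h 10m 3 > /etc/fail2ban/jail.local, then systemctl restart fail2ban and confirm with fail2ban-client status sshd, which lists the jail's current and total bans. The second half is the reasoning behind the numbers: raising findtime to an hour would also catch the slow attacker, at the cost of banning a colleague who mistypes a password three times over a long afternoon.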
7. Set Up SSH Key Authentication for the New User
SSH key authentication lets you log in without a password and is what step 4 leaves as the only option, so finish this section before you set PasswordAuthentication no: ssh-copy-id itself logs in with the user's password to deliver the key. Here's how to generate an SSH key pair and install it for your new user:
- Generate a new SSH key on your local machine (ed25519 keys are short, fast and the current default recommendation; use -t rsa -b 4096 only for a client that cannot handle them):
ssh-keygen -t ed25519 -C "your_email@example.com"
Follow the prompts to save the key to the default location and, ideally, give it a passphrase.
- Copy the public key to the server:
ssh-copy-id peter@server_ip
Replace peter with your new user and server_ip with your server's IP address. This appends the public key to ~/.ssh/authorized_keys for that user on the server, creating the directory and file if needed.
- Set the correct permissions: on the server, make sure the .ssh directory and the authorized_keys file are owned by the user and have these permissions:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
ssh-copy-id creates them this way, but if you made the directory by hand as root, fix the ownership too: sshd (StrictModes is on by default) silently ignores keys in a directory or file that is group- or world-writable or not owned by the user, and the only symptom is a password prompt. Then test from your machine with ssh -p 2222 peter@server_ip, which should log you in without asking for a password.
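As an added example (my own script, not code from the original post), here is an audit of a user's ~/.ssh that checks the two permission expectations above and looks through authorized_keys for lines sshd will not use. The directory path is whatever you pass in; the keys in the notes are constructed and not real.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: audit a user's ~/.ssh the way
# the permission step above expects it, and look over authorized_keys for
# entries sshd will not accept. Directory path is the caller's choice.
set -eu

# has_mode PATH MODE: true when PATH's permission bits are exactly MODE (octal).
# find -perm with a plain mode is an exact match and is POSIX, unlike stat -c.
has_mode() {
  [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# key_type LINE: the key type token of one authorized_keys line, skipping a
# leading option list such as from="203.0.113.5",no-pty. Prints nothing when
# no type is present. (An option value that itself starts with "ssh-" would
# fool this; sshd's own parser is the final word.)
key_type() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++)
      if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) { print $i; exit }
  }'
}

# audit_ssh_dir DIR: returns 0 when DIR is 700, DIR/authorized_keys is 600 and
# every active line has a usable key type; otherwise 1, one line per finding.
audit_ssh_dir() {
  local dir="$1" ak="$1/authorized_keys" rc=0 n=0 line
  has_mode "$dir" 700 || { echo "$dir is not mode 700"; rc=1; }
  [ -f "$ak" ] || { echo "$ak is missing"; return 1; }
  has_mode "$ak" 600 || { echo "$ak is not mode 600"; rc=1; }
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    n=$((n + 1))
    case "$(key_type "$line")" in
      '')      echo "key $n: no key type found, sshd will skip this line"; rc=1 ;;
      ssh-dss) echo "key $n: ssh-dss (DSA) is disabled by default since OpenSSH 7.0"; rc=1 ;;
    esac
  done < "$ak"
  # disabling password auth with an empty file is how you lock yourself out
  [ "$n" -gt 0 ] || { echo "$ak has no keys"; rc=1; }
  return $rc
}
```

On the server, audit_ssh_dir /home/peter/.ssh prints nothing and exits 0 when everything is in order. It deliberately checks exact modes rather than "not writable by others", because 700 and 600 are what the step above sets and anything looser is worth a look; ownership is left to ls -ld, since a portable check for "owned by this user" needs stat flags that differ between platforms.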
8. Install Unattended-Upgrades
To keep the system patched without manual intervention, I enable unattended-upgrades, which installs security updates on its own.
apt install unattended-upgrades -y
dpkg-reconfigure --priority=low unattended-upgrades
dpkg-reconfigure asks whether to enable automatic updates; answering yes writes /etc/apt/apt.conf.d/20auto-upgrades with both APT::Periodic options set to "1", which is what to check if you are not sure it is on. Two caveats: a kernel update still needs a reboot to take effect, which unattended-upgrades only does if you enable Automatic-Reboot in /etc/apt/apt.conf.d/50unattended-upgrades, and by default it only pulls from the security pocket (the -updates origin in that file is commented out), so ordinary updates remain a manual apt upgrade. With that in place the server keeps receiving security patches, shrinking the window in which a known vulnerability can be exploited.
That's all. These steps give your server a sane security baseline, and you are ready to deploy your apps. In my next post I will extend this to cover setting it up as a web server.
Have any questions, want to share your thoughts or just say Hi? I’m always excited to connect! Follow me on Twitter or LinkedIn for more insights and discussions. If you’ve found this valuable, please consider sharing it on your social media. Your support through shares and follows means a lot to me!