self-host-101/setup-vps.md

# First Steps on a New VPS

## 1: Connect to Your Server

Open terminal and run the following command using the IP address of your VPS.

```bash
ssh root@192.168.1.1
```
When prompted for password, enter the password and you will logged into your VPS.

## 2: Update Your Server

```bash
apt update && apt upgrade
```

* `apt update` - Downloads a list of available updates (doesn't install them yet)
* `apt upgrade` - Actually installs the updates

## 3: Change the Root Password

You might want to change the root password to something more secure than the password from the VPS provider's dashboard.

```bash
passwd
```
Enter the new password and you are good to go.


## 4: Create a New User (Don't Use Root!)

Root user has the permissions to perform any operation. This could be a security risk.
Therefore it is always recommended to create a normal user for daily usage.

```bash
adduser new_user
```

The user we just created can not perform priviliged operation.
We'll add it to the `sudo` group, which lets them run commands as priviliged user using `sudo`.

```bash
usermod -aG sudo new_user 
```

* `sudo` stands for `super user do`

## 5: Switch to Your New User

Now log out and log back in as your new user instead of root.

```bash
ssh new_user@192.168.1.1
```

Use the password of `new_user` that you set while creating it.
From now on, we'll use this user instead of root!

---

# Secure Your VPS

Now that your server is set up, let's make it much more secure. We'll:
1. Set up a domain name 
2. Use SSH keys instead of passwords
3. Disable password login
4. Set up a firewall

## Get a Domain Name for Your VPS

Buy a domain from any registrar (Namecheap, Google Domains, Cloudflare, etc.)

In your domain's DNS settings, create an **A Record**:
* **Name**: `@` (or leave blank for root domain)
* **Value**: Your server's IP address (like `192.168.1.1`)
* **TTL**: Leave default

Wait a few minutes for DNS to update.

Test if it's working

```bash
dig domain.com A
```

You should see your IP address in the output. If not, wait a bit longer - DNS changes take time to propagate.

You can access your server using `ssh new_user@domain.com`. It's a lot more convenient.

## Set Up SSH Keys (Passwordless Login)

1. Generate an SSH key pair on your computer

```bash
ssh-keygen -t ed25519 -f ~/.ssh/id_vps -N ""
```

This creates two files
* `~/.ssh/id_vps` - **private key** keep this secret! Never share it!
* `~/.ssh/id_ed25519.pub` - **public key**, safe to share

2. Copy your public key to the server:

```bash
ssh-copy-id new_user@yourdomain.com
```

It automatically adds your public key to the server's `~/.ssh/authorized_keys` file, so your computer can log in without a password.

## Disable Password Authentication

Now that passwordless login works, disable password authentication entirely.
This prevents bots from trying to guess your password.

> WARN: Make sure SSH login works first! If you disable passwords and your key doesn't work, you'll be locked out.

On your server, edit the SSH configuration

```bash
sudo vim /etc/ssh/sshd_config
```

Make sure you have following settings in your ssh config

```text
PermitRootLogin no          # Prevents logging in as root
PubKeyAuthentication yes    # Allows SSH key authentication 
PasswordAuthentication no   # Disable password login
```

Some VPS providers have an additional config file. Check if this file exists

```bash
sudo cat /etc/ssh/sshd_config.d/50-cloudimg-settings.conf
```

If it exists and has `PasswordAuthentication yes`, change it to `no` or just delete this file.

```bash
sudo rm /etc/ssh/sshd_config.d/50-cloudimg-settings.conf
```

After making all these changes restart SSH

```bash
sudo service ssh restart
```

## Set Up a Firewall

Firewall monitors and controls the incoming and outgoing network traffic based upon predefined security rules.
To protect against unauthorized access and potential threats, you should disable incoming traffic on all ports except:
* `22`: SSH
* `80`: HTTP
* `443`: HTTPS

> NOTE: Don't expose any other port unless you know what you're doing. Each open port is a potential entry point for attackers.

To achieve this you can navigate to the dashboard of your VPS provider.
You can add ports 22, 80, and 443 for inbound traffic.
Allow outbound connections open on all ports. You can additionally restrict outbound connections too if needed.
improve vps setup guide 2025-11-02 11:17:04 +05:30			`# First Steps on a New VPS`

			`## 1: Connect to Your Server`

			`Open terminal and run the following command using the IP address of your VPS.`
setup a new VPS 2025-10-09 02:59:20 +05:30
			```bash
			`ssh root@192.168.1.1`
			```
improve vps setup guide 2025-11-02 11:17:04 +05:30			`When prompted for password, enter the password and you will logged into your VPS.`

			`## 2: Update Your Server`
setup a new VPS 2025-10-09 02:59:20 +05:30
			```bash
			`apt update && apt upgrade`
			```

improve vps setup guide 2025-11-02 11:17:04 +05:30			* `apt update` - Downloads a list of available updates (doesn't install them yet)
			* `apt upgrade` - Actually installs the updates

			`## 3: Change the Root Password`

			`You might want to change the root password to something more secure than the password from the VPS provider's dashboard.`

setup a new VPS 2025-10-09 02:59:20 +05:30			```bash
			`passwd`
			```
improve vps setup guide 2025-11-02 11:17:04 +05:30			`Enter the new password and you are good to go.`


			`## 4: Create a New User (Don't Use Root!)`

			`Root user has the permissions to perform any operation. This could be a security risk.`
			`Therefore it is always recommended to create a normal user for daily usage.`

			```bash
			`adduser new_user`
			```

			`The user we just created can not perform priviliged operation.`
			We'll add it to the `sudo` group, which lets them run commands as priviliged user using `sudo`.
setup a new VPS 2025-10-09 02:59:20 +05:30
			```bash
improve vps setup guide 2025-11-02 11:17:04 +05:30			`usermod -aG sudo new_user`
setup a new VPS 2025-10-09 02:59:20 +05:30			```

improve vps setup guide 2025-11-02 11:17:04 +05:30			* `sudo` stands for `super user do`

			`## 5: Switch to Your New User`

			`Now log out and log back in as your new user instead of root.`

setup a new VPS 2025-10-09 02:59:20 +05:30			```bash
improve vps setup guide 2025-11-02 11:17:04 +05:30			`ssh new_user@192.168.1.1`
setup a new VPS 2025-10-09 02:59:20 +05:30			```
improve vps setup guide 2025-11-02 11:17:04 +05:30
			Use the password of `new_user` that you set while creating it.
			`From now on, we'll use this user instead of root!`

			`---`

			`# Secure Your VPS`

			`Now that your server is set up, let's make it much more secure. We'll:`
			`1. Set up a domain name`
			`2. Use SSH keys instead of passwords`
			`3. Disable password login`
			`4. Set up a firewall`

			`## Get a Domain Name for Your VPS`

			`Buy a domain from any registrar (Namecheap, Google Domains, Cloudflare, etc.)`

			`In your domain's DNS settings, create an A Record:`
			* Name: `@` (or leave blank for root domain)
			* Value: Your server's IP address (like `192.168.1.1`)
			`* TTL: Leave default`

			`Wait a few minutes for DNS to update.`

			`Test if it's working`

setup a new VPS 2025-10-09 02:59:20 +05:30			```bash
improve vps setup guide 2025-11-02 11:17:04 +05:30			`dig domain.com A`
setup a new VPS 2025-10-09 02:59:20 +05:30			```

improve vps setup guide 2025-11-02 11:17:04 +05:30			`You should see your IP address in the output. If not, wait a bit longer - DNS changes take time to propagate.`

			You can access your server using `ssh new_user@domain.com`. It's a lot more convenient.

			`## Set Up SSH Keys (Passwordless Login)`
setup a new VPS 2025-10-09 02:59:20 +05:30
improve vps setup guide 2025-11-02 11:17:04 +05:30			`1. Generate an SSH key pair on your computer`
setup a new VPS 2025-10-09 02:59:20 +05:30
			```bash
improve vps setup guide 2025-11-02 11:17:04 +05:30			`ssh-keygen -t ed25519 -f ~/.ssh/id_vps -N ""`
setup a new VPS 2025-10-09 02:59:20 +05:30			```

improve vps setup guide 2025-11-02 11:17:04 +05:30			`This creates two files`
			* `~/.ssh/id_vps` - private key keep this secret! Never share it!
			* `~/.ssh/id_ed25519.pub` - public key, safe to share

			`2. Copy your public key to the server:`
setup a new VPS 2025-10-09 02:59:20 +05:30
			```bash
improve vps setup guide 2025-11-02 11:17:04 +05:30			`ssh-copy-id new_user@yourdomain.com`
setup a new VPS 2025-10-09 02:59:20 +05:30			```
improve vps setup guide 2025-11-02 11:17:04 +05:30
			It automatically adds your public key to the server's `~/.ssh/authorized_keys` file, so your computer can log in without a password.

			`## Disable Password Authentication`

			`Now that passwordless login works, disable password authentication entirely.`
			`This prevents bots from trying to guess your password.`

			`> WARN: Make sure SSH login works first! If you disable passwords and your key doesn't work, you'll be locked out.`

			`On your server, edit the SSH configuration`

setup a new VPS 2025-10-09 02:59:20 +05:30			```bash
improve vps setup guide 2025-11-02 11:17:04 +05:30			`sudo vim /etc/ssh/sshd_config`
setup a new VPS 2025-10-09 02:59:20 +05:30			```

improve vps setup guide 2025-11-02 11:17:04 +05:30			`Make sure you have following settings in your ssh config`
setup a new VPS 2025-10-09 02:59:20 +05:30
			```text
improve vps setup guide 2025-11-02 11:17:04 +05:30			`PermitRootLogin no # Prevents logging in as root`
			`PubKeyAuthentication yes # Allows SSH key authentication`
			`PasswordAuthentication no # Disable password login`
			```
setup a new VPS 2025-10-09 02:59:20 +05:30
improve vps setup guide 2025-11-02 11:17:04 +05:30			`Some VPS providers have an additional config file. Check if this file exists`
setup a new VPS 2025-10-09 02:59:20 +05:30
improve vps setup guide 2025-11-02 11:17:04 +05:30			```bash
			`sudo cat /etc/ssh/sshd_config.d/50-cloudimg-settings.conf`
setup a new VPS 2025-10-09 02:59:20 +05:30			```

improve vps setup guide 2025-11-02 11:17:04 +05:30			If it exists and has `PasswordAuthentication yes`, change it to `no` or just delete this file.

setup a new VPS 2025-10-09 02:59:20 +05:30			```bash
improve vps setup guide 2025-11-02 11:17:04 +05:30			`sudo rm /etc/ssh/sshd_config.d/50-cloudimg-settings.conf`
setup a new VPS 2025-10-09 02:59:20 +05:30			```

improve vps setup guide 2025-11-02 11:17:04 +05:30			`After making all these changes restart SSH`
setup a new VPS 2025-10-09 02:59:20 +05:30
improve vps setup guide 2025-11-02 11:17:04 +05:30			```bash
			`sudo service ssh restart`
setup a new VPS 2025-10-09 02:59:20 +05:30			```
improve vps setup guide 2025-11-02 11:17:04 +05:30
			`## Set Up a Firewall`

			`Firewall monitors and controls the incoming and outgoing network traffic based upon predefined security rules.`
			`To protect against unauthorized access and potential threats, you should disable incoming traffic on all ports except:`
			* `22`: SSH
			* `80`: HTTP
			* `443`: HTTPS

			`> NOTE: Don't expose any other port unless you know what you're doing. Each open port is a potential entry point for attackers.`

			`To achieve this you can navigate to the dashboard of your VPS provider.`
			`You can add ports 22, 80, and 443 for inbound traffic.`
			`Allow outbound connections open on all ports. You can additionally restrict outbound connections too if needed.`