improve vps setup guide

This commit is contained in:
Kulvir Singh
2025-11-02 11:17:04 +05:30
parent 82a3451267
commit d22f33469e
2 changed files with 132 additions and 52 deletions


@@ -1,6 +1,9 @@
# Self Host 101
1. [Setup VPS](./setup-vps.md)
Welcome! This is guide to set up self-hosted services.
2. [Setting up a caddy web server](./caddy/readme.md)
3. [Gitea in Docker (with SSH shimming)](./gitea/readme.md)
1. **[Setup VPS](./setup-vps.md)** - Set up and secure your server
2. **[Caddy Web Server](./caddy/readme.md)** - Configure a web server and reverse proxy
3. **[Gitea](./gitea/readme.md)** - GitHub like git server
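Review bot: the new intro line is missing an article: "Welcome! This is guide to set up self-hosted services." should read "Welcome! This is a guide to set up self-hosted services." Minor style point on item 3: "GitHub like git server" reads better hyphenated as "GitHub-like Git server".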


@@ -1,85 +1,162 @@
# First steps on a new VPS
# First Steps on a New VPS
## 1: Connect to Your Server
Open terminal and run the following command using the IP address of your VPS.
1. SSH into your server
```bash
ssh root@192.168.1.1
```
When prompted for password, enter the password and you will logged into your VPS.
## 2: Update Your Server
2. Update packages
```bash
apt update && apt upgrade
```
`apt update` will fetch the changes from package repository but wouldn't update them. `apt upgrade` will actually update the packages.
3. Change the root password from the password provided in the dashboard of VPS.
* `apt update` - Downloads a list of available updates (doesn't install them yet)
* `apt upgrade` - Actually installs the updates
## 3: Change the Root Password
You might want to change the root password to something more secure than the password from the VPS provider's dashboard.
```bash
passwd
```
Enter the new password and you are good to go.
4. Create non root user. Always follow least priviliged permissions principle.
```bash
adduser <name>
```
It will ask few questions answer them and it will create a new user.
5. `adduser` created a normal user without elevated permissions. This user cannot perform priviliged operations.
We can add them to **super user (sudo)** group so that it can perform priviliged operations using `sudo`.
## 4: Create a New User (Don't Use Root!)
Root user has the permissions to perform any operation. This could be a security risk.
Therefore it is always recommended to create a normal user for daily usage.
```bash
usermod -aG sudo <name>
```
6. Logout from root user and ssh again to newly created user. You should never login to root user (wise ppl said so).
```bash
ssh <name>@192.168.1.1
adduser new_user
```
# Secure the VPS
The user we just created can not perform priviliged operation.
We'll add it to the `sudo` group, which lets them run commands as priviliged user using `sudo`.
## Get a domain for the VPS
Get a Domain from wherever and set `A Record` to the server's IP address. It might take some time to update the A record for you Domain.
Now you can directly access VPS using domain name and don't have to remember IP address.
You can test if `A Record` has been updated for your domain or not using the following command.
```bash
dig domain-name.com A
usermod -aG sudo new_user
```
## Setup SSH keys
* `sudo` stands for `super user do`
## 5: Switch to Your New User
Now log out and log back in as your new user instead of root.
Generate SSH key pair to login to VPS.
```bash
ssh-keygen -t ed25519
ssh new_user@192.168.1.1
```
After generating keys, copy the `public` key to VPS and add it to `~/.ssh/authorized_keys` file.
Use the password of `new_user` that you set while creating it.
From now on, we'll use this user instead of root!
---
# Secure Your VPS
Now that your server is set up, let's make it much more secure. We'll:
1. Set up a domain name
2. Use SSH keys instead of passwords
3. Disable password login
4. Set up a firewall
## Get a Domain Name for Your VPS
Buy a domain from any registrar (Namecheap, Google Domains, Cloudflare, etc.)
In your domain's DNS settings, create an **A Record**:
* **Name**: `@` (or leave blank for root domain)
* **Value**: Your server's IP address (like `192.168.1.1`)
* **TTL**: Leave default
Wait a few minutes for DNS to update.
Test if it's working
```bash
ssh-copy-id -i ~/.ssh/vps_key.pub <user-name>@<domain-name>
dig domain.com A
```
Running the above command might prompt you for the password for you account on VPS.
This command will automatically setup the `public` key inside `authorized_keys` file of the specified user.
Password-less authentication is setup.
## Disable password authentication
You should see your IP address in the output. If not, wait a bit longer - DNS changes take time to propagate.
You can access your server using `ssh new_user@domain.com`. It's a lot more convenient.
## Set Up SSH Keys (Passwordless Login)
1. Generate an SSH key pair on your computer
```bash
ssh-keygen -t ed25519 -f ~/.ssh/id_vps -N ""
```
This creates two files
* `~/.ssh/id_vps` - **private key** keep this secret! Never share it!
* `~/.ssh/id_ed25519.pub` - **public key**, safe to share
2. Copy your public key to the server:
```bash
ssh-copy-id new_user@yourdomain.com
```
It automatically adds your public key to the server's `~/.ssh/authorized_keys` file, so your computer can log in without a password.
## Disable Password Authentication
Now that passwordless login works, disable password authentication entirely.
This prevents bots from trying to guess your password.
> WARN: Make sure SSH login works first! If you disable passwords and your key doesn't work, you'll be locked out.
On your server, edit the SSH configuration
```bash
sudo vim /etc/ssh/sshd_config
```
Make sure you have following settings in your ssh config
Set the following items in your ssh config located usually at `/etc/ssh/sshd_config` to make it more secure.
```text
PermitRootLogin no # Disable login to Root account
PubKeyAuthentication yes # Authentication using public keys
PasswordAuthentication no # Disable password authentication to secure from bot attacks
PermitRootLogin no # Prevents logging in as root
PubKeyAuthentication yes # Allows SSH key authentication
PasswordAuthentication no # Disable password login
```
Your VPS might contain a file named `/etc/ssh/sshd_config.d/50-cloudimg-settings.conf` where `PasswordAuthentication` is set to yes. Either delete that file or just set it to no.
After all these changes restart the `ssh daemon`
Some VPS providers have an additional config file. Check if this file exists
```bash
sudo service ssh restart
sudo cat /etc/ssh/sshd_config.d/50-cloudimg-settings.conf
```
## Firewall
If it exists and has `PasswordAuthentication yes`, change it to `no` or just delete this file.
Setup firewall rules from the dashboard of your VPS or you can use **uncomplicated firewall (ufw)** and setup `Inbound` rule to only following ports:
```text
SSH: 22
HTTP: 80
HTTPS: 443
```bash
sudo rm /etc/ssh/sshd_config.d/50-cloudimg-settings.conf
```
**Do not expose any port other than the above unless needed.**
After making all these changes restart SSH
```bash
sudo service ssh restart
```
## Set Up a Firewall
Firewall monitors and controls the incoming and outgoing network traffic based upon predefined security rules.
To protect against unauthorized access and potential threats, you should disable incoming traffic on all ports except:
* `22`: SSH
* `80`: HTTP
* `443`: HTTPS
> NOTE: Don't expose any other port unless you know what you're doing. Each open port is a potential entry point for attackers.
To achieve this you can navigate to the dashboard of your VPS provider.
You can add ports 22, 80, and 443 for inbound traffic.
Allow outbound connections open on all ports. You can additionally restrict outbound connections too if needed.
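Review bot: the SSH key step is internally inconsistent and, as written, the later commands will not use the key it generates. `ssh-keygen -t ed25519 -f ~/.ssh/id_vps -N ""` writes the public key to `~/.ssh/id_vps.pub`, not `~/.ssh/id_ed25519.pub` as the second bullet claims, and because the key is not at the default path, `ssh-copy-id new_user@yourdomain.com` and the later `ssh new_user@domain.com` will look for `~/.ssh/id_ed25519`, not `id_vps`. Suggest `ssh-copy-id -i ~/.ssh/id_vps.pub new_user@yourdomain.com` and either `ssh -i ~/.ssh/id_vps new_user@yourdomain.com` or a `Host` entry in `~/.ssh/config` with `IdentityFile ~/.ssh/id_vps`. Also reconsider `-N ""`: it produces a private key with no passphrase, so anyone who copies the file can log in, which matters more once the guide disables password authentication; dropping the flag makes ssh-keygen prompt for one. In the "Disable Password Authentication" section, add `sudo sshd -t` before `sudo service ssh restart` so a typo in `sshd_config` is caught before the daemon reloads, and since the warning block already tells readers to verify key login first, suggest they keep the current session open while testing a fresh connection. The canonical keyword spelling is `PubkeyAuthentication` (sshd keywords are case-insensitive, so `PubKeyAuthentication` works, but matching sshd_config(5) avoids doubt). On the firewall section: the rewrite dropped the `ufw` mention that the old text had and now only describes the provider dashboard, leaving readers without a dashboard firewall with no concrete step; consider keeping a short alternative such as `sudo ufw allow 22/tcp`, `sudo ufw allow 80,443/tcp`, `sudo ufw enable`. Finally, "Allow outbound connections open on all ports" should read "Allow outbound connections on all ports".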