From d22f33469e502557b40026984451773d291ad635 Mon Sep 17 00:00:00 2001 From: Kulvir Singh Date: Sun, 2 Nov 2025 11:17:04 +0530 Subject: [PATCH] improve vps setup guide --- readme.md | 9 ++- setup-vps.md | 175 ++++++++++++++++++++++++++++++++++++--------------- 2 files changed, 132 insertions(+), 52 deletions(-) diff --git a/readme.md b/readme.md index a0c3f4e..8bda875 100644 --- a/readme.md +++ b/readme.md @@ -1,6 +1,9 @@ # Self Host 101 -1. [Setup VPS](./setup-vps.md) +Welcome! This is guide to set up self-hosted services. -2. [Setting up a caddy web server](./caddy/readme.md) -3. [Gitea in Docker (with SSH shimming)](./gitea/readme.md) +1. **[Setup VPS](./setup-vps.md)** - Set up and secure your server + +2. **[Caddy Web Server](./caddy/readme.md)** - Configure a web server and reverse proxy + +3. **[Gitea](./gitea/readme.md)** - GitHub like git server diff --git a/setup-vps.md b/setup-vps.md index 10bcfab..9913fa4 100644 --- a/setup-vps.md +++ b/setup-vps.md 
@@ -1,85 +1,162 @@ -# First steps on a new VPS +# First Steps on a New VPS + +## 1: Connect to Your Server + +Open terminal and run the following command using the IP address of your VPS. -1. SSH into your server ```bash ssh root@192.168.1.1 ``` +When prompted for password, enter the password and you will logged into your VPS. + +## 2: Update Your Server -2. Update packages ```bash apt update && apt upgrade ``` -`apt update` will fetch the changes from package repository but wouldn't update them. `apt upgrade` will actually update the packages. -3. Change the root password from the password provided in the dashboard of VPS. +* `apt update` - Downloads a list of available updates (doesn't install them yet) +* `apt upgrade` - Actually installs the updates + +## 3: Change the Root Password + +You might want to change the root password to something more secure than the password from the VPS provider's dashboard. + ```bash passwd ``` +Enter the new password and you are good to go. -4. Create non root user. Always follow least priviliged permissions principle. -```bash -adduser -``` -It will ask few questions answer them and it will create a new user. -5. `adduser` created a normal user without elevated permissions. This user cannot perform priviliged operations. -We can add them to **super user (sudo)** group so that it can perform priviliged operations using `sudo`. +## 4: Create a New User (Don't Use Root!) + +Root user has the permissions to perform any operation. This could be a security risk. +Therefore it is always recommended to create a normal user for daily usage. + ```bash -usermod -aG sudo -``` -6. Logout from root user and ssh again to newly created user. You should never login to root user (wise ppl said so). -```bash -ssh @192.168.1.1 +adduser new_user ``` -# Secure the VPS +The user we just created can not perform priviliged operation. +We'll add it to the `sudo` group, which lets them run commands as priviliged user using `sudo`. 
-## Get a domain for the VPS - -Get a Domain from wherever and set `A Record` to the server's IP address. It might take some time to update the A record for you Domain. -Now you can directly access VPS using domain name and don't have to remember IP address. -You can test if `A Record` has been updated for your domain or not using the following command. ```bash -dig domain-name.com A +usermod -aG sudo new_user ``` -## Setup SSH keys +* `sudo` stands for `super user do` + +## 5: Switch to Your New User + +Now log out and log back in as your new user instead of root. -Generate SSH key pair to login to VPS. ```bash -ssh-keygen -t ed25519 +ssh new_user@192.168.1.1 ``` -After generating keys, copy the `public` key to VPS and add it to `~/.ssh/authorized_keys` file. + +Use the password of `new_user` that you set while creating it. +From now on, we'll use this user instead of root! + +--- + +# Secure Your VPS + +Now that your server is set up, let's make it much more secure. We'll: +1. Set up a domain name +2. Use SSH keys instead of passwords +3. Disable password login +4. Set up a firewall + +## Get a Domain Name for Your VPS + +Buy a domain from any registrar (Namecheap, Google Domains, Cloudflare, etc.) + +In your domain's DNS settings, create an **A Record**: +* **Name**: `@` (or leave blank for root domain) +* **Value**: Your server's IP address (like `192.168.1.1`) +* **TTL**: Leave default + +Wait a few minutes for DNS to update. + +Test if it's working + ```bash -ssh-copy-id -i ~/.ssh/vps_key.pub @ +dig domain.com A ``` -Running the above command might prompt you for the password for you account on VPS. -This command will automatically setup the `public` key inside `authorized_keys` file of the specified user. -Password-less authentication is setup. -## Disable password authentication +You should see your IP address in the output. If not, wait a bit longer - DNS changes take time to propagate. + +You can access your server using `ssh new_user@domain.com`. 
It's a lot more convenient. + +## Set Up SSH Keys (Passwordless Login) + +1. Generate an SSH key pair on your computer + +```bash +ssh-keygen -t ed25519 -f ~/.ssh/id_vps -N "" +``` + +This creates two files +* `~/.ssh/id_vps` - **private key** keep this secret! Never share it! +* `~/.ssh/id_ed25519.pub` - **public key**, safe to share + +2. Copy your public key to the server: + +```bash +ssh-copy-id new_user@yourdomain.com +``` + +It automatically adds your public key to the server's `~/.ssh/authorized_keys` file, so your computer can log in without a password. + +## Disable Password Authentication + +Now that passwordless login works, disable password authentication entirely. +This prevents bots from trying to guess your password. + +> WARN: Make sure SSH login works first! If you disable passwords and your key doesn't work, you'll be locked out. + +On your server, edit the SSH configuration + +```bash +sudo vim /etc/ssh/sshd_config +``` + +Make sure you have following settings in your ssh config -Set the following items in your ssh config located usually at `/etc/ssh/sshd_config` to make it more secure. ```text -PermitRootLogin no # Disable login to Root account - -PubKeyAuthentication yes # Authentication using public keys - -PasswordAuthentication no # Disable password authentication to secure from bot attacks +PermitRootLogin no # Prevents logging in as root +PubKeyAuthentication yes # Allows SSH key authentication +PasswordAuthentication no # Disable password login ``` -Your VPS might contain a file named `/etc/ssh/sshd_config.d/50-cloudimg-settings.conf` where `PasswordAuthentication` is set to yes. Either delete that file or just set it to no. -After all these changes restart the `ssh daemon` +Some VPS providers have an additional config file. 
Check if this file exists + ```bash -sudo service ssh restart +sudo cat /etc/ssh/sshd_config.d/50-cloudimg-settings.conf ``` -## Firewall +If it exists and has `PasswordAuthentication yes`, change it to `no` or just delete this file. -Setup firewall rules from the dashboard of your VPS or you can use **uncomplicated firewall (ufw)** and setup `Inbound` rule to only following ports: -```text -SSH: 22 -HTTP: 80 -HTTPS: 443 +```bash +sudo rm /etc/ssh/sshd_config.d/50-cloudimg-settings.conf ``` -**Do not expose any port other than the above unless needed.** + +After making all these changes restart SSH + +```bash +sudo service ssh restart +``` + +## Set Up a Firewall + +Firewall monitors and controls the incoming and outgoing network traffic based upon predefined security rules. +To protect against unauthorized access and potential threats, you should disable incoming traffic on all ports except: +* `22`: SSH +* `80`: HTTP +* `443`: HTTPS + +> NOTE: Don't expose any other port unless you know what you're doing. Each open port is a potential entry point for attackers. + +To achieve this you can navigate to the dashboard of your VPS provider. +You can add ports 22, 80, and 443 for inbound traffic. +Allow outbound connections open on all ports. You can additionally restrict outbound connections too if needed.
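Review bot: the new intro line in the readme.md hunk has a grammar slip, `+Welcome! This is guide to set up self-hosted services.` should read `This is a guide to set up self-hosted services.`, and in the Gitea entry `GitHub like git server` wants a hyphen (`GitHub-like git server`). Otherwise the one-line description per step is a welcome addition to the index.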
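Review bot: the SSH key section of the setup-vps.md hunk is internally inconsistent and will not work for a reader who follows it literally. `ssh-keygen -t ed25519 -f ~/.ssh/id_vps -N ""` writes `~/.ssh/id_vps` and `~/.ssh/id_vps.pub`, but the bullet below names the public key `~/.ssh/id_ed25519.pub`; and `ssh-copy-id new_user@yourdomain.com` with no `-i` copies the default key files, not `id_vps.pub`, so it should be `ssh-copy-id -i ~/.ssh/id_vps.pub new_user@yourdomain.com`, and the later `ssh new_user@...` calls need `-i ~/.ssh/id_vps` (or a `Host` entry in `~/.ssh/config`) to pick up the non-default key name. `-N ""` also silently creates a private key with no passphrase, which undercuts the "keep this secret! Never share it!" bullet; either drop `-N ""` so the reader is prompted, or state plainly that an unprotected key is being chosen. Two smaller points on the hardening steps: the sshd_config block puts trailing `# ...` comments after each value, which older OpenSSH releases reject with "garbage at end of line", so move the comments onto their own lines and add `sudo sshd -t` before `sudo service ssh restart` so a broken config is caught before the daemon is bounced; and the WARN callout should tell the reader to test key login from a second terminal while keeping the current session open, which is the practical way to avoid the lockout it warns about. Lastly, the firewall rewrite drops the previous `ufw` option in favour of the provider dashboard only, and "Allow outbound connections open on all ports" reads awkwardly; keeping a one-line `ufw` alternative for providers without a dashboard firewall would round it out.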