From d42712222251cc0185ce9ad9c3ed75fb48b66cdb Mon Sep 17 00:00:00 2001 From: Kulvir Singh Date: Thu, 9 Oct 2025 02:59:20 +0530 Subject: [PATCH] setup a new VPS --- readme.md | 3 ++ setup-vps.md | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 88 insertions(+) create mode 100644 readme.md create mode 100644 setup-vps.md diff --git a/readme.md b/readme.md new file mode 100644 index 0000000..14835c6 --- /dev/null +++ b/readme.md @@ -0,0 +1,3 @@ +# Self Host 101 + +1. [Setup VPS](./setup-vps.md) diff --git a/setup-vps.md b/setup-vps.md new file mode 100644 index 0000000..10bcfab --- /dev/null +++ b/setup-vps.md 
@@ -0,0 +1,85 @@ +# First steps on a new VPS + +1. SSH into your server +```bash +ssh root@192.168.1.1 +``` + +2. Update packages +```bash +apt update && apt upgrade +``` +`apt update` will fetch the changes from package repository but wouldn't update them. `apt upgrade` will actually update the packages. + +3. Change the root password from the password provided in the dashboard of VPS. +```bash +passwd +``` + +4. Create non root user. Always follow least priviliged permissions principle. +```bash +adduser +``` +It will ask few questions answer them and it will create a new user. + +5. `adduser` created a normal user without elevated permissions. This user cannot perform priviliged operations. +We can add them to **super user (sudo)** group so that it can perform priviliged operations using `sudo`. +```bash +usermod -aG sudo +``` +6. Logout from root user and ssh again to newly created user. You should never login to root user (wise ppl said so). +```bash +ssh @192.168.1.1 +``` + +# Secure the VPS + +## Get a domain for the VPS + +Get a Domain from wherever and set `A Record` to the server's IP address. It might take some time to update the A record for you Domain. +Now you can directly access VPS using domain name and don't have to remember IP address. +You can test if `A Record` has been updated for your domain or not using the following command. +```bash +dig domain-name.com A +``` + +## Setup SSH keys + +Generate SSH key pair to login to VPS. +```bash +ssh-keygen -t ed25519 +``` +After generating keys, copy the `public` key to VPS and add it to `~/.ssh/authorized_keys` file. +```bash +ssh-copy-id -i ~/.ssh/vps_key.pub @ +``` +Running the above command might prompt you for the password for you account on VPS. +This command will automatically setup the `public` key inside `authorized_keys` file of the specified user. +Password-less authentication is setup. 
+ +## Disable password authentication + +Set the following items in your ssh config located usually at `/etc/ssh/sshd_config` to make it more secure. +```text +PermitRootLogin no # Disable login to Root account + +PubKeyAuthentication yes # Authentication using public keys + +PasswordAuthentication no # Disable password authentication to secure from bot attacks +``` +Your VPS might contain a file named `/etc/ssh/sshd_config.d/50-cloudimg-settings.conf` where `PasswordAuthentication` is set to yes. Either delete that file or just set it to no. + +After all these changes restart the `ssh daemon` +```bash +sudo service ssh restart +``` + +## Firewall + +Setup firewall rules from the dashboard of your VPS or you can use **uncomplicated firewall (ufw)** and setup `Inbound` rule to only following ports: +```text +SSH: 22 +HTTP: 80 +HTTPS: 443 +``` +**Do not expose any port other than the above unless needed.**
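Review bot: In the "Setup SSH keys" section of setup-vps.md, `ssh-keygen -t ed25519` writes to the default `~/.ssh/id_ed25519`, but the next command copies `~/.ssh/vps_key.pub`, so a reader following the steps literally has no such file and the key never reaches `authorized_keys`. Either add `-f ~/.ssh/vps_key` to the `ssh-keygen` line or point `ssh-copy-id -i` at the default path. This matters because the following section sets `PasswordAuthentication no` and restarts the daemon: please add a step to confirm key login works from a second terminal before closing the current session, and to run `sudo sshd -t` before `sudo service ssh restart` so a syntax error in `sshd_config` is caught first. Also, as the diff reads here, `adduser`, `usermod -aG sudo`, `ssh @192.168.1.1` and `ssh-copy-id ... @` have no username or host argument; if placeholders were intended, spell them out (for example `your-user@your-server`). In the Firewall section, it would help to say that port 22 must be allowed before ufw is enabled over an SSH session.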