# First Steps on a New VPS

## 1: Connect to Your Server

Open a terminal and run the following command, using the IP address of your VPS.

```bash
ssh root@192.168.1.1
```

When prompted, enter the password and you will be logged into your VPS.

## 2: Update Your Server

```bash
apt update && apt upgrade
```

* `apt update` - Downloads a list of available updates (doesn't install them yet)
* `apt upgrade` - Actually installs the updates

## 3: Change the Root Password

You might want to change the root password to something more secure than the password from the VPS provider's dashboard.

```bash
passwd
```

Enter the new password and you are good to go.

## 4: Create a New User (Don't Use Root!)

The root user has permission to perform any operation, which is a security risk. It is therefore always recommended to create a normal user for daily usage.

```bash
adduser new_user
```

The user we just created cannot perform privileged operations. We'll add it to the `sudo` group, which lets it run commands as a privileged user using `sudo`.

```bash
usermod -aG sudo new_user
```

* `sudo` stands for `super user do`

## 5: Switch to Your New User

Now log out and log back in as your new user instead of root.

```bash
ssh new_user@192.168.1.1
```

Use the password you set for `new_user` when creating it.

From now on, we'll use this user instead of root!

---

# Secure Your VPS

Now that your server is set up, let's make it much more secure. We'll:

1. Set up a domain name
2. Use SSH keys instead of passwords
3. Disable password login
4. Set up a firewall

## Get a Domain Name for Your VPS

Buy a domain from any registrar (Namecheap, Google Domains, Cloudflare, etc.).

In your domain's DNS settings, create an **A Record**:

* **Name**: `@` (or leave blank for root domain)
* **Value**: Your server's IP address (like `192.168.1.1`)
* **TTL**: Leave default

Wait a few minutes for DNS to update.
Test if it's working:

```bash
dig domain.com A
```

You should see your IP address in the output. If not, wait a bit longer - DNS changes take time to propagate.

You can now access your server using `ssh new_user@domain.com`, which is a lot more convenient.

## Set Up SSH Keys (Passwordless Login)

1. Generate an SSH key pair on your computer:

   ```bash
   ssh-keygen -t ed25519 -f ~/.ssh/id_vps -N ""
   ```

   This creates two files:

   * `~/.ssh/id_vps` - **private key**, keep this secret! Never share it!
   * `~/.ssh/id_vps.pub` - **public key**, safe to share

2. Copy your public key to the server:

   ```bash
   ssh-copy-id -i ~/.ssh/id_vps.pub new_user@yourdomain.com
   ```

   It automatically adds your public key to the server's `~/.ssh/authorized_keys` file, so your computer can log in without a password. Because the key is not stored under one of the default file names, pass `-i ~/.ssh/id_vps` to `ssh` when you connect.

## Disable Password Authentication

Now that passwordless login works, disable password authentication entirely. This prevents bots from trying to guess your password.

> WARN: Make sure SSH login works first! If you disable passwords and your key doesn't work, you'll be locked out.

On your server, edit the SSH configuration:

```bash
sudo vim /etc/ssh/sshd_config
```

Make sure you have the following settings in your SSH config:

```text
# Prevents logging in as root
PermitRootLogin no
# Allows SSH key authentication
PubKeyAuthentication yes
# Disable password login
PasswordAuthentication no
```

Some VPS providers have an additional config file. Check if this file exists:

```bash
sudo cat /etc/ssh/sshd_config.d/50-cloudimg-settings.conf
```

If it exists and has `PasswordAuthentication yes`, change it to `no` or just delete this file.

```bash
sudo rm /etc/ssh/sshd_config.d/50-cloudimg-settings.conf
```

After making all these changes, restart SSH:

```bash
sudo service ssh restart
```

## Set Up a Firewall

A firewall monitors and controls incoming and outgoing network traffic based on predefined security rules.
To protect against unauthorized access and potential threats, you should block incoming traffic on all ports except:

* `22`: SSH
* `80`: HTTP
* `443`: HTTPS

> NOTE: Don't expose any other port unless you know what you're doing. Each open port is a potential entry point for attackers.

To achieve this, navigate to the dashboard of your VPS provider and allow inbound traffic on ports 22, 80, and 443 only. Leave outbound connections open on all ports; you can restrict outbound traffic as well if needed.
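
To confirm that the settings from "Disable Password Authentication" are the ones sshd actually uses (a drop-in such as `50-cloudimg-settings.conf` can still override the main file), check the output of `sshd -T`, which prints the effective configuration after all included files are processed. The script below is an added example, not part of the original guide; `audit_sshd` and the two sample dumps are constructed for illustration.

```bash
# On the server, feed it the real configuration:  sudo sshd -T | audit_sshd
# Expected values from the "Disable Password Authentication" section.
EXPECTED="permitrootlogin=no pubkeyauthentication=yes passwordauthentication=no"

# Reads `sshd -T` style output ("keyword value", lowercase) on stdin.
# Prints one line per setting; returns 0 only if every setting matches.
audit_sshd() {
    local dump pair key want got rc
    rc=0
    dump=$(cat)
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        # Each of these keywords appears at most once in `sshd -T` output.
        got=$(printf '%s\n' "$dump" | awk -v k="$key" 'tolower($1) == k { print $2; exit }')
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '${got:-unset}', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: an effective config where a provider drop-in
# still sets PasswordAuthentication yes.
sample_dropin_override() {
    cat <<'EOF'
port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes
EOF
}

# Constructed sample: the same dump after the drop-in is fixed or removed.
sample_hardened() {
    cat <<'EOF'
port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
EOF
}

# Demonstration on the constructed samples (no root or sshd needed).
sample_dropin_override | audit_sshd || echo "=> password login is still enabled"
sample_hardened | audit_sshd && echo "=> key-only login is in effect"
```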