# First steps on a new VPS

1. SSH into your server

   ```bash
   ssh root@192.168.1.1
   ```

2. Update packages

   ```bash
   apt update && apt upgrade
   ```

   `apt update` fetches the latest package lists from the repositories but does not change any installed packages. `apt upgrade` actually installs the newer versions.

3. Change the root password from the one provided in the dashboard of the VPS.

   ```bash
   passwd
   ```

4. Create a non-root user. Always follow the principle of least privilege.

   ```bash
   adduser <username>
   ```

   It will ask a few questions; answer them and it will create the new user.

5. `adduser` created a normal user without elevated permissions. This user cannot perform privileged operations. We can add them to the **super user (sudo)** group so that they can perform privileged operations using `sudo`.

   ```bash
   usermod -aG sudo <username>
   ```

6. Log out of the root user and SSH in again as the newly created user. You should never log in as root (wise people said so).

   ```bash
   ssh <username>@192.168.1.1
   ```

# Secure the VPS

## Get a domain for the VPS

Get a domain from wherever and set an `A Record` pointing to the server's IP address. It might take some time for the A record of your domain to propagate. After that you can access the VPS directly by domain name and don't have to remember the IP address.

You can test whether the `A Record` for your domain has been updated using the following command.

```bash
dig domain-name.com A
```

## Setup SSH keys

Generate an SSH key pair to log in to the VPS.

```bash
# -f names the key file; this matches the vps_key.pub used below
ssh-keygen -t ed25519 -f ~/.ssh/vps_key
```

After generating the keys, copy the `public` key to the VPS and add it to the `~/.ssh/authorized_keys` file.

```bash
ssh-copy-id -i ~/.ssh/vps_key.pub <username>@<domain-or-ip>
```

Running the above command might prompt you for the password of your account on the VPS. It will automatically set up the `public` key inside the `authorized_keys` file of the specified user. Password-less authentication is now set up.

## Disable password authentication

Set the following items in your SSH daemon config, usually located at `/etc/ssh/sshd_config`, to make it more secure.
```text
PermitRootLogin no          # Disable login to the root account
PubkeyAuthentication yes    # Authentication using public keys
PasswordAuthentication no   # Disable password authentication to protect against bot attacks
```

Your VPS might contain a file named `/etc/ssh/sshd_config.d/50-cloudimg-settings.conf` where `PasswordAuthentication` is set to `yes`. Because the `Include` for that directory sits at the top of `sshd_config` and sshd keeps the first value it reads for each keyword, that drop-in wins over the main file: either delete it or set the option to `no` there as well. After all these changes, restart the `ssh daemon`.

```bash
sudo service ssh restart
```

## Firewall

Set up firewall rules from the dashboard of your VPS, or use **uncomplicated firewall (ufw)** and set up `Inbound` rules that allow only the following ports:

```text
SSH: 22
HTTP: 80
HTTPS: 443
```

**Do not expose any port other than the above unless needed.**
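To check that the three sshd settings above actually took effect (including any drop-in under `sshd_config.d`) and to express the firewall policy as ufw rules, here is an added example script that is not part of the original post; it assumes a Debian/Ubuntu host with `ufw` and `sudo` installed, and the file name `vps_key` and the `APPLY` variable are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: verify the sshd settings above
# and print/apply the ufw inbound baseline. Assumes a Debian/Ubuntu host with
# ufw and sudo installed.
set -eu

# Check the *effective* sshd configuration, i.e. the output of `sshd -T`
# (lowercase keywords, one per line), which already reflects drop-ins such as
# sshd_config.d/50-cloudimg-settings.conf. $1 is a file holding that output.
# Prints each wrong setting and returns how many are wrong (0 means all good).
sshd_check() {
  conf=$1
  bad=0
  for want in "permitrootlogin no" "pubkeyauthentication yes" "passwordauthentication no"; do
    if ! grep -qix "$want" "$conf"; then
      echo "sshd: expected '$want'" >&2
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Print the ufw commands for the inbound policy in the Firewall section
# (deny everything inbound, then open only 22, 80 and 443). SSH uses `limit`
# rather than `allow` so repeated connection attempts from one source are
# rate-limited. Set APPLY=1 to execute the commands with sudo instead of
# printing them.
ufw_baseline() {
  printf '%s\n' \
    "ufw default deny incoming" \
    "ufw default allow outgoing" \
    "ufw limit 22/tcp" \
    "ufw allow 80/tcp" \
    "ufw allow 443/tcp" \
    "ufw --force enable" |
  while IFS= read -r cmd; do
    if [ "${APPLY:-0}" = "1" ]; then
      sudo $cmd    # word splitting intended: each line is one full command
    else
      printf '%s\n' "$cmd"
    fi
  done
}
```

On the server, source the script and run `sudo sshd -T > /tmp/sshd-effective.conf && sshd_check /tmp/sshd-effective.conf` before restarting the daemon, then `APPLY=1 ufw_baseline` once you are sure your SSH session goes through port 22.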