Recently, I developed an interest in hosting my own servers, which led me to explore virtual private servers (VPS).

This is the first part of my journey into hosting a Linux server.

  1. Setup & Security

To experiment with hosting my own Linux VPS, I opted for the cheapest DigitalOcean Droplet, priced at $4 per month. I chose it primarily for its ease of use and affordability. It suits my needs; other providers may offer similar services at lower cost, but I'm fine with that.

Connect to VPS with SSH

Your VPS provider will either guide you through setting up or automatically configure an SSH key or password, a (root) user, and an IP address, enabling you to connect to your VPS via SSH.

You can use this setup to establish your initial connection to the VPS. In my case the <user> was root.

ssh <user>@<ip>

Updates

The first step is to update the packages on your VPS, as they may be outdated and could pose security vulnerabilities.

To update packages on an Ubuntu machine, run the following commands:

sudo apt update
sudo apt upgrade -y

All packages should now be up to date. If any packages remain outdated, you may need to update them manually using the following command:

sudo apt install <package-name>

After updating the packages, you may need to reboot the machine. Use the following command to check if a reboot is required:

ls /var/run/reboot-required

If this file exists, a reboot is required; restart your VPS.

reboot

Automatic Updates

To ensure packages are automatically kept up to date, install the unattended-upgrades package.

# install unattended upgrades
sudo apt install unattended-upgrades

# start unattended upgrades
sudo dpkg-reconfigure unattended-upgrades

You will likely be prompted to enable automatic package upgrades. If the prompt does not appear, you can configure it manually.

To configure unattended-upgrades, open the following file:

sudo vim /etc/apt/apt.conf.d/50unattended-upgrades

and uncomment the following line so that the distribution's regular updates (not only security updates) are installed automatically:

"${distro_id}:${distro_codename}-updates";

To check if unattended-upgrades is running, use the systemctl command.

sudo systemctl status unattended-upgrades

Root and Users

Your VPS provider will set you up with a user (likely root) and a password. It’s good practice to change this password if it was generated by the provider.

To change the root password, use the passwd command while logged in as root.

passwd

It’s also good practice not to use the root user for everyday tasks. Instead, create a non-root user using the adduser command.

adduser <username>

You’ll be prompted to enter a password and some additional information for the new user.

To grant this user sudo (superuser) privileges, add them to the sudo group.

usermod -aG sudo <username>

To verify if the user has been successfully added to the sudo group:

groups <username>

This command should confirm that <username> is part of the sudo group:

<username> : <username> sudo users

You can now exit and attempt to log in as <username>:

ssh <username>@<ip>

You will be prompted to enter the password you just provided.

Login with SSH

Passwords can be less secure, so it's recommended to use an SSH key for logging into your server.

First, generate an SSH key on your local machine if you don’t already have one:

ssh-keygen -t ed25519 -C "<your_email@example.com>"

Look for the .pub file in your ~/.ssh/ directory, such as ~/.ssh/id_ed25519.pub. This public key needs to be copied and added to your VPS.

On your VPS, create the ~/.ssh/ directory if it doesn’t already exist:

mkdir -p ~/.ssh

Create an ~/.ssh/authorized_keys file and add the public key (.pub) you generated on your local machine to this file, then save the changes. Alternatively, run ssh-copy-id from your local machine; it appends the key to that file for you:

ssh-copy-id <username>@<ip>

Exit the SSH session on your VPS and try to log in again:

ssh <username>@<ip>

If everything is configured correctly, you should not be prompted for a password.

Disable Passwords and Root Login

For improved security, it’s best to disable both password authentication and root login.

Disable Password Authentication

Open the sshd_config file:

sudo vim /etc/ssh/sshd_config

Ensure the following settings are present or otherwise change them:

PubkeyAuthentication yes
PasswordAuthentication no

Depending on your VPS provider, there may be additional files that enable password authentication, such as /etc/ssh/sshd_config.d/50-cloud-init.conf. Make sure to update these files as well: sshd keeps the first value it reads for an option, and the Include line at the top of sshd_config pulls these drop-ins in before the main settings, so a "PasswordAuthentication yes" there takes precedence over your change.

Restart the SSH service for the changes to take effect:

sudo service ssh restart

To verify that password authentication is disabled, try logging in as the root user:

ssh root@<ip>

You should receive a permission denied error if the configuration is correct.

Disable Root Login

Open the same sshd_config file:

sudo vim /etc/ssh/sshd_config

Locate and update the following line:

PermitRootLogin no

Restart the SSH service again:

sudo service ssh restart
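The precedence rule behind the sshd_config.d caveat above is easy to get wrong, so here is an added example (my own illustration, not part of the original post or of OpenSSH) that emulates how sshd resolves an option: the first value encountered wins, and an Include pulls the matched files in at the point where it appears. The script builds a constructed sshd_config plus a cloud-init style drop-in in a temporary directory and reports the value sshd would actually use. It assumes absolute Include paths (real sshd resolves relative ones against /etc/ssh) and ignores Match blocks; on a real host the authoritative check is `sudo sshd -T | grep -iE 'passwordauthentication|permitrootlogin'`, which prints the effective configuration after all includes.

```shell
#!/usr/bin/env bash
# Added example: emulate sshd's "first value wins" rule to show why a drop-in
# under sshd_config.d can silently re-enable password logins.
set -eu

# Walk a config file in order and print every value assigned to option $2
# (lower-case name), descending into Include targets where they appear.
# Assumption: Include paths are absolute; Match blocks are not modelled.
effective_walk() {
    local cfg="$1" key="$2" line k f
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"          # drop comments
        set -- $line                # split into option and value(s); globs expand here
        [ $# -ge 2 ] || continue
        k=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
        shift
        if [ "$k" = include ]; then
            for f in "$@"; do       # the Include glob was already expanded by set --
                if [ -f "$f" ]; then effective_walk "$f" "$key"; fi
            done
        elif [ "$k" = "$key" ]; then
            printf '%s\n' "$*"
        fi
    done < "$cfg"
}

# The value sshd would use for option $2 given main config $1: the first one read.
sshd_effective() {
    local key
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    effective_walk "$1" "$key" | head -n 1
}

# Constructed sample: a hardened main config plus the kind of drop-in a
# cloud image ships with. Ubuntu's real sshd_config starts with the same
# Include line (pointing at /etc/ssh/sshd_config.d/*.conf).
demo=$(mktemp -d)
mkdir -p "$demo/sshd_config.d"
cat > "$demo/sshd_config" <<EOF
Include $demo/sshd_config.d/*.conf
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
EOF
printf 'PasswordAuthentication yes\n' > "$demo/sshd_config.d/50-cloud-init.conf"

# PasswordAuthentication resolves to "yes" until the drop-in is fixed as well.
for opt in PubkeyAuthentication PasswordAuthentication PermitRootLogin; do
    printf '%-22s %s\n' "$opt" "$(sshd_effective "$demo/sshd_config" "$opt")"
done
```

Edit the drop-in (or delete it) and run the script again to see PasswordAuthentication flip to "no"; the same edit-and-recheck loop with `sshd -T` is what you want on the real server before restarting the service.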

Network and Firewall

The firewall's purpose is to expose only the ports on your VPS that you actually use. Commonly used ports include:

  • 22 for SSH
  • 80 for HTTP
  • 443 for HTTPS

Some VPS providers allow you to manage ports through their dashboard or UI. However, you can also use ufw (Uncomplicated Firewall), which is simple to use and typically installed by default on Ubuntu.

Run the following commands to configure ufw:

# Disable all incoming connections by default
sudo ufw default deny incoming

# Allow all outgoing connections by default
sudo ufw default allow outgoing

# IMPORTANT: Allow incoming connections for SSH before enabling the firewall
sudo ufw allow OpenSSH

# Check the current rules to ensure they are correct
sudo ufw show added

# Enable the firewall
sudo ufw enable

With these settings, all ports will be blocked except port 22 for SSH.

Note: Docker manages its own iptables rules, so a port published with Docker can bypass the rules set by ufw. Instead of publishing ports in a Docker Compose file, consider setting up a reverse proxy to manage access to ports 80 and/or 443.
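A quick way to catch the situation the note describes is to compare what is listening on all interfaces with what ufw allows. The following is an added example of my own (not from the original post, and not a ufw or Docker tool): it parses constructed sample output in the format of `sudo ss -tlnpH` and `sudo ufw status`, and reports sockets bound to 0.0.0.0, [::] or * whose port is absent from ufw's allow list. A docker-proxy listener on 8080 shows up exactly this way. It maps the OpenSSH application profile to 22 and understands single numeric rules such as "80/tcp"; ranges and comma lists are not handled. On a real host, replace the two samples with the live commands.

```shell
#!/usr/bin/env bash
# Added example: cross-check wildcard listeners against ufw's allow list.
# Both samples are constructed; on a real host use:
#   sudo ss -tlnpH      and      sudo ufw status
set -eu

SS_SAMPLE=$(cat <<'EOF'
LISTEN 0      4096         0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=712,fd=3))
LISTEN 0      4096       127.0.0.1:5432      0.0.0.0:*    users:(("postgres",pid=901,fd=6))
LISTEN 0      4096         0.0.0.0:8080      0.0.0.0:*    users:(("docker-proxy",pid=1433,fd=4))
LISTEN 0      4096            [::]:22           [::]:*    users:(("sshd",pid=712,fd=4))
EOF
)

UFW_SAMPLE=$(cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
EOF
)

# Ports ufw allows, one number per line. The OpenSSH profile means 22;
# numeric rules look like "80/tcp" or "80" (single ports only).
ufw_allowed_ports() {
    printf '%s\n' "$1" | awk '
        $2 == "ALLOW" && $1 == "OpenSSH" { print 22 }
        $2 == "ALLOW" && $1 ~ /^[0-9]+(\/tcp)?$/ { sub(/\/tcp/, "", $1); print $1 }
    ' | sort -un
}

# Sockets bound to every interface: "<port> <process>" per line.
wildcard_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "[::]" || host == "*") {
                proc = $6
                sub(/^users:\(\("/, "", proc); sub(/".*$/, "", proc)
                print port, proc
            }
        }
    ' | sort -u
}

# Wildcard listeners whose port ufw does not allow. Either ufw is blocking a
# service that need not listen publicly, or (docker-proxy) the port is reachable
# anyway because Docker inserted its own iptables rules ahead of ufw's.
unlisted_listeners() {
    local allowed port proc
    allowed=$(ufw_allowed_ports "$2")
    wildcard_listeners "$1" | while read -r port proc; do
        if ! printf '%s\n' "$allowed" | grep -qx "$port"; then
            printf '%s %s\n' "$port" "$proc"
        fi
    done
}

echo "Listening on all interfaces but not in ufw's allow list:"
unlisted_listeners "$SS_SAMPLE" "$UFW_SAMPLE"
```

For the sample data the report is "8080 docker-proxy": the container port is published to the world even though ufw never allowed it, which is the case to fix by binding the container to 127.0.0.1 and fronting it with the reverse proxy on 80/443.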

[[vps]] [[ssh]] [[linux]] [[security]]