These are the first steps you should perform on your shiny, brand new VPS to set out on a safe journey on the internets. You don’t actually have to understand each of the steps here, but this post is intended for people who have some clue of what they’re doing. If there is such a thing as a «VPSes for dummies», it should not be read. VPSes are not intended for dummies.

Get a VPS with Ubuntu preinstalled (the provider should ask you for OS during order). If you don’t know whether you should go for 12.04 or 12.10, go for 12.04. It’s an LTS release. If you have no clue on what provider to use, try Digital Ocean. They give lotsa bang per buck.


SSH into your box as root.

Get rid of the annoying Ubuntu locale errors:

$ echo "LC_ALL=\"en_US.UTF-8\"" | cat - /etc/default/locale > /tmp/locale.tmp && mv /tmp/locale.tmp /etc/default/locale && export LC_ALL="en_US.UTF-8"

Now, make sure your system is up to date:

$ apt-get update && apt-get -y dist-upgrade

Install the things you probably want/need:

$ apt-get -y install htop screen vim curl ntp fail2ban ufw

Set your hostname if it’s not correct:

$ export HOSTNAME="example.com" && echo $HOSTNAME > /etc/hostname && hostname $HOSTNAME

Set your timezone if it’s not correct:

$ dpkg-reconfigure tzdata

Secure SSH

You should not allow password logins for your VPS. No excuses. Use key-based authentication.

If you don’t already have an SSH key pair, create one. If you’re on Mac OS X or Linux, follow these steps:

  1. Make sure you are home:

    $ cd ~

  2. Create the key pair. Make sure you protect your secret key with a strong passphrase (yes: phrase, not word):

    $ ssh-keygen -t rsa

  3. Display your public key:

    $ cat ~/.ssh/id_rsa.pub

If you’re on Windows, follow this guide for PuTTY.

Create the .ssh folder if it doesn’t exist:

$ mkdir -p /root/.ssh && chmod 700 /root/.ssh

Copy your public key into the /root/.ssh/authorized_keys file.

Make sure it has the correct permissions:

$ chmod 600 /root/.ssh/authorized_keys

Disallow password logins:

$ sed -i -e 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config && service ssh restart

Test logging into your box before you log out.
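One caveat on the sed above: it only rewrites the exact commented default line `#PasswordAuthentication yes`. If your sshd_config already carries the directive uncommented, indented, or not at all, the sed matches nothing and password logins stay enabled. The two shell functions below are an added example (not part of the original post) that force the value to `no` whatever the starting state; they take the config file path as an argument, so you can try them on a copy before pointing them at /etc/ssh/sshd_config.

```shell
# Added example, not from the original post. Works on any file path you pass in;
# assumed target on a real box is /etc/ssh/sshd_config. Uses GNU sed (Ubuntu).

# Print the value sshd will use for PasswordAuthentication from FILE.
# sshd takes the first non-comment occurrence; if there is none, the
# built-in default is "yes". Match blocks are not parsed here (see note).
password_auth_value() {
    file="$1"
    value=$(grep -Ei '^[[:space:]]*PasswordAuthentication[[:space:]]+' "$file" \
        | head -n 1 | awk '{print tolower($2)}')
    if [ -z "$value" ]; then
        echo yes
    else
        echo "$value"
    fi
}

# Force "PasswordAuthentication no" in FILE regardless of its current state:
# rewrite every commented or uncommented occurrence in place, or append the
# directive if the file has none. Prints the resulting effective value.
disable_password_auth() {
    file="$1"
    if grep -Eiq '^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]+' "$file"; then
        sed -i -E 's/^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]+.*/PasswordAuthentication no/I' "$file"
    else
        printf '\nPasswordAuthentication no\n' >> "$file"
    fi
    password_auth_value "$file"
}
```

After `disable_password_auth /etc/ssh/sshd_config` restart sshd as in the post; on the live host `sshd -T | grep -i passwordauthentication` shows the value sshd actually applies, including any Match blocks these functions do not parse.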

Automate security upgrades

Some people cringe when I tell them to do automated upgrades, but the risk of something going wrong during the upgrade is less than the risk of having a vulnerable system live on the Internet.

$ apt-get -y install unattended-upgrades
$ echo "APT::Periodic::Update-Package-Lists \"1\";
APT::Periodic::Unattended-Upgrade \"1\";
" > /etc/apt/apt.conf.d/20auto-upgrades
$ echo "Unattended-Upgrade::Allowed-Origins {
        \"\${distro_id}:\${distro_codename}-security\";
};

Unattended-Upgrade::Mail \"you@example.com\";
Unattended-Upgrade::MailOnlyOnError \"true\";
Unattended-Upgrade::Remove-Unused-Dependencies \"true\";
Unattended-Upgrade::Automatic-Reboot \"false\";
" > /etc/apt/apt.conf.d/50unattended-upgrades

Set up the firewall

UFW (Uncomplicated FireWall) is a very friendly iptables configuration tool for Ubuntu.

Enable SSH logins:

$ ufw allow ssh

If you plan on running a web server, open the ports for HTTP and HTTPS as well:

$ ufw allow http
$ ufw allow https

Enable the firewall:

$ ufw enable

Again: check that you can log in to your server before you close the current session.

For more info, check the Ubuntu Community Help Wiki page on UFW.

Ready

Now, go do some cool stuff!

– Why don’t you …

… disallow root logins?

– IMHO it’s not worth the hassle of going through a regular user and sudo as long as I’m using key based authentication. You can do it if you want to.