Since buying the first server last year, I have bought several servers up to now. Because they are exposed to the internet, some necessary configurations in terms of firewall, ssh, etc., are required for security issues. This article records how I setup a server from scratch. I generally use Debian/Ubuntu, and Debian is used as an example server in this article. Some commands may differ for other distributions, but the overall process is similar.

Register a new user

It is strongly recommended to operate Linux as a regular user, because you can do anything (e.g., mistaken operations) in root.

First of all, login VPS as root by ssh and create a user.

# add a group
addgroup admin
# add a user and create its dir.
# change [username] here to your username
useradd -d /home/usrname -s /bin/bash -m usrname
# make a password for this user
passwd usrname
# add this user to the admin group
usermod -a -G admin usrname

Then, grant individual (or group) permissions to new user.

# install sudo
apt install sudo
# edit

Find root ALL=(ALL:ALL) ALL and add content as follows.

root    ALL=(ALL:ALL) ALL
# under there
usrname ALL=(ALL:ALL) ALL

If you want to use sudo without password, edit /etc/sudoers as follows.

%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# under there

Now, you can login with this new user to see if it works.

SSH configuration

Password-less login for ssh.

ssh-copy-id -i ~/.ssh/ [email protected]

In particular, if this VPS was logged before and its system is reinstalled, the previous records need to be removed first, as follows.

ssh-keygen -R 123.456.789
# or, with a specific port 22222
ssh-keygen -R "[123.456.789]:22222"

Then, make some ssh setting.

# login
ssh [email protected]
# backup
sudo cp /etc/ssh/sshd_config ~
# edit sshd_config
sudo vim /etc/ssh/sshd_config

It is recommended to modify the following parameters. Delete the # in front of the parameter to uncomment a line. A description of these parameters and the reasons for setting them can be found in the Appendix section at the end of this article.

Port 12345
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
PubkeyAuthentication yes
UseDNS no
SyslogFacility AUTHPRIV
Protocol 2

Note that PasswordAuthentication no means the server does not support password authentication and you have to connect it by password-less login. Make sure that you have uploaded your public key to this server before setting this parameter as no.

Then, change the permissions and restart ssh.

sudo chmod 600 ~/.ssh/authorized_keys && chmod 700 ~/.ssh/
sudo service ssh restart

Set locale

Add following content to ~/.profile.

export LANGUAGE=en_US.UTF-8
export LC_ALL=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_CTYPE=en_US.UTF-8


source ~/.profile
sudo locale-gen en_US en_US.UTF-8 en_CA.UTF-8
sudo dpkg-reconfigure locales

Update and Reboot

Update and reboot the server after configuration.

# update
sudo apt update
sudo apt upgrade -y
# reboot
sudo reboot

Firewall configuration (UFW)

I generally use ufw to manage the server's firewall.

Install ufw if command not found.

sudo apt install ufw

Enable ufw.

sudo ufw enable

Open ports.

sudo ufw allow 80
sudo ufw allow 443
sudo ufw allow [SSH_PORT]

Set firewall to deny access by default. Make sure that the ssh port you set before has been opened.

sudo ufw default deny

Disable a port.

sudo ufw delete allow 80

List the opened ports.

sudo ufw status

Some apps (self-use)

sudo apt install net-tools build-essential vim neofetch lolcat curl git vnstat nload zip unzip

Appendix: Description of SSH Parameter Settings

This section provides a brief description of the SSH parameter settings mentioned in the article.

Name and valueDescription
Port 12345Changes the listening port for the SSH service to 12345 instead of the default port 22, increasing security against automated attacks.
PermitRootLogin noDisallows SSH login as the root user, improving security by preventing potential attackers from gaining full system access after cracking the password.
PermitEmptyPasswords noProhibits SSH login with empty passwords, enhancing security by preventing abuse of accounts without a configured password.
PasswordAuthentication no (Optional)Disables SSH login using passwords, requiring users to authenticate with a public/private key pair, which is more secure due to the increased difficulty in cracking key pairs.
PubkeyAuthentication yesAllows SSH login using public/private key pairs, offering a more secure authentication method that doesn't rely on easily crackable passwords.
UseDNS noDisables reverse DNS lookup for client IP addresses in the SSH service, reducing connection latency and avoiding connection issues due to failed DNS queries.
SyslogFacility AUTHPRIVDirects SSH service logs to the AUTHPRIV syslog facility, which typically handles security-related information that requires privacy protection, ensuring log files are accessible only to specific users like system administrators.
Protocol 2Specifies the exclusive use of SSH protocol version 2, which is more secure than the vulnerable version 1, ensuring a safer connection.
PubkeyAcceptedKeyTypes=+ssh-rsaDefines the allowed public key types, with +ssh-rsa indicating the acceptance of RSA type public keys in addition to default key types, ensuring compatibility with a wider range of clients by supporting the widely used RSA asymmetric encryption algorithm.