Since buying the first server last year, I have bought several servers up to now. Because they are exposed to the internet, some necessary configurations in terms of firewall, ssh, etc., are required for security issues. This article records how I setup a server from scratch. I generally use Debian/Ubuntu, and Debian is used as an example server in this article. Some commands may differ for other distributions, but the overall process is similar.
It is strongly recommended to operate Linux as a regular user, because you can do anything (e.g., mistaken operations) in root.
First of all, login VPS as root by
ssh and create a user.
# add a group addgroup admin # add a user and create its dir. # change [username] here to your username useradd -d /home/usrname -s /bin/bash -m usrname # make a password for this user passwd usrname # add this user to the admin group usermod -a -G admin usrname
Then, grant individual (or group) permissions to new user.
# install sudo apt install sudo # edit visudo
root ALL=(ALL:ALL) ALL and add content as follows.
root ALL=(ALL:ALL) ALL # under there usrname ALL=(ALL:ALL) ALL
If you want to use sudo without password, edit
/etc/sudoers as follows.
%admin ALL=(ALL) ALL %sudo ALL=(ALL:ALL) ALL # under there usrname ALL=(ALL) NOPASSWD:ALL
Now, you can login with this new user to see if it works.
Password-less login for
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
In particular, if this VPS was logged before and its system is reinstalled, the previous records need to be removed first, as follows.
ssh-keygen -R 123.456.789 # or, with a specific port 22222 ssh-keygen -R "[123.456.789]:22222"
Then, make some ssh setting.
# login ssh [email protected] # backup sudo cp /etc/ssh/sshd_config ~ # edit sshd_config sudo vim /etc/ssh/sshd_config
It is recommended to modify the following parameters. Delete the # in front of the parameter to uncomment a line. A description of these parameters and the reasons for setting them can be found in the Appendix section at the end of this article.
Port 12345 PermitRootLogin no PermitEmptyPasswords no PasswordAuthentication no PubkeyAuthentication yes UseDNS no SyslogFacility AUTHPRIV Protocol 2 PubkeyAcceptedKeyTypes=+ssh-rsa
PasswordAuthentication no means the server does not support password authentication and you have to connect it by password-less login. Make sure that you have uploaded your public key to this server before setting this parameter as no.
Then, change the permissions and restart ssh.
sudo chmod 600 ~/.ssh/authorized_keys && chmod 700 ~/.ssh/ sudo service ssh restart
Add following content to
export LANGUAGE=en_US.UTF-8 export LC_ALL=en_US.UTF-8 export LANG=en_US.UTF-8 export LC_CTYPE=en_US.UTF-8
source ~/.profile sudo locale-gen en_US en_US.UTF-8 en_CA.UTF-8 sudo dpkg-reconfigure locales
Update and reboot the server after configuration.
# update sudo apt update sudo apt upgrade -y # reboot sudo reboot
I generally use
ufw to manage the server's firewall.
ufw if command not found.
sudo apt install ufw
sudo ufw enable
sudo ufw allow 80 sudo ufw allow 443 sudo ufw allow [SSH_PORT]
Set firewall to deny access by default. Make sure that the ssh port you set before has been opened.
sudo ufw default deny
Disable a port.
sudo ufw delete allow 80
List the opened ports.
sudo ufw status
sudo apt install build-essential vim neofetch lolcat curl git vnstat nload zip unzip
This section provides a brief description of the SSH parameter settings mentioned in the article.
|Name and value||Description|
|Port 12345||Changes the listening port for the SSH service to 12345 instead of the default port 22, increasing security against automated attacks.|
|PermitRootLogin no||Disallows SSH login as the root user, improving security by preventing potential attackers from gaining full system access after cracking the password.|
|PermitEmptyPasswords no||Prohibits SSH login with empty passwords, enhancing security by preventing abuse of accounts without a configured password.|
|PasswordAuthentication no (Optional)||Disables SSH login using passwords, requiring users to authenticate with a public/private key pair, which is more secure due to the increased difficulty in cracking key pairs.|
|PubkeyAuthentication yes||Allows SSH login using public/private key pairs, offering a more secure authentication method that doesn't rely on easily crackable passwords.|
|UseDNS no||Disables reverse DNS lookup for client IP addresses in the SSH service, reducing connection latency and avoiding connection issues due to failed DNS queries.|
|SyslogFacility AUTHPRIV||Directs SSH service logs to the AUTHPRIV syslog facility, which typically handles security-related information that requires privacy protection, ensuring log files are accessible only to specific users like system administrators.|
|Protocol 2||Specifies the exclusive use of SSH protocol version 2, which is more secure than the vulnerable version 1, ensuring a safer connection.|
|PubkeyAcceptedKeyTypes=+ssh-rsa||Defines the allowed public key types, with |