Your First Steps with Your Brand New VPS Server

This tutorial is a brief description of the standard procedure that I follow each time I have to set up a new Ubuntu VPS server.

Change root password

This is a no-brainer. Change the root password from the default supplied by your hosting company:

passwd
Enter new UNIX password:
Retype new UNIX password:

Secure SSH login

One thing every server admin finds out sooner or later is that their server gets hundreds of failed login/break-in attempts each day. Just have a look at /var/log/auth.log and you’ll see what I’m talking about. Unfortunately, this is quite normal in today’s internet.

Most of those attacks originate from botnets, trying to SSH on every single IP address that belongs to your hosting company, using dictionary attacks on well-known accounts (e.g. root). The simplest action you can take for peace of mind is to disable SSH login as root, and assign that role to another user with a non-trivial username.

  1. Create a new user:
    adduser YOUR_USER
    
  2. Edit your SSH configuration:
    nano /etc/ssh/sshd_config
    
    PermitRootLogin no
    AllowUsers YOUR_USER
    MaxStartups 3:50:10
    LoginGraceTime 30
    MaxAuthTries 3
    
  3. Restart SSH:
    service ssh restart
    

Before closing your SSH session, open another terminal window, and try to log in as the new user you have just created. If everything works as expected, you can exit the previous SSH session.

Login using Public Key Authentication

Ideally you should disable password logins altogether and log in exclusively using Public Key Authentication.

  1. On your local machine generate a set of RSA keys to use for authentication:
    ssh-keygen
    
  2. Then, copy your public key to the VPS server:
    ssh-copy-id YOUR_USER@YOUR_SERVER
    
  3. On your VPS server, edit the SSH daemon configuration to enable Public Key Authentication:
    nano /etc/ssh/sshd_config
    
    PubkeyAuthentication yes
    UsePAM no
    ChallengeResponseAuthentication no
    
  4. Restart SSH.
    service ssh restart
    
  5. Now test that you can log in from your local machine to your server without a password.
    ssh YOUR_USER@YOUR_SERVER
    
  6. If the above step works, you can disable password logins:
    nano /etc/ssh/sshd_config
    
    PasswordAuthentication no
    
  7. And one final restart.
    service ssh restart
    
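
Taken together, the sshd_config changes from the two SSH sections above end up in the state below. This script is an added example, not part of the original post: it applies those settings idempotently to a file and, when run as root with the user name as its argument, backs up the live file and checks it with sshd -t before restarting. SSHD_CONFIG, set_sshd_option, get_sshd_option and harden_sshd are names assumed here.

```shell
#!/bin/sh
# Apply the sshd_config settings from this guide idempotently and validate the
# result with `sshd -t` before restarting, so a typo cannot lock you out.
# Added example, not from the original post; SSHD_CONFIG is overridable so the
# functions can be tried on a scratch copy first.
set -eu

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# set_sshd_option FILE KEY VALUE: drop every active line for KEY (commented
# defaults stay for reference) and append exactly one "KEY VALUE" line.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    # grep -v exits 1 when no line survives, which is fine here
    grep -iv "^[[:space:]]*$key[[:space:]]" "$file" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# get_sshd_option FILE KEY: print the active value for KEY (empty if unset).
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 } END { print v }' "$1"
}

# harden_sshd FILE USER: every sshd_config setting from the guide, with USER as
# the only account allowed over SSH. UsePAM is left at its default here: with
# password and challenge-response authentication off, PAM prompts for no password.
harden_sshd() {
    file=$1; user=$2
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" AllowUsers "$user"
    set_sshd_option "$file" MaxStartups 3:50:10
    set_sshd_option "$file" LoginGraceTime 30
    set_sshd_option "$file" MaxAuthTries 3
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" ChallengeResponseAuthentication no
    set_sshd_option "$file" PasswordAuthentication no
}

# Only touch the live config when run as root with the user name as argument.
if [ "$(id -u)" -eq 0 ] && [ $# -eq 1 ]; then
    cp "$SSHD_CONFIG" "$SSHD_CONFIG.bak"
    harden_sshd "$SSHD_CONFIG" "$1"
    # sshd -t exits non-zero on any config error: check BEFORE restarting,
    # while your current session is still open.
    if sshd -t -f "$SSHD_CONFIG"; then service ssh restart
    else echo "invalid sshd_config, not restarting; backup in $SSHD_CONFIG.bak" >&2; fi
fi
```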

Setup Fail2Ban

Fail2Ban is an intrusion prevention software framework, which scans your log files and bans IPs that try to brute-force their way into your server.

apt install fail2ban

Copy the default configuration file.

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

We have to modify it:

nano /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime  = 3h
findtime = 1h
maxretry = 3
destemail = YOUR_EMAIL
mta = mail
action = %(action_)s

[sshd]
enabled = true

Make sure to replace YOUR_EMAIL with your actual email address. If you want to receive an email each time an IP is banned, replace %(action_)s with %(action_mw)s.

You might also want to customize some of the parameters. maxretry is the number of failed attempts after which the ban action on that IP will trigger. findtime is the period during which maxretry applies. bantime is the duration of the ban.

Restart service for the changes to take effect:

service fail2ban restart
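
To make the findtime/maxretry semantics concrete, here is an added example (not from the original post, and not Fail2Ban's own code) that applies the jail's rules to a few constructed auth.log lines: an IP is listed once it has maxretry failures inside a sliding findtime window, unless it is in ignoreip. The names find_banned and sample_bans and the log lines are constructed for the example.

```shell
#!/bin/sh
# The decision behind the [sshd] jail: count "Failed password" lines per source
# address and report those with >= MAXRETRY failures inside any FINDTIME-second
# window, skipping IGNOREIP entries. Added example, not from the original post
# nor Fail2Ban's own code; log lines are constructed (documentation addresses).
set -eu

# find_banned FINDTIME MAXRETRY "IGNOREIP..." < auth.log: print each banned IP once.
# Timestamps become seconds of the day, so all sample lines must be from one day.
find_banned() {
    awk -v findtime="$1" -v maxretry="$2" -v ignore="$3" '
    BEGIN { n = split(ignore, ig, " "); for (i = 1; i <= n; i++) skip[ig[i]] = 1 }
    /sshd\[[0-9]+\]: Failed password for/ {
        split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]    # $3 is HH:MM:SS
        ip = ""; for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "" || ip in skip || ip in banned) next
        # keep only the earlier failures that still fall inside the window
        kept = ""; cnt = 0; m = split(seen[ip], old, " ")
        for (i = 1; i <= m; i++)
            if (old[i] != "" && now - old[i] < findtime) { kept = kept " " old[i]; cnt++ }
        seen[ip] = kept " " now; cnt++
        if (cnt >= maxretry) { banned[ip] = 1; print ip }
    }'
}

# Constructed sample: 203.0.113.7 fails three times in eight seconds; 198.51.100.4
# fails three times but its first failure is over an hour earlier; 127.0.0.1 is in ignoreip.
SAMPLE_LOG='Mar  1 10:00:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  1 10:00:05 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  1 10:00:09 vps sshd[1205]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  1 10:00:20 vps sshd[1207]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar  1 10:00:40 vps sshd[1208]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
Mar  1 10:01:00 vps sshd[1209]: Failed password for root from 127.0.0.1 port 33000 ssh2
Mar  1 10:01:01 vps sshd[1210]: Failed password for root from 127.0.0.1 port 33001 ssh2
Mar  1 10:01:02 vps sshd[1211]: Failed password for root from 127.0.0.1 port 33002 ssh2
Mar  1 11:30:00 vps sshd[1300]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Mar  1 11:30:05 vps sshd[1301]: Failed password for alice from 198.51.100.4 port 40011 ssh2'

# Same findtime (1h), maxretry (3) and ignoreip as jail.local above.
sample_bans() { printf '%s\n' "$SAMPLE_LOG" | find_banned 3600 3 "127.0.0.1 ::1"; }

sample_bans
```

Only 203.0.113.7 is reported: the second address never accumulates three failures within one hour, and the loopback failures are ignored.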

Setup UFW

UFW is the default firewall configuration tool for Ubuntu. However, it is disabled by default, so let’s enable it:

ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw enable
ufw status

Pay special attention to the ufw allow ssh line. Without it, UFW would block port 22, preventing you from SSHing to your server. Obviously, you don’t want that to happen.

If you want to open more ports in the future, e.g. 80 (http), you can easily do that with ufw allow http.

Enable Unattended Upgrades

In recent Ubuntu versions, unattended-upgrades is enabled by default, which means your system will always download and install the latest security patches automatically. One thing that new users complain about is that when a new kernel is installed, Ubuntu does not remove the old ones. However, there are good reasons why Ubuntu works like that. Of course, not everyone has the same needs, so if you want to save some space by removing old kernels, edit the unattended-upgrades configuration and make sure the following line exists and is not commented out:

nano /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Remove-Unused-Dependencies "true";

Update hostname and hosts

This step only applies if you want to change the hostname of your VPS server from the default supplied by your hosting provider.

Assuming that your server’s FQDN is HOSTNAME.DOMAIN.TLD and the IP address X.X.X.X:

  1. Edit /etc/hostname:
    nano /etc/hostname
    
    HOSTNAME
    
  2. Edit /etc/hosts (the primitive predecessor of DNS, with an interesting story):
    nano /etc/hosts
    
    X.X.X.X HOSTNAME.DOMAIN.TLD HOSTNAME
    

Install GNU Screen

Each time your SSH connection gets terminated (e.g. timeout, error), all running processes will typically terminate as well. This can leave your server in an undefined state, depending on what you were doing before disconnecting. That’s why, when opening an SSH connection to a remote server, it’s always good practice to work in a Screen session. Screen provides a virtual terminal that continues to run even if your SSH connection gets terminated.

  1. Install Screen.
    apt install screen
    
  2. Disable the annoying startup message.
    nano /etc/screenrc
    
    startup_message off
    

You can start a new screen session with screen, and exit the session with exit. If your SSH connection gets terminated unexpectedly, you can continue what you were doing by simply running screen -dr the next time you log in.