
First Things To Do After Setting Up a VPS

The first thing I do after setting up a VPS is harden it. On the public cloud you never know what will happen to your website, so it is better to prevent problems before it is too late. This is what I usually do when setting up a new VPS for the first time.

My VPS rigs:

  1. VPS at UpCloud
  2. Ubuntu 16.04 LTS
  3. Running Nginx and Ghost blog

First things to do after setting up a VPS:

  1. Harden your VPS
  • Change root password
    Do not leave anything at its default. Change your root password with this command after logging in to your SSH console.
$ passwd
  • Add new user
    Do all configuration with a new user account instead of root. It is bad practice to always configure or make changes using your root login.
    I create a new user named newuser, add it to the sudo group and verify its group membership:
$ adduser newuser
$ usermod -aG sudo newuser
$ groups newuser

Now our newuser is in the sudo group, so you can configure and make changes to your server using this account.

  • Install fail2ban
    I have enough experience with leaving servers connected to the Internet to know that any IP address on the Internet will be found and scanned by hackers. They will often try a brute-force SSH attack to guess the server's password. Fail2ban blocks these attacks by banning an IP address after repeated failed logins. Install it, copy the default jail configuration to jail.local (local overrides survive package upgrades, jail.conf does not) and restart the service:
$ sudo apt-get install fail2ban
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$ sudo service fail2ban restart
  • Change default ssh port
    Edit /etc/ssh/sshd_config and set the Port directive (the directive takes no colon), then restart SSH. If you use a non-standard port, also set port = 12345 under [sshd] in jail.local, because the default jail only bans on the standard ssh port.
$ sudo vi /etc/ssh/sshd_config
Port 12345
$ sudo service ssh restart
[ ok ] Restarting OpenBSD Secure Shell server: sshd.
  • Disable Root SSH access

While we are on the subject of editing /etc/ssh/sshd_config, this is also where you disable root SSH access. Find the line PermitRootLogin yes and change it to PermitRootLogin no, save the file and restart SSH. Confirm beforehand that you can log in as your new sudo user over SSH, otherwise you lock yourself out of the server.

  • Install and Setup UFW

UFW is an easy-to-use Linux firewall. It will block unused ports on your server. First, install it:

$ sudo apt-get install ufw

We can set up our firewall rules before actually activating the firewall. I always deny all ports by default and then add the ports I need later.

$ sudo ufw default deny incoming
$ sudo ufw default deny outgoing

To list the application profiles that ufw recognizes:

$ sudo ufw app list
Available applications:
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
  OpenSSH

This allows port 12345, the port we changed SSH to, so we can still log in:

$ sudo ufw allow 12345/tcp

Always allow your SSH port first; it is not much fun if we cannot get into our VPS after enabling ufw.

I also want to allow port 80 for HTTP access to my website later.

$ sudo ufw allow 80/tcp

And I want to allow some outgoing ports, the ones the server needs for things like DNS and git. If you do not allow certain outgoing ports then, for example, apt-get updates or installs will not work.

$ sudo ufw allow out 53,80,443/tcp
$ sudo ufw allow out 53,80,443/udp

Once you have allowed every port you will need later, enable UFW:

$ sudo ufw enable

You can check your UFW rules by typing sudo ufw status verbose. My output looks like this:

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp (Nginx HTTP)        ALLOW IN    Anywhere
2288/tcp                   ALLOW IN    Anywhere
80,443/tcp (Nginx Full)    ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
80/tcp (Nginx HTTP (v6))   ALLOW IN    Anywhere (v6)
2288/tcp (v6)              ALLOW IN    Anywhere (v6)
80,443/tcp (Nginx Full (v6)) ALLOW IN    Anywhere (v6)
80 (v6)                    ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)

53,80,443/tcp              ALLOW OUT   Anywhere
53,80,443/udp              ALLOW OUT   Anywhere
53,80,443/tcp (v6)         ALLOW OUT   Anywhere (v6)
53,80,443/udp (v6)         ALLOW OUT   Anywhere (v6)

Things seem to be working fine so far, but remember: if you ever come across a weird issue where some program is not working or has trouble connecting to the Internet, it might be a port that needs to be allowed in your firewall.
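As an added example (not code from the original post), the lock-out check from the UFW steps above turned into a script: it reads the Port directive from sshd_config text and refuses to proceed unless `ufw status verbose` output already shows an ALLOW IN rule for that port. The sample sshd_config and status listings are constructed; on a live host you would feed it the real files as shown in the comment.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: pre-flight check to run before
# `sudo ufw enable`, so that enabling the firewall cannot lock you out of SSH.

# Print the effective SSH port from sshd_config text on stdin (default 22).
# sshd uses the first Port value it sees, hence head -n 1; commented lines are ignored.
ssh_port_from_config() {
    port=$(grep -iE '^[[:space:]]*Port[[:space:]]+[0-9]+' | awk '{print $2}' | head -n 1)
    echo "${port:-22}"
}

# Exit 0 if the ufw status text on stdin has an ALLOW IN rule covering port $1.
# Matches "12345/tcp", bare "12345" and comma lists such as "80,443/tcp".
ufw_allows_in() {
    grep -E "^([0-9]+,)*$1(,[0-9]+)*(/tcp)?([[:space:]]|\()" | grep -q 'ALLOW IN'
}

# preflight SSHD_CONFIG_TEXT UFW_STATUS_TEXT -> 0 if safe to enable, 1 otherwise.
preflight() {
    port=$(printf '%s\n' "$1" | ssh_port_from_config)
    if printf '%s\n' "$2" | ufw_allows_in "$port"; then
        echo "ok: SSH port $port has an ALLOW IN rule, safe to run 'ufw enable'"
        return 0
    fi
    echo "refusing: no ALLOW IN rule for SSH port $port, add it before enabling ufw" >&2
    return 1
}

# Constructed sample inputs (not real server output).
SAMPLE_SSHD='# Port 22
Port 12345
PermitRootLogin no'
SAMPLE_UFW_OK='Status: inactive
To                         Action      From
--                         ------      ----
12345/tcp                  ALLOW IN    Anywhere
80,443/tcp (Nginx Full)    ALLOW IN    Anywhere'
SAMPLE_UFW_BAD='Status: inactive
To                         Action      From
--                         ------      ----
2288/tcp                   ALLOW IN    Anywhere
80/tcp (Nginx HTTP)        ALLOW IN    Anywhere'

# On a live host: preflight "$(cat /etc/ssh/sshd_config)" "$(sudo ufw status verbose)"
preflight "$SAMPLE_SSHD" "$SAMPLE_UFW_OK"
preflight "$SAMPLE_SSHD" "$SAMPLE_UFW_BAD" || true
```

The second call shows the failure mode: a rule for a different port (2288) does not satisfy the check when sshd is configured for 12345.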

  2. Automatic security updates
    This package automatically checks for and installs security patches on your server:
$ sudo apt-get install unattended-upgrades apt-listchanges

To activate the updates I simply type the following and follow the prompts to complete the configuration.

$ sudo dpkg-reconfigure -plow unattended-upgrades

That's it. If you have any questions, do not hesitate to ask me.