Base server configuration

@server @linux @mtnpak @ssh @host @remote

This guide lays out the basic setup for an Ubuntu VPS. It can be used on any server running Ubuntu 18.04 or 20.04; other versions may work but have not been tested.

This configuration is appropriate for:

  • Hosting a Django site with Dokku (remember that this configuration changes the default SSH port). An example here.

NOTE: local machine command prompt is > and remote machine prompt is $

Changing root password and setting up user account

  1. Spin up server on Vultr or any other VPS platform
  2. Log in to the server as root: > ssh root@<serverip>
  3. Change the root password: $ sudo passwd root
  4. Add a user: $ sudo adduser faaiz
  5. Add the new user to sudo: $ sudo adduser faaiz sudo
  6. Now log out, and log back in under the new user: > ssh faaiz@<serverip>

Set up key based authentication

  1. You should already have a public SSH key on your local machine. If not, set this up.
  2. On local machine open the public key in gedit and copy the key to clipboard: > gedit ~/.ssh/id_rsa.pub
  3. Then on remote machine, paste this into: ~/.ssh/authorized_keys
  4. Now give permissions:

$ chown -R faaiz:faaiz /home/faaiz/.ssh
$ chmod 600 /home/faaiz/.ssh/authorized_keys

  5. Now log out and log back in; you should be able to log in as faaiz without a password.

Secure your SSH - change port, remove password auth

  1. On remote machine, do: $ sudo nano /etc/ssh/sshd_config
  2. Make the following edits (Add new line, or if line exists, uncomment and change)

# Keep comments on their own lines: not every OpenSSH release accepts text after a value
# Change the default port from 22
Port 333
# Don't allow root to SSH in directly
PermitRootLogin no
# Disable password authentication; only keys can log in
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
# This server is headless, so there is no need for X11
X11Forwarding no
# Only allow the 'faaiz' user to log in
AllowUsers faaiz

  3. Now restart the SSH service by doing: $ sudo systemctl restart sshd.service
  4. You can now log in with your new port by doing: > ssh faaiz@<serverip> -p 333
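
A check worth running on the edited file before restarting the SSH service, given here as an added example that is not part of the original guide. The function name audit_sshd_config is hypothetical; it compares a file against this guide's values and accounts for sshd keeping the first value it reads for most keywords, which matters when a new line is added while an older uncommented one remains.

```shell
#!/usr/bin/env bash
# Added example: audit an sshd_config file against the values used in this guide.
# Usage: audit_sshd_config /etc/ssh/sshd_config
# Prints one line per finding; returns 0 only when every setting is effective.
audit_sshd_config() {
    awk '
    BEGIN {
        # Expected values, taken from the guide (keywords are case-insensitive).
        want["port"] = "333"
        want["permitrootlogin"] = "no"
        want["passwordauthentication"] = "no"
        want["challengeresponseauthentication"] = "no"
        want["x11forwarding"] = "no"
        want["allowusers"] = "faaiz"
        # Port and AllowUsers may repeat and every value counts; for the other
        # keywords sshd keeps the first value it reads and ignores later ones.
        multi["port"] = 1; multi["allowusers"] = 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # comment-only and blank lines
    tolower($1) == "match" { exit }         # audit the global section only
    {
        key = tolower($1)
        if (!(key in want)) next
        val = $0
        sub(/^[ \t]*[^ \t]+[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        if (val ~ /#/) {
            # Not every OpenSSH release accepts text after the value.
            printf "FAIL line %d: trailing comment after %s\n", NR, $1; bad = 1
            sub(/[ \t]*#.*/, "", val)
        }
        if ((key in seen) && !(key in multi)) {
            printf "WARN line %d: %s repeated, sshd keeps the first value\n", NR, $1
            next
        }
        seen[key] = 1
        if (tolower(val) != want[key]) {
            printf "FAIL line %d: %s is \"%s\", expected \"%s\"\n", NR, $1, val, want[key]
            bad = 1
        }
    }
    END {
        for (k in want) if (!(k in seen)) { printf "FAIL: %s is not set\n", k; bad = 1 }
        exit bad
    }' "$1"
}
```

On the server, `sudo sshd -t` additionally validates the file's syntax; keep your current session open until a login on the new port succeeds.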

Set up firewall

  1. First install ufw by $ sudo apt install ufw
  2. Then do $ sudo nano /etc/default/ufw and make sure that this line is there: IPV6=yes
  3. Then reset to defaults just in case:

$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing

  4. Now you need to allow SSH using the port you specified above: $ sudo ufw allow 333
  5. Enable the firewall: $ sudo ufw enable
  6. Allow HTTP and HTTPS:

$ sudo ufw allow http
$ sudo ufw allow https

  7. Your firewall is now set up.

Set up SSH host on local (client) machine

Now you need an easier way to SSH than typing the whole command. Instead of an alias, do this:

  1. Create the config file: > touch ~/.ssh/config
  2. Assign permissions to the config file: > chmod 600 ~/.ssh/config
  3. Add the following to the config file:

# "fa1" is the short name that you will use
Host fa1
	# e.g. HostName 192.42.167.89
	HostName <remote_ip>
	# e.g. User faaiz
	User <user>
	# This is the port for SSH you set above
	Port <ssh_port>

# Now you can ssh by doing: > ssh fa1
# Equivalent command is: > ssh <user>@<remote_ip> -p <ssh_port>

Add swapfile (if VPS doesn't have enough RAM)

A swapfile is useful on a cheap VPS that does not have enough RAM.

  1. Allocate a new 2GB file: $ sudo fallocate -l 2G /swapfile
  2. Modify permissions: $ sudo chmod 600 /swapfile
  3. Make it swap: $ sudo mkswap /swapfile
  4. Now turn on swap: $ sudo swapon /swapfile
  5. Finally, edit your fstab by: $ sudo nano /etc/fstab and add the following line:

/swapfile none swap sw 0 0