Securing a New VPS: The Initial Steps After Purchase and the Best Practices

Wednesday, 09 Aug 2023

After acquiring a VPS from any provider, we typically gain shell access to the root user. At this point, our first steps should include installing essential libraries and implementing basic security measures before proceeding with any deployment tasks. These tasks are also relevant for other servers with freshly installed operating systems. I executed these commands on an Ubuntu 22.04 machine. However, there isn't a significant difference in the commands if the distribution varies. In most cases, merely switching the package manager will be sufficient. For instance, in the case of CentOS, you would use dnf/yum instead of apt.

Update and Upgrade Packages

SSH into the server and update the package lists and upgrade the installed packages to their latest versions.

sudo apt update
sudo apt upgrade

Install Essential Packages

These packages are often necessary for server management and administration.

sudo apt install curl wget vim net-tools git

Configure Timezone

Set the correct timezone for the server. Using UTC as the system's timezone is a common practice for servers because it provides consistency and avoids potential issues with time discrepancies when dealing with multiple systems in different time zones.

sudo timedatectl set-timezone UTC

Secure SSH login

To enhance security, it is good to apply the following changes.

  • Disallow root login.
  • Configure public key authentication and disallow password-based login.

We need to create a user first.

sudo adduser <username>

After confirming the information, a new user account will be created on the Ubuntu system. The user will have its home directory located at /home/<username>, and the user can log in using the password we set during the creation process. Optionally, we can add the user to the sudo group.

usermod -aG sudo <username>

Use another terminal and check the login of the new user. If the user can log in successfully, we will proceed to disable root login and configure public key authentication.

sudo vim /etc/ssh/sshd_config

Find and set PermitRootLogin to no and set PasswordAuthentication to no. Save the file and exit the editor. Do not log out from the ssh session yet.

Open another terminal from the local machine and execute this command. This command will copy our public key to the authorized_keys file of the server. It will create directories if not already there. Use the new <username> we just created in the place of USER.

cat ~/.ssh/id_rsa.pub | ssh USER@HOST "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

There is a chance that a newly created authorized_keys file or .ssh folder will not have the correct file permissions. For this we need to issue the following command from the logged-in terminal of the server.

chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys

Now restart the ssh service.

sudo systemctl restart sshd
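
An added check for the SSH steps above (not part of the original post): `sshd -T` prints the effective configuration, which matters because Ubuntu 22.04's sshd_config includes /etc/ssh/sshd_config.d/*.conf and sshd keeps the first value it reads for each keyword, so a drop-in file can override the edit made in the main file. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two sshd settings
# and the key-file permissions this guide configures.
# On the server:  sudo sshd -T | audit_sshd ; audit_key_perms ~/.ssh

# Reads `sshd -T` output (lowercase "keyword value" lines) on stdin.
# Prints one line per setting; returns 1 if a setting is weak or missing.
audit_sshd() {
  awk '
    BEGIN { want["permitrootlogin"] = "no"; want["passwordauthentication"] = "no" }
    ($1 in want) {
      seen[$1] = 1
      if ($2 == want[$1]) { printf "OK   %s %s\n", $1, $2 }
      else { printf "FAIL %s is %s, expected %s\n", $1, $2, want[$1]; bad = 1 }
    }
    END {
      for (k in want) if (!(k in seen)) { printf "FAIL %s not reported\n", k; bad = 1 }
      exit bad + 0
    }'
}

# Checks that DIR is mode 700 and DIR/authorized_keys is mode 600 (GNU stat).
audit_key_perms() {
  akp_rc=0
  [ "$(stat -c %a "$1" 2>/dev/null)" = 700 ] ||
    { echo "FAIL $1 should be 700"; akp_rc=1; }
  [ "$(stat -c %a "$1/authorized_keys" 2>/dev/null)" = 600 ] ||
    { echo "FAIL $1/authorized_keys should be 600"; akp_rc=1; }
  return "$akp_rc"
}

# Constructed sample: effective settings when a drop-in still enables passwords.
SAMPLE_EFFECTIVE='port 22
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes'

printf '%s\n' "$SAMPLE_EFFECTIVE" | audit_sshd || echo "sample config needs fixing"
```

Run the audit before closing the existing root session, so a failed check can still be corrected.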

Firewall Configuration

By default, Ubuntu Server comes with the ufw (Uncomplicated Firewall) tool. If not installed, it can be installed with this command.

sudo apt install ufw

Allow the necessary connections and ports before enabling the firewall, so that SSH access is not blocked when the firewall comes up. We will allow ssh connections, http and https connections.

sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
sudo ufw reload

We can verify the ufw rules by the following command.

sudo ufw status

Our basic setup is finished. We can further secure our server by installing fail2ban and enabling automatic updates.