By Ramesh Vishveshwar
November 16, 2018

The First Hour with Your VPS


I don’t have hundreds of VPSes, but I have installed & re-installed enough boxes to reach a point of almost mechanical steps once the OS installation is complete. This article is an informational guide to a series of steps that I do in the first hour with my VPS. There will be some steps on security and server hardening.

Updates & Upgrades

Irrespective of the distro I install, I run an update of the packages once I log in. This is usually because the ISO image used to create the VPS could be an older one without the latest patches.

For Debian/Ubuntu systems

# apt update && apt upgrade -y

For Fedora/CentOS systems

# yum upgrade

Note that I use yum upgrade rather than yum update: this is the very beginning of using the VPS and no other packages have been installed, so we can remove obsoletes during the update.

The VPS is now updated and all patches, including security patches, have been applied. However, your node is not safe yet. It still allows root to log in over the default SSH port. Let’s fix that.

User Security

We need to prevent remote root logins, create another regular user and give that ID superuser powers. On CentOS/Fedora:

# useradd thenewguy

# passwd thenewguy

Next, add the user to the wheel group, which allows it to invoke administrative commands such as yum.

# usermod -aG wheel thenewguy

On Ubuntu/Debian, the following adds the new user and also grants sudo access.

# adduser thenewguy

# adduser thenewguy sudo

Now, before we lock out remote access for root, let’s see if thenewguy has the right privileges.

# su thenewguy

will switch your session to thenewguy. To see if you have sufficient privileges, try installing a package (I usually install nano, as the default CentOS images I use don’t have nano pre-installed). You will have to enter the password when using the sudo yum/sudo apt-get command.

Here is a nice trick that I employ to avoid having to enter my password every time I issue a sudo command. However, the downside is that if you leave your terminal unattended in a public place and someone has a chance to use your active session, they do not need to know your password to issue superuser commands. If you are sure you do not fall in this category, enter the command sudo visudo

In the editor that opens, add the line

thenewguy ALL=(ALL) NOPASSWD:ALL

Make sure to change the username (thenewguy) to your own user id.

Now, we will edit the SSH configuration to prevent remote root login and change the default SSH port. The configuration file for the SSH daemon is located at /etc/ssh/sshd_config.

Find the text PermitRootLogin and change the line to

PermitRootLogin no

Change the port number on the line which would currently read Port 22. Choose a port that is obscure and does not clash with other services you may run on your node. For example, don’t change the port to 80, which would later clash with your web server. Safe alternate port numbers are between 49152 and 65536.

I almost never use IPv6, so I add the line AddressFamily inet if it doesn’t already exist. If it already exists, it would usually be AddressFamily any. Changing this prevents the SSH daemon from listening on the IPv6 interface.

Save and restart the SSH daemon through the

systemctl restart sshd

or

service sshd restart

command, depending on which version & flavor of Linux is installed. The important thing is to NOT disconnect. Don’t log off until you are sure the changes are working.

In a separate terminal, connect to your VPS with the root ID on the new port number. You should get an access denied message. Now connect with the new user ID, in my case thenewguy, on the new port. You should be able to log in. Try a few commands, especially ones that require sudo permission. If you are satisfied, you can close the initial SSH connection with the root user.
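
A pre-restart check for the sshd_config edits described above, as an added example that is not part of the original article: it reads the global section of a config file the way sshd does (keywords are case-insensitive and the first value read wins) and reports whether the three settings took effect. The function names, the constructed sample file and the 65535 upper bound (the highest valid TCP port) are assumptions of this example.

```shell
#!/bin/sh
# Print the value(s) of keyword $1 in the global section of config file $2.
sshd_values() {
    awk -v want="$1" '
        { sub(/^[ \t]+/, "") }               # drop leading whitespace
        /^#/ || /^$/ { next }                # skip comments and blank lines
        { n = split($0, f, /[ \t=]+/) }      # "Key value" or "Key=value"
        tolower(f[1]) == "match" { exit }    # stop at the first Match block
        tolower(f[1]) == tolower(want) && n > 1 { print tolower(f[2]) }
    ' "$2"
}

# Print one line per finding; the return status is the number of findings.
audit_sshd() {
    findings=0
    # sshd keeps the first value it reads; unset means prohibit-password.
    root=$(sshd_values PermitRootLogin "$1" | head -n 1)
    if [ "${root:-prohibit-password}" != no ]; then
        echo "PermitRootLogin is ${root:-prohibit-password}, expected no"
        findings=$((findings + 1))
    fi
    # Port may repeat and sshd listens on each one; unset means 22.
    ports=$(sshd_values Port "$1")
    for p in ${ports:-22}; do
        if [ "$p" -lt 49152 ] || [ "$p" -gt 65535 ]; then
            echo "Port $p is outside 49152-65535"
            findings=$((findings + 1))
        fi
    done
    fam=$(sshd_values AddressFamily "$1" | head -n 1)
    if [ "${fam:-any}" != inet ]; then
        echo "AddressFamily is ${fam:-any}, expected inet"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: a stock value left in place above the hardened one.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 55022
#AddressFamily any
PermitRootLogin yes
permitrootlogin no
EOF
audit_sshd "$sample" || echo "fix the findings above before restarting sshd"
rm -f "$sample"
```

On a live server, `sshd -t` checks the file for syntax errors, and the output of `sshd -T` (the effective configuration, including any Include files) can be saved to a file and passed to `audit_sshd` in the same way.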

In some cases, I add Google 2Factor Authentication

Removing Unwanted Services

In many cases, the OS image comes with an activated Apache server. I personally prefer Nginx, so I end up uninstalling apache/httpd. I am sure you have identified such packages that are pre-installed but are not needed. Remove all such packages with the command

$ sudo yum remove {unwanted-pkg}

Or

$ sudo apt purge {unwanted-pkg}

You may have observed that I am now prefixing all my commands with sudo. This is because I assume you have closed the SSH connection with root and are in the system with the new user ID created.

Blocking Unwanted Ports

Like unwanted packages, there are often unwanted listeners attaching themselves to ports. For me it is often the SMTP service listening on port 25. An experienced sysadmin would launch into a series of iptables commands. As I am not one, I advise using either firewalld (CentOS/Fedora) or ufw (Ubuntu/Debian) to control the firewall.

Please note that both ufw and firewalld have alternate ways to enable particular ports. For example, ufw allow ssh enables SSH connections, but only to the default port 22. If you have followed this guide, you should explicitly enable the port set up in the sshd_config file.

$ sudo ufw allow 55022

Or

$ sudo firewall-cmd --permanent --zone=public --add-port=55022/tcp

 

Finally, I install a monitoring tool such as monit or a third party service like hetrixtools so I can keep a closer watch on uptime and server performance.

 

Featured image credits - Vectorpocket @ Freepik.com
