Step by Step: Setting Up a New VPS (18/8/18)
I've bought a new VPS from Vultr for my own data server. This post is documentation of the steps that I took on setting up my new VPS. The OS that used in VPS is Ubuntu 18.04 64-bit, while OS in my local machine is Manjaro 64-bit.
Make sure SSH is installed in the local machine. If it's not, install it by running :
sudo pacman -S openssh
After installation finished, create a new SSH keys by running :
ssh-keygen
Suppose the name of user in local machine is localuser
. The command above will show message like this :
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/localuser/.ssh/id_rsa):
Click enter to save SSH keys in the default location. After that, we will be asked to input a password to secure the generated keys. You are free to submit the password or not, but in this tutorial I don't use any password. Once the process finished, in $HOME/.ssh
directory will be generated private key id_rsa
and public key id_rsa.pub
.
SSH keys are important because it's provide a more secure way of logging into a server with SSH than using a password alone. While a password can eventually be cracked with a brute force attack, SSH keys are nearly impossible to decipher by brute force alone. Not to mention it makes login process easier because you don't have to input the password every time. If you're unsure whether you already have an SSH key or not, you can check if directory $HOME/.ssh
is exists.
Open the terminal, then input this command :
ssh root@<ip-vps>
After that, SSH will show a warning message and ask you to confirm the authenticity of the host. Answer yes
to the warning message, then input password for the root user. If the password is correct, we will given access to VPS as root user.
Once in, update the system by running apt update
followed by apt upgrade
. If necessary, reboot the VPS by running reboot
.
When we buy a new VPS on Vultr, we will given a default SSH password to access VPS as root. For safety reason, you should change the default password to a new one. You can do it by running passwd
, then input your new password.
For the next steps, we need to create a new user. For example, here we create a new user with the name radhi
:
adduser radhi
After that, system wil ask us to input data and password for new user :
Adding user `radhi' ...
Adding new group `radhi' (1000) ...
Adding new user `radhi' (1000) with group `radhi' ...
Creating home directory `/home/radhi' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for radhi
Enter the new value, or press ENTER for the default
Full Name []: Radhi Fadlillah
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
To let the new user performs administrative commands (e.g. installing new application), the new user must be included in sudo
group (which is the "administrators" group in Linux). To do that, run :
usermod -aG sudo radhi
Once it finished, user radhi
can run administrative commands by using sudo
command.
As mentioned before, public key authentication provides SSH users with the convenience of logging in to their VPS without entering their passwords. Not to mention it is a lot more safer than using password.
To enable it, we have to upload public key in the local machine to the VPS. To do that, log out from VPS, then run :
ssh-copy-id radhi@<ip-vps>
While sending the public key, we will asked to input the password of user in VPS (in this case is radhi
) . Once finished, system will show success message like this :
Number of key(s) added: 1
Now try logging into the machine, with: "ssh radhi@<ip-vps>"
and check to make sure that only the key(s) you wanted were added.
Now log in back to server by running ssh radhi@<ip-vps>
, and you should be able to do it without submitting the password.
To prevent brute force attack, it's recommended to disable password authentication for log in. For same reason, login as root user should be disabled as well because almost certainly brute force attack will try to use it. To do it, log in to VPS as our new user (in this tutorial is radhi
), then edit SSH configuration by running nano
(or your preferred text editor) :
sudo nano /etc/ssh/sshd_config
Find the line for PasswordAuthentication
:
#PasswordAuthentication yes
Remove the hash symbol, then set the value to no
:
PasswordAuthentication no
After that, to make only radhi
that can log in to the VPS, add this line to the end of file :
AllowUsers radhi
Save the file, then reload SSH daemon by running :
sudo service ssh restart
Now nobody can't log in to the VPS by using password or as root user. Instead, only radhi
using Public Key Authentication that can access the VPS from SSH.
Firewall is a must for a server. There are several firewall available for Linux, e.g. iptables
, csf
and ufw
. I will use ufw
because IMO it's the simplest one between those three.
UFW (Uncomplicated Firewall) is an interface to iptables
that is geared towards simplifying the process of configuring a firewall, which make it suitable for beginner. To use it, install it by running :
sudo apt install ufw
Since modern VPS supports IPv6, we have to make sure UFW able to support it. To do this, open the UFW configuration using nano
(or your preferred editor) :
sudo nano /etc/default/ufw
Then find line IPV6
and set its value to yes
:
IPV6=yes
Save, then close the file. Now, when UFW is enabled, it will protecting all network traffic both from IPv4 and IPv6.
Next, we need to set default policies for all network traffics. Here, we want the VPS to allow all outgoing connection, but deny all incoming transmission. This way, server can send data to any connection, but doesn't let any connection to connect to server. To do this, run :
sudo ufw default allow outgoing
sudo ufw default deny incoming
Next, we need permission to allow several type of connection to server. Usually, there are three types of connection that must be allowed, i.e. SSH, HTTP and HTTPs :
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
To see all added rules, run :
sudo ufw show added
To remove one of firewall rules, you can use ufw delete
. For example, here we want to revoke permission for HTTP access :
sudo ufw delete allow http
Before activating UFW, we have to make sure that UFW can be used in our VPS. You might need to install other packages like python
or iptables
. To check it, you can run :
sudo /usr/share/ufw/check-requirements
If the check finished successfully, it means we can activate the firewall. Before activating it, make sure you already allow SSH connection in the firewall. If you don't activate it, you won't be able to log in to the VPS anymore, so make sure it's allowed. To activate it, run :
sudo ufw enable
Now, UFW has been activated. You can check the status of UFW by running :
sudo ufw status verbose
If you decide you don't want to use UFW, you can disable it with this command :
sudo ufw disable
If you want to reset all UFW rules that has been made, run :
sudo ufw reset
MariaDB is one of the most popular database management system. It's easy, popular, and used by many application. That's why I'm including it in this tutorial.
Ubuntu includes MariaDB 10.1 in its main repositories. However, the lates stable version of MariaDB is 10.3, so I will use that one. To do it, we need to add MariaDB repositories to our system. To do this, open download page of MariaDB, then choose OS, version and your preferred mirror location. For example, here we choose :
To add the MariaDB repositories, run :
sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8
sudo add-apt-repository 'deb [arch=amd64,arm64,ppc64el] http://sgp1.mirrors.digitalocean.com/mariadb/repo/10.3/ubuntu bionic main'
If add-apt-repository
is not available in your VPS, install it by running :
sudo apt install software-properties-common
Once the key is imported and the repository added, you can install MariaDB 10.3 by running :
sudo apt update
sudo apt install mariadb-server -y
While installing, we might be asked to input the password for root. If not, root will be given empty password. Once finished, we have to secure MariaDB by running :
sudo mysql_secure_installation
Here we will be asked about several point, e.g. about root password, etc :
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
You already have a root password set, so you can safely answer 'n'.
Change the root password? [Y/n] n
... skipping.
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
Now we can use MariaDB by running :
sudo mysql -p