Get your Ubuntu VPS up and running

UbuntuThese are the first steps you should perform on your shiny, brand new VPS to set out on a safe journey on the internets. You don’t actually have to understand each of the steps here, but this post is intented for people who have some clue of what they’re doing. If there is such a thing as a «VPSes for dummies», it should not be read. VPSes are not intended for dummies.

Get a VPS with Ubuntu preinstalled (the provider should ask you for OS during order). If you don’t know whether you should go for 12.04 or 12.10, go for 12.04. It’s an LTS release. If you have no clue on what provider to use, try Digital Ocean. They give lotsa bang per buck.

SSH into your box as root.

Get rid of the annoying Ubuntu locale errors:

$ echo "LC_ALL=\"en_US.UTF-8\"" | cat - /etc/default/locale > /tmp/locale.tmp && mv /tmp/locale.tmp /etc/default/locale && export LC_ALL="en_US.UTF-8"

Now, make sure your system is up to date:

$ apt-get update && apt-get -y dist-upgrade

Install the things you probably want/need:

$ apt-get -y install htop screen vim curl ntp fail2ban ufw

Set your hostname if it’s not correct:

$ export HOSTNAME="example.com" && echo $HOSTNAME > /etc/hostname && hostname $HOSTNAME

Set your timezone if it’s not correct:

$ dpkg-reconfigure tzdata

Secure SSH

You should not allow password logins for your VPS. No excuses. Use key based authentication.

If you don’t already have a SSH key pair, create one. If you’re on Mac OS X or Linux follow these steps:

  1. Make sure you are home
    $ cd ~
  2. Create the key pair. Make sure you protect your secret key with a strong passphrase (yes: phrase, not word)
    $ ssh-keygen -t rsa
  3. Display your public key:
    $ cat ~/.ssh/id_rsa.pub
    

If you’re on Windows, follow this guide for PuTTY.

Create the .ssh folder if it doesn’t exists:

$ mkdir -p /root/.ssh && chmod 700 /root/.ssh

Copy your public key into the /root/.ssh/authorized_keys file

Make sure it has the correct permissions:

$ chmod 600 /root/.ssh/authorized_keys

Disallow password logins:

$ sed -i -e 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config && service ssh restart

Test logging into your box before you log out.

Automate security upgrades

Some people cringe when I tell them to do automated upgrades, but the risk of something going wrong during the upgrade is less than the risk of having a vulnerable system live on the Internet.

$ apt-get -y install unattended-upgrades
$ echo "APT::Periodic::Update-Package-Lists \"1\";
APT::Periodic::Unattended-Upgrade \"1\";
" > /etc/apt/apt.conf.d/20auto-upgrades
$ echo "Unattended-Upgrade::Allowed-Origins {
        \"\${distro_id}:\${distro_codename}-security\";
};

Unattended-Upgrade::Mail \"[email protected]\";
Unattended-Upgrade::MailOnlyOnError \"true\";
Unattended-Upgrade::Remove-Unused-Dependencies \"true\";
Unattended-Upgrade::Automatic-Reboot \"false\";
" > /etc/apt/apt.conf.d/50unattended-upgrades

Setup the firewall

UFW (Uncomplicated FireWall) is a very friendly iptables configuration tool for Ubuntu.

Enable SSH logins:

$ ufw allow ssh

If you plan running a web server, open ports for http and https as well:

$ ufw allow http
$ ufw allow https

Enable the firewall:

$ ufw enable

Again: Check that you can login to your server before you close the current session.

For more info, check the Ubuntu Community Help Wiki page on UFW

Ready

Now, go do some cool stuff!

– Why don’t you …

… disallow root logins?

– IMHO it’s not worth the hassle of going through a regular user and sudo as long as I’m using key based authentication. You can do it if you want to.