How I set up my ChunkHosts
For the TL;DR version, see Securing your VPS for the Semi Paranoid; it also has a screencast.
Over the years I've used many different VPS providers. ChunkHost (https://chunkhost.com/r/coolaj86) has been one of them. Lately, I've mostly been using Digital Ocean, but I'm running a service for which I want redundancy not only in different data centers, but also through different service providers, so I decided to check them out again.
I was pleasantly surprised to find that their rates are comparable to Digital Ocean with the bonus of giving you double RAM and Bandwidth when you pay the full year up front.
Also they give a 5% discount for using bitcoin.
Since I first signed up for ChunkHost many years ago, when they were just starting out, and did the whole share-with-friends-on-Facebook thing, I also have a permanent 50% off discount on my account, which makes paying a full year in advance a very easy pill to swallow.
$28.40 later, I'm a proud owner of a 1GB Chunk. Yay!
Every VPS provider gives you a base image that's a little bit different. Here's what I suggest for Chunks.
Sign up at https://chunkhost.com/r/coolaj86. Click Chunks. Click add Chunk.
Here we go.
1. use ssh key, not a password
ssh keys are uber important.
Test to see if you already have ssh keys. If you don't, generate them.
If that gives you a block of garbage-looking text that ends in something like email@example.com, you're golden. Copy the whole block.
Otherwise, generate some ssh keys
ssh-keygen
cat ~/.ssh/id_rsa.pub
You can accept all the defaults. You don't need a passphrase. If you're not going to remember it, don't use one. If you want the extra security, please do.
For my more secure systems I have specific ssh keypairs for each system individually and I use a strong but memorable passphrase.
It's a bad idea to use passwords rather than ssh keys, so please don't use passwords. If you do, you'll essentially just be adding your VPS to some Chinese botnet.
Don't do it.
2. add a non-root user
Running as the root user is generally considered unsafe.
First, you'll want to ssh into your brand new shiny VPS.
Your Chunk's IP address will be a real one, so use that instead of this fake one:
Go ahead and add a non-root user (I'm calling mine 'chunk') with sudo privileges.
adduser chunk
adduser chunk sudo
3. secure ssh
log back in
First you need to add your ssh key to your new user
(if you don't have ssh-copy-id already, you may need to install it with brew install ssh-copy-id on OS X)
ssh-copy-id -i ~/.ssh/id_rsa.pub firstname.lastname@example.org
To make things easier for myself I like to put my ssh configuration for each VPS
Host 127.0.0.1
  Port 22
  User chunk
  IdentityFile ~/.ssh/id_rsa
Then you can log in without specifying the name
enable fail2ban and ufw
fail2ban simply bans botnets that are trying to gain access to your server.
And guess what!? ChunkHost's Ubuntu 14.04 LTS already has it installed.
However, if it wasn't installed you would do it like this:
sudo apt-get install -y fail2ban
And you do need to enable the firewall:
sudo ufw allow ssh
sudo ufw enable
disable password (and root) access
The only reason I can think to ever allow root access to a machine is for backups, but I don't run my services as root, so that's not an issue for me.
In any case, you shouldn't use passwords, at all, ever, for any reason. No passwords on VPSes.
Now you'll need to log in to edit your ssh config to disallow passwords.
# at this point I *need* vim, but you might prefer nano
sudo apt-get install vim
sudo nano /etc/ssh/sshd_config
Find and change these lines (individually)
PasswordAuthentication no
PermitRootLogin no
If you will be doing backups via rsync, you may prefer
You might also like to change the port such as
If you do, make sure you also sudo ufw allow 2222/tcp.
Then restart ssh
sudo service ssh restart
Just to be safe, also check that sshd is the only server listening on the network:
sudo netstat -peanut
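A check worth running on the edited sshd_config, as an added example (not from the original post): it confirms that the two settings changed above are the ones sshd will actually use. The function names and the sample file are constructed for illustration; it relies on sshd using the first value it reads for each keyword and only looks at the global section before any Match line.

```sh
#!/bin/sh
# Added example: audit an sshd_config for the two settings edited above.

# Print the global value of keyword $2 in file $1, lowercased.
# sshd uses the FIRST value it reads for a keyword, keywords are
# case-insensitive, and everything after a "Match" line is conditional.
sshd_effective() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0  { next }    # comment or blank line
        tolower($1) == "match" { exit }    # end of global section
        tolower($1) == want    { print tolower($2); exit }
    ' "$1"
}

# Return 0 only if both settings are explicitly "no". A missing keyword
# counts as a failure instead of trusting the compiled-in default.
audit_sshd_config() {
    rc=0
    for kw in PasswordAuthentication PermitRootLogin; do
        val=$(sshd_effective "$1" "$kw")
        if [ "$val" = "no" ]; then
            echo "ok    $kw no"
        else
            echo "FAIL  $kw ${val:-<unset>}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the fix was appended at the bottom of the file, but
# an earlier lowercase "passwordauthentication yes" line still wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# PermitRootLogin yes
passwordauthentication yes
PermitRootLogin no
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "fix sshd_config before restarting ssh"
rm -f "$sample"
```

On the server, point audit_sshd_config at /etc/ssh/sshd_config; sudo sshd -T prints the configuration sshd itself resolves and is the authoritative cross-check.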
4. Other Nice Things
Whether you prefer fish or you prefer zsh, you should prefer something to bash as a day-to-day shell:
sudo apt-get install fish
sudo chsh -s $(which fish) $(whoami)
echo "v1.5.1" > /tmp/IOJS_VER
curl -fsSL bit.ly/iojs-dev -o /tmp/iojs-dev.sh; bash /tmp/iojs-dev.sh
By AJ ONeal