For the TL;DR version, see Securing your VPS for the Semi-Paranoid; it also has a screencast.

Over the years I've used many different VPS providers. https://chunkhost.com/r/coolaj86 has been one of them. Lately, I've mostly been using Digital Ocean, but I'm running a service for which I want redundancy not only across different data centers, but also across different service providers, so I decided to check them out again.

I was pleasantly surprised to find that their rates are comparable to Digital Ocean with the bonus of giving you double RAM and Bandwidth when you pay the full year up front.

Also they give a 5% discount for using bitcoin.

Since I first signed up for ChunkHost many years ago, when they were just starting out and did the whole share-with-friends-on-Facebook thing, I also have a permanent 50% discount on my account, which makes paying a full year in advance a very easy pill to swallow.

$28.40 later, I'm a proud owner of a 1GB Chunk. Yay!

Setup

Every VPS provider gives you a base image that's a little bit different. Here's what I suggest for Chunks.

Sign up at https://chunkhost.com/r/coolaj86. Click Chunks. Click add Chunk.

Here we go.

1. use an ssh key, not a password

ssh keys are uber important.

Test to see if you already have ssh keys. If you don't, generate them.

cat ~/.ssh/id_rsa.pub

If that gives you a block of garbage-looking text that ends in something like myusername@mycomputer.local, you're golden. Copy the whole block.

Otherwise, generate some ssh keys:

ssh-keygen
cat ~/.ssh/id_rsa.pub

You can accept all the defaults. You don't need a passphrase. If you're not going to remember it, don't use one. If you want the extra security, please do.

For my more secure systems I have a specific ssh keypair for each system individually, and I use a strong but memorable passphrase.

It's a bad idea to use passwords rather than ssh keys, so please don't use passwords. If you do, you'll essentially just be adding your VPS to some Chinese botnet.

Don't do it.

2. add a non-root user

Running as the root user is generally considered unsafe.

First, you'll want to ssh into your brand new shiny VPS.

Your Chunk's IP address will be a real one, so use that instead of this fake one:

ssh 127.0.0.1

Go ahead and add a non-root user (I'm calling mine 'chunk') with sudo privileges.

adduser chunk
adduser chunk sudo

Now log out:

exit

3. secure ssh

Log back in.

First you need to add your ssh key to your new user.

(if you don't have ssh-copy-id already, you may need to install it with brew install ssh-copy-id on OS X)

ssh-copy-id -i ~/.ssh/id_rsa.pub chunk@127.0.0.1

To make things easier for myself I like to put my ssh configuration for each VPS in ~/.ssh/config:

nano ~/.ssh/config
Host 127.0.0.1
Port 22
User chunk
IdentityFile ~/.ssh/id_rsa

Then you can log in without specifying the user name:

ssh 127.0.0.1

enable fail2ban and ufw

fail2ban simply bans botnets that are trying to gain access to your server.

And guess what!? ChunkHost's Ubuntu 14.04 LTS already has it installed.

However, if it wasn't installed you would do it like this:

sudo apt-get install -y fail2ban

And you do need to enable the firewall:

sudo ufw allow ssh
sudo ufw enable

disable password (and root) access

The only reason I can think to ever allow root access to a machine is for backups, but I don't run my services as root, so that's not an issue for me.

In any case, you shouldn't use passwords, at all, ever, for any reason. No passwords on VPSes.

Now you'll need to log in and edit your sshd config to disallow passwords.

# at this point I *need* vim, but you might prefer nano
sudo apt-get install vim
sudo nano /etc/ssh/sshd_config

Find and change these lines (individually):

PasswordAuthentication no
PermitRootLogin no

If you will be doing backups via rsync, you may prefer PermitRootLogin without-password.

You might also like to change the port such as Port 2222. If you do, make sure you also sudo ufw allow 2222/tcp.

Then restart ssh:

sudo service ssh restart

Just to be safe, also check that sshd is the only server listening on the network:

sudo netstat -peanut
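One caveat worth checking before you trust the sshd_config edit above: sshd uses the first uncommented occurrence of a keyword, so a PasswordAuthentication no appended to the bottom of the file loses to an earlier yes, and a commented-out line is not a setting at all. This is an added example, not code from the original post; effective_value and audit_sshd_config are names chosen here, the sample config is constructed, and it assumes a config without Match blocks.

```sh
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the two
# directives changed above. sshd uses the FIRST uncommented occurrence of a
# keyword, so a "no" appended below an earlier "yes" does nothing. Assumes a
# config without Match blocks.

# effective_value KEYWORD : print the value sshd would use for KEYWORD from
# the config on stdin (keyword case-insensitive, "Key value" or "Key=value").
effective_value() {
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    BEGIN { FS = "[ \t=]+" }
    { sub(/^[ \t]+/, "") }                 # sshd ignores leading whitespace
    /^#/ || /^$/ { next }                  # comments and blank lines
    tolower($1) == key { print $2; exit }  # first match wins
  '
}

# audit_sshd_config : read a config from stdin, print one line per directive,
# return 0 only when both are hardened.
audit_sshd_config() {
  cfg=$(cat)
  rc=0
  pw=$(printf '%s\n' "$cfg" | effective_value PasswordAuthentication)
  root=$(printf '%s\n' "$cfg" | effective_value PermitRootLogin)
  case "$pw" in
    no) echo "ok   PasswordAuthentication = no" ;;
    "") echo "FAIL PasswordAuthentication unset (sshd default applies)"; rc=1 ;;
    *)  echo "FAIL PasswordAuthentication = $pw"; rc=1 ;;
  esac
  # without-password is accepted because the post allows it for rsync backups
  case "$root" in
    no|without-password) echo "ok   PermitRootLogin = $root" ;;
    "") echo "FAIL PermitRootLogin unset (sshd default applies)"; rc=1 ;;
    *)  echo "FAIL PermitRootLogin = $root"; rc=1 ;;
  esac
  return $rc
}

# Constructed sample: the appended "no" loses to the earlier "yes", and the
# commented-out PermitRootLogin line is not a setting at all.
sample='PasswordAuthentication yes
#PermitRootLogin no
PasswordAuthentication no'
printf '%s\n' "$sample" | audit_sshd_config ||
  echo "not hardened: fix the first occurrence of each directive, then restart ssh"
```

On the server itself you can run it against the real file with sudo cat /etc/ssh/sshd_config | audit_sshd_config, or ask sshd directly with sudo sshd -T, which prints the effective value of every option.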

4. Other Nice Things

Whether you prefer fish or you prefer zsh, you should prefer something to bash as a day-to-day shell:

sudo apt-get install fish
sudo chsh -s $(which fish) $(whoami)

And, of course, I'm a JavaScript developer so...

echo "v1.5.1" > /tmp/IOJS_VER
curl -fsSL bit.ly/iojs-dev -o /tmp/iojs-dev.sh; bash /tmp/iojs-dev.sh

By AJ ONeal

Published

2015-3-15
