Nikola Brežnjak blog - Tackling software development with a dose of humor

How to set up your own VPS from scratch

I bought a VPS on sale at WeLoveServers.net for a crazy $48 a year with 2GB of RAM. If you know a cheaper one, please share it in the comments. Anyway, since this is a barebones setup, I had to set it up myself, and this is how I did it.

I followed a great tutorial from DigitalOcean: https://www.digitalocean.com/community/tutorials/initial-server-setup-with-centos-7

Login

  • login as root
  • change root’s password with passwd command
  • add new user – useradd myuser
  • change user’s password – passwd myuser
  • on CentOS 7, users who belong to the “wheel” group are allowed to use the sudo command: gpasswd -a myuser wheel, or take the normal route of editing with /usr/sbin/visudo and adding the line myuser ALL=(ALL) ALL
  • ssh-keygen (run on your local machine) – you get id_rsa and id_rsa.pub files; upload only the public one (id_rsa.pub, OFC!) to the .ssh/ folder in your home directory on the server (you should do chmod 700 .ssh after mkdir-ing it)
  • create the file authorized_keys in .ssh/, paste the contents of the id_rsa.pub file into it, and restrict access to it by doing chmod 600 .ssh/authorized_keys
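
The server-side half of the key steps above as one repeatable function. This is an added example, not part of the original post: install_pubkey is a made-up helper name, and the key shown is a constructed placeholder.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. install_pubkey is a made-up
# helper name; the key below is a constructed placeholder, not a real key.

# Append one public key line to HOME_DIR/.ssh/authorized_keys with the modes
# from the steps above. With StrictModes (on by default) sshd refuses the key
# file if it or ~/.ssh is writable by group or others.
install_pubkey() {  # usage: install_pubkey HOME_DIR 'ssh-rsa AAAA... comment'
    local home="$1" key="$2" dir file
    dir="$home/.ssh"; file="$dir/authorized_keys"
    case "$key" in
        *"PRIVATE KEY"*)
            echo "refusing: this is a private key, keep it on your machine" >&2
            return 2 ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;   # looks like a .pub line
        *)  echo "refusing: not a public key line" >&2; return 2 ;;
    esac
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    ( umask 077; touch "$file" ) || return 1   # created owner-only from the start
    chmod 600 "$file" || return 1
    # Idempotent: add the key only if that exact line is not there yet.
    grep -qxF -e "$key" "$file" || printf '%s\n' "$key" >> "$file"
}

# Constructed demo in a throwaway directory standing in for /home/myuser.
demo_home=$(mktemp -d)
demo_key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructed myuser@laptop'
install_pubkey "$demo_home" "$demo_key"
install_pubkey "$demo_home" "$demo_key"          # second run adds nothing
install_pubkey "$demo_home" '-----BEGIN RSA PRIVATE KEY-----' || echo "rejected"
ls -l "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```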

SSH settings

  • sudo vi /etc/ssh/sshd_config
    • Port 25000
      Protocol 2
      PermitRootLogin no
      UseDNS no
      AllowUsers myuser
  • systemctl reload sshd.service or service sshd restart
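
A check that the file really says what the list above intends, written as an added example (not code from the original post). The expected values are the ones listed above; the function names and output format are made up here.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Expected values are the ones
# listed above; the function names and output format are made up here.

# First value of KEYWORD in the global part of FILE (before any Match block).
# Keywords are case-insensitive, and for single-valued options sshd keeps the
# first occurrence, so a corrected line added further down changes nothing.
sshd_first_value() {  # usage: sshd_first_value FILE KEYWORD
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == want    { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Print one line per deviation from the settings above; return 1 if any.
audit_sshd_config() {  # usage: audit_sshd_config FILE USER
    local file="$1" user="$2" bad=0 kw want got
    while read -r kw want; do
        got=$(sshd_first_value "$file" "$kw")
        if [ -z "$got" ]; then
            echo "UNSET $kw (sshd default applies, wanted '$want')"; bad=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $kw is '$got', wanted '$want'"; bad=1
        fi
    done <<EOF
Port 25000
Protocol 2
PermitRootLogin no
UseDNS no
AllowUsers $user
EOF
    return "$bad"
}

# Constructed sample: root login is enabled first and "disabled" further down.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 25000
Protocol 2
#PermitRootLogin no
permitrootlogin yes
UseDNS no
PermitRootLogin no
EOF
audit_sshd_config "$sample" myuser || true
rm -f "$sample"
```

Port and AllowUsers may be given more than once and then accumulate; this check looks only at the first occurrence of each.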

Firewall

  • my version of CentOS ships with iptables, but in the article he works with a firewall called firewalld (yum install firewalld to install it)
  • lock down everything that you do not have a good reason to keep open
  • sudo systemctl start firewalld
  • uses the concept of “zones” to label the trustworthiness of the other hosts
  • sudo firewall-cmd --permanent --add-service=ssh
  • if you use a different port for SSH, open that port instead (4444 is an example here; it has to be the Port you set in sshd_config, otherwise you lock yourself out after the reload):
    • sudo firewall-cmd --permanent --remove-service=ssh
      sudo firewall-cmd --permanent --add-port=4444/tcp
  • sudo firewall-cmd --permanent --add-service=http
  • sudo firewall-cmd --permanent --add-service=https
  • sudo firewall-cmd --permanent --add-service=smtp
  • all the services that you can enable: sudo firewall-cmd --get-services
  • list exceptions: sudo firewall-cmd --permanent --list-all
  • sudo firewall-cmd --reload
  • start firewall at boot: sudo systemctl enable firewalld

Timezone

  • sudo timedatectl list-timezones
  • sudo timedatectl set-timezone Europe/Zagreb
  • confirm the change has been done: sudo timedatectl

NTP

  • sudo yum install ntp
  • sudo systemctl start ntpd
  • sudo systemctl enable ntpd

swap

  • allows the system to move the less frequently accessed information of a running program from RAM to a location on disk, especially useful if you plan to host any databases on your system
  • amount equal to or double the amount of RAM on your system is a good starting point
  • sudo fallocate -l 4G /swapfile
  • sudo chmod 600 /swapfile
  • sudo mkswap /swapfile
  • sudo swapon /swapfile
  • in case you get an error like this after the last command: “swapon: /swapfile: swapon failed: Operation not permitted”, that basically means that you’re most probably on OpenVZ and that you can’t create a swap file (more on serverfault.com)
  • if you didn’t get an error, then do: sudo sh -c 'echo "/swapfile none swap sw 0 0" >> /etc/fstab' to start it at boot

fail2ban

  • it scans through log files and reacts to offending actions such as repeated failed login attempts
  • it is packaged in EPEL (Extra Packages for Enterprise Linux), so add that repository first
  • wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-2.noarch.rpm
  • sudo rpm -ivh epel-release-7-2.noarch.rpm
  • sudo yum install fail2ban
  • the default configuration file is /etc/fail2ban/jail.conf, but copy it and edit the copy instead:
    cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  • vi /etc/fail2ban/jail.local
  • sudo chkconfig fail2ban on
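
To make the "repeated failed login attempts" part concrete, here is the per-address counting applied to /var/log/secure-style sshd lines. This is an added example, not fail2ban's own filter or code, and it does no time windowing or banning; the function names and the sample log are constructed.

```bash
#!/usr/bin/env bash
# Added example, not fail2ban's own filter or code: the per-address counting
# that fail2ban automates, applied to /var/log/secure-style sshd lines.
# Function names and the sample log are constructed for this example.

# Print "COUNT ADDRESS" for every source with at least THRESHOLD failures.
# The address is taken from the fixed tail "from ADDR port N ssh2", not from
# the first "from": the user name in the middle of the line is chosen by the
# client and may itself contain " from 192.0.2.7".
offenders() {  # usage: offenders THRESHOLD < logfile
    awk -v min="$1" '
        / sshd\[[0-9]+\]: Failed password for / &&
        $(NF - 4) == "from" && $(NF - 2) == "port" { hits[$(NF - 3)]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

sample_log() {  # constructed lines, documentation address ranges only
    cat <<'EOF'
Jan 10 12:00:01 vps sshd[1201]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 12:00:03 vps sshd[1201]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 12:00:05 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jan 10 12:00:09 vps sshd[1207]: Failed password for invalid user x from 192.0.2.7 from 198.51.100.9 port 40100 ssh2
Jan 10 12:01:00 vps sshd[1210]: Accepted publickey for myuser from 198.51.100.20 port 50022 ssh2
Jan 10 12:01:30 vps sshd[1212]: Failed password for myuser from 198.51.100.20 port 50030 ssh2
EOF
}

# Addresses with three or more failures in the sample.
sample_log | offenders 3
```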

© since 2016 - Nikola Brežnjak