How to set up your own VPS from scratch

I bought a VPS on a sale on WeLoveServers.net for a crazy 48$ a year with 2GB of RAM. If you know a cheaper one, please share it in the comments. Anyways, since this is a barebones setup, I had to set it up myself and this is how I did it.

I followed a great tutorial from DigitalOceanhttps://www.digitalocean.com/community/tutorials/initial-server-setup-with-centos-7

Login

  • login as root
  • change root’s password with passwd command
  • add new user – useradd myuser
  • change user’s password – passwd myuser
  • on CentOS 7, users who belong to the “wheel” group are allowed to use the sudo command: gpasswd -a myuser wheel or use a normal route of editing with /usr/sbin/visudo and add a line leuser ALL(ALL) ALL
  • ssh-keygen – you get id_rsa and id_rsa.pub files which you upload (only public one OFC!) to .ssh/ folder in your home directory (you should do chmod 700 .ssh after mkdir-ing it)
  • create file authorized_keys and paste the contents of the id_rsa.pub file in it and restrict the access to it by doing chmod 600 .ssh/authorized_keys

SSH settings

  • sudo vi /etc/ssh/sshd_config
    • Port 25000
      Protocol 2
      PermitRootLogin no
      UseDNS no
      AllowUsers myuser
  • systemctl reload sshd.service or service sshd restart

Firewall

  • my version of CentOS ships with iptables, but in the article he works with a firewall called firewalld (yum install firewalld to install it)
  • lock down everything that you do not have a good reason to keep open
  • sudo systemctl start firewalld
  • uses the concept of “zones” to label the trustworthiness of the other hosts
  • sudo firewall-cmd –permanent –add-service=ssh
  • if you use a different port for SSH then
    • sudo firewall-cmd –permanent –remove-service=ssh
      sudo firewall-cmd –permanent –add-port=4444/tcp
  • sudo firewall-cmd –permanent –add-service=http
  • sudo firewall-cmd –permanent –add-service=https
  • sudo firewall-cmd –permanent –add-service=smtp
  • all the services that you can enable: sudo firewall-cmd –get-services
  • list exceptions: sudo firewall-cmd –permanent –list-all
  • sudo firewall-cmd –reload
  • start firewall at boot: sudo systemctl enable firewalld

Timezone

  • sudo timedatectl list-timezones
  • sudo timedatectl set-timezone Europe/Zagreb
  • confirm the change has been done: sudo timedatectl

NTP

  • sudo yum install ntp
  • sudo systemctl start ntpd
  • sudo systemctl enable ntpd

swap

  • allows the system to move the less frequently accessed information of a running program from RAM to a location on disk, especially useful if you plan to host any databases on your system
  • amount equal to or double the amount of RAM on your system is a good starting point
  • sudo fallocate -l 4G /swapfile
  • sudo chmod 600 /swapfile
  • sudo mkswap /swapfile
  • sudo swapon /swapfile
  • in case after the last command you get an error like this: “swapon: /swapfile: swapon failed: Operation not permitted“, that basically means that you’re most probably on openvz and that you can’t create a swap file (more on serverfault.com)
  • if you didn’t get an error then do: sudo sh -c ‘echo “/swapfile none swap sw 0 0” >> /etc/fstab’ to start it at boot

fail2ban

  • it scans through log files and reacts to offending actions such as repeated failed login attempts
  • EPEL (Extra Packages for Enterprise Linux)
  • wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-2.noarch.rpm
  • sudo rpm -ivh epel-release-7-2.noarch.rpm
  • sudo yum install fail2ban
  • default configuration file at /etc/fail2ban/jail.conf but copy it
    cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  • vi /etc/fail2ban/jail.local
  • sudo chkconfig fail2ban on
Written by Nikola Brežnjak