How to set up your own VPS from scratch
I bought a VPS on a sale on WeLoveServers.net for a crazy 48$ a year with 2GB of RAM. If you know a cheaper one, please share it in the comments. Anyways, since this is a barebones setup, I had to set it up myself and this is how I did it.
I followed a great tutorial from DigitalOcean: https://www.digitalocean.com/community/tutorials/initial-server-setup-with-centos-7
Login
- login as root
- change root’s password with passwd command
- add new user – useradd myuser
- change user’s password – passwd myuser
- on CentOS 7, users who belong to the “wheel” group are allowed to use the
sudo
command: gpasswd -a myuser wheel or use a normal route of editing with /usr/sbin/visudo and add a line leuser ALL(ALL) ALL - ssh-keygen – you get id_rsa and id_rsa.pub files which you upload (only public one OFC!) to .ssh/ folder in your home directory (you should do chmod 700 .ssh after mkdir-ing it)
- create file authorized_keys and paste the contents of the id_rsa.pub file in it and restrict the access to it by doing chmod 600 .ssh/authorized_keys
SSH settings
- sudo vi /etc/ssh/sshd_config
- Port 25000
Protocol 2
PermitRootLogin no
UseDNS no
AllowUsers myuser
- Port 25000
- systemctl reload sshd.service or service sshd restart
Firewall
- my version of CentOS ships with iptables, but in the article he works with a firewall called firewalld (yum install firewalld to install it)
- lock down everything that you do not have a good reason to keep open
- sudo systemctl start firewalld
- uses the concept of “zones” to label the trustworthiness of the other hosts
- sudo firewall-cmd –permanent –add-service=ssh
- if you use a different port for SSH then
- sudo firewall-cmd –permanent –remove-service=ssh
sudo firewall-cmd –permanent –add-port=4444/tcp
- sudo firewall-cmd –permanent –remove-service=ssh
- sudo firewall-cmd –permanent –add-service=http
- sudo firewall-cmd –permanent –add-service=https
- sudo firewall-cmd –permanent –add-service=smtp
- all the services that you can enable: sudo firewall-cmd –get-services
- list exceptions: sudo firewall-cmd –permanent –list-all
- sudo firewall-cmd –reload
- start firewall at boot: sudo systemctl enable firewalld
Timezone
- sudo timedatectl list-timezones
- sudo timedatectl set-timezone Europe/Zagreb
- confirm the change has been done: sudo timedatectl
NTP
- sudo yum install ntp
- sudo systemctl start ntpd
- sudo systemctl enable ntpd
swap
- allows the system to move the less frequently accessed information of a running program from RAM to a location on disk, especially useful if you plan to host any databases on your system
- amount equal to or double the amount of RAM on your system is a good starting point
- sudo fallocate -l 4G /swapfile
- sudo chmod 600 /swapfile
- sudo mkswap /swapfile
- sudo swapon /swapfile
- in case after the last command you get an error like this: “swapon: /swapfile: swapon failed: Operation not permitted“, that basically means that you’re most probably on openvz and that you can’t create a swap file (more on serverfault.com)
- if you didn’t get an error then do: sudo sh -c ‘echo “/swapfile none swap sw 0 0” >> /etc/fstab’ to start it at boot
fail2ban
- it scans through log files and reacts to offending actions such as repeated failed login attempts
- EPEL (Extra Packages for Enterprise Linux)
- wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-2.noarch.rpm
- sudo rpm -ivh epel-release-7-2.noarch.rpm
- sudo yum install fail2ban
- default configuration file at /etc/fail2ban/jail.conf but copy it
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local - vi /etc/fail2ban/jail.local
- sudo chkconfig fail2ban on