{"id":904,"date":"2014-12-10T15:35:10","date_gmt":"2014-12-10T15:35:10","guid":{"rendered":"http:\/\/www.nikola-breznjak.com\/blog\/?p=904"},"modified":"2015-08-16T20:09:38","modified_gmt":"2015-08-16T20:09:38","slug":"setting-up-your-own-vps-from-scratch","status":"publish","type":"post","link":"https:\/\/nikola-breznjak.com\/blog\/servers\/setting-up-your-own-vps-from-scratch\/","title":{"rendered":"How to set up your own VPS from scratch"},"content":{"rendered":"<p><a href=\"http:\/\/www.nikola-breznjak.com\/blog\/servers\/vps-with-1gb-of-ram-for-19-per-year\/\">I bought a VPS<\/a>\u00a0on a sale on WeLoveServers.net for a crazy 48$ a year with 2GB of RAM. If you know a cheaper one, please share it in the comments. Anyways, since this is a barebones setup, I had to set it up myself and this is how I did it.<\/p>\n<p>I followed a great tutorial from\u00a0<a href=\"https:\/\/www.digitalocean.com\/?refcode=974c9bc93d77\">DigitalOcean<\/a>:\u00a0<a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/initial-server-setup-with-centos-7\">https:\/\/www.digitalocean.com\/community\/tutorials\/initial-server-setup-with-centos-7<\/a><\/p>\n<h3>Login<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-connect-to-your-droplet-with-ssh\">login<\/a> as <strong>root<\/strong><\/li>\n<li>change root&#8217;s password with the <strong>passwd<\/strong> command<\/li>\n<li>add a new user &#8211; <strong>useradd myuser<\/strong><\/li>\n<li>change the user&#8217;s password &#8211; <strong>passwd myuser<\/strong><\/li>\n<li><span style=\"color: #000000;\">on CentOS 7, users who belong to the &#8220;wheel&#8221; group are allowed to use the\u00a0<\/span><code style=\"color: #111111;\">sudo<\/code><span style=\"color: #000000;\">\u00a0command:\u00a0<strong>gpasswd -a myuser wheel<\/strong> or take the usual route of editing the sudoers file with\u00a0<\/span><strong>\/usr\/sbin\/visudo<\/strong> and adding the line\u00a0<strong>myuser ALL=(ALL) 
ALL<\/strong><\/li>\n<li><strong>ssh-keygen<\/strong>\u00a0&#8211; you get id_rsa and id_rsa.pub files; upload the public one (only the public one OFC!) to the <strong>.ssh\/<\/strong> folder in your home directory (you should do chmod 700 .ssh after mkdir-ing it)<\/li>\n<li>create the file\u00a0<strong>authorized_keys<\/strong>, paste the contents of the id_rsa.pub file into it, and restrict access to it with\u00a0<strong>chmod 600 .ssh\/authorized_keys<\/strong><\/li>\n<\/ul>\n<h3>SSH settings<\/h3>\n<ul>\n<li><strong>sudo vi \/etc\/ssh\/sshd_config<\/strong>\n<ul>\n<li>Port 25000<br \/>\nProtocol 2<br \/>\nPermitRootLogin no<br \/>\nUseDNS no<br \/>\nAllowUsers myuser<\/li>\n<\/ul>\n<\/li>\n<li><strong>systemctl reload sshd.service <\/strong>or service sshd restart<\/li>\n<\/ul>\n<h3>Firewall<\/h3>\n<ul>\n<li>my version of CentOS ships with <strong>iptables<\/strong>, but in the article he works with\u00a0a firewall called <strong>firewalld\u00a0<\/strong>(<strong>yum install firewalld<\/strong> to install it)<\/li>\n<li>lock down everything that you\u00a0do not have a good reason to keep open<\/li>\n<li><strong>sudo systemctl start firewalld<\/strong><\/li>\n<li>uses the concept of &#8220;zones&#8221; to label the trustworthiness of the other hosts<\/li>\n<li><strong>sudo firewall-cmd --permanent --add-service=ssh<\/strong><\/li>\n<li>if you use a different port for SSH (such as the Port 25000 set in sshd_config above), open that port instead\n<ul>\n<li>sudo firewall-cmd --permanent --remove-service=ssh<br \/>\nsudo firewall-cmd --permanent --add-port=25000\/tcp<\/li>\n<\/ul>\n<\/li>\n<li><strong>sudo firewall-cmd --permanent --add-service=http<\/strong><\/li>\n<li>sudo firewall-cmd --permanent --add-service=https<\/li>\n<li>sudo firewall-cmd --permanent --add-service=smtp<\/li>\n<li>all the\u00a0services that you can enable:\u00a0<strong>sudo firewall-cmd --get-services<\/strong><\/li>\n<li>list exceptions:\u00a0<strong>sudo firewall-cmd --permanent 
--list-all<\/strong><\/li>\n<li><strong>sudo firewall-cmd --reload<\/strong><\/li>\n<li>start firewall at boot:\u00a0<strong>sudo systemctl enable firewalld<\/strong><\/li>\n<\/ul>\n<h3>Timezone<\/h3>\n<ul>\n<li><strong>sudo timedatectl list-timezones<\/strong><\/li>\n<li><strong>sudo timedatectl set-timezone Europe\/Zagreb<\/strong><\/li>\n<li>confirm the change has been done:\u00a0<strong>sudo timedatectl<\/strong><\/li>\n<\/ul>\n<h3>NTP<\/h3>\n<ul>\n<li><strong>sudo yum install ntp<\/strong><\/li>\n<li>sudo systemctl start ntpd<\/li>\n<li>sudo systemctl enable ntpd<\/li>\n<\/ul>\n<h3>swap<\/h3>\n<ul>\n<li>allows the system to move the less frequently accessed information of a running program from RAM to a location on disk,\u00a0especially useful if you plan to host any <strong>databases<\/strong> on your system<\/li>\n<li>an amount equal to or double the amount of RAM on your system is a good starting point<\/li>\n<li><strong>sudo fallocate -l 4G \/swapfile<\/strong><\/li>\n<li><strong>sudo chmod 600 \/swapfile<\/strong><\/li>\n<li><strong>sudo mkswap \/swapfile<\/strong><\/li>\n<li><strong>sudo swapon \/swapfile<\/strong><\/li>\n<li>in case after the last command you get an error like this: &#8220;<strong>swapon: \/swapfile: swapon failed: Operation not permitted<\/strong>&#8221;, that basically means that you&#8217;re most probably on OpenVZ and that you can&#8217;t create a swap file (more on <a href=\"http:\/\/serverfault.com\/questions\/107764\/centos-adding-swap-file-failed\">serverfault.com<\/a>)<\/li>\n<li>if you didn&#8217;t get an error then do:\u00a0<strong>sudo sh -c 'echo &quot;\/swapfile none swap sw 0 0&quot; &gt;&gt; \/etc\/fstab'<\/strong> to start it at boot<\/li>\n<\/ul>\n<h3>fail2ban<\/h3>\n<ul>\n<li>it\u00a0scans through log files and reacts to offending actions such as repeated failed login attempts<\/li>\n<li>it is packaged in EPEL (Extra Packages for Enterprise Linux), so add that repository first<\/li>\n<li><strong>wget 
http:\/\/dl.fedoraproject.org\/pub\/epel\/7\/x86_64\/e\/epel-release-7-2.noarch.rpm<\/strong><\/li>\n<li><strong>sudo rpm -ivh epel-release-7-2.noarch.rpm<\/strong><\/li>\n<li><strong>sudo yum install fail2ban<\/strong><\/li>\n<li>the default configuration file is\u00a0<strong>\/etc\/fail2ban\/jail.conf<\/strong>, but copy it to jail.local and make your changes there:<br \/>\n<strong>sudo cp \/etc\/fail2ban\/jail.conf \/etc\/fail2ban\/jail.local<\/strong><\/li>\n<li>sudo vi \/etc\/fail2ban\/jail.local<\/li>\n<li><strong>sudo chkconfig fail2ban on<\/strong><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>I bought a VPS\u00a0on a sale on WeLoveServers.net for a crazy 48$ a year with 2GB of RAM. If you know a cheaper one, please share it in&hellip;<\/p>\n","protected":false},"author":1,"featured_media":959,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[38],"tags":[],"class_list":["post-904","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-servers"],"_links":{"self":[{"href":"https:\/\/nikola-breznjak.com\/blog\/wp-json\/wp\/v2\/posts\/904","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nikola-breznjak.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nikola-breznjak.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nikola-breznjak.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nikola-breznjak.com\/blog\/wp-json\/wp\/v2\/comments?post=904"}],"version-history":[{"count":8,"href":"https:\/\/nikola-breznjak.com\/blog\/wp-json\/wp\/v2\/posts\/904\/revisions"}],"predecessor-version":[{"id":2100,"href":"https:\/\/nikola-breznjak.com\/blog\/wp-json\/wp\/v2\/posts\/904\/revisions\/2100"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nikola-breznjak.com\/blog\/wp-json\/wp\/v2\/media\/959"}],"wp:attachment":[{"href":"https:\/\/nikola-breznjak.com\/blog\/wp-json\/wp\/v2\
/media?parent=904"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nikola-breznjak.com\/blog\/wp-json\/wp\/v2\/categories?post=904"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nikola-breznjak.com\/blog\/wp-json\/wp\/v2\/tags?post=904"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}