VPS Setup Guide
This is intended to be a very basic guide to getting a VPS up and going. It's aimed at the hobbyist who has enough Linux knowledge to want to use a VPS but isn't quite sure how to go about getting it up and going. It assumes you'll be using an Ubuntu VPS from bitfolk; if this isn't the case then some of the things in this guide may be slightly off.
The sudo command is used a lot; it allows a 'normal' user to execute a command as root. When you use sudo you'll be prompted for your password the first time (and every so often afterwards). Your password should be provided in the email sent when your VPS is configured.
Commands which need to be typed into a terminal (or better still copy-pasted) appear in underlined italics.
Before we order our VPS we're going to set up a public/private key pair to use for logging into it. If you already have a pair (e.g. for another VPS) then skip this step.
Using PuTTY in Windows
You need to download putty and puttygen from putty.org if you haven't already. Generating your private and public keys is easy: simply open puttygen, change the key length to 2048 (using the text box at the bottom of the window) and click generate.
Once you've made them you need to save both the private and public key. Make sure the private key is saved to a secure place - you MUST protect it. Make sure you use a passphrase.
Next we need to use putty to connect to our VPS. Open putty and enter the address you were given to connect to, but before clicking open you need to:
- Navigate to Connection > SSH > Auth using the setup tree on the left of the window.
- Set the private key file to use (it's the one you saved earlier)
- If you wish to save these settings then click terminal at the top of the tree and use the save button, otherwise click the open button.
Use the command ssh-keygen -t rsa -b 2048 to generate your keys. Use the default options. You should use a pass-phrase; you'll be prompted for this whenever the private key is used. You should provide the contents of ~/.ssh/id_rsa.pub as your public key when you provision your VPS.
Provisioning the VPS is a simple matter of visiting www.bitfolk.com/plans.html and following the instructions. Make sure:
- You specify the package you want (not needed if using a paypal button).
- Which hostname you'd like the VPS setup to use.
- Which linux distribution you'd like, remember this guide assumes Ubuntu.
- You give them a copy of the public key you just set up, and specify the login name it should be linked with.
- Assuming you want backups either how much extra space you want to buy for them, or how much space to 'steal' from the vps for them.
- Your name and postal address.
- Most importantly that I sent you - specify yellow.tangyorange.co.uk
As soon as you can after getting the email from Andy to confirm that your VPS is up, you need to log in and start securing it. This is an important part as it protects you from having your VPS abused (and therefore incurring excess bandwidth charges and the wrath of Andy).
Change Your Password
An important first step is to change your password; use the command passwd for this. Make sure that you choose a strong password (8 or more characters, containing lower case, upper case and numbers) or visit www.grc.com/passwords.htm and use at least the first 8 characters from the '63 random printable ASCII characters' box.
The firewall is a bit of software which will control the internet traffic allowed into and out of your VPS. We'll be using iptables as it's powerful yet easy to set up, once you've learnt the options you need. iptables works on the concept of chains: every packet it looks at starts life in a chain, in our case either INPUT (for incoming data) or OUTPUT (for outgoing data). Rules are applied to these chains in order to tell the firewall what to do with these packets; if no rules match then the policy of the chain gets applied to the packet.
The first step is to install iptables so run sudo apt-get install iptables
We'll make sure any incoming stuff which relates to an established connection is allowed: sudo iptables --append INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
We need to make sure we allow inbound ssh: sudo iptables --append INPUT -p tcp --dport ssh -j ACCEPT
Lastly we make sure that any other incoming data is ignored: sudo iptables --policy INPUT DROP
Some people find it useful to be able to use ping to check if internet machines are still there. The following command will add the rules needed to allow incoming ping requests and ping replies: sudo iptables --append INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT; sudo iptables --append INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
We'll also want to drop all ip6 packets (unless we're going to be using it). ip6tables works the same as iptables except it deals with IPv6 not IPv4. So sudo ip6tables --policy INPUT DROP and that's done.
One problem with iptables is that it clears the rules for an interface whenever it gets taken down, so we'll set things up so that when the interface goes down we save the rules we have and we'll reload them when the interface is started:
- Open the interfaces config: sudo nano -w /etc/network/interfaces
- In the section for eth0 we'll add the following lines:
  - pre-up iptables-restore -c < /etc/network/iptables.rules
  - pre-down iptables-save -c > /etc/network/iptables.rules
  - pre-up ip6tables-restore -c < /etc/network/ip6tables.rules
  - pre-down ip6tables-save -c > /etc/network/ip6tables.rules
- Control-X to exit, choose to save the file.
- Create a copy of the rules now by running sudo bash -c 'iptables-save -c > /etc/network/iptables.rules' and sudo bash -c 'ip6tables-save -c > /etc/network/ip6tables.rules'
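Because the saved rules file is what gets loaded when the interface comes up, it is worth checking that it still lets SSH in before relying on it. The following is an added example, not part of the original guide: it walks the INPUT chain of a saved ruleset in order, as described above, and prints what happens to a new SSH connection. The sample ruleset and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: evaluate a saved ruleset the way the INPUT chain is walked.
# Only the match options used in this guide are understood; rules limited by
# -s or -i are treated as not matching.

# Constructed sample in iptables-save -c format (counters are made up).
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[120:9600] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[3:180] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[2:168] -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
EOF
}

# Print the verdict for a NEW inbound TCP connection to port 22:
# the target of the first matching rule, else the chain policy.
ssh_verdict() {
    awk '
        $1 == "*filter" { in_filter = 1; next }
        $1 == "COMMIT"  { in_filter = 0; next }
        !in_filter      { next }
        $1 == ":INPUT"  { policy = $2; next }
        {
            sub(/^\[[0-9]+:[0-9]+\] */, "")   # strip the -c counters
            if ($1 != "-A" || $2 != "INPUT") next
            target = ""; hit = 1
            for (i = 3; i < NF; i++) {
                arg = $(i + 1)
                if ($i == "-j") target = arg
                else if ($i == "-p" && arg != "tcp") hit = 0
                else if ($i == "--dport" && arg != "22") hit = 0
                else if (($i == "--state" || $i == "--ctstate") && arg !~ /(^|,)NEW(,|$)/) hit = 0
                else if ($i == "-s" || $i == "-i") hit = 0
            }
            if (hit && target ~ /^(ACCEPT|DROP|REJECT)$/) { print target; decided = 1; exit }
        }
        END { if (!decided) print policy }
    ' "$1"
}

# Demo on the constructed sample; on the VPS pass /etc/network/iptables.rules.
demo=$(mktemp) && sample_rules > "$demo" && ssh_verdict "$demo"
rm -f "$demo"
```

Anything other than ACCEPT means the next time the rules are restored you will not be able to open a new SSH session.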
There are several things which we can do to strengthen the SSH service on our VPS; we're just going to worry about a few of the main ones. You'll need to edit the file /etc/ssh/sshd_config (use the command sudo nano -w /etc/ssh/sshd_config):
- Only allow root to log in using a key (and then only to run allowed commands):
  - Change the line starting 'PermitRootLogin' to 'PermitRootLogin forced-commands-only'
- Require everyone else to use a key to log in:
  - Change the line starting 'PasswordAuthentication' to 'PasswordAuthentication no'
- Andy will already have done this step for the public key you gave him. If you wish to add other keys you'll need to:
  - Open the file /home/<username>/.ssh/authorized_keys, replacing <username> with the username of the user to add the key to.
  - Copy and paste the contents of the public key to the end of the file, one key per line.
  - Press Control-X to exit and save your changes
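A quick way to confirm the two sshd_config changes above actually took hold, as an added example that is not part of the original guide. The function names and the sample file are constructed; the parser only reads the global section of a single file.

```shell
#!/bin/sh
# Added example: check an sshd_config for the two settings changed above.
# sshd keywords are case-insensitive and the FIRST value found for a keyword
# is the one used, so a corrected line appended below an old one has no effect.

# Print the value in force for keyword $2 in file $1 (global section only).
sshd_setting() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*(#|$)/         { next }   # comments and blank lines
        tolower($1) == "match" { exit }   # conditional blocks start here
        tolower($1) == want    { print tolower($2); exit }
    ' "$1"
}

# Return 0 only when both settings from the guide are in force.
check_ssh_hardening() {
    conf=$1
    rc=0
    root=$(sshd_setting "$conf" PermitRootLogin)
    pass=$(sshd_setting "$conf" PasswordAuthentication)
    if [ "$root" != "forced-commands-only" ]; then
        echo "PermitRootLogin is '${root:-unset}', want forced-commands-only" >&2
        rc=1
    fi
    if [ "$pass" != "no" ]; then
        echo "PasswordAuthentication is '${pass:-unset}', want no" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample: the edit was appended instead of changing the old line.
sample_conf() {
    cat <<'EOF'
# constructed example, not a real server config
Port 22
PermitRootLogin forced-commands-only
passwordauthentication yes
PasswordAuthentication no
EOF
}

demo=$(mktemp) && sample_conf > "$demo"
check_ssh_hardening "$demo" || echo "sample config is not hardened"
rm -f "$demo"
```

sshd only applies the edited file after it is reloaded, and sudo sshd -T prints the settings actually in force, including any Include files this parser does not follow.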
Blocking Failed Logins
One of the most common attacks against a machine on the internet is trying to gain access using several different passwords (a dictionary attack). We'll be installing a software package which will block IP addresses (for a few minutes) in order to stop these attacks. Simply run: sudo apt-get install fail2ban
One of the most important things about staying secure is to make sure that the software on your VPS is kept up to date. New bugs are found, exploited and fixed all the time; by staying up to date you significantly reduce your chances of being cracked as a result of one of these bugs.
Firstly get a list of available updates: sudo aptitude update
Secondly apply the updates: sudo aptitude safe-upgrade
It can be a pain to manually check for updates frequently enough, so we'll set up the VPS to nag us when updates are available. We'll be using a package called apticron for this:
- Install apticron: sudo apt-get install apticron
- Configure apticron:
  - Open the config file: sudo nano -w /etc/apticron/apticron.conf
  - Change the value of EMAIL to your email address
Skip this section if you're sure you either don't want backups or that you'll take care of them yourself.
The backup machine logs in as root over ssh and uses rsync to backup the chosen files, so we need to:
- Install rsync: sudo apt-get install rsync
- Allow the backup server to log in:
  - Open www.bitfolk.com/keys/rsnapshot.pub.txt in a browser and copy the line starting ssh-rsa to the clipboard.
  - Edit /root/.ssh/authorized_keys: sudo nano -w /root/.ssh/authorized_keys
  - At the end of the file start a new line with 'command="/root/validate-rsync" ' then paste the previously copied line from the clipboard. This means that when the backup server logs in it will be forced to run the script /root/validate-rsync, which in turn means that only the rsync command can be used.
  - Download the validate-rsync script from the bottom of the page and save it to /root/validate-rsync
  - Change permissions on the script so it can be used: sudo chmod u=wrx,og=rx /root/validate-rsync
- Tell bitfolk what to backup - send an email to their support address giving a list of directories to backup, if you didn't setup backup space when you provisioned the VPS you'll also need to specify how much extra disk space you want to purchase.
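The validate-rsync script itself is not reproduced on this page. As an added illustration of how a forced-command wrapper of this kind works (this is not the script the guide links to), the following checks the command the backup server asked for before running it. Restricting it to "--server --sender" assumes backups are only ever pulled from the VPS; the function name is constructed.

```shell
#!/bin/sh
# Added example of a forced-command wrapper; NOT the script linked from the
# original page. sshd places the command the client requested in
# SSH_ORIGINAL_COMMAND and runs this script instead of it.

NL='
'

# Return 0 only for an rsync server invocation that reads from this host.
# Assumption: backups are pulled, so rsync is started with --server --sender.
is_allowed_rsync() {
    case $1 in
        *"$NL"*)                       return 1 ;;  # embedded newline
        *\;*|*\&*|*\|*)                return 1 ;;  # command chaining
        *\<*|*\>*)                     return 1 ;;  # redirection
        *\`*|*\$*|*\(*|*\)*|*\{*|*\}*) return 1 ;;  # substitution, grouping
        "rsync --server --sender "*)   return 0 ;;
        *)                             return 1 ;;
    esac
}

# Only act when sshd has set the variable, i.e. when run as a forced command.
# A login with no command requested falls through and the session just ends.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if is_allowed_rsync "$SSH_ORIGINAL_COMMAND"; then
        set -f                        # no filename globbing on the arguments
        exec $SSH_ORIGINAL_COMMAND    # unquoted on purpose: split into argv
    fi
    echo "Rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

Because the key in authorized_keys is tied to this wrapper with command="...", whoever holds the backup key can read files through rsync but cannot get a shell or run anything else.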
Now you're ready to install and configure the services which you purchased your VPS to run. Remember to add firewall rules to allow the incoming connections which they require.