I bought two VPS hosts for my web server and email server project. I specifically bought them from HostMada. I haven’t decided if I like them or not, but they were cheap and relatively painless to purchase from. I started with one of the servers and wanted to document my steps, as I am sure I will have to do something similar once I boot up the other one.

1. Login

So the first thing I did was ssh into the machine directly, specifically as the root user, as that is the user they set up for me with the password I selected.

ssh root@[VPS IP ADDRESS]

2. Update it.

The first thing I did on logging in was run all the updates I could. I am super scared of having a non-updated server directly on the internets. No sudo needed here as I am logged in as root.

apt-get update
apt-get upgrade
apt-get dist-upgrade
apt-get autoremove
apt-get update
apt-get upgrade
apt-get dist-upgrade
apt-get autoremove

I didn’t need the second round there, but I felt dirty after the first round with something like hundreds of updates available. I have never seen so many updates to a Linux system, and this one is already plugged into the internet (shudder).

3. Change root password

I don’t know if this is strictly necessary, but the vendor I chose sent me the root password to my new server in an unencrypted email (ugh). As such, the next thing I did was update the root password to something long and random. If you are struggling to find entropy, I always suggest Steve Gibson’s solution grc.com/passwords.

passwd root

4. Create a new user

I don’t want to use the root account to ssh into this machine. I don’t like making it that easy for ssh brute-forcing bots.

groupadd admin
adduser aaron
usermod -a -G admin aaron
dpkg-statoverride --update --add root admin 4750 /bin/su

I switch over to the new user (double check sudo works here)

su aaron

5. Locking down ssh a bit

sudo apt-get install nano
sudo nano /etc/ssh/sshd_config

Change the port to something random:

Port [SSH PORT]

Turn off the ability to log in as root:

PermitRootLogin no

I also turn off the language setting while I’m here. Just comment out this line:

#AcceptEnv LANG LC_*

The reason I do this is because my client has newer language options than my server and this creates perl issues down the road for me.

Then go ahead and restart the ssh service.

sudo service ssh restart

I then log off and attempt to log on using port 22, which should fail

ssh root@[VPS IP ADDRESS]

and then try on the right port with the root account, which should also fail

ssh root@[VPS IP ADDRESS] -p[SSH PORT]

and then try with my account on the right port which should work.

ssh aaron@[VPS IP ADDRESS] -p[SSH PORT]

and then I back out again and post my public key up to the server (this only works if you have already created a private-public key pair on your local machine using ssh-keygen - good tutorial on thegeekstuff)

ssh-copy-id -p [SSH PORT] aaron@[VPS IP ADDRESS]

Before moving on, I actually do the same thing on a different computer. I like having multiple computers that have the ability to log in before I turn off the password login option. Anyway, on to turning off the password logon.

sudo nano /etc/ssh/sshd_config

Changing this one line turns off password auth, but you may have to uncomment it.

PasswordAuthentication no

Restart the service again and test to make sure you can’t get in unless you are passing the appropriate keys.

sudo service ssh restart
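
Added example, not part of the original post: a small offline audit of an sshd_config for the three settings changed in this step. It shows a case the manual test can miss: sshd keeps the first value it reads for a keyword, so a "PasswordAuthentication no" added below an existing "yes" has no effect. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): offline audit of an sshd_config
# for the three settings changed in step 5.

# Print the value sshd would use for keyword $2 in file $1. sshd keeps the
# FIRST value it reads for a keyword, keywords are case-insensitive, and
# settings after a "Match" line are conditional, so scanning stops there.
sshd_effective() {
    awk -v key="$2" '
        $1 ~ /^#/ { next }                      # commented-out line
        tolower($1) == "match" { exit }         # conditional block starts
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Check file $1 against the guide; prints findings, returns the failure count.
audit_sshd_config() {
    file=$1 failures=0
    port=$(sshd_effective "$file" Port)
    root=$(sshd_effective "$file" PermitRootLogin)
    pass=$(sshd_effective "$file" PasswordAuthentication)
    if [ "${port:-22}" = 22 ]; then             # unset means the default, 22
        echo "FAIL Port is still 22"; failures=$((failures + 1))
    fi
    if [ "$root" != no ]; then
        echo "FAIL PermitRootLogin is '${root:-unset}', want 'no'"; failures=$((failures + 1))
    fi
    if [ "$pass" != no ]; then
        echo "FAIL PasswordAuthentication is '${pass:-unset}', want 'no'"; failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ] && echo "OK $file"
    return "$failures"
}

# Constructed sample: "PasswordAuthentication no" was appended at the end,
# but the earlier uncommented "yes" is the value sshd uses.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
# AcceptEnv LANG LC_*
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "$? setting(s) need attention"
```

On the server itself, "sudo sshd -t" checks the file for syntax errors before the restart, and "sudo sshd -T" prints the effective configuration, including anything pulled in by Include lines.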

6. Uninstalling extra “features”

For some reason this machine is running a few software packages that I will not be using. I ran the following apt command and scanned the list of all installed packages to see what I wasn’t planning on using.

apt list --installed

I then started judiciously removing software I didn’t want.

sudo apt-get remove --purge samba
sudo apt-get remove --purge bind9
sudo apt-get remove --purge apache2
sudo apt-get remove --purge postfix

After all this, I went ahead and rebooted to clean house a bit…

sudo reboot

7. Setup the firewall the easy way

iptables is complicated, so I install ufw, the Uncomplicated Firewall, which is really just a simple front end for iptables.

sudo apt-get install ufw
sudo ufw allow [SSH PORT]/tcp
# rate-limit the port sshd actually listens on ("limit ssh" would apply to port 22)
sudo ufw limit [SSH PORT]/tcp
sudo ufw allow out 53
sudo ufw enable

8. Edit sysctl.conf as securely as possible

sudo nano /etc/sysctl.conf

The following settings should be uncommented or added as needed.

# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Do not send ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore all pings (ICMP echo requests)
net.ipv4.icmp_echo_ignore_all = 1

To make the changes actually take effect, you must reload sysctl

sudo sysctl -p
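
Added example, not part of the original post: a check that the values written to sysctl.conf are the ones the kernel is actually running with, by comparing each key against its file under /proc/sys. It also reports keys the kernel does not expose, such as the net.ipv6 entries on a host with IPv6 disabled. The function name and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report sysctl.conf settings
# that differ from the running kernel, e.g. because "sysctl -p" was never run.

# $1 = conf file, $2 = sysctl tree (default /proc/sys; overridable for testing).
# Prints one line per mismatch and returns the mismatch count.
sysctl_drift() {
    conf=$1 root=${2:-/proc/sys} drift=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d ' \t')
        case $line in
            '#'*|';'*) continue ;;      # comment
            *=*) ;;                     # key=value, handled below
            *) continue ;;              # blank or malformed line
        esac
        key=${line%%=*} want=${line#*=}
        # net.ipv4.tcp_syncookies lives at $root/net/ipv4/tcp_syncookies
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ ! -r "$path" ]; then
            echo "MISSING $key (cannot read $path)"; drift=$((drift + 1))
        elif [ "$(tr -d ' \t\n' < "$path")" != "$want" ]; then
            echo "DRIFT $key: running=$(cat "$path") wanted=$want"; drift=$((drift + 1))
        fi
    done < "$conf"
    return "$drift"
}

# Constructed sample: a fake /proc/sys tree where rp_filter is still 0 and
# IPv6 is absent, checked against three of the settings listed above.
demo_tree=$(mktemp -d) demo_conf=$(mktemp)
mkdir -p "$demo_tree/net/ipv4/conf/all"
echo 0 > "$demo_tree/net/ipv4/conf/all/rp_filter"
echo 1 > "$demo_tree/net/ipv4/tcp_syncookies"
cat > "$demo_conf" <<'EOF'
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_redirects = 0
EOF
sysctl_drift "$demo_conf" "$demo_tree" || echo "$? setting(s) differ from the running values"
```

On the server, run it as sysctl_drift /etc/sysctl.conf with no second argument so it reads the live /proc/sys.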

9. Install logwatch

This application is a great way to view system logs. It parses them for different information and just generates a simple report that is easy to read. By default this will run daily and do whatever you like with the reports. It can save them on the server, but I usually set it up to email them to me daily.

sudo apt-get install logwatch

To edit the config to the way I like it

sudo nano /usr/share/logwatch/default.conf/logwatch.conf

and I make just a few small changes:

Output = mail
Format = html
MailTo = [my email address]
MailFrom = [my servers email address]

That is about it. To test it out, I simply run the command that is in the daily cron file

sudo cat /etc/cron.daily/00logwatch
sudo /usr/sbin/logwatch --output mail

Now I go check my spam folder in my email account as these always get marked as spam. That is about it for the whole setup. If you have any questions or see any improvements to this please leave a comment below.

10. Credits

There is little to no original thought here. This was taken from, and tweaked as needed from, the following excellent tutorial pages: www.thefanclub.co.za, learnaholic.me, linoxide.com