So I heard you are ready to spin up a Cloud VPS? No problem. But you have some setup to do first, such as security and automatic updates.
I’m using Debian as the guide here. If you are using a different distro, the commands will differ.
Linux is the kind of operating system that will do exactly what you tell it to do. So don’t run commands as root and don’t use the root account as your own account. When you log in as root, every application you run will run with root privileges. This can lead to apps deleting files or creating files in places they shouldn’t, and it can break your system.
Most VPS companies will set the machine up with a root account and give you the freedom to do anything. So we are going to create a user and give it superuser privileges.
adduser yourusername # Add user yourusername
usermod -aG sudo yourusername # Add yourusername to the sudo group
Now you have your own user!
Exit the root session and log in as your new user.
We are going to prevent the root user from logging in over SSH, to improve security and reduce the attack surface. I’m using vim; you can use nano or another text editor.
sudo vim /etc/ssh/sshd_config
Editing system configuration files requires superuser privileges.
In the config file, find the line PermitRootLogin yes, and replace the word yes with no. Save the file and restart SSH:
sudo systemctl restart sshd
Here we are going to reduce the attack surface further by limiting the ports open on the firewall.
I use Uncomplicated Firewall (ufw) on my Debian box.
Install it by using:
sudo apt install -y ufw
sudo ufw status
This command will tell you if your firewall is active and list all the ports that are open. In my case, I use this server as a web server with a reverse proxy on it.
To ensure security, I want to close a port I no longer need.
For example, I want to close port 8448:
sudo ufw deny 8448
sudo ufw reload
Always close ports you no longer need.
Don’t forget to reload your firewall after setting it up.
Secure Shell uses port 22. There’s nothing wrong with using this port, but it is too common: it’s really easy to determine whether your machine is running SSH. The best practice is to change it to another port.
Let’s open up SSH’s config file again. Change the port to any port higher than 3000.
Make sure you have that port opened on your firewall, and restart both your SSH service and your firewall.
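A check for the two sshd_config changes made above (root login disabled, SSH moved to a port above 3000), added here as an example and not part of the original post. The function names and the sample config are made up for illustration, and it reads only the global section of a single file.

```shell
#!/bin/sh
# Assumption: only the global section of one file is read (no Include files,
# no Match blocks) and keywords are written in the "Keyword value" form.

# global_values FILE KEYWORD: print every value set for KEYWORD, in file order.
# Keywords are case-insensitive; "#" lines and blank lines are skipped.
global_values() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0       { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2) }
    ' "$1"
}

# audit_sshd FILE: print one line per finding; exit status = number of findings.
audit_sshd() {
    findings=0
    # sshd keeps the first value it reads for a keyword; unset means the
    # OpenSSH default, which for PermitRootLogin is prohibit-password.
    root=$(global_values "$1" PermitRootLogin | head -n 1)
    root=${root:-prohibit-password}
    if [ "$root" != "no" ]; then
        echo "FAIL PermitRootLogin is '$root', expected 'no'"
        findings=$((findings + 1))
    fi
    # Port may be given several times and sshd listens on all of them;
    # with no Port line it listens on 22.
    ports=$(global_values "$1" Port)
    for port in ${ports:-22}; do
        if [ "$port" -le 3000 ]; then
            echo "FAIL sshd listens on port $port, expected a port above 3000"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample: the commented line is ignored and the last line never
# takes effect, because the earlier "PermitRootLogin yes" is read first.
sample_config() {
    printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' \
        'Port 22' 'PermitRootLogin no'
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_sshd "$tmp" || echo "findings: $?"
rm -f "$tmp"
```

On a live server, sudo sshd -T prints the settings sshd will actually use, including values that come from Include files.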
unattended-upgrades is the software that automatically updates your machine when you’re using a Debian-based system (Ubuntu, etc.).
The config file /etc/apt/apt.conf.d/20auto-upgrades can be easily created by running the following command as root:
sudo dpkg-reconfigure -plow unattended-upgrades
Select Yes and it should generate the config files automatically. Now we need to edit the config file to choose what you want updated automatically.
sudo vim /etc/apt/apt.conf.d/50unattended-upgrades
There are some lines you need to uncomment, for example
Uncommenting this line will download every new package, which is what I want: my system staying up to date all the time.
You can also uncomment only the "Debian-Security" line. This will only install security updates.
There’s nothing wrong with staying on older packages; it will give you the best stability. But I wanted my system to be up to date. It is all personal preference.
Here are some lines you can also uncomment:
This will remove the old kernel that is no longer needed.
This will remove unused dependencies if a package is updated and they are no longer needed.
This will remove unused dependencies.
Remove-Unused-Dependencies works the same as the command:
sudo apt autoremove
Last but not least, let’s check if we have done it correctly.
sudo cat /etc/apt/apt.conf.d/20auto-upgrades
apt-config dump APT::Periodic::Unattended-Upgrade
Both commands should return something like Unattended-Upgrade "1";
This indicates that your configuration is correct.
Even though we have already set up automatic updates, I still highly recommend you log in from time to time to check the SELinux log to see whether anything is not running correctly. Thanks for reading!