Set Up VPS on Debian
Setting Up Your First VPS: Secure Configuration Guide
When setting up a new VPS, securing access is critical to prevent unauthorized usage.
In this guide, you'll:
- create a new user
- disable SSH root access
- configure SSH key-based authentication for added security.
Step 1: Initial Login as Root
By default, VPS providers often grant root access. Start by logging in using the provided credentials:
ssh root@<your-server-ip>
Update and Upgrade Packages
apt update && apt upgrade -y
Step 2: Create a New User
Replace <username> with your preferred username:
# -m create home directory
# -s /bin/bash set shell to bash
# -G sudo add user to sudo group
useradd -m -s /bin/bash -G sudo <username>
Set a password for the user. It will be required when you send your SSH key with the ssh-copy-id command.
passwd <username>
To delete the user:
userdel -r <username>
-r: Removes the user's home directory.
Step 3: Configure SSH Key-Based Authentication
3.1. Generate an SSH Key Pair (Local Machine)
On your local machine (not the VPS), check if you already have an SSH key:
ls ~/.ssh
Look for files like id_rsa and id_rsa.pub. If these files exist, you already have an SSH key. Skip to 3.2 to retrieve your public key.
If no SSH key exists, generate one with the following command:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
# or
ssh-keygen -t rsa -b 4096 -f ~/.ssh/my_key
- -t rsa: Specifies the RSA algorithm.
- -b 4096: Sets the key size to 4096 bits (more secure).
- -C "your_email@example.com": Adds a comment to identify the key.
Follow the prompts:
- Press Enter to save the key in the default location (~/.ssh/id_rsa).
- Optionally, set a passphrase for additional security.
3.2. Copy the Public Key to the VPS
Your public key is stored in the file ~/.ssh/id_rsa.pub. To copy it to the VPS, run:
ssh-copy-id <username>@YOUR_VPS_IP
# or
ssh-copy-id -i ~/.ssh/my_key.pub <username>@YOUR_VPS_IP
3.4. Test SSH Key Authentication
On your local machine, test the connection to your VPS using the <username> account:
ssh <username>@<your-server-ip>
# if using port:
ssh -p <port> <username>@<your-server-ip>
# or with the new key path
ssh -i ~/.ssh/my_key <username>@<your-server-ip>
If the setup is correct, you’ll log in without being prompted for a password.
Step 4: Disable Root SSH Login
Edit the SSH Configuration File
Open the SSH daemon configuration file:
sudo vi /etc/ssh/sshd_config
Update the Following Settings
Disable root login:
PermitRootLogin no
Disable password authentication:
PasswordAuthentication no
Save and exit the file, then restart the SSH service:
sudo systemctl restart sshd
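An added example (not part of the original guide): a check of the effective settings as reported by sshd -T, which also catches the case where a file under /etc/ssh/sshd_config.d/ that your sshd_config includes overrides the edit made above. The function names and sample lines are constructed for illustration, and the code assumes sshd -T's lowercase "keyword value" output.

```shell
#!/bin/sh
# Added example: audit the *effective* sshd settings from Step 4.
# Input is `sshd -T` output on stdin (lowercase "keyword value" lines).

# expect_setting KEYWORD WANTED: compare one setting held in $cfg.
expect_setting() {
    # Take the first line whose keyword matches and read its value.
    actual=$(printf '%s\n' "$cfg" | awk -v k="$1" '$1 == k { print $2; exit }')
    if [ "$actual" = "$2" ]; then
        echo "OK    $1 $actual"
        return 0
    fi
    echo "FAIL  $1 is '${actual:-unset}', expected '$2'"
    return 1
}

# check_sshd_hardening: returns 0 only if every expected setting matches.
check_sshd_hardening() {
    cfg=$(cat)
    rc=0
    expect_setting permitrootlogin no || rc=1
    expect_setting passwordauthentication no || rc=1
    # Key login must stay enabled, or disabling passwords locks you out.
    expect_setting pubkeyauthentication yes || rc=1
    return "$rc"
}

# Constructed sample: the main file was edited, but an included drop-in
# still enables passwords, so the effective value is "yes".
sample_overridden() {
    printf '%s\n' 'port 22' 'permitrootlogin no' \
        'passwordauthentication yes' 'pubkeyauthentication yes'
}

# Constructed sample: the state Step 4 is aiming for.
sample_hardened() {
    printf '%s\n' 'port 22' 'permitrootlogin no' \
        'passwordauthentication no' 'pubkeyauthentication yes'
}

# On the VPS (assumption: run as root so sshd can read its host keys):
#   sshd -T | check_sshd_hardening
```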
Step 5: Final Security Check
Test New Configuration
Open a new terminal and verify that:
- You can log in with the new user.
- Root login is disabled.
- Password-based login is disabled.
Firewall Setup (Optional)
Enable the firewall and allow only SSH traffic:
ufw allow OpenSSH
ufw enable
Step 6: Backup and Monitor
Backup Your SSH Keys
Ensure your private key is securely stored on your local machine.
Monitor Login Attempts
Check login activity using:
cat /var/log/auth.log
Optional: Install Docker
sudo apt update
sudo apt install -y ca-certificates curl gnupg
Add Docker’s official GPG key
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
Add the repository to your sources list:
echo \
"deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
"$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
Install Docker Engine
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
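Allow your user to run Docker without sudo.
Add your <username> user to the docker group. Membership in the docker group is effectively root-equivalent on the host, so add only accounts you would trust with sudo.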
sudo usermod -aG docker <username>
Log out and log back in to apply the changes.
exit
Test Docker installation:
docker run hello-world