Introduction to VPS

1. What is a VPS server? (Virtual Private Server)

A virtual private server (VPS) is the perfect solution for those who need more control and flexibility than traditional hosting. VPS provides dedicated resources, greater security (when correctly configured) and performance. It's a great choice for growing businesses, developers, and high-traffic websites. With VPS, you can easily scale your resources, manage applications and enjoy the independence of a dedicated server at an affordable price.

2. Why choose VPS instead of Shared Hosting?

Choosing VPS over shared hosting provides greater performance, security and flexibility. VPS gives you dedicated resources, which eliminates the risk of performance degradation by other users. It also offers full control over the server configuration and the ability to adapt resources to individual needs. Perfect for websites with higher traffic and companies that need stability and better data protection.

Moreover, when we use Shared Hosting services, we are able to run only one application assigned to a given hosting. We are thus technologically and cost-limited. Currently, the prices of Shared Hosting usually start from PLN 100 per year, while we can get a cheap VPS from as little as PLN 260 per year.

Are you asking where the savings of VPS over Shared Hosting come from? As I mentioned earlier, on Shared Hosting we are able to run only one website, while VPS allows us to host an unlimited number of websites, limited only by our system resources.

Finally, it is worth mentioning a very important aspect: the technological limitations of Shared Hosting. Over 90% of Shared Hosting providers are mainly focused on supporting Wordpress applications, which may make it impossible to run applications based on technologies such as React, Laravel, Django or .NET on such a service.

3. Where to buy a VPS server?

It is worth considering purchasing a VPS server from reputable providers such as OVH, Hetzner, Hostinger, Google or DigitalOcean. The key criteria are reliability, performance and technical support. Be sure to pay attention to the location of servers, scalability options and the availability of additional services such as backups, external firewall and DDoS protection. Compare the offers and choose the solution that suits your needs.

I personally serve my clients using Hostinger solutions (unsponsored article, unfortunately...).

The company offers us VPS at very affordable prices. We can choose from server locations around the world. Additionally, we have access to functionalities such as External Firewall, Weekly Backups (included in the price), Basic server monitoring, and basic antivirus.

Linux login and update

Before you start with VPS

Before we start the secure configuration of our VPS server, you must keep one very important issue in mind: Linux as an operating system has many different distributions that differ not only in their applications, but also in architecture. This means that, depending on the selected distribution, it may be necessary to use other commands to perform certain operations.

I personally use Ubuntu and this tutorial was written with Ubuntu users in mind. If you use another Linux distribution, nothing is lost.

You can still use this material, but you will have to find the appropriate commands for your operating system distribution in several places.

In addition, this article assumes that you have already deployed your Linux and are able to log in to it using SSH.

If you do not know how to do this yourself, I invite you to this article, in which we install our Linux together, step by step, on the servers of an external VPS Server Distributor.

1. How to log in to Linux? (SSH)

SSH (Secure Shell) is a network protocol that ensures secure communication between computers. It enables remote login, server management and file transfer, while protecting your data with encryption. SSH is indispensable for system administrators and developers, guaranteeing the privacy and integrity of information. It is a standard server management tool used in various IT environments.

To log in to your machine for the first time, execute the following command (use a terminal, e.g. PowerShell or Terminus):

ssh -p 22 root@ip-of-our-vps

When you log in for the first time, you will be asked to confirm the creation of the keys. After acceptance, you will be connected to your server.

Login as Root

You are currently logged in to your VPS server as Root (Super User). This practice is never recommended until you are an advanced user. Nevertheless, it is required when first configuring our server.

Later in this stage, we will implement basic security rules, completely blocking the possibility of logging in remotely to the system as Root.

2. How to update Linux? (Ubuntu)

The first step after logging in to a new machine should be to update it. If you have already learned the basics of Linux, the following commands should be familiar to you.

sudo apt update && sudo apt upgrade -y

Don't know Linux commands yet?

At the beginning of your adventure with Linux Administration, many commands may be unfamiliar and incomprehensible to you.
Don't be afraid, I didn't know many things when I started. Fortunately, we live in times with access to the Internet :)
There are many Shell Explain applications available on the Internet!

Go to shell.how →

Linux Firewall Configuration

Before you start, configure the Firewall

A firewall is an essential tool for controlling traffic coming in and out of your server. It is the first element of the entire system that receives all queries directed to your VPS server. A properly configured firewall can almost completely protect our system, but if it is configured too aggressively, it can block access to our network applications.

Before we get to the heart of the matter, it is worth knowing that we distinguish 2 types of firewalls:

  • External firewall (e.g. the one from the VPS provider)
  • Internal Firewall (active directly on our Linux)
External + Internal Firewall Configuration

The firewall acts as a kind of filter through which all queries directed to our server pass. It's up to us what traffic we allow. The firewall configuration is mainly based on access to individual ports in our system.

If you have problems running any application on the production server, first make sure that the port on which the application is transmitting is not blocked by one of the above-mentioned Firewalls

1. How to configure an external firewall?

If your VPS server provider does not offer an External Firewall, you can skip this step without any problems.
It is not necessary, because the internal Linux implementation of the Firewall should be 100% sufficient.

The external firewall serves as additional security, which facilitates work mainly via the GUI.

Below is an example configuration of my external firewall at Hostinger provider.

  • It blocks access to all available TCP and UDP ports
  • Opens ports 80 and 443 (Web Applications)
  • Opens port 22 for the specified IP address (SSH with IP filter)
Internal Firewall Configuration

2. How to configure a Linux firewall? (UFW)

It's time for what tigers like the most, i.e. a return to the old and proven Command Line.
Below we will implement exactly the same solution as in the External Firewall.

For this purpose, we will use a simplified Linux Firewall management interface called UFW (Uncomplicated Firewall)
We will do the following:

  • We will block all incoming connections
  • We will unblock all outgoing connections
  • We will allow SSH access (Port 22)
  • We will allow access to ports 80 and 443

Installation of Uncomplicated Firewall

sudo apt install ufw

UFW Basic Rules Configuration

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Enable UFW

sudo ufw enable
sudo ufw status

This way we managed to configure our internal Firewall in a safe way. We blocked access to all ports and allowed only access to SSH (Port 22) and ports 80, 443 on which our Reverse-Proxy will listen in the future in order to host our web applications.

IP Filtration for Port SSH(22)

If you decide to allow access to port 22 only from selected IPs using UFW, you may lose access to your server.

This may happen if your Internet provider rotates IP addresses. Before you decide to go through with such a procedure, make 100% sure that your IP address is statically defined.

If it turns out that your IP address is dynamic, you can always implement IP filtering for SSH Port(22) using External Firewall.

New User with sudo permissions + SSH Key

1. How to create a new sudo Linux user?

A user with sudo privileges is also called a Superuser due to the ability to perform actions reserved only for Root. An account that has such permissions can be called an administrative account.

Create new user

sudo adduser username

Grant sudo permissions to the new user

sudo usermod -aG sudo username

2. How to create SSH keys for a new Linux user?

In the next section, we will increase the security of our server by allowing login to it only using SSH keys.
At the beginning of this tutorial, you used your password for a given user to log in to the server via SSH.

This approach is dangerous because in extreme cases, when your password is compromised, an unauthorized person will gain access to your VPS server, thanks to which they will be able to do whatever they want with it.

The solution to this problem is to limit SSH login to only the use of SSH Keys.
In this case, as long as your key file is safely stored with you, no one will be able to log in to your server via SSH.

This tutorial assumes that you do not have any SSH keys on your Local Computer yet

On your local computer, run the following command to generate an SSH key pair (e.g. Windows, Mac)

ssh-keygen -t rsa -b 4096

Using this command will create two files on your local machine at the following path C:\Users\user-name\.ssh

  • id_rsa - Your private SSH key (Keep on your Local Computer, use to log in)
  • id_rsa.pub - Public SSH Key (Place on VPS)

Backup SSH Keys

It is very important to save your local id_rsa file on some portable disk, because if it is deleted or malformed, you will not be able to log in to your VPS server!!!

3. How to add SSH keys to a new Linux user on a VPS?

The next step is to properly prepare the Linux user account that you created in the first subsection of this stage.

We have the following steps to perform:

  1. Copying the Public Key from the Local Computer to our VPS Server
  2. Adding the Public Key to our new Linux User's account
  3. Test the configuration (Necessary)

On the VPS server, you must execute the following commands to create an SSH directory for the new User

mkdir /home/new-username/.ssh

Change the ownership of the new directory from Root to the New User

sudo chown -R new-username:new-username /home/new-username/.ssh

On your local computer, run the following command to copy the Public Key to the VPS Server

scp C:/Users/username/.ssh/id_rsa.pub new-username@ip-server-vps:~/.ssh/

You will be asked to enter the password for the new user you created.
When everything goes well, you should have an id_rsa.pub file in your new Linux user's .ssh folder.

The final step is to add the SSH Key to the Authorized Keys on the VPS Server

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
rm ~/.ssh/id_rsa.pub

In this way, you have correctly added your SSH Key to the Authorized Keys on the server.
In the next stages of the guide, you will learn how to activate the ability to log in using SSH Keys
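The key installation step above, as an added example that is not part of the original tutorial: a small shell function that refuses a private key uploaded by mistake, sets the directory and file modes explicitly, and does not add the same key twice. The function name install_pubkey and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): authorise a public key safely.
# Run it as the new user on the VPS, so the files end up owned by that user.

# install_pubkey PUBKEY_FILE HOME_DIR
#   returns 0 when the key is authorised (newly added or already present),
#           2 when PUBKEY_FILE is a private key or holds no public key line.
install_pubkey() {
    pub=$1
    sshdir=$2/.ssh
    auth=$sshdir/authorized_keys

    # id_rsa (private) must never be uploaded; only id_rsa.pub belongs on the server.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub is a private key" >&2
        return 2
    fi
    # A public key is one line: "<type> <base64 blob> [comment]".
    key=$(grep -E '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-[a-z0-9]+) [A-Za-z0-9+/=]+( .*)?$' "$pub" | head -n 1)
    if [ -z "$key" ]; then
        echo "refusing: no public key line found in $pub" >&2
        return 2
    fi

    # With StrictModes (the sshd default) keys are ignored if these paths are
    # writable by group or others, so set the modes explicitly.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$auth"
    chmod 600 "$auth"

    # Idempotent: append only when this key blob is not authorised yet.
    blob=$(printf '%s\n' "$key" | awk '{ print $2 }')
    if ! grep -qF -- "$blob" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    return 0
}

# Demo on constructed input in a throwaway directory (the key blob is made up).
demo_home=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDSAMPLE user@laptop\n' > "$demo_home/id_rsa.pub"
install_pubkey "$demo_home/id_rsa.pub" "$demo_home"
install_pubkey "$demo_home/id_rsa.pub" "$demo_home"    # second run adds nothing
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -r "$demo_home"
```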

Secure SSH Configuration (Secure Shell)

1. How to change the default SSH port?

SSH (Secure Shell) is a protocol used to remotely manage a server. Default SSH settings can be potentially dangerous, so it is worth configuring them appropriately.

The default SSH port (22) is often the target of attacks. Changing the port to a different one may make it more difficult for potential hackers to access the server.

Hint !

Remember that this is not a necessary step; you can also filter the IPs allowed to reach port 22 using the Firewall.
If you are a more advanced user, you can also consider using the port knocking method.
Remember that the number of possible solutions is unlimited and the only limitations may be those related to lack of experience.

Make a backup of your sshd_config file (just in case)

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

Open the sshd_config document with your chosen Linux text editor (e.g. nano)

sudo nano /etc/ssh/sshd_config

Locate the line containing the text #Port 22

Port 2200 <-- Remove the # sign and enter a new SSH port (e.g. 2200)

Hint !

If you use the nano text editor like me, you can use the following shortcuts:

CTRL + W <-- Search
CTRL + S <-- Save File
CTRL + X <-- Exit Editor

Most useful shortcuts should be visible at the bottom of the screen when you open the editor.

Save changes

Warning!

Before making changes, remember to make appropriate changes to your External and Internal Firewall to allow connections to the new SSH port. Otherwise, you will be without access to the server...

Remember that after making new rules, restart UFW to implement the new configuration!!! (Command in the next step)

2. How to disable root login in Linux?

Logging in as root directly via SSH is unsafe. A better solution is to use a user account with sudo permissions.

To block it, reopen the sshd_config file and add the following line to the end of the file

PermitRootLogin no <-- Add to end of file or find in file

3. How to enable logging in using SSH keys in Linux?

Why we should use SSH keys was explained in the previous chapter. However, we still don't know how to allow their use.

Reopen the sshd_config file and make sure the specified option is enabled

PubkeyAuthentication yes <-- There cannot be a # sign in front of it

4. How to restart SSH service in Linux?

In order to implement the changes we have made, you will need to restart the SSH service

Run the following command on your Linux VPS

sudo systemctl restart ssh

5. How to use an SSH key to log in to Linux?

Before we continue, make sure your SSH keys have been successfully configured.

Open a new Terminal on your Local Computer and run the following command

ssh -p new-ssh-port n-n-user@ip-vps -i path-to-id_rsa

Where is the id_rsa file?

Your id_rsa file can be found in the “~/.ssh” directory on your Local Computer.

Are SSH keys working properly?

If everything was configured correctly when logging in to SSH with a Key, you should not be asked for a password.
If you were asked for a user password anyway, it means that you made a mistake somewhere.

Remember not to confuse the request for the user's password with the request for the password for the id_rsa key.
If you entered a passphrase when creating the keys, you will then be asked for the password for your id_rsa key, which is normal behavior.

When you are 100% sure that your SSH keys are working properly, you can proceed to the next section.

6. How to block SSH login to Linux using a password?

This operation is optional, but its implementation significantly increases the security of your VPS server.

Open the sshd_config file again and check what directory it contains in the first line.
In my case it is /etc/ssh/sshd_config.d

Start of sshd_config file

Go to the above directory and check what files it contains

Go to directory

cd /path/to/your/directory

List directory

ls -la

In my case I got the following results

Directory /etc/ssh/sshd_config.d

The indicated files are additional SSH configuration files usually created by your VPS server provider.
Check what information your files contain.
In my case, the file that needs to be changed looks like the following

Directory /etc/ssh/sshd_config.d

Edit each file that contains the above line of text by changing the option "yes" to "no"

Edit files

sudo nano filename

Replace “yes” with “no”

PasswordAuthentication no

Before you restart your SSH service

Before performing the above operation, make sure that your SSH Keys are working properly.
Otherwise, you will permanently lose access to your VPS and the data contained in it.

If it is a test server nothing is lost, just deploy it again.
Remember not to perform such actions on the production server if you don't feel up to it yet!!!

Restart SSH service

sudo systemctl restart ssh

At this point we should log out of the root shell and start using our newly created Administrator account.
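A check worth running before each SSH restart in this section, as an added example that is not part of the original tutorial: sshd uses the first value it obtains for a keyword, so a line appended at the end of sshd_config has no effect if the same keyword is already set earlier in the file or in an included sshd_config.d file. The script models that rule on a constructed configuration tree (file names and contents are made up); on a live server, "sudo sshd -T" prints the effective settings directly.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Models how sshd reads its
# configuration: keywords are case-insensitive, the FIRST value obtained for a
# keyword wins, and an Include line is expanded at the point where it appears.
# Simplifications: global section only (stops at the first Match block) and
# absolute Include paths only.

TAB=$(printf '\t')

# flatten_sshd_config FILE -> "file<TAB>keyword<TAB>value" per directive, in parse order
flatten_sshd_config() {
    cfg=$1
    [ -r "$cfg" ] || return 0
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
            n = match(line, /[ \t=]/)               # keyword ends at blank or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n + 1); sub(/^[ \t=]+/, "", val)
            if (key == "match") exit
            printf "%s\t%s\n", key, val
        }' "$cfg" |
    while IFS=$TAB read -r key val; do
        if [ "$key" = include ]; then
            # Unquoted on purpose: the shell expands the glob in sorted order.
            for f in $val; do ( flatten_sshd_config "$f" ); done
        else
            printf '%s\t%s\t%s\n' "$cfg" "$key" "$val"
        fi
    done
}

# effective_sshd_value KEYWORD MAIN_CONFIG -> "value (file)" of the first hit, or nothing
effective_sshd_value() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    flatten_sshd_config "$2" |
        awk -F '\t' -v k="$want" '$2 == k && !hit { hit = 1; out = $3 " (" $1 ")" }
                                  END { if (hit) print out }'
}

# Constructed sample tree: a provider drop-in file enables passwords, and the
# main file still carries an uncommented "PermitRootLogin yes" above the line
# that was appended at the end.
make_sample_sshd_tree() {
    d=$(mktemp -d)
    mkdir "$d/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-provider.conf"
    cat > "$d/sshd_config" <<EOF
Include $d/sshd_config.d/*.conf
#Port 22
Port 2200
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
EOF
    printf '%s\n' "$d"
}

tree=$(make_sample_sshd_tree)
for k in Port PermitRootLogin PubkeyAuthentication PasswordAuthentication; do
    printf '%-24s %s\n' "$k" "$(effective_sshd_value "$k" "$tree/sshd_config")"
done
rm -r "$tree"
```

In the sample, PermitRootLogin and PasswordAuthentication both resolve to "yes" despite the "no" lines further down, which is why the files in sshd_config.d have to be edited as described above.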

Fail2Ban Installation and Configuration

1. What is Fail2Ban?

Fail2Ban is a tool that protects servers against unauthorized access. It monitors system logs to detect suspicious activity, such as multiple failed login attempts. If such behavior is detected, Fail2Ban blocks the source IP address for a specified period of time, reducing the risk of brute-force attacks. It works with various services, such as SSH, Apache, and Postfix, providing flexible and effective protection.

In the following part of this course, you will learn the basics of configuring and using this tool.

How does Fail2Ban work?

Fail2Ban is a tool that is mainly based on managing your Internal Firewall. Fail2Ban constantly monitors your system logs to detect unwanted behavior. When a given event from a specific IP address occurs too many times, Fail2Ban will automatically add a new rule to your Firewall blocking the given IP address for a specified amount of time. When the banning period ends, the given rule will be automatically removed from the Internal Firewall.

2. How to install Fail2Ban?

To install, execute the command (as sudoer)

sudo apt install fail2ban

Verify the installation by checking the F2B logs to make sure there are no errors

cat /var/log/fail2ban.log

Check the status of the F2B service

systemctl status fail2ban
sudo fail2ban-client status

3. How to configure Fail2Ban?

The Fail2Ban service stores its configuration data in the jail.conf file, which can be found in the /etc/fail2ban directory.
Before we move on, let's check what is hidden in the first 20 lines of this file.

Check the beginning of the file /etc/fail2ban/jail.conf

head -20 /etc/fail2ban/jail.conf

It is easy to notice that at the beginning of the file all fields are marked as comments, as evidenced by the # symbol at the beginning of each line.
This data serves as an introductory manual for the Fail2Ban tool.

The most important information is that you should NOT change the jail.conf file directly, but make any changes using the jail.local file

File comparison - jail.conf vs jail.local

The jail.conf file belongs to the installation package of the Fail2Ban tool and is a file that is automatically overwritten with each update of the tool.
If you decided to perform F2B configuration in the jail.conf file, you would lose your setup with the next update of the tool.

Now that we have the basics covered, it's time to learn how to configure fail2ban.

Go to Fail2Ban folder

cd /etc/fail2ban

Copy jail.conf to jail.local

sudo cp jail.conf jail.local

Open the jail.local file and start reading it

sudo nano -l jail.local

By viewing the jail.local file, we can see that line 41 is the beginning of the basic Fail2Ban configuration.

If we go a little lower, we can find out that:

  • The maximum number of failed login attempts can be 5 (Line 108)
  • The time window for detecting failed login attempts is 10m (Line 105)
  • IP banning time is 10m (Line 101)

The above parameters tell us that if the client makes 5 incorrect login attempts within 10 minutes, his IP will be banned for 10 minutes. After this time, his IP address will be unblocked again.

4. How to read Fail2Ban logs?

Fail2Ban also has its own log system which is correlated with other most important system logs.
With its help we can check all the most important events that have been recorded by our system.

How to open the Fail2Ban log?

sudo cat /var/log/fail2ban.log

How to open the SSH log?

sudo cat /var/log/auth.log

Spend 15 minutes on your own to analyze the above logs to thoroughly understand their nature.
Remember that you gain more knowledge through independent learning and dedicated exploration of the topics of your interests.
The most important thing is skillfully asking yourself questions: How?, Why?, What for? When?

Example questions:

  • How can I check the IP address of the person who recently tried to SSH login to my VPS?
  • How did the person authenticate with my VPS Server?
  • Has the IP address been successfully banned by Fail2Ban?
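One way to answer the three example questions from the two logs, as an added example that is not part of the original tutorial. The function names and the sample log lines are constructed; on the server, pass /var/log/auth.log and /var/log/fail2ban.log instead (read with sudo).

```shell
#!/bin/sh
# Added example (not from the original tutorial): answer the questions above
# from auth.log and fail2ban.log. The sample log lines below are constructed.

# ssh_failures AUTH_LOG -> "count ip", most active source first
ssh_failures() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             ip = ""
             # The address sits between "from" and "port"; keep the last such
             # pair so a username that is literally "from" cannot confuse us.
             for (i = 1; i <= NF - 2; i++)
                 if ($i == "from" && $(i + 2) == "port") ip = $(i + 1)
             if (ip != "") n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# ssh_logins AUTH_LOG -> "method user ip" for every successful login
ssh_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
             for (i = 1; i <= NF - 5; i++)
                 if ($i == "Accepted") { print $(i + 1), $(i + 3), $(i + 5); break }
         }' "$1"
}

# ban_state FAIL2BAN_LOG IP -> banned | unbanned | never (last sshd jail event wins)
ban_state() {
    awk -v ip="$2" '
        /\[sshd\] (Restore )?(Ban|Unban) / && $NF == ip {
            state = ($(NF - 1) == "Unban") ? "unbanned" : "banned"
        }
        END { print (state == "" ? "never" : state) }' "$1"
}

# ssh_report AUTH_LOG FAIL2BAN_LOG -> "count ip state" per source address
ssh_report() {
    ssh_failures "$1" | while read -r count ip; do
        printf '%s %s %s\n' "$count" "$ip" "$(ban_state "$2" "$ip")"
    done
}

sample_auth_log() {   # constructed sample
    cat <<'EOF'
May  1 10:01:40 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
May  1 10:01:44 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
May  1 10:01:51 vps sshd[2107]: Failed password for root from 203.0.113.5 port 40120 ssh2
May  1 10:01:58 vps sshd[2110]: Failed password for root from 203.0.113.5 port 40131 ssh2
May  1 10:02:10 vps sshd[2113]: Failed password for root from 203.0.113.5 port 40140 ssh2
May  1 10:05:02 vps sshd[2150]: Failed password for deploy from 198.51.100.7 port 50020 ssh2
May  1 10:05:30 vps sshd[2154]: Accepted publickey for deploy from 198.51.100.7 port 50022 ssh2: RSA SHA256:CONSTRUCTED
EOF
}

sample_f2b_log() {    # constructed sample
    cat <<'EOF'
2024-05-01 10:02:10,950 fail2ban.filter         [731]: INFO    [sshd] Found 203.0.113.5 - 2024-05-01 10:02:10
2024-05-01 10:02:11,004 fail2ban.actions        [731]: NOTICE  [sshd] Ban 203.0.113.5
2024-05-01 10:05:02,310 fail2ban.filter         [731]: INFO    [sshd] Found 198.51.100.7 - 2024-05-01 10:05:02
EOF
}

logdir=$(mktemp -d)
sample_auth_log > "$logdir/auth.log"
sample_f2b_log > "$logdir/fail2ban.log"
ssh_report "$logdir/auth.log" "$logdir/fail2ban.log"   # who failed, how often, banned?
ssh_logins "$logdir/auth.log"                          # who got in, and how
rm -r "$logdir"
```

Only "Failed password" lines are counted, so once password login is disabled the failure counts stay at zero while the Fail2Ban log still records what its own filter found.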

5. How to verify if Fail2Ban is working properly?

So far, we have already managed to acquire a really large and valuable piece of knowledge. However, especially in IT fields, theoretical knowledge and practical knowledge often differ. Each time you implement a new solution on your server, you should be able to test whether the solution is working properly. Installing a given service is not difficult. The most important thing is the appropriate configuration of a given solution and its constant testing and improvement appropriate to the technologies we use.

In order to perform basic Fail2Ban tests, we will make several attempts to log in to our VPS Server using SSH.
To do this, open a new terminal so that you have both the terminal where you are connected to your VPS and a new, empty window available at the same time.

Hint

If you have disabled the ability to log in with a password in the Secure SSH Configuration subsection, you can:

1. Unlock the ability to log in with a password for the duration of the tests
2. Create a backup of your id_rsa key, and then edit your key so that it is different from the original one.

If you choose the second option, be sure to restore your id_rsa key to the backup version after completing the tests, otherwise you will permanently lose the ability to log in to your server

I would like to remind you once again how important it is to have at least several copies of your SSH keys in different places.

Make a new SSH connection (New Terminal)

ssh -p port-ssh n-n-user@ip-vps

If you chose the second method, which assumes a malformation of the id_rsa key, you should be asked for a password at this point.
Enter the incorrect password a maximum of 3 times.

Check Logs (Terminal Logged in to VPS)

sudo cat /var/log/fail2ban.log
sudo cat /var/log/auth.log

The logs should include information about your IP address and failed login attempts.
Read these logs and make sure you understand what they mean.

Make 2 more login attempts (New Terminal)

ssh -p port-ssh n-n-user@ip-vps

At this point, if everything is working properly, your IP address should be blocked for 10 minutes. Unfortunately, if you do not have a second IP address, you must wait this time before you will be able to log in to your VPS server again. Just remember to restore a copy of your id_rsa file this time.

How to unblock IP in Fail2Ban Linux?

If you don't feel like waiting for your IP to be unblocked, you can always share your Internet from a phone that will have a different IP.
Then run the command "sudo fail2ban-client set sshd unbanip your-banned-ip", replacing your-banned-ip with the blocked address.

6. Fail2Ban Summary

In this chapter, we learned the minimal and basic configuration and operation of the Fail2Ban service. Due to the fact that this guide is intended to introduce you to the world of independent VPS configuration, I am not able to describe the details of this tool here.

I encourage you to explore it yourself. Remember that thanks to Google and Chat-GPT you will be able to discover all the secrets of this tool on your own. The knowledge you gain in this way will be consolidated in a much better way, because you will have to learn step by step how a given solution works.

Also, don't forget to check my website regularly; an extensive and comprehensive article on advanced configuration of the Fail2Ban service will probably appear here in the future.

ClamAV antivirus

1. What is ClamAV?

ClamAV, or Clam AntiVirus, is one of the most popular and comprehensive tools for detecting viruses in Linux systems. Its open-source nature, regular updates and the ability to integrate with a variety of systems make it an ideal choice for administrators who care about the security of their servers.

ClamAV was originally designed mainly for Linux systems, although it is also available for other platforms such as Windows and macOS. It offers a number of features that help detect and remove malicious software, including viruses, Trojans, malware and other threats. It consists of 3 basic elements:

  • ClamD: Daemon that is responsible for background scanning.
  • ClamScan: Command-line tool that allows you to manually scan files.
  • FreshClam: Service responsible for automatic virus database updates.

How does ClamAV work?

ClamAV works by comparing files with a virus signature database. This database is regularly updated by the community and developers, ensuring protection against the latest threats.

2. How to install ClamAV?

To install, execute the command (as sudoer)

sudo apt install clamav clamav-daemon

Restart your VPS server

sudo reboot

Update virus database

sudo freshclam

3. How to configure ClamAV?

The default ClamAV configuration should be fine for most users.
Still, edit the ClamAV configuration file to customize the settings to suit your needs.

Open the configuration file and read its contents

sudo nano /etc/clamav/clamd.conf
sudo nano /etc/clamav/freshclam.conf

If you have made any changes to the configuration, do not forget to restart the ClamAV services

sudo systemctl restart clamav-daemon
sudo systemctl restart clamav-freshclam

4. How to scan a Linux system with ClamAV?

Directory Scanning

sudo clamscan -r /path/to/directory

Whole System Scan

sudo clamscan -r /

Whole System Scan (Show only infected files)

sudo clamscan -r --infected /

Whole System Scan (Save scan result)

sudo clamscan -r --infected / > ~/clamav_output.txt

Whole System Scan (Automatic Virus Removal)

sudo clamscan -r --infected --remove /

How to cancel a command in the terminal?

If your terminal is blocked by the currently running command, you can cancel it with CTRL + C

Summary

A few final words

At the very beginning, I would like to thank you for your patience and congratulate you on your perseverance. I hope this article was understandable to you. If you have any problems, you can always contact me privately for help.

As you can see, safely configuring your new VPS server is not as difficult as it seems. In fact, this operation is mainly based on certain duplicated patterns, which are updated with safer solutions over time. You can use the server we have prepared today to host your first applications. It is safely configured and should not allow hacking.

This article is the first in the series of the "From Zero to DevOps" course. Remember that this is only the first stage in which we have jointly prepared the ground for building our web application. We focused primarily on the basics, i.e. ensuring that our server infrastructure is safe from the first start.

In the next parts of the course, we will learn the next steps to complete the deployment of a web application using Docker technology. We will learn the basics of safely creating Docker images, learn the details of the Docker Compose command and finally make our application available to the world using the Traefik tool. There's a lot of fun ahead of us. Don't forget to follow my website to stay up to date with the latest courses.