Visual for: But, how do I actually set up and secure a new VPS (on Hetzner)?
/setup-secure-vps

But, how do I actually set up and secure a new VPS (on Hetzner)?

August 31st, 2024
· 3 min read ·
Code
Tutorial

In the “But, how do I actually…” series, I try to explain how to do computer things in a way that previous me would have appreciated (and future me can reference).

This is a written checklist for me, borrowed and slightly adapted for my personal needs from an awesome video by CJ on the Syntax YouTube Channel. The video is included at the end of this post.

Keep in mind that I’m still learning, so if you have more tips for me when it comes to setting up a VPS as efficient and securely as possible, please reach out!

Setup and secure a new VPS provisioned on Hetzner

  1. Go to the Hetzner Cloud Dashboard and provision a new Ubuntu server (don’t overthink this too much, you can easily rescale these servers later – the only thing you can’t downsize is the disk storage)
  2. Add your public SSH Key during setup
  3. Connect to the server via your terminal ssh root@<serverip>
  4. Accept the fingerprint (if this ever comes up again, be aware that you might be the target of a man-in-the-middle attack)
  5. Update package lists: apt update
  6. Upgrade packages: apt upgrade
  7. Check, if a reboot is required: ls /var/run/reboot-required. If no such file or directory exists, you’re good. If it exists, reboot the server via the Hetzner dashboard. Alternatively, type reboot into the terminal.
  8. Run apt upgrade again. If a package has been kept back, try upgrading it manually with apt upgrade <package-name>.
  9. Optionally add a secondary user (see below)
  10. Disable password login: vim /etc/ssh/sshd_config, search for PasswordAuthentication and set it to no
  11. Restart ssh service: service ssh restart
  12. Add a firewall in Hetzner, a good default is to just open the ports 22, 80 and 443
  13. Enable auto-updates: apt install unattended-upgrades, then dpkg-reconfigure unattended-upgrades
  14. Open the config file: vim /etc/apt/apt.conf.d/50unattended-upgrades
  15. Uncomment this line to enable regular updates as well (not just security ones): // "$${distro\_codename}-updates";
  16. Verify with systemctl status unattended-upgrades (you should see a green dot)
  17. Done, your server is ready to be used now!

Create a separate user (optional)

  1. While logged in as root, run adduser <username>
  2. Set a secure password
  3. Add your data like full name etc. (optional)
  4. Give the new user the possibility to run sudo commands: usermod -aG sudo <username>
  5. Verify with groups <username>
  6. Create the .ssh directory in your home/<username> folder (you can get your current directory by running pwd): mkdir .ssh
  7. Add your public key to the server: vim .ssh/authorized_keys

Video

Here’s the video by CJ, that goes over many more details if you’re interested:

Just a fun little command

Run tail -n 10 -f /var/log/auth.log on your server to see all login attempts that happened on your server. The better secured your server is, the less login attempts not coming from you, you should see.

What are your thoughts on this post?

I’d love to hear from you! Please write me an email by clicking this link (I reply to every email I receive!).

If you're on Mastodon, interact with this post and your reaction will appear below after some time.

Public reactions to this post

  • reposted this on
  • liked this on
  • reposted this on
  • commented on this on

    @dominik I love the phrase “a guide for me that might help you,” I’m stealing that haha. I think it’s the whole idea behind digital gardening and other learning in public!

  • liked this on
  • commented on this on

    @dominik I think you should be able to reboot straight from the command line instead of having to go to the Hetzner UI.

    Also, what terminal is that in the hero image? I’ve been using Hyper on Mac but it’s been unmaintained for a while now and I’m in the market for a good looking alternative.

  • liked this on
  • liked this on
  • reposted this on