Robert Gauld's VPS Setup Guide

From BitFolk
Jump to navigation Jump to search

This is intended to be a very basic guide to getting a VPS up and going, it's aimed at the hobbyist who has enough Linux knowledge to want to use a VPS but isn't quite sure how to go about getting it up and going. It assumes you'll be using an Ubuntu VPS from BitFolk, if this isn't the case then some of the things in this guide may be slightly off.

The sudo command is used a lot, this allows a 'normal' user to execute a command as root. When you use sudo you'll be prompted for your password the first time (and every so often afterwards), your password should be provided in the email sent when your VPS is configured.

Commands which need to be typed into a terminal (or better still copy-pasted) appear monospaced.

Pre Provisioning

Before we order our VPS we're going to setup a public/private key pair to use for logging into it. If you already have a pair (e.g. for another VPS) then skip this step.

Using PuTTY in Windows

You need to download PuTTY and PuTTYgen if you haven't already. Generating your private and public keys is easy simply open puttygen, change the key length to 2048 (using the text box at the bottom of the window) and click generate.

Once you've made them you need to save both the private and public key, make sure the private key is saved to a secure place - you must protect it. Make sure you use a passphrase.

Next we need to use putty to connect to our VPS, open putty and enter the address you were given to connect to but before clicking open you need to:

  • Navigate to Connection > SSH > Auth using the setup tree on the left of the window.
  • Set the private key file to use (it's the one you saved earlier)
  • If you wish to save these settings then click terminal at the top of the tree and use the save button, otherwise click the open button.

Using Linux

Use the command ssh-keygen -t rsa -b 2048 to generate your keys. Use the default options. You should use a pass-phrase, you'll be prompted for this whenever the private key is used. You should provide the contents of ~/.ssh/id_rsa.pub as your public key when you provision your VPS.

Provisioning

Provisioning the VPS is a simple matter of visiting the BitFolk order page, filling in the "Spec your VPS" form, and providing the appropriate details on the following pages.

Post Provisioning

As soon as you can after getting the email from BitFolk to confirm that your VPS is up you need to login and start securing it. This is an important part as it protects you from having your VPS abused (and therefore incurring excess bandwidth charges).

Change Your Password

An important first step is to change your password, use the command passwd for this. Make sure that you choose a string password (8 or more characters, containing lower case, upper case and numbers) or visit [1] and use at least the first 8 characters from the '63 random printable ASCI characters' box.

Firewall

The firewall is a bit of software which will control the internet traffic allowed into and out of your VPS. We'll be using iptables as it's powerful yet easy to setup, once you've learnt the options you need. Iptables works on the concept of chains, every packet it looks at starts life in a chain (in our case) either INPUT (for incoming data) or OUTPUT (for outgoing data). Rules are applied to these chains in order to tell the firewall what to do with these packets, if no rules match then the policy of the chain gets applied to the packet.

The first step is to install iptables so run sudo apt-get install iptables.

We'll make sure any incoming stuff which relates to an established connection is allowed: sudo iptables --append INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

We need to make sure we allow inbound ssh: sudo iptables --append INPUT -p tcp --dport ssh -j ACCEPT

Lastly we make sure that any other incoming data is ignored: sudo iptables --policy INPUT DROP

The following command will add the rules needed to allow incoming ping requests and ping replies, this is important for diagnosing unexpected issues: sudo iptables --append INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT; sudo iptables --append INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT

Editor's Note: I don't think this should be recommended, IPv6 should be promoted as much as possible. Robert 11:29, 5 October 2010 (UTC)
Author's Response: More than happy to update this when IPv6 goes from 'not officially supported' to officially supported. At the moment those who want to 'play' with IPv6 will know what they need to do.

We'll also want to drop all ip6 packets (unless we're going to be using it). ip6tables works the same as iptables except it deals with IPv6 not IPv4. So sudo ip6tables --policy INPUT DROP and that's done.

One problem with iptables is that it clears the rules for an interface whenever it gets taken down, so we'll set things up so that when the interface goes down we save the rules we have and we'll reload them when the interface is started:

  1. Open the interfaces config: sudo nano -w /etc/network/interfaces
  2. In the section for eth0 we'll add the following lines:
    1. pre-up iptables-restore -c < /etc/network/iptables.rules
    2. pre-down iptables-save -c > /etc/network/iptables.rules
    3. pre-up ip6tables-restore -c < /etc/network/ip6tables.rules
    4. pre-down ip6tables-save -c > /etc/network/ip6tables.rules
  3. Control-X to exit, choose to save the file.
  4. Create a copy of the rules now by running sudo bash -c 'iptables-save -c > /etc/network/iptables.rules' and sudo bash -c 'ip6tables-save -c > /etc/network/ip6tables.rules

Strengthening SSH

There are several things which we can do to strengthen the SSH service on our VPS, we're just going to worry about a few of the main ones, you'll need to edit the file /etc/ssh/sshd_config (use the command sudo nano -w /etc/ssh/sshd_config):

  1. Only allow root to login using a certificate (and then only to run allowed commands):
    1. Change the line starting 'PermitRootLogin' to 'PermitRootLogin forced-commands-only'
  2. Require everyone else to use a certificate to logn:
    1. Change the line starting 'PasswordAuthentication' to 'PasswordAuthentication no'
    2. Andy will already have done this step for the certificate you gave him, if you wish to add other certificates you'll need to:
      1. Open the file /home/<username>/.ssh/authorized_hosts, replacing <username> with the username of the user to add the certificate to.
      2. Copy and Paste the contents of the public key to the end of the file - one certificate per line.
  3. Press Control-x to exit and save your changes

Blocking Failed Logins

One of the most common attacks against a machine on the internet is trying to gain access using several different passwords (a dictionary attack). We'll be installing a software package which will block IP addresses (for a few minutes) in order to stop these attacks. Simply run: sudo apt-get install fail2ban

Updating

One of the most important things about staying secure is to make sure that the software on your VPS is kept upto date. New bugs are found, exploited and fixed all the time, by staying upto date you significantly reduce your chances of being cracked as a result of one of these bugs.

Firstly get a list of available updates: sudo aptitude update

Secondly apply the updates: sudo aptitude safe-upgrade

It can be a pain to manually check for updates frequently enough so we'll setup the VPS to nag us when updates are available, we'll be using a package called apticron for this:

  1. Install apticron: sudo apt-get install apticron
  2. Configure apticron:
    1. Open the config file: sudo nano -w /etc/apticron/apticron.conf
    2. Change the value of EMAIL to your email address

Backups

Skip this section if you're sure you either don't want backups or that you'll take care of them yourself. The backup machine logs in as root over ssh and uses rsync to backup the chosen files, so we need to:

  1. Install rsync: sudo apt-get rsync
  2. Allow the backup server to login:
    1. Open [www.bitfolk.com/keys/rsnapshot.pub.txt] in a browser and copy the line starting ssh-rsa to the clipboard.
    2. edit /root/.ssh/authorized_keys: sudo nano -w /root/.ssh/authorized_keys
    3. At the end of the file start a new line with 'command="/root/validate-rsync" ' then paste the previously copied line from the clipboard. This means that when the backup server logs in it will be forced to run the script /root/validate-rync, which in turn means that only the rsync command can be used.
    4. Get the validate-rync script by running: sudo wget --output-document=/root/validate-rsync http://www.robertgauld.co.uk/system/files/validate-rync.txt
    5. Change permissions on the script so it can be used: sudo chmod u=wrx,og=rx /root/validate-rsync
    6. Tell bitfolk what to backup - send an email to their support address giving a list of directories to backup, if you didn't setup backup space when you provisioned the VPS you'll also need to specify how much extra disk space you want to purchase.

Install Services

Now you're ready to install and configure the services which you purchased your VPS to run. Remember to add firewall rules to allow the incoming connections which they require.