@tenthree
Last active January 14, 2023 09:38
vps ubuntu server 16.04 for beginner

Set up VPS server for beginner

use Ubuntu 16.04/18.04 (lsb_release -a)

Get Started

  • Update packages and system

    • sudo apt update
    • sudo apt upgrade

    If you encounter a prompt like "A new version of configuration file /etc/default/grub is available, but the version installed currently has been locally modified", you can choose "install the package maintainer's version".

  • Set the server hostname you want

    • echo "{your hostname}" > /etc/hostname
    • hostname -F /etc/hostname
    • reboot

    After the system has rebooted, the "{user}@{hostname}" prompt in the terminal shows the new hostname

  • Add FQDN (fully qualified domain name) entries (IPv4 and IPv6) for the hostname to the /etc/hosts file

    • 127.0.0.1 localhost
    • xxx.xxx.xxx.xxx {hostname}.domain.com {hostname}
    • xxxx:xxxx::xxxx:xxxx:xxxx:xxxx {hostname}.domain.com {hostname}
  • Change time zone by your location

    • dpkg-reconfigure tzdata
  • Add new user for ssh login

    • adduser {user}
    • usermod -a -G sudo {user}
  • Add ssh-key to server for secure login

    • server
      • mkdir ~/.ssh
      • chown -R {user}:{user} ~/.ssh
      • chmod 700 ~/.ssh
      • chmod 600 ~/.ssh/authorized_keys

        Make sure you have a ~/.ssh directory on the server

    • local (your computer)
      • ssh-keygen -t rsa -b 4096 -C "{your email}"

        Generate keys "id_rsa", "id_rsa.pub" in ~/.ssh on local

      • copy ssh public key (id_rsa.pub) to server

        cat ~/.ssh/id_rsa.pub | ssh {user}@{ip} "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

        Or you can install "ssh-copy-id", a tool that is part of OpenSSH, and use the alternative command below.

        ssh-copy-id -i ~/.ssh/id_rsa.pub {user}@{ip}

  • Disable ssh login by root account

    • sudo vim /etc/ssh/sshd_config
    • modify "PermitRootLogin no"
    • sudo systemctl restart ssh
  • Disable ssh login by password, use public key only

    • sudo vim /etc/ssh/sshd_config
    • modify "PubkeyAuthentication yes"
    • modify "PasswordAuthentication no"
    • modify "ChallengeResponseAuthentication no"
    • sudo systemctl restart ssh
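
The two sshd_config steps above can be checked before ssh is restarted. This added example (not part of the original gist) reports the effective global value of each directive, relying on sshd's rule that the first occurrence of a keyword wins; the function names and the sample config are constructed for illustration.

```sh
# Added example: audit an sshd_config-style file for the four settings above.
# Keywords are case-insensitive, the FIRST occurrence wins, and global scope
# ends at the first Match block. Include files are not followed.

# effective_value FILE KEYWORD -> first global value for KEYWORD, lowercased
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        {
            sub(/^[ \t]+/, "")                   # drop indentation
            if ($0 == "" || $0 ~ /^#/) next      # blank or comment line
            split($0, f, /[ \t=]+/)              # "Key value" or "Key=value"
            kw = tolower(f[1])
            if (kw == "match") exit              # conditional blocks start here
            if (kw == key) { gsub(/"/, "", f[2]); print tolower(f[2]); exit }
        }' "$1"
}

# audit_sshd FILE -> one line per setting; return status = number of failures.
# An unset keyword counts as a failure: the guide sets each one explicitly.
audit_sshd() {
    fails=0
    for want in permitrootlogin=no pubkeyauthentication=yes \
                passwordauthentication=no challengeresponseauthentication=no; do
        key=${want%%=*} expect=${want#*=}
        got=$(effective_value "$1" "$key")
        if [ "$got" = "$expect" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key is '${got:-unset}', expected '$expect'"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample config (not from a real server)
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
passwordauthentication yes
PasswordAuthentication no
#ChallengeResponseAuthentication no
Match User deploy
    PasswordAuthentication no
EOF
audit_sshd "$sample" || echo "$? setting(s) need attention"
```

On the server itself, `sudo sshd -t` validates the file's syntax and `sudo sshd -T` prints the configuration sshd will actually use.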
  • Set up firewall with ufw

  • Common ufw commands

    • sudo ufw default allow
    • sudo ufw default deny
    • sudo ufw allow [in|out] [service|port]
    • sudo ufw deny [in|out] [service|port]
    • sudo ufw status [verbose|numbered]
    • sudo ufw delete {numbered id}
    • sudo ufw enable
    • sudo ufw disable
    • sudo ufw app list
    • sudo ufw logging on (/var/log/ufw.log)
  • Add sendmail service

    • sudo apt install sendmail-bin sendmail
    • sudo sendmailconfig
  • Add Fail2Ban service to detect and block attacks

    • sudo apt install fail2ban
    • sudo vim /etc/fail2ban/jail.local
    • sudo systemctl restart fail2ban
    • sudo zgrep 'Ban' /var/log/fail2ban.log*

    Query the ban records

    # /etc/fail2ban/jail.local
    # ssh protection config sample
    [DEFAULT]
    destemail = {your email}
    sendername = {hostname} or whatever you want
    action = %(action_mwl)s
    [sshd]
    enabled  = true
    port     = ssh
    filter   = sshd
    logpath  = /var/log/auth.log
    maxretry = 3
    findtime = 600
    bantime = 604800
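
The zgrep query above lists every line containing "Ban". This added example (not part of the original gist) turns such a log into a count of real ban events per jail and address; it assumes the usual "[jail] Ban <ip>" line layout, and the function names and sample lines are constructed.

```sh
# Added example: count ban events per jail and address from fail2ban.log.
# Assumes "... [jail] Ban <ip>" lines; the sample log below is constructed.

# ban_counts [FILE...] -> "count [jail] ip", most-banned first. Reads stdin when
# no file is given, e.g. zcat -f /var/log/fail2ban.log* | ban_counts
ban_counts() {
    # Exact field "Ban" right after the jail tag: this skips "Unban", "Found"
    # and "Restore Ban" (a ban re-applied after a restart, not a new event).
    awk '{
        for (i = 2; i < NF; i++)
            if ($i == "Ban" && $(i-1) ~ /^\[.+\]$/) { n[$(i-1) " " $(i+1)]++; break }
    }
    END { for (k in n) print n[k], k }' "$@" | sort -k1,1nr -k3,3
}

# repeat_offenders MIN [FILE...] -> addresses banned at least MIN times
repeat_offenders() {
    min=$1; shift
    ban_counts "$@" | awk -v min="$min" '$1 >= min { print $3 }'
}

# Constructed sample log; the Unban follows the first Ban by bantime = 604800 s
log=$(mktemp)
trap 'rm -f "$log"' EXIT
cat > "$log" <<'EOF'
2023-01-10 03:11:02,514 fail2ban.filter  [812]: INFO    [sshd] Found 203.0.113.7
2023-01-10 03:11:09,120 fail2ban.actions [812]: NOTICE  [sshd] Ban 203.0.113.7
2023-01-10 04:02:45,377 fail2ban.actions [812]: NOTICE  [sshd] Ban 198.51.100.23
2023-01-12 08:00:01,002 fail2ban.actions [812]: NOTICE  [sshd] Restore Ban 203.0.113.7
2023-01-17 03:11:09,733 fail2ban.actions [812]: NOTICE  [sshd] Unban 203.0.113.7
2023-01-17 05:40:31,090 fail2ban.actions [812]: NOTICE  [sshd] Ban 203.0.113.7
EOF
ban_counts "$log"
repeat_offenders 2 "$log"
```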
    
  • Install docker-ce

    Remove any older installations of Docker that may be on your system.

    • sudo apt install apt-transport-https ca-certificates curl gnupg-agent software-properties-common

    Make sure you have the necessary packages to allow the use of Docker’s repository.

    • curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

    Add Docker’s GPG key.

    • apt-key fingerprint 0EBFCD88

    Verify the fingerprint of the GPG key.

    • sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"

    Add the stable Docker repository.

    • sudo apt update

    Update ubuntu apt packages list

    • sudo apt install docker-ce

    install Docker CE.

    • sudo usermod -a -G docker {user}

    Add your {user} account to the "docker" group.

    You will need to restart your terminal shell session for this change to take effect.

    • sudo systemctl enable docker

    Docker containers will start automatically upon a reboot

  • Install docker-compose

    Run this command to download the latest version of Docker Compose

    • sudo chmod +x /usr/local/bin/docker-compose

    Apply executable permissions to the binary

    • docker-compose --version

    Get docker-compose version

  • install nodejs 6.x/8.x from NodeSource

    add nodesource 6.x to packages source

    • curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -
    • curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -

    install nodejs

    • sudo apt install nodejs -y
  • change npm global modules path, avoid access permission errors

    create a directory for global modules and set it as the npm prefix

    • mkdir ~/.npm-global
    • npm config set prefix '~/.npm-global'

    add custom environment path to ~/.profile

    • export PATH=~/.npm-global/bin:$PATH

    reload profile

    • source ~/.profile