First time Budget VPS Owner - Plenty of Questions..

Smith_ Member
edited January 2012 in Help

Hello again guys,

I have a few questions regarding setting up the VPS.
Before I start I would like to say I am sorry for the ton of stupid questions that follow below lol..

So what do you do when you first get your hands on a new VPS?

I guess you need to test out your server? Do you check out the speed and performance somehow? And do you monitor it somehow?

After you are done with testing, I guess you need to secure your server. From what I read I need to: install csf, rkhunter, chkrootkit and change the ssh port number to something other than the default port 22. Am I missing something here?

Do I need to take care of something else?

Thank you!

Comments

  • Just change the ssh port and disable password auth (use ssh keys) and skip the firewall stuff.

  • tbh i don't think tools such as csf, rkhunter and chkrootkit are needed.
    Just move SSH away from the default port, disable password login, use a strong keyfile and restrict ssh login to your account only.
    Also keep in mind other things like removing all unwanted services and doing frequent updates.
    The rest of your questions pretty much depends on what you want to use the server for.

  • First of all thank you for your replies!

    I will look into the disabling password auth then (although I have no idea what this does :P) and will look into restricting ssh login to my account only (I am currently using the root account, is that enough, or am I offtopic here lol..).

    Plus I would like to know how someone can test out server speed and performance and what I should look after.

    Thank you once again!

  • Disabling pass auth is exactly what it sounds like, prevents login via SSH using a password, you'll have to use the key

  • Think of password vs SSH key in the same way you'd compare a keypad lock on a door to a deadbolt. Anyone with the combination can open a keypad, but only someone with a key can open the deadbolt.

  • @Smith_ said: I am currently using the root account, is that enough, or am I offtopic here lol..

    That's not a good idea. You should add another account and put him into the sudoers list, then disable ssh root login.

    1. Move the SSH port from 22 to another free port (some people call it Security by Obscurity, but I call it "keep Logfiles clean from script kiddie attacks").
    2. PermitRootLogin no
    3. Add a new user and put him in the "wheel"-group
    4. Drop password auth and move to key auth.
    5. Don't run any software which is not absolutely essential for your VPS!
  • Just make sure to generate your key pairs before disabling root login and password auth :)
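
The checklist in the posts above (non-default port, `PermitRootLogin no`, key-only authentication, login limited to one non-root account) can be verified mechanically. This is an added example, not code from any poster; the sample configs and the user name `deploy` are constructed placeholders.

```shell
# Added example: audit sshd settings against the thread's checklist.
# stdin: sshd_config text, or the output of `sshd -T` on a live host.
audit_sshd() {
    awk '
    function get(k, dflt) { return (k in first) ? first[k] : dflt }
    function check(ok, name, got) {
        printf "%s %s=%s\n", (ok ? "PASS" : "FAIL"), name, got
        if (!ok) fails++
    }
    NF == 0 || $1 ~ /^#/ { next }             # skip blank lines and comments
    tolower($1) == "match" { exit }           # audit the global section only
    {
        key = tolower($1); $1 = ""; sub(/^ +/, "")
        if (key == "port" || key == "allowusers") {   # repeatable keywords
            multi[key] = multi[key] " " $0; next
        }
        if (!(key in first)) first[key] = $0          # first value wins
    }
    END {
        ports = ("port" in multi) ? multi["port"] : " 22"   # OpenSSH default
        check(index(ports " ", " 22 ") == 0, "port", substr(ports, 2))
        root = tolower(get("permitrootlogin", "unset"))
        check(root == "no", "permitrootlogin", root)
        pw = tolower(get("passwordauthentication", "yes"))  # default is yes
        check(pw == "no", "passwordauthentication", pw)
        n = split(multi["allowusers"], users, " ")
        allow = n ? substr(multi["allowusers"], 2) : "unset"
        check(n == 1 && users[1] != "root", "allowusers", allow)
        exit (fails > 0)
    }'
}
# Constructed samples (not from a real host); "deploy" is a placeholder user.
sample_stock() { cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later by the admin; ignored because the first value wins
PasswordAuthentication no
EOF
}
sample_hardened() { cat <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers deploy
EOF
}
sample_stock | audit_sshd || echo "stock config does not meet the checklist"
sample_hardened | audit_sshd && echo "hardened config meets the checklist"
```

On a real host, `sshd -T | audit_sshd` audits the effective settings, and `sshd -t` checks the file's syntax before a restart. Keep the current session open until a new key-based login has been confirmed.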

  • Update your packages as well.

  • The very first thing I do with a new VPS is install Debian 6, and run maxexcloo's Minimal, which gets rid of all of the extra junk. Then, install htop, less, and sudo, and create a regular user account, which I add to the sudo group. Next, I install OpenStatus Client and configure it and add it on my OpenStatus Server. Then I configure syslog to send its logs to my logging server. The next step depends on what I'm using the VPS for.... if it's a web server, install nginx (and php-fpm and mysql if needed), etc

    Thanked by 1speedy007
  • @Aldryic said: Think of password vs SSH key in the same way you'd compare a keypad lock on a door to a deadbolt. Anyone with the combination can open a keypad, but only someone with a key can open the deadbolt.

    That's a pretty good analogy. But I don't think it makes a case for SSH keys being inherently better than passwords. A key is an object, and can be lost or stolen. If there is information associated with it that identifies its purpose then you're screwed. A combination can exist only in your memory. It's safe unless it's guessable or you're tied down and tortured until you tell.

    Securing SSH isn't simply a case of disabling password authentication and enabling SSH keys. It's necessary I think to consider how you work and all the implications. For example, suppose you use a Windows laptop, set up key authentication to your servers, and travel. If the laptop is stolen is Windows password authentication the only obstacle?

  • Great info guys! I am mainly trying to set up DNSOnly + run a few cronjobs..

  • You can set up ssh keys with a passphrase. Then it becomes like your bank ATM card and PIN (something you have + something you know, and one doesn't work without the other)

  • Something to consider regarding SSH authentication is two-factor auth. If you need really high security, that's definitely one way to go, though it does become inconvenient at times. I've tested it out, and it's quite easy to set up on your server and mobile phone with Google Authenticator.

  • @sleddog said: But I don't think it makes a case for SSH keys being inherently better than passwords. A key is an object, and can be lost or stolen. If there is information associated with it that identifies its purpose then you're screwed

    Agree, IMHO it can be easier to lose a key than forget a password. But anyway, with all this OpenVZ stuff, it is easy to recover it.

  • @yomero said: Agree, IMHO it can be easier to lose a key than forget a password. But anyway, with all this OpenVZ stuff, it is easy to recover it.

    On KVM or anything with ISO-based installs just boot a live CD or system rescue CD and mount your disk, then install a new key.

  • For losing a key, I mean "someone stole it"

  • Use a good passphrase (14+ chars) on your key, and on my laptop I keep my PuTTY install and key in a TrueCrypt volume.

  • KuJoe Member, Host Rep

    A key is useless if you don't know what door (username) it unlocks...

    Thanked by 1tux
  • @KuJoe said: A key is useless if you don't know what door (username) it unlocks...

    Lol good point :)

  • @Deor said: Use a good passphrase (14+ chars)

    This is very much worth pointing out... these 6 panels can save you a lot of headache and explain passwords much quicker than I could:

    [image]

  • You're my damn hero, @aldryic

  • KuJoe Member, Host Rep

    I <3 xkcd!

    @Aldryic: sudo make me a sandwich.

  • @KuJoe said: @Aldryic: sudo make me a sandwich.

    -bash: sudo: command not found

    Doesn't come installed with debian-base :3

  • @Aldryic
    apt-get install sudo
    sudo make KuJoe a sandwich

    you're welcome :)

  • @u4ia don't forget to install make too :) And to write the appropriate Makefile

  • @KuJoe said: @Aldryic: sudo make me a sandwich.

    And I already told snape I do not want to be a sandwich.

  • Besides ChkRootKit and RKHunter, I would also suggest checking out RootCheck; then setting up a cronjob to run those scans daily, also sending you an e-mail with the results.

  • @Aldryic said: This is very much worth pointing out...

    Heh nice one, I saw that a while ago when they talked about it on the pauldotcom podcast. Sent it to no end of my customers now.
