
VPS setup⚓︎

How to set up your VPS

What is a VPS⚓︎

Your own space in the cloud, to host a website or app 24/7. It is most useful when running an application, because you can install the software of your choice.

Where to get a VPS⚓︎

Most website domain service providers also offer VPS (Virtual Private Server) plans.

What to get⚓︎

When starting to learn something new, always choose the recommended option

For Ditto, when subscribing to a VPS plan, the recommendation is to have a server with Ubuntu software.


Point your domain to your server⚓︎

what you need

  1. domain name

  2. Your VPS plan (Ubuntu) will provide you with:

    • IP address for your server (using 111.111.11.11 here as an example, please replace with your own)

    • SSH port of access (the standard is 22 or replace with what your provider gives you)

    • Root (admin) password

Your hosting provider should have a tutorial on how to point your domain name to your server's IP address. Sometimes, the steps can vary slightly from provider to provider, but it will look similar to this:

Record         Host   Value
A Record       @      111.111.11.11 (example, enter your own)
CNAME Record   www    yourdomain.ending

To check whether your records point your website's domain to your IP, you can enter the following command in your terminal:

dig yourwebsite.com ANY +noall +answer

recommended

password manager

For this process, you will need to keep track of a few passwords. Password managers can help both save them and generate new ones for you. Choose long strong passwords with numbers, a mixture of uppercase and lowercase letters, and special characters.

warnings exist for a reason, preventing future mistakes

My hosting provider had a security warning on running a VPS from a root (admin) user. I'm documenting the steps to their security recommendations here.


Secure your VPS⚓︎

remove root user & set up a custom one

Examples used in this tutorial, please substitute with your own:

IP: 111.111.11.11

custom port: 2140

server hostname: server0

log in to your server (first time)⚓︎

using your terminal

your terminal will show you your home directory
yourname@yourcomputer ~ %

enter the following command to log in through ssh
ssh root@111.111.11.11 -p22
message from terminal
The authenticity of host '111.111.11.11 (111.111.11.11)' cannot be established. 
...fingerprint...
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/)? 

enter yes
yes
success message from terminal
Warning: Permanently added '111.111.11.11' (RSA) to the list of known hosts.

new credentials⚓︎

log in, if not already
ssh root@111.111.11.11 -p22
enter the password your service provider gave you
root@111.111.11.11's password:
message from terminal
Welcome to Ubuntu

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

New release '' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: date and time
[] [server1.yourdomain.ending ~] # 

create a new user⚓︎

from your root directory
root@server1 ~ %

choose the name you're going to use to access your server (yourusername)

useradd -m -s /bin/bash -c "Admin"  yourusername 

no message from terminal often means success


set a new password⚓︎

passwd yourusername 
enter your desired password
New password:
Retype new password:
message from terminal, after entering a password and retyping it
passwd: password updated successfully
[] [root@server1 ~] # 

give admin rights to yourusername⚓︎

usermod -aG sudo yourusername
no message from terminal often means success


test⚓︎

switch to your username
sudo su - yourusername
message from terminal, if this message does not appear, make sure you have given admin rights to yourusername (see one step above)
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
notice the directory change
yourusername@server1:~$
run this command as a test, it will request your password for your new user
sudo ls -la /root
if, after entering your password, you can see a list similar to the one below, your new user has admin/sudoer rights
total 21
drwx------   
drwxr-xr-x  
...

disable root⚓︎

open config file
sudo nano /etc/ssh/sshd_config

it will open a new window, look for PermitRootLogin (using the up and down arrows)
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
...
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
set PermitRootLogin to no. Make sure there is no hashtag in front of it, unlike the other options. Hashtags are used to make comments that the program ignores.
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
...
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

change the SSH port⚓︎

In the same window you have open, remove the hashtag from port 22 and add another port number of your preference (the example here is 2140).

You can check this list of ports to avoid choosing a number in conflict with another service.

find port 22
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

remove the hashtag from Port 22 and add another port of your preference
Port 22
Port 2140
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
Save with Ctrl + O

you'll see the following message highlighted in the bottom bar
File Name to Write: /etc/ssh/sshd_config

hit enter

Exit with Ctrl + X

Restart SSH using one of the following three commands. If you get a command not found error, try a different one until you don't get a message.

sudo /etc/init.d/sshd restart
sudo service sshd restart
sudo restart ssh

exit twice to log out of the server
exit

Log back in with your custom port (2140 shown here as an example)

log in
ssh yourusername@111.111.11.11 -p2140

Make sure to enter the config file again and add a hashtag to comment out port 22

#Port 22
Port 2140
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

If you get a WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
See how to solve this issue at the bottom of this page.
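
The end state of the two steps above (root login off, only the custom port listening) can be checked mechanically. This is an added example, not part of the original tutorial: the function name `audit_sshd_config` and the sample files are constructed for illustration, and it reads only the global section of a single file (no Include or Match handling).

```shell
#!/bin/sh
# Added example (not from the original page): report the global Port and
# PermitRootLogin values an sshd_config-style file yields. sshd keeps the
# FIRST value it reads for a keyword; Port is the exception and accumulates.

audit_sshd_config() {
    # $1 = path to the config file to inspect
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)        # "Port=2140" is valid too
            split(line, f, /[ \t]+/)
            key = tolower(f[1]); val = f[2]
        }
        key == "match" { exit }                    # stop at conditional blocks
        key == "port"  { ports = ports sep val; sep = ","; next }
        key == "permitrootlogin" && root == "" { root = tolower(val) }
        END {
            if (ports == "") ports = "22"                  # OpenSSH default
            if (root == "")  root = "prohibit-password"    # OpenSSH default
            print "ports=" ports
            print "permitrootlogin=" root
            if (root != "no") print "FAIL: root can still log in over SSH"
            if (("," ports ",") ~ /,22,/) print "FAIL: port 22 is still open"
        }
    ' "$1"
}

# Constructed sample files mirroring the states shown in this tutorial.
demo=$(mktemp -d)
printf '%s\n' '#LoginGraceTime 2m' 'PermitRootLogin no' 'Port 22' 'Port 2140' \
    > "$demo/both_ports"          # state while testing the new port
printf '%s\n' 'PermitRootLogin no' '#Port 22' 'Port 2140' \
    > "$demo/finished"            # state after commenting out Port 22
printf '%s\n' 'permitrootlogin yes' 'Port 2140' 'PermitRootLogin no' \
    > "$demo/shadowed"            # an earlier line wins over the later "no"

for f in both_ports finished shadowed; do
    echo "== $f"; audit_sshd_config "$demo/$f"
done
```

On the server itself, `sudo sshd -t` checks the edited file for syntax errors before you restart, and `sudo sshd -T` prints the effective settings, including anything pulled in by Include lines that this sketch does not follow.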


SSH keys⚓︎

These keys (long strings of characters) will authenticate you to your server. Generate new keys with the following command. If you already have a key, it will warn you that you are about to overwrite it.

from your home directory, in your terminal

ssh-keygen -t rsa

press enter to accept their recommended directory path
Generating public/private rsa key pair.
Enter file in which to save the key (/recommended-path):
enter a strong password
Enter passphrase (empty for no passphrase):
you'll get a similar message to this, along with randomart
Your identification has been saved in
Your public key has been saved in
The key's randomart image is:

check if your keys exist, listed as id_rsa and id_rsa.pub
ls -la ~/.ssh/

You can share your public key (id_rsa.pub).

Do NOT upload nor share your secret or private key, in this case, id_rsa (without the .pub at the end).

deeper dive on passwords for SSH keys

a good explanation on public keys and private keys and why they help in connecting to a server


copy your SSH keys to the server⚓︎

from your home directory yourusername@yourcomputer
ssh-copy-id -p 2140 yourusername@111.111.11.11
message from terminal, it will request your server password
source of keys to be installed
...
number of keys added: 1
Now try logging into the machine and check to make sure that only the key(s) you wanted were added

Log in with your custom settings⚓︎

log back in

enter your key's password
ssh yourusername@111.111.11.11 -p2140
you'll get a message like this one
Welcome to Ubuntu

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

New release '' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: date and time
[] [server1.yourdomain.ending ~] # 
check if your key has been saved
nano ~/.ssh/authorized_keys
you should see your key in a new window
ssh- ...

exit with Ctrl + X
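
ssh-copy-id asks you to "check to make sure that only the key(s) you wanted were added"; reading authorized_keys by eye gets harder as it grows. This is an added example, not part of the original tutorial: the function name `unexpected_keys`, the file contents and the key blobs are constructed placeholders, and it assumes you run it on a copy of the server's authorized_keys next to your local public key.

```shell
#!/bin/sh
# Added example (not from the original page): list authorized_keys entries
# that are NOT the public key you meant to install with ssh-copy-id.

unexpected_keys() {
    # $1 = your local public key (e.g. id_rsa.pub), $2 = authorized_keys copy
    # An entry is "[options] keytype base64-blob [comment]"; entries are
    # compared by blob. Options containing quoted spaces are not handled.
    awk '
        function blob(line,   f, n, i) {
            n = split(line, f, /[ \t]+/)
            for (i = 1; i < n; i++)
                if (f[i] ~ /^(ssh-|ecdsa-|sk-)/) {
                    label = f[i] " " f[i + 2]      # key type and comment
                    return f[i + 1]
                }
            return ""
        }
        FILENAME == ARGV[1] { if (want == "") want = blob($0); next }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            b = blob($0)
            if (b == "")        print "line " FNR ": not a public key line"
            else if (b != want) print "line " FNR ": unexpected " label
        }
    ' "$1" "$2"
}

# Constructed sample: one expected key, one unknown key, and a pasted
# private-key header (which must never appear in this file).
demo=$(mktemp -d)
echo 'ssh-rsa AAAA-CONSTRUCTED-MY-KEY yourname@yourcomputer' > "$demo/id_rsa.pub"
cat > "$demo/authorized_keys" <<'EOF'
# constructed sample, key blobs are placeholders
ssh-rsa AAAA-CONSTRUCTED-MY-KEY yourname@yourcomputer
no-pty ssh-ed25519 AAAA-CONSTRUCTED-OTHER-KEY provider-support
-----BEGIN OPENSSH PRIVATE KEY-----
EOF

unexpected_keys "$demo/id_rsa.pub" "$demo/authorized_keys"
```

No output means every entry in the file is the key you installed.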


Update⚓︎

When you log in, remember to update your server's software.

sudo apt update
message from terminal
Hit:1 http://us.archive.ubuntu.com/ubuntu focal InRelease
Get:2 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease [128 kB]
...
All packages are up to date. 

If the message above mentions that packages could be upgraded, run the command below.

sudo apt upgrade
message terminal gives
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
...
Do you want to continue? [Y/n]
Y

You should see a progress bar at the bottom.

If you get a message to restart services in order to update the kernel, hit enter. It will list which ones need to be restarted. Hit enter again.

It will then display a list of items and say that nothing needs to be restarted, nor is anything outdated.

Automatic updates⚓︎

To ensure the server is up to date on security patches, etc, set up automatic updates.

sudo apt install unattended-upgrades
message from terminal
Reading package lists... Done
...
check if it is running
sudo systemctl status unattended-upgrades.service
message from terminal
unattended-upgrades.service - Unattended Upgrades Shutdown
     Loaded: loaded 
     Active: active (running) since 
       ...Started Unattended Upgrades Shutdown.
...

Keep in mind that this does not install automatic Kernel updates, which need a reboot.

deeper dive: How to Keep Ubuntu Servers Updated

Reboot⚓︎

(Also run reboot if a message to restart appears as you log in)

sudo reboot now

log in, again


Setup a firewall⚓︎

Setup a firewall.


Ditto⚓︎

Install Ditto.


Manage Logfiles⚓︎

How to Manage Logfiles with Logrotate


Restart from scratch⚓︎

Learning about tech means learning to make mistakes and trying again.

If you reinstall your server to try this process again from scratch, on the same server IP, you will get a scary warning like this one:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
Don't worry: here the host key changed because you reinstalled the server. You can fix it by removing your old key from the known_hosts file and making a copy of it in a separate folder, just in case.

from your computer's home directory, using terminal

ssh-keygen -R 111.111.11.11
message from terminal
# Host 111.111.11.11 found: 
/route/ updated
Original contents retained as /route-for-old-keys

If you still cannot log in after that, the error message will give you a directory path at the bottom. The last numbers after the colon indicate the line you need to find and delete.

/thedirectory/path/it/gives/you/known_hosts:21

get to the right directory (leave out the known_hosts file name, the colon, and the line number)
cd /thedirectory/path/it/gives/you
list the files in the directory, known_hosts should be one of the files
ls

open the known_hosts file, it will ask for your computer password
sudo nano known_hosts
It will open up a new window. You can delete the "offending" line with Ctrl + K. It will start with the server's IP.

Ctrl + O to save

Ctrl + X to exit the window

go back to your home folder and log in again
cd 

Now create your SSH keys to authenticate to your server. The steps will change, as the terminal will ask you to overwrite your key. Say yes.
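
One reason the login can still fail after `ssh-keygen -R 111.111.11.11`: ssh stores a server reached on a non-default port under the name `[host]:port`, so this tutorial's port 22 and port 2140 logins leave two separate entries. This is an added example, not part of the original tutorial: the function names and the known_hosts content are constructed for illustration, and it works on a file you pass in rather than on your real known_hosts.

```shell
#!/bin/sh
# Added example (not from the original page). ssh records a server on a
# non-default port as "[host]:port", so a reinstalled server that was reached
# on ports 22 and 2140 leaves TWO stale entries in known_hosts.

forget_host() {
    # $1 = known_hosts file, $2 = host or IP, $3 = custom SSH port
    # Backs the file up to "$1.bak", removes the plain and bracketed entries,
    # and prints the number of lines removed.
    cp -p "$1" "$1.bak" || return 1
    awk -v plain="$2" -v bracket="[$2]:$3" '
        /^[ \t]*#/ || NF < 3 { print; next }       # comments, blanks: keep
        {
            names = ($1 ~ /^@/) ? $2 : $1          # skip @cert-authority/@revoked
            n = split(names, name, ",")            # "host,ip" lists are allowed
            for (i = 1; i <= n; i++)
                if (name[i] == plain || name[i] == bracket) next
            print
        }
    ' "$1.bak" > "$1" || return 1
    echo $(( $(wc -l < "$1.bak") - $(wc -l < "$1") ))
}

hashed_entries() {
    # Hashed names ("|1|salt|hash") cannot be matched as text; count them so
    # you know when to fall back to ssh-keygen -R for those.
    grep -c '^|1|' "$1" || true
}

write_sample() {
    # Constructed known_hosts content; the key blobs are placeholders.
    cat > "$1" <<'EOF'
111.111.11.11 ssh-rsa AAAA-CONSTRUCTED-OLD-HOST-KEY
[111.111.11.11]:2140 ssh-rsa AAAA-CONSTRUCTED-OLD-HOST-KEY
[111.111.11.11]:2222 ssh-rsa AAAA-CONSTRUCTED-OTHER-SERVICE
example.org,203.0.113.7 ssh-ed25519 AAAA-CONSTRUCTED-UNRELATED
|1|Y29uc3RydWN0ZWQ=|Y29uc3RydWN0ZWQ= ssh-ed25519 AAAA-CONSTRUCTED-HASHED
EOF
}

demo=$(mktemp)
write_sample "$demo"
echo "removed: $(forget_host "$demo" 111.111.11.11 2140)"
echo "hashed entries left untouched: $(hashed_entries "$demo")"
cat "$demo"
```

On your own computer, `ssh-keygen -R "[111.111.11.11]:2140"` removes the bracketed entry for the custom port, including hashed ones, without editing the file by hand.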

sources:

How to Fix Warning Remote Host Identification Has Changed

Removing an SSH Public Key for user