Self Host 101 - Set up and Secure Your Own Server

you are looking at SSH login attempts to a brand new virtual private server that I just created and if you have your own VPS and you haven't taken the steps to lock it down try running this command to see if there are login attempts happening and you'll be surprised to what you find because there are hackers running automated scripts 24/7 trying to find and exploit vulnerable servers and you don't want to be a victim of this now in this video I'm going to show you the basics of setting up and locking down a VPS to prevent these login attempts and automatically block other types of attacks as well this will be the first video in a series on self-hosting with the VPS so if this kind of thing interests you let us know in the comments and also stick around for future videos in the series where we take this VPS and turn it into a web server or a database server now whether you're a complete beginner a hobbyist or a developer that wants to start managing their own servers this video will show you everything you need to know to create a secure locked down VPS that's ready to run any service you throw at it so let's jump in I'm CJ welcome to sentense now if you're new to the world of vpss welcome there are a lot of things you can do with them and a lot of reasons why you would want to manage one yourself now a VPS is just one way to host things on the web if you're interested in learning about more check out episode 615 of syntax where Wes and Scott compare the different kinds of hosting and the various providers now like I mentioned you can do a lot of things with a VPS and one of the reasons people typically start learning about and looking into VPS is to self-host uh things like a personal Media Server Like Plex jellyfin or MB or host their own cloud with something like nexcloud or host photos with something like Photo prism or host your own password manager with like bit Warden or passbolt uh but you can also self-host your own applications and web services things like a custom Discord bot or some long running process or like a websocket server or self-host your own instance of Sentry you could also run web servers like enginex Apache or caddy you can host databases like MySQL postgress mongodb or reddis and others and ultimately reduce your dependency on managed services like versell netlify Heroku render Railway fly. io am I missing any and also manage database services like AWS RDS Planet scale neon and others now in episode 730 of syntax Wes and Scott talk about some of these paas or platform as a Service Alternatives they talk about things like uh piku doku Kubo cap Rover kifi probably a couple others and these all allow you to get the same functionality as verell or netlify but running on your own server now managing a VPS is not not for the faint of heart it requires constant attention and maintenance which is why managed Services exist and why this type of thing is typically a full-time job but if this kind of thing still interests you let's get into it now the next part of this video will assume that you want to set up a VPS and you have acquired one so like I mentioned check out episode 615 of syntax if you'd like to know where to get one and more about these various hosting providers now I'm going to be setting up a tiny VPS it's running Ubuntu 22. 041 gig of RAM 1 CPU and 10 GB of dis space now this video is not sponsored by any VPS hosting or domain provider so I'm going to keep things fairly generic so you can use whatever you can afford and whatever you prefer now depending on the type of workload you're going to be running on this VPS you might need better specs but for me I'm going to have a few static sites a few node.

js applications and a couple databases so the minimal specs that I mentioned will work for what I need to do now let's connect to rvps for this we're going to use a thing called SSH and you're going to need a terminal to do this now on a Mac I am using an app called iterm you can also use the buil-in terminal on a Mac if you're on Windows there's a thing called Windows terminal if you're on Linux just search for the app called terminal and open it up and we're going to want to run the command SSH so once it's open we're going to type SSH and then we'll need to type the username that has been set up for us on the VPS now this is going to vary by where you got your VPS for me the VPS username is root and we're going to log in with that you yours might be admin or Ubuntu or Debian uh it might vary but for me it's root and then after the at sign we're going to put in the IP address of our server now this IP address will be listed in whatever dashboard of wherever you got your VPS but this is a public IP address and that means anyone in the world that's on the internet will be able to access uh the server at this IP address just like we're about to access this server now you should have a command that's SSH username at IP address hit enter and now it's going to attempt to connect now the first time you're ever connected ing to a server you're going to see this warning and here you can just type yes and what this is doing is it's storing the fingerprint of this server on your computer so the next time you connect it's going to validate that fingerprint now uh the next time you connect you shouldn't see this warning and if you ever see this warning again and you haven't changed anything on the server then that means something has gone wrong something is potentially compromised like the the SSH key on the server has actually changed and sometimes there's a legitimate reason for that uh but just so you know you should only see that warning the first time you connected the server and you shouldn't see it anytime after that now we'll need to type in our password now as you type you're not going to see anything on the screen here in the terminal but as long as you type everything correctly you should get connected to your server now one of the first things you should do when you connect to your VPS for the first time is run updates and upgrades so like I mentioned earlier I'm running Ubuntu will work if you're on an Ubuntu or dbn based system now depending on what your VPS has set up for you if you are not connecting as the root or super user then all of these commands you're going to need to type pseudo in front of so like pseudo apt upgrade or pseudo apt install for me because I'm running as the root user I will not need to put pseudo in front of those commands but if you try running those commands and it says you don't have permission put pseudo in front of them so the first thing we're going to do is just say apt update now this command isn't going to actually upgrade anything it's just going to to update the package lists locally on your machine so when you do run an upgrade or you do run an install it's always grabbing the latest versions from those specific repositories so now that we have the latest package list you can see that it says 76 packages can be upgraded so we're going to run the upgrade command so I'll just do apt upgrade and that's going to grab and install all of the latest versions of all the packages that I have installed and we can confirm this with Y and it'll start downloading and and upgrading everything now you might be wondering why are we upgrading one of the ways to keep your VPS secure is to always be running the latest versions of all packages because when hackers attempt to gain access to a machine or exploit a machine typically they're taking advantage of old broken versions and so anytime a a package has an upgrade a lot of times it's potentially a bug fix or a vulnerability fix and so we always want to make sure we're always running the latest versions of all packages just to make sure that we always have the latest fixes and patches for for anything that we're using on our system now when you run this upgrade you may or may not see this notice that there is a pending kernel upgrade now the kernel is like the root of the operating system and this is another thing that could potentially be be vulnerable so we always want to be running the latest version of the kernel now if you upgrade the kernel you are going to have to restart the machine which is why we typically want to run these commands before we do anything else on the VPS because we're going to need to reboot it a few times before we can start running our own applications so I am going to do the kernel upgrade here and then uh from there will'll likely restart our machine now this is asking me what services should be restarted uh like I said we are going to restart the entire machine so we actually don't really even have to worry about this I can just okay through it because once we reboot the whole machine then all of these services will be restarted anyways now that all of the upgrades have run and in my case I also upgraded the kernel you can do this to determine if you need to reboot so if you do an LS of /var run/ reboot required if that exists that means your machine needs to be rebooted and uh there are different ways to do this you can actually do this from the command line if you just type reboot but you can also do it from your VPS dashboard and that's how I'm going to do it just because I want to make sure that this thing actually reboots because if you accidentally shut down the machine and there there's no way to restart it in your dashboard you're going to have to reach out to like to the support team of where wherever you're hosting your VPS so for my VPS there's a dashboard where I can literally say restart VM so I am going to exit from my SSH session here go to my dashboard and restart the VPS now that the machine has rebooted we're going to SSH back in and once you're in as long you shouldn't see system restart required that's a good sign and also if it says zero updates can be applied immediately you should be good to go but since I upgraded the kernel it's likely that some packages some more packages can be upgraded as well so we are actually going to do an apt upgrade again now in my case it says there are a couple of packages that have been kept back and it didn't autoinstall them so I'm actually just going to try to install them directly so I'm going to copy their name and then just do an apt install with those names now you may not have gotten that error and that's completely fine if it says you have no upgradeable packages you're good to go but at this point because I did install those if I do an app upgrade now I should see uh there's nothing to be upgraded which means I'm on a fully upgraded system now the next thing I'll do is change the root users password now uh for me in my VPS dashboard they literally gave me a password that I could copy paste to log in as the root user and I don't want to be able to do that so I'm going to change it to something that only I know and something that can't be copy pasted from the dashboard so if you type PWD that will prompt you to change the password for the currently logged in user in this case I'm going to change the password of the root user now you won't see anything when you're typing your password but as long as you type it correct both times it'll change the password now to check it I'll exit the SSH session and relog in with my new password so I've confirmed my updated password works now we can start locking down the server and one of the first Concepts you'll learn in security is the principle of least privilege and if we're running all of our commands as root we always have super user privileges if you actually if you type ID in the terminal and your user ID is zero that means you are the super user you can do anything on this machine and there are some things we need super user privileges for but we don't need it for everything so we're going to create a secondary user and they will not have super user permissions by default but will be able to run things with super user permissions if they require it now to add a new user we can use the add user command so I'm going to type add user and then the name of the user in this case I'm going to call it CJ because that's me so this will create the user and it's going to ask for a password now give it a password but give it a different password than the root user you don't want those passwords to be exactly the same for security purposes so I'm going to give this a password now after you set up the password It'll ask you a few more questions just fill those out and for some of these you can just leave them blank if you don't have any info for them now that we've created the user they're a regular plain old user they can't do anything as the super user yet but what we'll do is We'll add them to a group called pseudo and that will then allow them to perform Super User actions if they need to so to do this we're going to do a user mod we'll do- lowercase A- capital G and then we will specify pseudo and then the username in this case my username is CJ now from here if we want to make sure it worked we can type groups and then the name of the user and we'll see the groups that they're in so by default a user is always in a group with their own name so I'm in the CJ group but you can see that we've added that pseudo group as well so now to try this out let's actually exit our SSH session as root and try logging in as this new user that we created so I'm going to exit we're going to do an SSH but now instead of logging in as root we're going to type the username that we just created we'll type in the password and we're good to go so now we are able to log into the machine but not as the root user and like I said this is is one of the first steps of locking down the machine is making sure that you're not always doing things as the root user now you can see that Ubuntu is actually being very helpful right now and it's saying uh if you want to run something as the administrator or as the super user you can use the pseudo command so for example if I tried running an app update like we did when we were under the root account you'll see this error and basically that means we don't have permissions to do it but if I'd like to perform this action as the super user I can do pseudo apt update now it's going to ask for your password the first time and this is your user password so just typee that in and from there it will run the command with super user privileges now you can use this pseudo command for any command that you want to run as the super user now if you're new to Linux and the the pseudo command um you you are basically unlocking the ability to understand this classic XKCD joke of um if you put pseudo in front of any command you now are executing it as the super user and pseudo used to stand for super user do uh but now the command can also be used to run commands on the machine as other users as well so it actually stands for substitute user do and it allows you to perform commands as other users and by default it'll perform the commands as the root user now the next step in locking down the machine is making it so that we connect with an SSH key instead of a password now to do this you will need an SSH key I'm going to link this article by GitHub in the description it shows you how to generate an SSH key if you don't have one uh but the next steps will require you to have an SSH key now it's important to note that SSH key that you generate should be generated on your local machine the machine that you're going to be connecting to the VPS from not on the VPS itself so make sure when you follow the directions to generate the SSH key it's happening on your local machine now that SSH key locally on your machine lives in your home folder in a folder called SSH and for me this is the public key file and if we run the cat command on it we can see the contents of it now this is completely okay to share because this is my public key I would not want to share the private key which is in the file without the pub on it but the public key completely okay to share and this is what we need to add to the server to be able to log in using this SSH key now let's add this public key to the VPS so I'm going to copy the my public key and then over on the VPS I need to create a folder in my home folder called SSH so right now I'm in my home folder I'm going to make a directory called SSH and then I need to create a file called authorized unor keys now to do this I'm going to use a command line tool called Nano it's very easy to use basically it's a command line text editor and then I'm going to specify the file name so I want to edit the file called SSH SL authorized Keys now once I'm in here this is just a text editor I can I can type whatever I want but I need to put my public key into this file so I'm going to paste it in and then I'm going to exit and save the file so you you can see in Nano it literally tells us to exit we can press crl X and then to save it we'll press press Y and then hit enter so now my public key is in that authorized key file and that's actually all we need if I exit my session here and then try sshing back in you'll notice it doesn't ask for my password and just instantly logs me in and this is because behind the scenes it was doing a public private key negotiation and allowed me to log in with my SSH key now that we've set up our SSH key we are going to disable password login in entirely and this is how we're going to stop attackers from trying a bunch of different passwords is no one will be able to log into our server with a password you have to use an SSH key once we enable this setting now it's important to note if you're connecting to this VPS from other computers you're going to need to make sure that you set up an SSH key on those machines as well and you add the public key to that authorized Keys file that we worked on earlier but at this point let's disable password login now to disable password login we're going to need to edit the sshd config we'll use pseudo for this because we need super user to edit that file we'll use Nano because it's a text file and the file is ATC SSH sdore config now we'll edit this file and because we're using pseudo we'll have to type in our user password now once we're in the file we can hold the down arrow to get to the section on password authentication now I will note that in the previous section I said that login with SSH key would just work if it's not working for you it's possible that this setting was not set to yes so make sure that you set this setting to yes but we're looking for the password authentication setting so yeah right now password authentication is set to yes I want to set this to no and then save the file now on my machine there's actually another config that I need to update and that is in the D folder so if we take a look in that folder there's also sshd config. inc authentication set to yes so I want to make sure that I set this one to no as well so we'll save that update it and now we need to restart the SSH service to get these settings to kick in so I'm going to do pseudo service SSH restart now to test if this worked let's actually try logging in as the root user so I'm going to ssh in as root and if we get this error permission denied public key we know that it's working because we didn't set up a public key for the root user we only set it up for our other user and uh now we actually can't log in with the password uh as the user but if we try sshing in as the user we created the public private key exchange should happen and we should get logged into the machine now we've locked things down so we can only log in Via an SSH key but to lock things down even further we're going to prevent login via the root user over SSH entirely so to do this we'll jump into that same config file we're going to go down to the section that says permit rout login and we're going to remove the hash will actually which will actually enable this configuration by default without password just means that it would only allow the public private key authentication for the root user but we're actually just going to set this to no and that way the root user cannot log in bya SSH at all so we'll save this file and then we'll restart the SSH service so we'll do pseudo service SSH restart and from here root can no longer log in bya SSH now the next step in locking down your VPS is to control the network and firewall policy now for me my VPS provider has a dashboard where I can open and close various ports on the firewall you might have that as well you're going to want to look for a section called ports or firewall or network uh but if you don't have that section in your VPS provider dashboard you can actually use an application firewall so built into Ubuntu is an application called ufw or uncomplicated firewall and it allows you to control the firewall from the command line directly on the VPS itself but uh since my provider has a dashboard where I can control all of the ports and everything I'm going to be using that for all of these this network stuff that I talk about now the first thing we'll do is close all ports that don't need to be open now if you're new to all of this stuff ports are like little doorways on your computer that can receive and respond to network requests and so for example we've been connecting to our VPS via SSA and by default the SSH service is running on Port 22 to respond to those SSH requests now um if if you're not running anything else on your machine that needs to be exposed to the internet like you don't have a web server or you don't have a database or anything else you can just close down all other ports so either use ufw to do this from the command line or go into your VPS provider dashboard and any ports that it has open like a lot of times Port 80 and 443 will be open by default because the provider assumes that you're going to be running an H HTTP or https service and that's those Services respond on those specific ports but if you're not going to have a web server there you can close those ports so just remove those rules that that open up those ports or if you're using ufw uh use it to either open or close those ports now one of the common things people do to lock down a machine further is change the port that SSH is running on now we mentioned it runs on Port 22 but you could run it on 2222 or 4242 you could pick a port number um and to do that you would need to go into your firewall whether it's in a dashboard or it's from the command line and open up the port that you run want to run SSH on and then you can go into that configuration file that we were in earlier and there's actually a section that will let you set the port that SSH runs on now if you do this this is one way of preventing automated attacks against your server because a lot of scripts that hackers are running will assume that SSH is running on Port 22 if Port 22 is open so if you close 22 and run SSH on a different port that's going to prevent those automated attacks now there are ways of poking and pting at a server to figure out what ports are open and if any ports are open attempting to figure out what services are running on those ports so a Savvy hacker will still be able to find your SSH Port even if you change it from the default 22 now personally I like the convenience of not having to type in the port number when I SSH so I just leave SSH running on Port 22 but again that's this is one way of locking down the Sur if you want to prevent those automated login attempts now you can further lock down these ports by restricting access to specific IP addresses Now by default if you're setting up a rule and it has the ipv4 address 0. 0.

0. 0 that means allow and respond to requests from any IP address but let's say for instance you only want to allow access to Port 22 from your computer that you're running right now if you have a static IP address that means an IP address that doesn't change you can set up that firewall rule so that it only allows connections from your IP address now I don't have a static IP address I'm just running home internet um and so day-to-day my IP address might change but if you're at a business or you're paying your internet service provider for a static IP address then this is a kind of rule that you can set up where basically in the rule instead of 0. 0.

0.