@ffoxin
Last active December 15, 2023 11:32
vps setup

Configure SSH

Let's define

  • <service_name>
    • e.g. Vultr: service_name = vultr, GitHub: service_name = github
  • <location> is a short name + index
    • e.g. Frankfurt DC = fr1, Stockholm DC = st1
  • <vps_name> = <service_name>-<location>
    • e.g. a Vultr VPS in the Frankfurt DC = vultr-fr1

Generate an ssh key for the VPS server

ssh-keygen -t rsa -b 4096 -C "<client_name i.e. mbp13 or username>" -f ~/.ssh/<service_name>_rsa

Add to the local ~/.ssh/config

Host *
  UseKeychain yes
  AddKeysToAgent yes

Host <vps_name>-root
  HostName <hostname>
  Port 22
  User root
  IdentityFile ~/.ssh/<service_name>_rsa
  ServerAliveInterval 120
  IdentitiesOnly yes

Host <vps_name>-vps
  HostName <hostname>
  Port 22
  User vps
  IdentityFile ~/.ssh/<service_name>_rsa
  ServerAliveInterval 120
  IdentitiesOnly yes

Fix the server ssh config

vim /etc/ssh/sshd_config

Find every occurrence of these directives, in the main file and in any files pulled in by an Include directive, and set them to the following values:

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
PermitRootLogin prohibit-password

Then reload the ssh service:

systemctl reload ssh

From the local host, in a separate terminal, check that you can still connect over ssh:

ssh <vps_name>-root

Configure ufw (firewall)

ufw status
ufw disable

ufw default deny incoming
ufw default allow outgoing

# common things
ufw allow ssh
ufw allow http
ufw allow https
# wireguard server
ufw allow 51820/udp
# dns server
ufw allow 53/tcp
ufw allow 53/udp
ufw allow 67/udp

ufw enable
ufw status verbose

You should get something like:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
51821/udp                  ALLOW IN    Anywhere
53/tcp                     ALLOW IN    Anywhere
53/udp                     ALLOW IN    Anywhere
67/udp                     ALLOW IN    Anywhere

In a separate terminal, check that you can still connect over ssh:

ssh <vps_name>-root

Add a non-root user

adduser vps
mkdir /home/vps/.ssh
# reuse root's authorized_keys (~ is /root here) for the new user
cp ~/.ssh/authorized_keys /home/vps/.ssh/authorized_keys
chmod 700 /home/vps/.ssh
chmod 600 /home/vps/.ssh/authorized_keys
chown -R vps:vps /home/vps/.ssh

Add docker

Run the docker installer

curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh
usermod -aG docker vps
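A post-setup check for the two server-side steps above (the sshd directives and the non-root user's ~/.ssh permissions), as an added example that is not part of the gist. It assumes POSIX sh with awk and find, and that the output of `sshd -T` (or the raw sshd_config) has been saved to a file first.

```shell
#!/bin/sh
# Post-setup check for the hardening above (added example, not part of the gist).
# Run on the VPS as root once the sshd and user steps are done:
#   sshd -T > /tmp/sshd-T.txt && check_sshd /tmp/sshd-T.txt
#   check_ssh_dir /home/vps/.ssh vps
# Assumes POSIX sh, awk and find; `sshd -T` prints the effective config in lowercase.

# Effective sshd values required by the "Fix the server ssh config" step.
EXPECTED_SSHD='challengeresponseauthentication no
passwordauthentication no
usepam no
permitrootlogin prohibit-password'

# check_sshd FILE: FILE is `sshd -T` output (preferred) or a raw sshd_config.
# Keys are matched case-insensitively; when a raw config repeats a directive,
# sshd honours the first occurrence, so the first match wins here too.
# Prints one line per mismatch; returns 0 only if every directive matches.
check_sshd() {
    bad=$(printf '%s\n' "$EXPECTED_SSHD" | while read -r key want; do
        got=$(awk -v k="$key" 'tolower($1)==k && !s {v=$2; s=1} END {print v}' "$1")
        [ "$got" = "$want" ] || echo "sshd: $key is '${got:-unset}', expected '$want'"
    done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# check_ssh_dir DIR OWNER: DIR is the new user's ~/.ssh from the "Add a non-root
# user" step. With the default StrictModes, sshd rejects an authorized_keys file
# (or its directory) that is owned by someone else or writable by group/others,
# so require exactly 700 on the directory and 600 on the file, owned by OWNER.
check_ssh_dir() {
    dir=$1; owner=$2; rc=0
    [ -n "$(find "$dir" -prune -user "$owner" -perm 700 2>/dev/null)" ] ||
        { echo "$dir: expected mode 700 owned by $owner"; rc=1; }
    [ -n "$(find "$dir/authorized_keys" -prune -user "$owner" -perm 600 2>/dev/null)" ] ||
        { echo "$dir/authorized_keys: expected mode 600 owned by $owner"; rc=1; }
    return $rc
}
```

Both functions return non-zero on any mismatch, so they can gate a later step in a provisioning script.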