Setting up a VPS for website hosting - Part 1

Setting Up The Local Account

Create local account

We don't want to use our VPS with the root account for security reasons. It is better to create a local admin account and run everything from there. Run these commands to create a new user:

adduser cindy
adduser cindy sudo

Where cindy is the name of the new user. This creates a new user and gives it sudo/administrative permissions.

Intro to SSH keys

Now that we have a local account, we can personalize and tailor how we log in to our server. Exit the server and go back to your own computer by typing exit.

Entering a password to access a server works, but it leaves the server exposed to password brute-forcing. A more secure way to log in to a server is through a key pair. A key pair consists of a public key and a private key. We'll use OpenSSH to create a private/public key pair and install the public key on the server.

The basic idea of private/public key encryption is that there is a pair of two "keys", which are essentially long strings of bits, for example 4096 bits. The two keys are used together to encrypt and decrypt messages.

Here's one use of public/private key encryption. If your friend wants to send you a secret message, you can give them your public key. They encrypt the secret message with that public key and send the encrypted message to you. No one else can read it while it's in transit. Once it gets to you, you decrypt the message with your private key and read it. OpenSSH does all of the math for us and produces a pair of keys whose encryption and decryption match up exactly.

Setting Up SSH Keys

So now we know that we need to set up a public key and a private key and send the public key out to the server. If you have never set up SSH keys before, run:

ssh-keygen

You can optionally run:

ssh-keygen -b 4096

to have a more secure key with more bits. You can put it in the default directory with the default names, which are id_rsa for the private key and id_rsa.pub for the public key. A password is optional, but I prefer to not have a password.

Your public and private keys will now be created. The next step is to send the public key to your server. There's a command for that:

ssh-copy-id cindy@123.456.789

where cindy is the name of your user, and 123.456.789 is your IP address.

Configuring SSH

You can now log into your server using ssh. However, it's easier and more secure to rely on the private/public key pair and to disable password logins from your local computer entirely. It's also more secure to disable root SSH logins entirely. You can do this by modifying your /etc/ssh/sshd_config file. Find these lines:

PermitRootLogin yes
...
# PasswordAuthentication no
# PermitEmptyPasswords yes

and change them to:

PermitRootLogin no
...
PasswordAuthentication no
PermitEmptyPasswords yes

After saving, reload sshd and, before closing your current session, confirm from a second terminal that you can still log in with your key; a mistake in this file otherwise locks you out of the server.
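As an added example (not from the original post), here is a small POSIX shell script that applies the two sshd_config changes above, rewriting commented-out lines in place so it can be re-run safely, and refuses to disable password logins until a public key is actually installed for the user. The two file paths it takes as arguments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the sshd_config changes
# described above (disable root login, disable password authentication) to a
# config file, replacing commented-out lines in place so it can be re-run safely.
# Assumed inputs: $1 = path to sshd_config, $2 = path to the admin user's
# authorized_keys (e.g. /home/cindy/.ssh/authorized_keys).

set_sshd_option() {
    # $1 = config file, $2 = option name, $3 = value.
    # If the option already appears (even commented out with '#'), rewrite that
    # line; otherwise append it. A temp file keeps this portable (no sed -i)
    # and writing back with cat preserves the config file's owner and mode.
    if grep -Eq "^[# ]*$2[[:space:]]" "$1"; then
        tmp=$(mktemp)
        sed -E "s|^[# ]*$2[[:space:]].*|$2 $3|" "$1" > "$tmp" && cat "$tmp" > "$1"
        rm -f "$tmp"
    else
        printf '%s %s\n' "$2" "$3" >> "$1"
    fi
}

harden_sshd_config() {
    # $1 = sshd_config path, $2 = authorized_keys path of the admin user.
    # Turning off password logins before ssh-copy-id has run locks you out,
    # so refuse unless a non-empty authorized_keys file exists.
    if ! [ -s "$2" ]; then
        echo "no public key installed in $2; run ssh-copy-id first" >&2
        return 1
    fi
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
}

# Run directly (as root):
#   sh harden-sshd.sh /etc/ssh/sshd_config /home/cindy/.ssh/authorized_keys
if [ "$#" -ge 2 ]; then
    harden_sshd_config "$1" "$2"
fi
```

After running it on the real /etc/ssh/sshd_config, check the result with `sudo sshd -t` and reload sshd while your current session stays open.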

(Optional) Removing the user password

Because we are going to use SSH keys to authenticate and log in, we can clear our password on the server. This doesn't mean that updates and other sudo-level commands run automatically: you still need to type sudo, but it will no longer prompt you for your password.

To do this, run:

sudo visudo

and then append the line:

cindy ALL=(ALL) NOPASSWD:ALL

Then hit Control+X to exit and save. This will remove the need to enter your password when you use sudo. If you created a password already, you can remove it using:

sudo passwd -d cindy

You must set the SSH parameters allowing empty passwords before you do this, and you must copy your public key to the server before doing this. If you didn't, it's not the end of the world. If you're using Linode, you can log in using WebLish or Glish to create a password, do those things, and then clear your password.