Introduction to SSH*
SSH (Secure Shell) is a protocol used to securely connect to remote computers or servers over a network. You interact with it through the ssh program, which comes by default on Linux, macOS, and Windows.
Connecting to VPS using SSH*
SSH can be used to connect to your VPS.
ssh root@62.72.59.218
# Here, root is the username. That's what Hostinger gave us.
# It might be different depending on your VPS provider.
# The part after `@` is the IP address of the VPS.
When you first connect, it will ask whether you want to continue connecting. If you say yes, it will store the fingerprint of this server on your computer. The next time you connect, it will check whether the fingerprint still matches; if it doesn't, it won't let you connect. If you can't log in at that point, your server might have been compromised.
It will then ask for your password; enter it.
Updating Package Repositories, and Upgrading Packages*
One of the first things you should do when you buy a VPS is to update the package repositories and upgrade all packages.
Updating Package Lists
apt update
Our VPS uses Ubuntu, hence we are using the APT package manager. On any Debian-based distribution, you are going to use APT. If your VPS uses another Linux distribution, you can search online for the equivalent command. For example, Red Hat-based distributions such as CentOS and Fedora use dnf, so you can just replace apt with dnf.
apt update doesn't upgrade your packages; it updates the package list on a Debian-based Linux system (like Ubuntu). It fetches the latest metadata about available software packages from the repositories configured on your system.
Upgrading Packages
apt upgrade
This will upgrade all the upgrade-able packages in your system.
Check whether a reboot is required; if yes, reboot.
cat /var/run/reboot-required
If the /var/run/reboot-required file exists, a reboot is required.
You can go to your VPS dashboard, and reboot your VPS from there.
If you aren't using Hostinger, look for this feature in your provider's dashboard. If you can't find it, you can also use this command over SSH:
reboot
Creating Non-Root User-
We are using the root user right now. It can be extremely risky to always be logged in as root, and it's generally recommended to use a non-root user and to use superuser permissions only when we know it's right and needed. We will now create a new user that can't run superuser commands by default, but can when needed. This step is not needed if your VPS already gives you a non-root user.
adduser thapa
This will create a new user named thapa.
It will ask for a new password; make sure to use a password different from the root user's for security purposes.
We added a new user, but the new user can't run superuser commands even when needed. We will add the new user to the sudo group, which will allow them to use superuser commands.
usermod -aG sudo thapa
You can use groups username to check whether the new user has been added to the sudo group.
Let’s exit our SSH connection, and try logging in as new user.
ssh thapa@62.72.59.218
Now, if you try to run any superuser command like apt install, apt update, or apt upgrade, you will get an error.
You have to prefix superuser commands with sudo.
Just for testing, we are installing neovim, a popular text editor that can be used from the terminal.
Setting up SSH Keys for connecting to VPS-
We have been using passwords for authentication so far, but we are now going to switch to SSH keys and turn off password login. This is because anyone can brute-force the password and connect to our VPS if the password is weak.
Creating a SSH Key
ssh-keygen -t ed25519 -C "your_email@example.com"
# If you are using a legacy system that doesn't support the Ed25519 algorithm, use:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
The same command works on macOS and Linux too. Remember that when it asks for the file name, you have to give either an absolute path or a path relative to your current directory that points into the .ssh folder.
Typically, keys are stored in the .ssh folder in the user's home directory on Windows, macOS, and Linux (C:\Users\Username\.ssh on Windows, ~/.ssh on macOS and Linux).
On Windows, Turn on SSH Agent Service
Get-Service -Name ssh-agent | Set-Service -StartupType Automatic
Start-Service ssh-agent
Open PowerShell as administrator, and paste those two commands. This makes sure the ssh-agent service starts every time you restart your PC.
Alternatively, you can also turn it on through the GUI.
Search for Services in Windows Search, and look for "OpenSSH". Then right-click it, and click Properties.
Change it to Automatic if it isn't already, and also start the service from there.
Adding newly created SSH key in ssh-agent
ssh-add .\.ssh\id_ed25519
# Note that I am already in my C:\Users\Username folder.
# If you used a different name for your SSH key, then use that.
This step is usually not needed if you chose the default name, but if you chose a different name for your SSH key, you will have to do this.
Adding our SSH Public Key in VPS
- First, copy the content of your SSH public key file. Copy the content of the .pub file, not of the file without an extension; that one is your private key, and you shouldn't share it.
~\.ssh ❯ cat .\id_ed25519.pub
You can also open the file in Notepad and copy it from there.
- Now, connect to your VPS as the non-root user. Hostinger also has an option to add SSH keys, but it only does so for root, and we want to use the non-root user.
- After connecting, create a .ssh folder inside the home directory if it doesn't exist.
mkdir -p .ssh
cd .ssh # cd into the .ssh folder that we created.
- Create a file named authorized_keys inside the .ssh folder, and paste the content of your public key into it.
nano authorized_keys
You can use Ctrl + O to save the file in Nano, and Ctrl + X to exit.
- Now, just exit the VPS and try to log in again. You will see that it logs in to the VPS automatically without asking for a password. If you set a password on your SSH key, it will ask for that every time. If you don't like that, you can use the ssh-add command as discussed previously.
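The server-side steps above as one shell function, added here as an example that is not part of the original page. It installs a single public key line with the 700/600 permissions that sshd's StrictModes check accepts, rejects input that is not an ed25519 or RSA public key line (for example a pasted private key), and skips duplicates. The name install_pubkey is an assumption made for illustration.

```shell
#!/bin/sh
# Added example: run on the VPS as the non-root user.
# install_pubkey <home-dir> <public-key-line>
# Returns 0 when the key is installed (or already present), 1 when rejected.
install_pubkey() {
    home_dir=$1
    key_line=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    nl='
'
    # Accept exactly one line that starts like an OpenSSH public key.
    # A private key begins with "-----BEGIN", so it never matches.
    case "$key_line" in
        *"$nl"*) echo "refusing multi-line input" >&2; return 1 ;;
        "ssh-ed25519 AAAA"*|"ssh-rsa AAAA"*) ;;
        *) echo "not an ed25519/rsa public key line" >&2; return 1 ;;
    esac

    # Only the owner may read or write the folder and the key list.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # If the file does not end with a newline, add one so the new key
    # is not glued onto the previous entry.
    if [ -s "$auth_file" ] && [ -n "$(tail -c1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi

    # Append only when this exact line is not already present.
    if ! grep -qxF -- "$key_line" "$auth_file"; then
        printf '%s\n' "$key_line" >> "$auth_file"
    fi
}

# Usage on the VPS (paste the content of your .pub file as the second argument):
#   install_pubkey "$HOME" "ssh-ed25519 AAAA... your_email@example.com"
```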
Disable Password Login-
We are going to disable it so that hackers can't brute-force our server. Remember to set up an SSH key before disabling it, else you won't be able to connect to your VPS. Also, if you need to connect from a new computer, you first have to generate an SSH key on that computer, and then paste its public key into the VPS from your previous device, where you can already connect using an SSH key.
- Edit the SSH config
sudo nano /etc/ssh/sshd_config
- Scroll down the file and change the PasswordAuthentication value from yes to no.
Now, save it using Ctrl + O, and exit using Ctrl + X.
- On Hostinger VPS, I have a file named 50-cloud-init.conf inside /etc/ssh/sshd_config.d which has PasswordAuthentication turned on, so we will turn it off in that file as well.
Remember that it's inside the sshd_config.d folder, not inside ssh_config.d.
Use Nano to update it too.
- After that, restart the ssh service.
sudo systemctl restart ssh # Service name might be sshd for CentOS
- Now, if you try to log in as the root user, you will see that it isn't allowed, because we haven't set up SSH keys for the root user. You can set that up through the Hostinger dashboard too, but we are going to disable root user login entirely.
Disable Root User login-
We want to disable root user entirely so that you are forced to use non root user.
- Edit sshd_config
sudo nano /etc/ssh/sshd_config
- Search for PermitRootLogin, and set its value to no.
Alternatively, you can change its value to without-password, which allows root login with SSH keys but not with a password. But since we have already turned off password authentication, it's not needed.
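A check for the two sections above (Disable Password Login and Disable Root User login), added here as an example that is not part of the original page. sshd keeps the first value it reads for each keyword, so a drop-in such as 50-cloud-init.conf that is included before your edit in sshd_config still wins; `sshd -T` prints the effective result, and the function below compares it with what this guide sets. The name audit_sshd is an assumption made for illustration.

```shell
#!/bin/sh
# Added example: audit the *effective* sshd settings.
# Input on stdin is the output of `sshd -T`, which prints one lowercase
# "keyword value" line per setting after all included files are merged.

audit_sshd() {
    # Values this guide expects once both sections above are done.
    expected='passwordauthentication no
permitrootlogin no
pubkeyauthentication yes'
    effective=$(cat)
    failures=0
    while read -r key want; do
        # Take the value reported for this keyword, if any.
        got=$(printf '%s\n' "$effective" |
            awk -v k="$key" 'tolower($1) == k { print tolower($2); exit }')
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: effective='${got:-missing}' expected='$want'"
            failures=$((failures + 1))
        fi
    done <<EOF
$expected
EOF
    # Exit status 0 only when every expected setting is in effect.
    [ "$failures" -eq 0 ]
}

# Live use on the VPS after restarting the ssh service
# (sshd -t checks the config for syntax errors first):
#   sudo sshd -t && sudo sshd -T | audit_sshd
```

Keep your current SSH session open while you test a new login in a second terminal, so a mistake in the config cannot lock you out.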
Setting up Firewall*
A firewall is a network security system that monitors and controls incoming and outgoing network traffic. It acts as a barrier between your server and potential threats from the internet.
Many VPS providers, like AWS, DigitalOcean, and Linode, offer firewall options that can be set up through their dashboard. But, we are going to use UFW, or Uncomplicated Firewall through CLI, as it’s easy to use.
Install it if you don't have it
Hostinger already comes with UFW by default, so we don't have to do this.
sudo apt install ufw
Checking Status
sudo ufw status
It is currently inactive, so let’s enable it.
Disable all incoming requests by default
sudo ufw default deny incoming
Enable all outgoing requests by default
sudo ufw default allow outgoing
MOST IMPORTANT: Enable OpenSSH Connection
We know that OpenSSH uses port 22 by default. So, we have to enable this before exiting VPS. If we don’t follow this step, and enable the firewall, then we can no longer connect to our VPS using SSH connection.
sudo ufw allow OpenSSH
If you had changed your port number for SSH, then you have to do this:
sudo ufw allow <port-number>
See list of added configuration
sudo ufw show added
Enable Firewall
Make sure to enable OpenSSH connection before enabling the firewall, otherwise you won’t be able to SSH into the VPS.
sudo ufw enable
Enabling HTTP, and HTTPS connections
We are going to deploy a website/web app in future, so we are going to enable HTTP, and HTTPS connections.
sudo ufw allow http
# Alternatively: sudo ufw allow 80/tcp
sudo ufw allow https
# Alternative: sudo ufw allow 443/tcp
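The firewall steps above in lockout-safe order, added here as an example that is not part of the original page. ufw is only enabled after `ufw show added` confirms a rule for the SSH port. The function names are assumptions made for illustration, and rules written in other forms (for example with `from ... to any port`) are deliberately not recognised, so the guard errs on the side of refusing.

```shell
#!/bin/sh
# Added example: guard against enabling ufw without an SSH rule.

# ssh_rule_present [port]: reads `ufw show added` output on stdin; returns 0
# only if an allow or limit rule covers the SSH port (default 22).
ssh_rule_present() {
    port=${1:-22}
    awk -v port="$port" '
        $1 == "ufw" && ($2 == "allow" || $2 == "limit") {
            t = $3
            if (t == port || t == (port "/tcp")) found = 1
            # The OpenSSH app profile and the "ssh" service name both mean 22/tcp.
            if (port == 22 && (t == "OpenSSH" || t == "ssh")) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# enable_firewall_safely [port]: same commands as the steps above, but ufw is
# enabled only after the SSH rule is confirmed in the list of added rules.
enable_firewall_safely() {
    port=${1:-22}
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    if [ "$port" = 22 ]; then
        sudo ufw allow OpenSSH
    else
        sudo ufw allow "$port/tcp"
    fi
    if sudo ufw show added | ssh_rule_present "$port"; then
        sudo ufw enable
    else
        echo "no allow rule for SSH port $port; ufw left disabled" >&2
        return 1
    fi
}

# Usage on the VPS:  enable_firewall_safely        (or: enable_firewall_safely 2222)
```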