Self Host 101 - Set up and Secure Your Own Server
Summary
TLDR: This video tutorial offers a comprehensive guide to securing a newly created Virtual Private Server (VPS). It begins by highlighting the importance of locking down a VPS to protect against relentless hacking attempts. The host, CJ, demonstrates how to update and upgrade the VPS to its latest secure state, change default root passwords, and create a non-root user with sudo privileges. The tutorial also covers setting up SSH key-based authentication to replace passwords, disabling root login via SSH, and configuring firewall rules to restrict access to necessary ports only. Finally, it introduces the setup of unattended-upgrades to keep the system updated automatically, ensuring a secure and well-maintained server environment.
Takeaways
- 🛡️ The importance of securing a VPS from the constant threat of automated hacking attempts targeting default login credentials.
- 🔑 Demonstration of checking for SSH login attempts to identify any unauthorized access to a new VPS.
- 🔒 Basic steps for setting up and securing a VPS, including running updates and upgrades to protect against vulnerabilities.
- 👥 Introduction to the concept of least privilege by creating a secondary user with limited permissions to perform administrative tasks when necessary.
- 🔄 The necessity of keeping the system updated with the latest security patches through regular package upgrades.
- 🔒🔑 Transitioning from password-based SSH logins to key-based authentication for enhanced security.
- 🚫 Disabling password authentication in SSH to prevent brute force attacks.
- 🔒🚫 Prohibiting SSH access for the root user to further secure the server against unauthorized access.
- 🔄 Using application firewalls like UFW to control network traffic and close unnecessary ports.
- 🔄🔒 Configuring the firewall to allow traffic only from specific IP addresses to limit exposure.
- 🤖 Implementing unattended-upgrades to automate the process of keeping the system updated with the latest security patches.
Q & A
What is the main purpose of the video?
-The main purpose of the video is to guide viewers on setting up and securing a new Virtual Private Server (VPS) to prevent unauthorized access and potential attacks.
Why is it important to check for SSH login attempts on a new VPS?
-It is important to check for SSH login attempts because hackers are constantly running automated scripts to exploit vulnerable servers, and being aware of such attempts can help in taking preventive measures.
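One way to run that check, as an added example that is not taken from the video: a shell function that counts failed SSH password attempts per source address. The log lines are constructed samples using documentation IP ranges; on a Debian or Ubuntu VPS the real input would be /var/log/auth.log or the output of `journalctl -u ssh`.

```shell
#!/usr/bin/env bash
# Added example: count failed SSH password attempts per source IP.

# Constructed sample log lines (documentation IP ranges, not real traffic).
sample_log() {
cat <<'EOF'
Jan 10 03:12:01 vps sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan 10 03:12:04 vps sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan 10 03:12:09 vps sshd[815]: Failed password for invalid user admin from 198.51.100.23 port 51514 ssh2
Jan 10 03:13:30 vps sshd[820]: Invalid user test from 203.0.113.7 port 40310
Jan 10 03:14:02 vps sshd[822]: Failed password for invalid user test from 203.0.113.7 port 40310 ssh2
Jan 10 03:15:11 vps sshd[830]: Failed password for invalid user x from 192.0.2.10 from 198.51.100.23 port 51600 ssh2
Jan 10 08:01:44 vps sshd[990]: Accepted publickey for deploy from 192.0.2.10 port 60022 ssh2: ED25519 SHA256:(constructed)
EOF
}

# Reads sshd log lines on stdin, prints "<count> <ip>" sorted by count.
# The user name in a failed login is text chosen by the client, so the
# address is read by position from the END of the line ("from IP port N ssh2")
# instead of trusting the first "from" that appears.
failed_by_ip() {
  awk 'NF >= 9 && /sshd\[[0-9]+\]: Failed password for / &&
       $(NF-4) == "from" && $(NF-2) == "port" {
         count[$(NF-3)]++
       }
       END { for (ip in count) print count[ip], ip }' |
    sort -k1,1nr -k2,2
}

sample_log | failed_by_ip
```
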
What does the video offer for different types of users interested in VPS?
-The video offers a basic guide suitable for complete beginners, hobbyists, and developers, showing them how to create a secure and locked-down VPS ready for various services.
What are some examples of self-hosted applications one might run on a VPS?
-Examples include personal media servers like Plex or Jellyfin, cloud services like Nextcloud, photo hosting with PhotoPrism, password managers like Bitwarden or Passbolt, custom Discord bots, web servers like Nginx or Apache, and databases like MySQL, PostgreSQL, MongoDB, or Redis.
What is the difference between a VPS and PaaS?
-A VPS provides a virtual machine with full control over the operating system and software, while PaaS (Platform as a Service) offers a platform to deploy applications without managing the underlying infrastructure.
How does one connect to a VPS using SSH?
-One connects to a VPS using SSH by opening a terminal, typing 'ssh' followed by the username and the IP address of the VPS, and then entering the password when prompted.
Why is it recommended to run updates and upgrades immediately after connecting to a new VPS?
-Running updates and upgrades ensures that the VPS is running the latest versions of all packages, which often include security patches and bug fixes, thus making the system more secure.
What is the principle of least privilege and how does it relate to VPS security?
-The principle of least privilege suggests giving a user only the permissions they need to perform their tasks. In the context of VPS security, it means not running all commands as the root user to minimize potential damage from any security breaches.
How can one create a secondary user on a VPS with limited permissions?
-One can create a secondary user with the 'adduser' command and then add this user to the 'sudo' group to grant them the ability to perform superuser actions when necessary, without having root privileges all the time.
Why is it advised to change the default password for the root user on a new VPS?
-Changing the default root password is advised to prevent unauthorized access, as the default password provided by the VPS provider could be known or easily guessed.
What is SSH key-based authentication and how does it enhance security?
-SSH key-based authentication uses a pair of cryptographic keys, a public key and a private key, to authenticate the user to the server without the need for a password. This method enhances security by making it harder for unauthorized users to gain access, even if they know the username.
How can one disable password authentication for SSH on a VPS?
-One can disable password authentication for SSH by editing the 'sshd_config' file, setting 'PasswordAuthentication' to 'no', and then restarting the SSH service.
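A check for this step and for the root-login takeaway above, as an added example that is not from the video. It assumes the Debian/Ubuntu layout in which sshd_config includes the files in sshd_config.d near its top, so drop-ins are read first; the file names and contents below are constructed samples.

```shell
#!/usr/bin/env bash
# Added example: report the value sshd will actually use for a keyword.
# sshd keeps the FIRST value it reads for each keyword, so a drop-in that is
# read before your edit can silently override it.
# On a live host, `sshd -T` (as root) prints the effective configuration.

# Usage: sshd_first_value KEYWORD FILE...   (files in the order sshd reads them)
sshd_first_value() {
  local want
  want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); shift
  awk -F'[ \t=]+' -v want="$want" '
    FNR == 1 { in_match = 0 }                  # new file: leave any Match block
    { sub(/^[ \t]+/, "") }                     # drop leading indentation
    /^#/ || /^$/ { next }                      # comments and blank lines
    tolower($1) == "match" { in_match = 1; next }
    in_match { next }                          # conditional settings: skipped
    tolower($1) == want { print tolower($2); found = 1; exit }
    END { if (!found) print "unset" }
  ' "$@"
}

# Returns 0 only if password logins and root logins are both explicitly "no".
audit_sshd() {
  local rc=0 kw val
  for kw in PasswordAuthentication PermitRootLogin; do
    val=$(sshd_first_value "$kw" "$@")
    if [ "$val" = "no" ]; then echo "ok   $kw=no"; else echo "FAIL $kw=$val"; rc=1; fi
  done
  return $rc
}

# Constructed sample files standing in for /etc/ssh/sshd_config and a drop-in.
make_samples() {
  SAMPLES=$(mktemp -d)
  printf 'PasswordAuthentication yes\n' > "$SAMPLES/50-example.conf"
  printf '#PermitRootLogin prohibit-password\nPermitRootLogin no\nPasswordAuthentication no\n' \
    > "$SAMPLES/sshd_config"
}

make_samples
audit_sshd "$SAMPLES/50-example.conf" "$SAMPLES/sshd_config" || true  # FAIL: drop-in wins
audit_sshd "$SAMPLES/sshd_config"                                     # ok without the drop-in
```
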
What is the purpose of changing the default SSH port on a VPS?
-Changing the default SSH port can help deter automated attacks that target the standard port (22), as it forces potential attackers to discover the new port number before they can attempt to exploit it.
How can one restrict SSH access to specific IP addresses?
-One can restrict SSH access by setting up firewall rules that only allow connections from specified IP addresses, using either the VPS provider's dashboard or command-line tools like 'ufw'.
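The ufw side of this, as an added example that is not from the video: a function that prints the rule set in a safe order (allow rules before the firewall is enabled) and refuses to produce a plan that would lock SSH out. The function name, port and addresses are assumptions chosen for illustration; the addresses are documentation ranges.

```shell
#!/usr/bin/env bash
# Added example: build an ordered ufw plan that limits SSH to known sources.
# It only PRINTS commands; review them, then run them with sudo.

# Usage: ufw_ssh_plan PORT SOURCE...   (SOURCE is an IP address or CIDR range)
ufw_ssh_plan() {
  local port=$1 src
  shift
  # Port must be a number between 1 and 65535.
  case $port in
    ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "bad port: $port" >&2; return 2
  fi
  # Enabling a default-deny firewall with no SSH rule cuts off your own session.
  if [ $# -lt 1 ]; then
    echo "refusing: no allowed source given, this would lock out SSH" >&2
    return 2
  fi
  # Accept only characters that can occur in an IPv4/IPv6 address or CIDR.
  for src in "$@"; do
    case $src in
      ''|*[!0-9a-fA-F.:/]*) echo "bad source: $src" >&2; return 2 ;;
    esac
  done
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  for src in "$@"; do
    echo "ufw allow from $src to any port $port proto tcp"
  done
  echo "ufw --force enable"   # last, so the allow rules already exist
}

ufw_ssh_plan 22 203.0.113.7 198.51.100.0/24
```

After applying the plan, `ufw status numbered` lists the active rules; keep the existing SSH session open until a second login from an allowed address succeeds.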
What is 'unattended-upgrades' and why is it useful for a VPS?
-'unattended-upgrades' is a program that automatically installs security and other updates on a system without user intervention. It is useful for a VPS as it helps keep the system up-to-date with the latest security patches and software updates, reducing the risk of vulnerabilities.
How can one ensure that automatic updates are enabled on a VPS?
-One can ensure automatic updates are enabled by installing the 'unattended-upgrades' package and then running 'dpkg-reconfigure' to enable automatic upgrades through a configuration wizard.