Seems like I’ve been doing this incantation on a number of Virtual Private Servers (VPS) recently so why not document it.
The service provider has a number of choices of stock images to start with and, getting burned by Heartbleed on a Ubuntu 13.04 system that was no longer supported for security fixes, I now stick with the Long Term Support (LTS) flavors. Ubuntu 14.04LTS is not yet supported by my service provider, so the following is for Ubuntu 12.04 LTS but should be pretty universal.
1. Bring installation from VM image up to date with latest fixes and patches on repositories.
# apt-get update # apt-get upgrade
2. Set timezone and setup for tracking a time server.
# dpkg-reconfigure tzdata # apt-get install ntp
3. Use git to track all the configuration files for the server.
# apt-get install git-core # git config --global user.name "My Name" # git config --global user.email "firstname.lastname@example.org" # cd /etc # git init # git add * # git commit -s
Repeat “git init”, “git add *” and “git commit -s” for /usr, /root, and /var (put .gitignore at root of /var to exclude things like /var/log).
4. Setup SSH to use pre-shared keys for authentication and block password based logins
# cd ~ # mkdir -p .ssh # cd .ssh # vi authorized_keys # cd .. # chmod 0700 .ssh # chmod 0640 .ssh/authorized_keys # cd /etc/ssh/ # cp sshd_config sshd_config.1 # vi sshd_config # reload ssh
Contents of authorized keys will be pasted from the public RSA key(s) for the users that are allowed to log in. Contents of /etc/ssh/sshd_config are changed as follows:
Verify that you can log in using a new terminal window before calling the no-password setup complete! You don’t want to be locked out in the cold. (On the other hand at this point it is not too big a deal, just use the provider’s control panel to re-install the image and then start over.)
Basic setup complete!
Time to do specific setup for actual intended use.