2022-11-25
I looked around for something local to me, and found Linode does a $5USD/month Shared CPU 1GB RAM VPS.
I made an account unfortunately before realising I should have used the link from Late Night Linux so I didn't get the $100 credit, assuming it's still a thing. No matter though, as I was only going to use $5 of it.
Do give them a listen, if Linux podcasts are your thing.
So, I created my account and added a credit card. Once logged in, after verifying email etc., I went to "Linodes" on the left menu and then *Create Linode*
This brings up a new page where you select what you want:
- Choose Distribution: Debian 11
- Linode Plan: The second tab along is Shared CPU, which are super cheap. Nanode 1GB is a great start for trying this out and is what I use with multiple users.
- Linode Label: Give your server a name for the Admin Panel in Linode. I entered the domain I will be using, to make it obvious for myself if I end up with more than one.
- Root Password: make a password for root user. I generate long strings in KeepassXC and save there.
- SSH Keys: I am on a Windows machine, however this is pretty simple. See below
- Attach a VLAN: leave, not needed
- Add-ons: Backups would be a smart idea.
Check the summary of your Linode, then click *Create Linode*
Create Linode Summary screenshot
I should have done this sooner to allow time for DNS propagation - which is why I am suggesting you do it now.
Go into the DNS settings of your domain provider, and create a new A-Record.
The entry you need to put in will be the IPv4 address of your shiny new Linode VPS. You can see this by going to cloud.linode.com
You can also do the same for IPv6 using the AAAA-Record IP which you can get by clicking into the VPS to show more info.
---
Open start menu, then type `cmd`
Run `ssh-keygen` and give the output file a memorable name if needed (Or just *Enter* to use the default of id_rsa)
![screenshot showing the process described above](/cmd_sshkeygen.jpg)
This will output the public and private keys to a folder on Windows at `C:\Users\<username>\.ssh`
This will show a bunch of files. `id_rsa.pub` is the one we want to upload to Linode. Or `whatever-you-named-it.pub`
![screenshot of the folder containing id_rsa.pub and a couple of other files](/id_rsa.jpg)
---
```
ssh root@server.ip
```
The first time you connect it will ask if you're sure, then store the fingerprint of the server so it knows you are always connecting to the same server. It does not ask for a password, as it uses the ssh key we uploaded when creating the server.
Once in, you can update the software package repositories
```
apt update
```
And then upgrade the system
```
apt full-upgrade -y
```
---
Optional, but recommended.
This can be done later if need be... but you should really just do it now and get it out of the way.
...so that multiple failed logins lock that IP out.
Make sure system is updated, then install:
```
apt install fail2ban
```
Then start the service
```
systemctl start fail2ban
```
And enable the service to run at startup, so it comes back up when rebooting
```
systemctl enable fail2ban
```
This is so if someone manages to get into your server, they do not have root. Also the port being a non-standard port for ssh means the likelihood of that actually happening is lower. If you like, it may be a good idea to do a manual snapshot in cloud.linode.com in case you screw up and can't log in.
Do all of the following while logged in as root.
Create a new user, where `<user>` is a username of your choosing:
```
adduser <user>
```
Set a long password - ideally using a password manager to create a random string or phrase so it can't be easily worked out or guessed. You can leave the other entries blank and just *Enter* through them (Name, Room, etc).
You then need to add your public ssh key from earlier, to the user you just created.
```
mkdir /home/<user>/.ssh
chmod 700 /home/<user>/.ssh
cp /root/.ssh/authorized_keys /home/<user>/.ssh/authorized_keys
chmod 600 /home/<user>/.ssh/authorized_keys
chown -R <user>:<user> /home/<user>/.ssh
```
Now edit the ssh config
```
nano /etc/ssh/sshd_config
```
Where it says `#Port 22` insert another line above or below saying `Port 55555` (or whatever port you want to use)
Down a bit further in the config it says `PermitRootLogin` change the `yes` to `no`
Then add `AllowUsers <user>` at the top or bottom of that block - or anywhere. The end... or wherever.
Then do the following to restart the ssh service and apply the settings.
```
systemctl restart sshd
```
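A way to confirm that sshd will actually use the three settings changed above, ideally before the restart and before the root session is closed. This is an added example, not part of the original guide: it checks text in the format printed by `sshd -T`. Port 55555 and the user name `alice` are placeholders, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide).
# check_sshd_effective PORT USER
# Reads effective sshd settings on stdin, in the format `sshd -T` prints
# (lowercase keyword, then value). Prints one FAIL line per problem and
# returns 0 only when the three changes from this guide are in effect.
check_sshd_effective() {
    awk -v port="$1" -v user="$2" '
        $1 == "port"            { ports[$2] = 1 }
        $1 == "permitrootlogin" { root = $2 }
        $1 == "allowusers"      { for (i = 2; i <= NF; i++) allowed[$i] = 1 }
        END {
            bad = 0
            if (!(port in ports))   { print "FAIL: not listening on port " port; bad = 1 }
            if (port != "22" && ("22" in ports)) { print "FAIL: port 22 is still enabled"; bad = 1 }
            if (root != "no")       { print "FAIL: permitrootlogin is \"" root "\", expected \"no\""; bad = 1 }
            if (!(user in allowed)) { print "FAIL: allowusers does not list " user; bad = 1 }
            exit bad
        }'
}

# Constructed sample: the relevant lines after following the steps above.
SAMPLE_HARDENED='port 55555
permitrootlogin no
allowusers alice'

# Constructed sample: the edits were not picked up (for example the new
# Port line was left commented out).
SAMPLE_UNCHANGED='port 22
permitrootlogin yes'

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_HARDENED"  | check_sshd_effective 55555 alice && echo "hardened sample: OK"
printf '%s\n' "$SAMPLE_UNCHANGED" | check_sshd_effective 55555 alice || echo "unchanged sample: do not close the root session"

# On the server, as root, before `systemctl restart sshd`:
#   sshd -t && sshd -T | check_sshd_effective 55555 <user>
```

`sshd -t` only checks that the file parses; `sshd -T` prints the values sshd ends up with after includes and defaults are applied, which is what the function inspects.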
Leave the current session open, and start another terminal on your machine (eg. another cmd.exe) and attempt to login as described below before you close the other one - this is so you can rectify any mistakes if it does not work.
Open cmd.exe or PowerShell (assuming Windows), and enter the following substituting port/username/IP to suit:
```
ssh -p 55555 <user>@server.ip
```
Then once in, drop to root using `su -` and enter the root password. (and no, the cursor does not move when entering passwords)
I currently manually do this every week(ish) to make sure I have security updates etc for my system. I really need to automate it with cron probably. I will update here when I get around to it...