chriswheeldon

Getting a Hetzner VPS

Getting the VPS

I selected a Hetzner “CAX11” instance (2 vCPUs, 4GB RAM, 40GB SSD, €3.95/mo) running CentOS Stream 10. I chose Nuremberg for the location as this was the closest to me and, all this being an experiment, I chose the cheapest instance type. I knew that CentOS had a reputation for being a boring and stable server OS and so, being relatively uninformed in such matters, it seemed like a reasonable choice. It was also a chance to try out an OS that I was unfamiliar with.

My first attempt to create the server seemed to hang on the creating server step. After waiting more than twenty minutes I decided to give up, delete the server and try again. The second time the server creation completed within two minutes and I was then able to SSH into the server as “root” using the SSH key that I had selected when configuring the instance.

Securing the VPS

  1. Disabled password authentication for SSH by editing /etc/ssh/sshd_config and setting PasswordAuthentication no.
  2. Created a new user chris and added it to the wheel group:
     useradd -m -G wheel chris
  3. Created a password for the new user:
     passwd chris
  4. Copied .ssh/authorized_keys from the root user to the new user:
     mkdir /home/chris/.ssh
     cp /root/.ssh/authorized_keys /home/chris/.ssh/
     chown -R chris:chris /home/chris/.ssh
     chmod 700 /home/chris/.ssh
     chmod 600 /home/chris/.ssh/authorized_keys
  5. Checked that I could SSH into the server as “chris”.
  6. Checked that I could sudo as “chris”.
  7. Only allowed “chris” to SSH into the server by editing /etc/ssh/sshd_config and setting AllowUsers chris.
  8. Restarted the SSH service:
     service sshd restart
  9. Checked that I could still SSH into the server as “chris” and that I could not SSH in as “root”.
  10. Installed updates:
      sudo dnf update
  11. Installed fail2ban:
      sudo yum install epel-release
      sudo yum install fail2ban
      sudo systemctl enable --now fail2ban
  12. Installed ufw:
      sudo dnf install ufw
  13. Checked the default policies and ensured SSH was allowed:
      sudo ufw status verbose
      sudo ufw default deny incoming
      sudo ufw allow ssh
  14. Enabled the firewall:
      sudo ufw enable
  15. Checked that I could still SSH into the server as “chris”.
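The steps above as a single script is an added example, not part of the original post. It is worth having because of a detail the post's approach glosses over: on CentOS Stream the stock sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for a directive, so if cloud-init or the distro has already dropped a file there that sets PasswordAuthentication, an edit made lower down in sshd_config is silently ignored. The script therefore writes its settings to an early-sorting drop-in, validates the config with sshd -t and prints the effective values with sshd -T before restarting the daemon, and stops firewalld (enabled by default on CentOS Stream) before enabling ufw so the two do not fight over the same nftables rules. The user name is taken from $1 (the post uses chris); the drop-in path 00-hardening.conf is my choice, not anything from the post.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the SSH-hardening and
# firewall steps above as a script, with the config edits checked before
# sshd is restarted. Assumes a systemd host whose sshd_config carries
# "Include /etc/ssh/sshd_config.d/*.conf" (CentOS Stream does), and takes
# the login user name as $1 (the post uses "chris").
set -euo pipefail

# Set one sshd directive in a plain config file: replace an existing
# uncommented line for that key in place, otherwise append it. Commented
# defaults ("#PasswordAuthentication yes") are left untouched.
set_sshd_option() {
  local file="$1" key="$2" value="$3"
  if grep -Eq "^[[:space:]]*${key}[[:space:]]" "$file"; then
    sed -Ei "s|^[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >>"$file"
  fi
}

# Read back a key from a plain config file; the first uncommented match
# wins, which is also sshd's own rule for single-valued directives.
get_sshd_option() {
  local file="$1" key="$2"
  awk -v k="$key" '$1 == k { print $2; exit }' "$file"
}

# Write the hardening settings into their own drop-in. The "00-" prefix
# matters: sshd keeps the first value it reads, and the Include line sits
# at the top of sshd_config, so an early-sorting drop-in wins over both
# later drop-ins (cloud-init or the distro may ship one) and edits made
# in sshd_config itself, which could otherwise be ignored.
write_hardening_dropin() {
  local file="$1" user="$2"
  : >"$file"
  set_sshd_option "$file" PasswordAuthentication no
  set_sshd_option "$file" PermitRootLogin no
  set_sshd_option "$file" AllowUsers "$user"
}

# Steps 2-8 of the post, run as root on the live host.
apply_ssh_hardening() {
  local user="$1" dropin=/etc/ssh/sshd_config.d/00-hardening.conf
  useradd -m -G wheel "$user"
  install -d -m 700 -o "$user" -g "$user" "/home/$user/.ssh"
  install -m 600 -o "$user" -g "$user" /root/.ssh/authorized_keys \
    "/home/$user/.ssh/authorized_keys"
  write_hardening_dropin "$dropin" "$user"
  # Validate the syntax and print the effective values before replacing
  # the running daemon; a lock-out is far cheaper to notice here.
  sshd -t
  sshd -T | grep -Ei '^(passwordauthentication|permitrootlogin|allowusers) '
  systemctl restart sshd
}

# Steps 13-14 of the post. ufw and firewalld both manage nftables rules;
# CentOS Stream enables firewalld by default, so it is stopped first to
# avoid two overlapping rule sets.
apply_firewall() {
  if systemctl is-active --quiet firewalld; then
    systemctl disable --now firewalld
  fi
  ufw default deny incoming
  ufw allow ssh
  ufw --force enable
  ufw status verbose
}

# Only acts when given a user name and run as root; sourcing the file
# elsewhere just defines the functions.
if [ -n "${1:-}" ] && [ "$(id -u)" -eq 0 ]; then
  apply_ssh_hardening "$1"
  apply_firewall
fi
```

Run it as root with the user name as the only argument, from a second SSH session kept open until the final "SSH in as the new user" check succeeds; the sshd -T output is the line to read, since it shows what the daemon will actually enforce regardless of which file set it.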