Getting a Hetzner VPS
Getting the VPS
I selected a Hetzner “CAX11” instance (2 vCPUs, 4GB RAM, 40GB SSD, €3.95/mo) running CentOS Stream 10. I chose Nuremberg for the location as this was the closest to me and, all this being an experiment, I chose the cheapest instance type. I knew that CentOS had a reputation for being a boring and stable server OS and so, being relatively uninformed in such matters, it seemed like a reasonable choice. It was also a chance to try out an OS that I was unfamiliar with.
My first attempt to create the server seemed to hang on the creating server step. After waiting more than twenty minutes I decided to give up, delete the server and try again. The second time the server creation completed within two minutes and I was then able to SSH into the server as “root” using the SSH key that I had selected when configuring the instance.
Securing the VPS
- Disabled password authentication for SSH by editing `/etc/ssh/sshd_config` and setting `PasswordAuthentication no`.
- Created a new user `chris` and added it to the `wheel` group
  ```
  useradd -m -G wheel chris
  ```
- Created a password for the new user
  ```
  passwd chris
  ```
- Copied .ssh/authorized_keys from the root user to the new user
  ```
  mkdir /home/chris/.ssh
  cp /root/.ssh/authorized_keys /home/chris/.ssh/
  chown -R chris:chris /home/chris/.ssh
  chmod 700 /home/chris/.ssh
  chmod 600 /home/chris/.ssh/authorized_keys
  ```
- Checked that I could ssh into the server as “chris”
- Checked that I could sudo as “chris”
- Only allow “chris” to SSH into the server by editing `/etc/ssh/sshd_config` and setting `AllowUsers chris`.
- Restarted the SSH service
  ```
  service sshd restart
  ```
- Check that I can still SSH into the server as “chris” and that I cannot SSH in as “root”.
- Install updates
  ```
  sudo dnf update
  ```
- Install `fail2ban`
  ```
  sudo yum install epel-release
  sudo yum install fail2ban
  sudo systemctl enable --now fail2ban
  ```
- Install `ufw`
  ```
  sudo dnf install ufw
  ```
- Check the default policies and ensure SSH is allowed
  ```
  sudo ufw status verbose
  sudo ufw default deny incoming
  sudo ufw allow ssh
  ```
- Enable the firewall
  ```
  sudo ufw enable
  ```
- Check that I can still SSH into the server as “chris”
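
For the two `sshd_config` edits in the list above, an added example (not part of the original post) that checks the settings sshd actually applies, as printed by `sshd -T`. sshd keeps the first value it reads for a keyword, so a file pulled in by an `Include` line above the edit can win over it. The function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# On the server: sudo sshd -T | audit_sshd_effective chris
# Reads `sshd -T`-style lines ("keyword value", lowercase keywords) on stdin.
# $1 = the only account that should be allowed to log in over SSH.
# Returns 0 when both settings match the list above, 1 otherwise.
audit_sshd_effective() {
    awk -v user="$1" '
        { key = tolower($1) }
        key == "passwordauthentication" { pw = tolower($2) }
        key == "allowusers" {
            # sshd -T prints one allowusers line per pattern; accept several per line too
            for (i = 2; i <= NF; i++) allowed[$i] = 1
            n += NF - 1
        }
        END {
            bad = 0
            if (pw == "no") print "ok   passwordauthentication no"
            else { print "FAIL passwordauthentication is \"" pw "\", expected no"; bad = 1 }
            if (n == 1 && (user in allowed)) print "ok   allowusers " user
            else {
                printf "FAIL allowusers should be exactly %s, found:", user
                for (u in allowed) printf " %s", u
                print (n ? "" : " (unset, no per-user restriction)")
                bad = 1
            }
            exit bad
        }'
}

# Constructed sample: effective config after both edits took effect.
sample_hardened() {
    printf '%s\n' 'port 22' 'permitrootlogin without-password' \
        'passwordauthentication no' 'allowusers chris'
}

# Constructed sample: an earlier drop-in set PasswordAuthentication yes,
# so the later edit in sshd_config was ignored.
sample_overridden() {
    printf '%s\n' 'port 22' 'passwordauthentication yes' 'allowusers chris'
}

# Demo on the constructed samples only; nothing here touches the real sshd.
sample_hardened | audit_sshd_effective chris
sample_overridden | audit_sshd_effective chris || echo "-> edit did not take effect"
```

A failing line here means the value in `/etc/ssh/sshd_config` is not the one in force; `sshd -T` needs root because it reads the host keys.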