Setup openSUSE VPS - openSUSE Wiki
Connect to your VPS
When you purchase a VPS running openSUSE, you usually get:
- an IP address like 111.111.111.111
- the root password
With them, you can use SSH to access your VPS:
    ssh root@111.111.111.111
Then, you can run commands to set up your server.
System update
A VPS is usually created from the original release image, so it may be missing important security patches. The first thing you should do is update the system and reboot:
    zypper up
    reboot
After reboot, you can connect to your VPS via SSH again.
Create a normal user
Using root is dangerous. You had better create a normal user with sudo permission. Don’t use admin, shop, a nickname or a real name. The user name should be known only to the person who actually uses it.
The following command will create a user named zmvxr and create its home directory:
    useradd -m zmvxr
Set a password for zmvxr:
    passwd zmvxr
Give zmvxr sudo power:
    visudo
You need basic vi knowledge here. Check this tutorial.
Change the following:
    root ALL=(ALL) ALL
To:
    root ALL=(ALL) ALL
    zmvxr ALL=(ALL) ALL
Now you can exit the root session and SSH in as the new user:
    ssh zmvxr@111.111.111.111
SSH configuration
Millions of evil bots are trying to hack your server, 24/7. Usually they try to guess your SSH password. If your root password is your date of birth, your server will be easily hacked. To protect your server, do the following to harden SSH access.
First, exit SSH connection and return to your local shell environment.
Generate yourself an SSH key if you don’t already have one:
    ssh-keygen -b 4096
Copy the public key to your user on the VPS:
    ssh-copy-id zmvxr@111.111.111.111
The next time you SSH in, you won’t need to type the password because your local PC will authenticate with SSH keys. This is much more secure than using a password.
However, hackers can still access your machine if they get the password. Now, let’s disable SSH access with a password.
SSH to your server again. Run the following command to edit your server’s SSH configuration:
    sudo vi /etc/ssh/sshd_config
Change the following line to disable password login:
    PasswordAuthentication no
Also, we would like to forbid SSH connections as the root user:
    PermitRootLogin no
Save the file and restart the SSH service:
    sudo systemctl restart sshd
The SSH connection will be closed and you need to connect again.
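sshd uses the first value it obtains for each keyword, so an earlier line or an included file can leave the old setting in force even after the edit above. The following check is an added example, not part of the original wiki page: it audits the effective configuration as printed by `sshd -T`. The function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the *effective* sshd settings, not the file text.
# Reads "keyword value" lines as printed by `sshd -T` on stdin.
# Exit status 0 = both settings from this page are in force, 1 = not.
audit_sshd() {
    awk '
        # sshd -T prints keywords in lowercase, one per line
        $1 == "passwordauthentication" { pw = $2 }
        $1 == "permitrootlogin"        { root = $2 }
        END {
            bad = 0
            if (pw != "no") {
                print "FAIL passwordauthentication=" (pw == "" ? "(missing)" : pw)
                bad = 1
            }
            if (root != "no") {
                print "FAIL permitrootlogin=" (root == "" ? "(missing)" : root)
                bad = 1
            }
            if (!bad) print "OK password and root logins are disabled"
            exit bad
        }'
}

# Constructed sample input (not captured from a real server).
SAMPLE_HARDENED='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'

SAMPLE_UNCHANGED='port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes'

# On the server: syntax-check first, then audit what sshd will really use.
# Run this before `systemctl restart sshd` and keep the current session open.
audit_live() {
    sudo sshd -t && sudo sshd -T | audit_sshd
}

printf '%s\n' "$SAMPLE_HARDENED"  | audit_sshd
printf '%s\n' "$SAMPLE_UNCHANGED" | audit_sshd || echo "sample 2 is not hardened"
```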
Firewalld configuration
Install firewalld:
    sudo zypper install firewalld
Then enable and start firewalld’s systemd service:
    sudo systemctl enable --now firewalld
Firewalld has several firewall zones for use in different network environments. Usually public is chosen by default, which means that the server is on a public network and is visible to unknown people and devices. Run firewall-cmd --list-all to check which zone is active and which services are enabled.
    localhost:~ # firewall-cmd --list-all
In a zone, you can add services or ports to allow certain connections. For a common web server, we need SSH, HTTP and HTTPS access. To enable these services:
    sudo firewall-cmd --permanent --zone=public --add-service=ssh --add-service=http --add-service=https
Reload firewalld for the changes to take effect:
    sudo firewall-cmd --reload
MariaDB configuration
MariaDB is a compatible implementation of MySQL.
Install:
    sudo zypper in mariadb
Enable and start the service:
    sudo systemctl enable --now mariadb
Run the security setup:
    sudo mysql_secure_installation
Choose Y for all y/n questions, and type a strong password when asked.
Create a new user and a database for it:
    mysql -u root
    > CREATE USER 'mydbuser'@'localhost' IDENTIFIED BY 'xxxxxx';
Reference
NGINX configuration
See NGINX
Get SSL certificates with Certbot
See Certbot