Setup openSUSE VPS
Connect to your VPS
When you purchase a VPS running openSUSE, you usually get:
- an IP address like 126.96.36.199
- the root password
With them, you can use SSH to access your VPS:
Then, you can run commands to set up your server.
VPSes are usually created from the original release image, which means your VPS may be missing important security patches. So the first thing you should do is update the system and reboot:
zypper up
reboot
After reboot, you can connect to your VPS via SSH again.
Create a normal user
Using root is dangerous. You had better create a normal user with sudo permission. Don't use admin, shop, a nickname or a real name; the username should only be known to the person who actually uses it.
The following command will create a user named zmvxr and create its home directory:
useradd -m zmvxr
Set a password for zmvxr:
Give zmvxr sudo power:
Change the following:
root ALL=(ALL) ALL
to:
root ALL=(ALL) ALL
zmvxr ALL=(ALL) ALL
Now you can exit root and SSH in as the new user:
There are millions of evil bots trying to hack your server, 24/7. Usually they will guess your SSH password. If your root password is your date of birth, your server will be hacked easily. To protect your server, do the following to harden SSH access.
First, exit SSH connection and return to your local shell environment.
Generate yourself an SSH key if you don't already have one:
ssh-keygen -b 4096
Copy the public key to your user on the VPS:
Next time you SSH in, you won't need to type the password, because your local PC will authenticate with the SSH key. This is much more secure than using a password.
However, attackers can still access your machine if they get the password. Now, let's disable SSH access with a password.
SSH to your server again. Run the following command to edit your server's SSH configuration:
sudo vi /etc/ssh/sshd_config
Change the following line to disable password login:
Also, we want to forbid SSH connections as the root user:
Save the file and restart SSH service:
sudo systemctl restart sshd
The SSH connection will be closed and you need to connect again.
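Before restarting sshd it is worth confirming that the two directives actually took effect: sshd honours the first occurrence of a keyword, so a stale or duplicated line higher up in the file silently wins over the one you just edited. The following POSIX shell audit is an added example and not part of the original tutorial; the function names and the constructed sample config in its demo are assumptions of this example. It reads only the single file you pass, so if your openSUSE release pulls in drop-in files from /etc/ssh/sshd_config.d/ via an Include line, run it against those files as well.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit an sshd_config for the two
# hardening directives the text asks you to set. sshd honours the FIRST
# occurrence of a keyword, so a stray earlier line silently wins over a
# later correct one; this reports the effective value the same way.

# sshd_effective FILE KEYWORD -> effective value (lowercased), or "unset"
sshd_effective() {
    awk -v key="$2" '
        /^[ \t]*$/ { next }                 # blank line
        /^[ \t]*#/ { next }                 # comment
        tolower($1) == "match" { exit }     # Match blocks are conditional, stop
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# check_sshd_hardening FILE -> 0 only if PasswordAuthentication and
# PermitRootLogin are both effectively "no"
check_sshd_hardening() {
    file=${1:-/etc/ssh/sshd_config}
    rc=0
    pw=$(sshd_effective "$file" PasswordAuthentication)
    root=$(sshd_effective "$file" PermitRootLogin)
    if [ "$pw" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '$pw' (want no)"; rc=1
    fi
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '$root' (want no)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $file disables password and root logins"
    return "$rc"
}

# demo: run the audit on a constructed (hypothetical) config that has a
# stale "PasswordAuthentication yes" above the corrected line
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample sshd_config
PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin no
EOF
    check_sshd_hardening "$tmp"   # reports FAIL for PasswordAuthentication
    rm -f "$tmp"
}

# Usage: sh sshd-audit.sh demo            (constructed sample above)
#        sh sshd-audit.sh /etc/ssh/sshd_config
# Validate syntax before restarting, so a typo cannot lock you out:
#   sudo sshd -t && sudo systemctl restart sshd
case "${1:-}" in
    demo) demo ;;
    "") ;;
    *) check_sshd_hardening "$1" ;;
esac
```

Keep your current SSH session open and test a fresh key-based login from a second terminal after the restart; if the new login fails, the still-open session lets you revert the change instead of being locked out.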
sudo zypper install firewalld
Then start firewalld's systemd service:
sudo systemctl enable firewalld
sudo systemctl start firewalld
Firewalld has several firewall zones, meant for different network environments. Usually public is chosen by default, which means the server is on a public network and is visible to unknown people and devices. Run firewall-cmd --list-all to check which zone is active and what services are enabled:
localhost:~ # firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
In a zone, you can add services or ports to allow certain connections. For a common web server, we need SSH, HTTP and HTTPS access. To enable these services:
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --permanent --zone=public --add-service=ssh
Reload firewalld for the changes to take effect:
sudo firewall-cmd --reload
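After the reload, the zone listing should show exactly the services a web server needs and nothing else. The script below is an added example, not part of the tutorial: it parses the output format of firewall-cmd --list-all shown above and warns about any extra service or raw port in the zone. The function names and the constructed listing in its demo (with a hypothetical leaked mysql service and 3306/tcp port) are assumptions of this example; on a real host, feed it the saved output of sudo firewall-cmd --list-all.

```shell
#!/bin/sh
# Added example (not from the tutorial): parse the output of
# `firewall-cmd --list-all` and flag anything exposed in the active zone
# beyond what a plain web server needs (ssh, http, https, dhcpv6-client).

# zone_field FILE KEY -> the value part of the "KEY:" line (e.g. services, ports)
zone_field() {
    awk -v key="$2:" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# unexpected_services FILE ALLOWED... -> services in the zone that are not allowed
unexpected_services() {
    file=$1; shift
    allowed=" $* "
    for svc in $(zone_field "$file" services); do
        case "$allowed" in
            *" $svc "*) ;;
            *) echo "$svc" ;;
        esac
    done
}

# check_web_zone FILE -> 0 only if no extra services and no raw ports are open
check_web_zone() {
    rc=0
    extra=$(unexpected_services "$1" ssh http https dhcpv6-client)
    ports=$(zone_field "$1" ports)
    if [ -n "$extra" ]; then
        echo "WARN: unexpected services exposed:" $extra; rc=1
    fi
    if [ -n "$ports" ]; then
        echo "WARN: raw ports opened: $ports"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: only ssh/http/https/dhcpv6-client are reachable"
    return "$rc"
}

# demo: a constructed zone listing where a database service and port
# have leaked into the public zone (hypothetical, not a real host)
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http https mysql ssh
  ports: 3306/tcp
  protocols:
  forward: no
  masquerade: no
EOF
    check_web_zone "$tmp"   # WARN on mysql and 3306/tcp
    rm -f "$tmp"
}

# Usage: sh fw-audit.sh demo
#        sudo firewall-cmd --list-all > /tmp/zone.txt; sh fw-audit.sh /tmp/zone.txt
case "${1:-}" in
    demo) demo ;;
    "") ;;
    *) check_web_zone "$1" ;;
esac
```

The database set up later in this guide only needs to be reachable from localhost, so its service or port should never appear in the public zone; the check treats any such entry as a warning.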
MariaDB is a compatible implementation of MySQL.
sudo zypper in mariadb
sudo systemctl enable mariadb
sudo systemctl start mariadb
Run security setup:
Answer Y to all y/n questions, and type a strong password when asked.
Create a new user and a database for it:
mysql -u root
> CREATE USER 'mydbuser'@'localhost' IDENTIFIED BY 'xxxxxx';
> CREATE DATABASE mydb;
> GRANT ALL PRIVILEGES ON mydb.* TO 'mydbuser'@'localhost';
> exit
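Two details of that session matter for security: the account is bound to 'localhost', so it cannot be used over the network, and 'xxxxxx' stands for a real password that should be long and random. The script below is an added example, not part of the tutorial: it generates such a password and emits the same statements as a file you can pipe into mysql -u root, restricting the database and user names to [A-Za-z0-9_] because they are interpolated into SQL. The function names are assumptions of this example; it assumes a current MariaDB (the IF NOT EXISTS forms) and uses the tutorial's mydb/mydbuser names in its demo.

```shell
#!/bin/sh
# Added example (not from the tutorial): generate the SQL for a
# least-privilege MariaDB application user with a random password,
# bound to localhost like the tutorial's 'mydbuser'.

# random_password [LEN] -> LEN (default 24) alphanumeric chars from /dev/urandom
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-24}"
}

# app_user_sql DBNAME USER PASSWORD -> statements to feed to `mysql -u root`
app_user_sql() {
    db=$1; user=$2; pass=$3
    # Only [A-Za-z0-9_] names: they are interpolated into the SQL below.
    case "$db$user" in
        *[!A-Za-z0-9_]*) echo "refusing db/user name with special characters" >&2; return 1 ;;
    esac
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\`;
CREATE USER IF NOT EXISTS '$user'@'localhost' IDENTIFIED BY '$pass';
GRANT ALL PRIVILEGES ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# demo: print the statements for the tutorial's names with a fresh password
demo() {
    app_user_sql mydb mydbuser "$(random_password 24)"
}

# Usage: sh db-user.sh demo
# On the server, keep the generated file root-only and pipe it in:
#   sh db-user.sh demo > /root/mydb-user.sql && chmod 600 /root/mydb-user.sql
#   sudo mysql -u root < /root/mydb-user.sql
if [ "${1:-}" = demo ]; then demo; fi
```

The generated password is alphanumeric on purpose: it never needs quoting or escaping inside the SQL or in an application's config file, and 24 such characters give well over 128 bits of entropy.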
Get SSL certificates with Certbot