Setup openSUSE VPS

Jump to: navigation, search

Connect to your VPS

When you purchase a VPS running openSUSE, you usually get:

  1. an IP address like
  2. the root password

With them, you can use SSH to access your VPS:

ssh root@

Then, you can run commands to setup your server.

System update

VPS are usually created with the original release image. This means your VPS may miss some important security patches. So the first thing you should do is to update the system and reboot:

zypper up

After reboot, you can connect to your VPS via SSH again.

Create a normal user

Using root is dangerous. You better create a normal user with sudo permission. Don't use admin, shop, a nick name or a real name. It should only be known by the person actually use it.

The following command will create a user named zmvxr and create its home directory:

useradd -m zmvxr

Set a passowrd for zmvxr:

passwd zmvxr

Give zmvxr sudo power:

You need basic vi knowledge here. Check this tutorial.

Change the following:

root ALL=(ALL) ALL


root ALL=(ALL) ALL
zmvxr ALL=(ALL) ALL

Now you can exit root and ssh with new user:

ssh zmvxr@

SSH configuration

Here are millions of evil bots are trying to hack your server, 24/7. Usually they will guess your SSH password. If your root's password is your date of birth, your server will be easily hacked. To protect your server, you need to do the following to harden SSH access.

First, exit SSH connection and return to your local shell environment.

Generate yourself a SSH key if you don't already have one:

ssh-keygen -b 4096

Copy the public key to your user on VPS

ssh-copy-id zmxvr@

Next time when you SSH, you won't need to type the password because your local PC will authenticate with SSH keys. It is a much more secure way than using a password.

However, hackers still access your machine if they got the password. Now, let's disable SSH access with password.

SSH to your server again. Run the following command to edit your server's SSH configuration:

sudo vi /etc/ssh/sshd_config

Change the following line to disable password login:

PasswordAuthentication no

Also, we would like to forbid SSH connection as root user:

PermitRootLogin no

Save the file and restart SSH service:

sudo systemctl restart sshd

The SSH connection will be closed and you need to connect again.

Firewalld configuration

Install firewalld:

sudo zypper install firewalld

Then start firewalld's systemd service:

sudo systemctl enable firewalld
sudo systemctl start firewalld

Firewalld has several different firewall zones/areas, to be used in different network environment. Usually public is chosen by default, which means that the server is in public network and is visible to unknown people and devices. Run firewall-cmd --list-all to check which zone is active and what services are enabled.

localhost:~ # firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  services: dhcpv6-client ssh
  forward: no
  masquerade: no
  rich rules:

In a zone, you can add services or ports to allow certain connections. For a common web server, we need SSH, HTTP and HTTPS access. To enable these services:

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --permanent --zone=public --add-service=ssh

Reload firewalld to take effects:

sudo firewall-cmd --reload

MariaDB configuration

MariaDB is a compatible implementation of MySQL.


sudo zypper in mariadb

Start service:

sudo systemctl enable mariadb
sudo systemctl start mariadb

Run security setup:

sudo mysql_secure_installation

Choose Y for all y/n questions. And type a strong password when asked.

Create a new user and a database for it:

mysql -u root
> CREATE USER 'mydbuser'@'localhost' IDENTIFIED BY 'xxxxxx';
> GRANT ALL PRIVILEGES ON mydb.* TO 'mydbuser'@'localhost';
> exit

NGINX configuration


Get SSL certificates with Certbot

See Certbot

External links

1. How to Secure Your Server