Setup openSUSE VPS
Connect to your VPS
When you purchase a VPS running openSUSE, you usually get:
- an IP address like 111.111.111.111
- the root password
With them, you can use SSH to access your VPS:
ssh root@111.111.111.111
Then you can run commands to set up your server.
System update
A VPS is usually created from the original release image, so it may be missing important security patches. The first thing to do is update the system and reboot, so that the patched kernel and libraries are actually the ones running:
zypper up
reboot
(zypper patch installs only the pending patches, including the security fixes, if you prefer not to update every package.)
After reboot, you can connect to your VPS via SSH again.
Create a normal user
Working as root all the time is dangerous. Create a normal user with sudo permission instead. Don't name it admin, shop, a nickname or a real name: the username should be known only to the person who actually uses it, so that an attacker has to guess it as well as the password.
The following command will create a user named zmvxr and create its home directory:
useradd -m zmvxr
Set a password for zmvxr:
passwd zmvxr
Give zmvxr sudo power:
visudo
Change the following:
root ALL=(ALL) ALL
To:
root ALL=(ALL) ALL
zmvxr ALL=(ALL) ALL
visudo checks the syntax before saving, so a typo cannot lock you out of sudo. Also look for openSUSE's stock lines Defaults targetpw and ALL ALL=(ALL) ALL, which together let any local account run sudo with the root password; if they are present, comment them out so that sudo asks for zmvxr's own password instead.
Now log out of root and SSH in as the new user:
ssh zmvxr@111.111.111.111
SSH configuration
There are countless bots trying to break into servers 24/7, and most of them simply guess SSH passwords. If your root password is your date of birth, your server will be compromised in no time. To protect it, harden SSH access as follows.
First, exit SSH connection and return to your local shell environment.
Generate an SSH key pair on your local machine if you don't already have one (ed25519 is the modern default; use -t rsa -b 4096 only if the server's OpenSSH is too old to support it):
ssh-keygen -t ed25519
Copy the public key to your user on VPS
ssh-copy-id zmvxr@111.111.111.111
Next time you SSH in, you won't be asked for the password: your local machine authenticates with the private key, which is far more secure than a password that can be guessed. Only the .pub file goes to the server; the private key stays on your machine.
However, as long as password login stays enabled, an attacker who guesses or obtains the password can still get in. So disable SSH password authentication.
SSH to your server again. Run the following command to edit your server's SSH configuration:
sudo vi /etc/ssh/sshd_config
Change the following line to disable password login (uncomment it if it starts with #, and make sure no earlier line or included drop-in sets it to yes, because sshd uses the first value it finds for each directive):
PasswordAuthentication no
Also forbid SSH login as root, since root is now only needed locally through sudo:
PermitRootLogin no
Save the file, check the syntax, and restart the SSH service:
sudo sshd -t
sudo systemctl restart sshd
Keep this session open and, from a second terminal, confirm that ssh zmvxr@111.111.111.111 still works with your key and that ssh -o PubkeyAuthentication=no zmvxr@111.111.111.111 is refused, before you log out. If the restart drops your connection, reconnect with the key.
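The following script is added here as an example and is not part of the original page. It applies the two sshd_config changes above to a copy of the file, and shows which value sshd would then resolve, taking into account that sshd honours the first occurrence of a directive. It goes slightly beyond the page by also pinning PubkeyAuthentication and KbdInteractiveAuthentication. The sample config embedded in it is constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original page): apply the sshd hardening to a
# file and show which value sshd would actually use afterwards. Everything
# works on a copy of the file, so it can be tried safely before touching
# /etc/ssh/sshd_config.
set -eu

# The directives this page asks for, plus PubkeyAuthentication so that key
# login is explicitly on and KbdInteractiveAuthentication so that the
# keyboard-interactive path cannot become a second way to type a password.
HARDENED='PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
KbdInteractiveAuthentication no'

# harden_sshd_config FILE
# sshd takes the FIRST value it sees for a directive, so an earlier
# "PasswordAuthentication yes" (or one pulled in by an Include line) would
# silently win over a value appended at the bottom. This therefore writes the
# hardened directives at the very top and comments out every live line that
# sets one of them further down. Already-commented lines are left alone.
harden_sshd_config() {
    file=$1
    tmp=$(mktemp)
    printf '%s\n' "$HARDENED" | awk '
        # first input (stdin): the hardened directives, emitted first so they win
        NR == FNR { split($0, kv, " "); want[tolower(kv[1])] = 1; print; next }
        # second input: the existing config; neutralise live lines for those keys
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line !~ /^#/ && line != "") {
                split(line, kv, /[ \t=]+/)      # accept "Key value" and "Key=value"
                if (tolower(kv[1]) in want) { print "#" $0; next }
            }
            print
        }
    ' - "$file" > "$tmp"
    cat "$tmp" > "$file"   # overwrite in place, keeping the file mode and owner
    rm -f "$tmp"
}

# effective_value FILE KEY
# Prints the value sshd would resolve for KEY from FILE alone: the first
# uncommented occurrence, matched case-insensitively. Prints nothing if the
# directive is not set anywhere in the file.
effective_value() {
    awk -v k="$2" '
        BEGIN { k = tolower(k) }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^#/ || line == "") next
            split(line, kv, /[ \t=]+/)
            if (tolower(kv[1]) == k) { print kv[2]; exit }
        }
    ' "$1"
}

# On the real server, run this as root after editing: sshd -t refuses a broken
# file, and sshd -T prints the merged, resolved configuration, which is the
# only reliable way to see what Include drop-ins did to your settings.
verify_live_sshd() {
    sshd -t && sshd -T | grep -iE '^(passwordauthentication|permitrootlogin|pubkeyauthentication|kbdinteractiveauthentication) '
}

# Constructed sample of a stock config (not copied from any real host). Note the
# live "PasswordAuthentication yes" and the commented PermitRootLogin default.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PasswordAuthentication yes
#PubkeyAuthentication yes
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
    harden_sshd_config "$f"
    printf 'PasswordAuthentication=%s PermitRootLogin=%s\n' \
        "$(effective_value "$f" PasswordAuthentication)" \
        "$(effective_value "$f" PermitRootLogin)"
    rm -f "$f"
}

demo
```

effective_value only looks at one file; on a server whose sshd_config has an Include line, the drop-ins it pulls in are what verify_live_sshd (sshd -T) accounts for, so run that as root before trusting the result.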
Firewalld configuration
Install firewalld:
sudo zypper install firewalld
Then start firewalld's systemd service:
sudo systemctl enable firewalld
sudo systemctl start firewalld
Firewalld groups network interfaces into zones, each with its own rules, for use in different network environments. A VPS normally ends up in the public zone, which assumes the network is untrusted and lets in only the services explicitly listed. Run
sudo firewall-cmd --list-all
to check which zone is active and which services are allowed. On a fresh install it looks like this:
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
In a zone, you can add services or ports to allow certain connections. For a common web server, we need SSH, HTTP and HTTPS. To enable these services (ssh is already allowed by default, so adding it again is harmless, but never remove it on a remote server):
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --permanent --zone=public --add-service=ssh
Reload firewalld to take effects:
sudo firewall-cmd --reload
MariaDB configuration
MariaDB is a community fork of MySQL and a drop-in replacement for it; the mysql client and the commands below work unchanged.
Install:
sudo zypper in mariadb
Start service:
sudo systemctl enable mariadb
sudo systemctl start mariadb
Run security setup:
sudo mysql_secure_installation
Answer Y to all yes/no questions (remove anonymous users, disallow remote root login, remove the test database, reload the privilege tables) and set a strong root password when asked.
Create a new user and a database for it (replace xxxxxx with a strong password; granting on mydb.* only keeps the application account away from other databases):
sudo mysql -u root -p
> CREATE USER 'mydbuser'@'localhost' IDENTIFIED BY 'xxxxxx';
> CREATE DATABASE mydb;
> GRANT ALL PRIVILEGES ON mydb.* TO 'mydbuser'@'localhost';
> exit
NGINX configuration
See NGINX
Get SSL certificates with Certbot
See Certbot