VPS Setup Guide

This comprehensive guide will walk you through the process of setting up a Virtual Private Server (VPS) from scratch, covering initial access, user management, security measures, and software installation.

Local Creation of an SSH Key Pair

On your local machine, open a terminal and create a new SSH key pair:

ssh-keygen -t rsa -b 4096 -C "vps_setup@example.com" -f ~/.ssh/id_rsa_vps_setup

Add a strong passphrase when prompted. This command sets the file location to ~/.ssh/id_rsa_vps_setup.

Display your public key on terminal and take note of it:

cat ~/.ssh/id_rsa_vps_setup.pub

Remote creation of a VPS with Root Access

The exact setup may vary depending on your VPS provider, but generally:

• Log in to your VPS provider’s control panel, and choose to create a VPS
• Select Ubuntu as the Operating System, and choose your specifications (CPU, RAM, storage)
• In the SSH key section, paste the contents of your public key, in our case: ~/.ssh/id_rsa_vps_setup.pub.
• Give a memorable name to your VPS, e.g. PhantomVPS
• Complete the creation and note down the VPS IP address provided

In this example, I use DigitalOcean to create a VPS with Ubuntu 24.10

Local modification of the Hosts File

To simplify SSH access, update your local ~/.ssh/config file:

Host phantom-root
  HostName 157.245.213.137
  User root
  IdentityFile ~/.ssh/id_rsa_vps_setup

Now you can easily connect to your VPS using the alias phantom-root.

ssh phantom-root

Alternatively, you can use the default connection method. Note the ~/.ssh/config file is still used to specify which public key you use for a given server.

ssh root@<your.vps.address>

For daily operations, avoid using the root user. Files created by root are owned by root, restricting access to others.

Create sudo User for DevOps

To avoid using root, let’s create a sudo-enabled user for DevOps:

Make sure you’re logged in as root, then create the user:

adduser devops
usermod -aG sudo devops
passwd -e devops #force change password at first login

Enable Public Key Authentication for the User

To enable public key authentication for the new user, you can reuse the authorized_keys file from the root user or set up a new public key.

Method 1: Reuse root’s authorized_keys

This method is often used in small teams and test environments. From the VPS as root:

mkdir -p /home/devops/.ssh
cp /root/.ssh/authorized_keys /home/devops/.ssh/
sudo chown -R devops:devops /home/devops/.ssh
sudo chmod 700 /home/devops/.ssh
sudo chmod 600 /home/devops/.ssh/authorized_keys

Here, we login as root, copy the root’s authorized_keys to the new user, and set proper permissions on user ~/.ssh folder and contents.

Method 2: Adding a new public key with ssh-copy-id

If you have the public key for the new user (e.g., id_rsa_devops_vps.pub), you can copy it to the server. From your local terminal:

ssh-copy-id -i /path/to/user/publickey.pub "devops@your_vps_ip -o 'ProxyCommand ssh root@your_vps_ip -W %h:%p'"

This command uses root access to connect and forward the connection to the devops user:

• -i /path/to/user/publickey.pub: Specifies the public key file to copy
• The quoted part creates a ProxyCommand that uses your root access to connect, then forwards the connection to the devops user
• You’ll be prompted for the root password of your VPS.
• After entering the password, the public key will be copied to the /home/devops/.ssh/authorized_keys file.

Test devops user

Log out, then test access with the new user:

Update your ~/.ssh/config file by adding :

Host phantom-devops
    HostName <your.vps.ip.address>
    User devops
    IdentityFile ~/.ssh/id_rsa_vps_setup

Then connect using:

ssh phantom-devops

Here you see at first login you need to change password. Do so, and then re-login, so you can start operations.

If successful, avoid using the root account and switch to devops for all operations.

VSCode remote SSH setup

If you’re using Visual Studio Code for server management, follow these steps to set up Remote SSH:

• Install the “Remote – SSH” extension from microsoft (link)
• Press F1 (or Cmd+Shift+P), type “Remote-SSH: Connect to Host”, and select it
• Enter devops@<your.vps.address> and press enter
• Select the appropriate SSH configuration file if prompted
• VSCode will open in a new window connected to your VPS

You can now explore the filesystem and work on your VPS directly from VSCode

Visual Guide

See the screnshoots below for a quick guide to help you with the process.

Select Remote-SSH

Select Host

Open Terminal, then select Open Folder, and select the user’s home folder

And then you can comfortably operate on your VPS and edit files on your filesystem in a nicely integrated environment 😉

Secure your VPS

Connect to the VPS as the devops user, then apply the following security measures:

Secure SSH

Edit the SSH config file:

sudo nano /etc/ssh/sshd_config

Update the following lines to deny root access and password authentication:

PermitRootLogin no
PasswordAuthentication no

Tips: use Ctrl+W to find specific text in nano; Ctrl+X, followed by Y, to save and exit.

Restart SSH for the changes to take effect:

sudo systemctl restart ssh

After restart, ssh open a new terminal, and verify that you cannot login as root and that you can still login as devops, as in the image below.

Install UFW firewall

UFW (Uncomplicated Firefall) simplifies firewall management on Linux. Start by installing it:

sudo apt update && sudo apt upgrade -y
sudo apt install ufw
sudo ufw allow OpenSSH
sudo ufw enable

Allow or deny specific services:

sudo ufw allow ssh
sudo ufw allow 80 # Allow http 
sudo ufw allow 443 # Allow https
sudo ufw deny 21 # Deny FTP

Check firewall status:

sudo ufw status verbose

Install and configure fail2ban

Fail2Ban protects servers from brute-force attacks by temporarily/permanently banning IP addresses. Install it using:

sudo apt install fail2ban

Configure Fail2Ban settings as needed, then restart the service:

sudo systemctl restart fail2ban

When running, you can check the status and the running jails with the commands below:

# system status
sudo systemctl status fail2ban

# check jails
sudo fail2ban-client status

Install and Configure Software

Node.js (with NVM)

Install NVM (Node Version Manager) to manage multiple Node.js versions:

curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.1/install.sh | bash
source ~/.bashrc
nvm install node

To change Node.js versions:

nvm install <version>
nvm use <version>

See below an example of version change.

Python

Install python

sudo apt install python3 python3-pip

To manage Python versions, consider using pyenv.

Java

Install Java

sudo apt install default-jdk

To manage Java versions, consider using sdkman.

Docker

Docker is a platform for develop, ship and run applications in a container. Here’s how to install it on your VPS:

Update the package index and install prerequisites

sudo apt update
sudo apt install apt-transport-https ca-certificates curl software-properties-common

Add Docker’s official GPG key

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

Set up the stable docker repository

echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Update the package index again and install docker

sudo apt update
sudo apt install docker-ce docker-ce-cli containerd.io

Verify that Docker is installed correctly:

sudo docker run hello-world

(Optional) Add your user to the docker group to run Docker commands without sudo:

sudo usermod -aG docker ${USER}

Note: You’ll need to log out and back in for this change to take effect.

(Options) Configure Docker to start on boot:

sudo systemctl enable docker

Add Helpful DevOps Scripts

I typically have some scripts for helping me in everyday operations. To do so, I create a .dev/ops.sh file, which I source with bashrc.

Create .dev/ops.sh script fileL

mkdir -p ~/.dev
nano ~/.dev/ops.sh

Add the following content

#!/bin/bash

# Aliases
alias ..="cd ../"
alias cl="clear"

# Helpful functions below
info() {
  echo "Running Services"
  systemctl list-units --type=service --state=running | grep -E '(docker|nginx|apache2|mysql|mariadb|postgresql|mongodb|redis)'

  if command -v node &> /dev/null; then
    node --version
  fi
  if command -v python3 &> /dev/null; then
    python3 --version
  fi
  if command -v java &> /dev/null; then
    java -version
  fi
  if command -v ufw &> /dev/null; then
    sudo ufw status verbose
  fi
}

Make the script executable:

chmod +x ~/.dev/ops.sh

Edit your .bashrc to source this script

echo "source ~/.dev/ops.sh" >> ~/.bashrc

Apply changes

source ~/.bashrc

Now you can use the defined aliases and functions to operate on your VPS.