In the following I describe a first setup of a Debian VPS with SSH access as an FTP and web server for a single website built with WordPress. I assume you have booked a VPS and a domain at a provider of your choice and therefore have a root login via SSH into your server. Since you administer your VPS with shell commands, I suggest avoiding a graphical interface completely and using only the command line. There are many other tutorials on the internet on how to set up a VPS, sometimes differing a bit depending on the provider.
SSH Access
The first thing you should do is to change the SSH login and the SSH port number. If necessary, see the man pages of the commands used with man "command".
1) Log in to your VPS as root (ssh root@your_vps_ip with your VPS password) and create the user account that you will use from now on (command useradd). Choose a username that cannot easily be guessed and, of course, a strong password (16 mixed characters or more). Also change your initial root password to a strong one.
2) Create an SSH key pair in your local account at home with the command ssh-keygen and transfer your public key to your server with ssh-copy-id.
Detailed instructions can be found on www.ssh.com. Choose a strong passphrase. Save your passphrase locally if necessary, so that you do not forget it.
3) As root, edit /etc/ssh/sshd_config with nano: disable port 22 by commenting it out (#Port 22), enable another port for SSH, e.g. Port 987, and set PermitRootLogin no as well as PasswordAuthentication no.
Save and exit (nano: ^o, Enter, ^x).
4) Add the created user to the groups sudo and www-data, if the web server apache2 is installed (see Add a user to a group).
5) Restart SSH with systemctl restart ssh and check it with systemctl status ssh.
6) If the firewall ufw is not yet installed, run apt install ufw as root. Allow the new SSH port from before: sudo ufw allow in to any port "port_number" proto tcp
Reload the firewall with sudo ufw reload. If you feel unsure, keep the SSH port 22 open until you have tested the new configuration, but disable it as soon as possible: show the current rules with sudo ufw status numbered and delete the rule for port 22 with sudo ufw delete "rule_number", since you will observe hundreds of attacks against it within a short time (see sudo lastb).
7) Exit and log in again with ssh username@your_server_ip -p port_number as configured before. Your passphrase is requested when you make your first SSH connection, so remember it.
Remark: Sometimes (I had it after cloning my system) a window pops up asking you to unlock the keyring for your secret in ~/.ssh/id_rsa.
Unfortunately, a password is required there. Your login password does not work, and you get the same window again. What worked for me:
Do not provide your login password, but the passphrase of your id_rsa in SSH. I also once had (apparently among many others) the problem that "ssh-agent refused operation" or ssh-add had no identity. What helped in that case: in a terminal, a) eval $(ssh-agent -s) and b) ssh-add, after renaming the files ~/.ssh/ssa_host_ecdsa_key and ssa_host_ed25519_key without _key in the filename, and c) provide a ~/.ssh/config file as downloadable here. After all this, reboot or log out and in again. Then your passphrase should be required once and never again from then on. I hope that helps, as it did in my system. If not, check the man page of ssh-add (man ssh-add).
8) When logged in as the user, enter su for work as root and type your root password on request. Alternatively, use sudo commands as the user with your user password. You will notice that several commands work only as sudo "command".
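The edits of step 3 are easy to get wrong by hand, and a mistake in sshd_config can lock you out. The following script is an added example (it is not part of this tutorial): it applies the three changes to a config file given as argument and then shows the value sshd will actually use for each keyword. It assumes a Debian-style sshd_config with "Key value" lines and uses the example port 987 from the text; the file name and function names are my own choice.

```shell
#!/bin/sh
# Added example, not from the original tutorial: apply the sshd_config changes of step 3
# to the file given as argument and show the values sshd will actually use.
# Assumptions: Debian-style sshd_config with "Key value" syntax (not Key=value);
# 987 is the example port from the text.
set -eu

# sshd uses the FIRST occurrence of each keyword, so the new line is put at the top of
# the file (ahead of any "Include" or "Match" block) and older active lines of the same
# keyword are commented out. Already commented lines (e.g. "#Port 22") are left alone.
set_directive() {               # set_directive <file> <key> <value>
    file=$1; key=$2; value=$3
    { printf '%s %s\n' "$key" "$value"
      sed "s/^[[:space:]]*\(${key}[[:space:]].*\)$/#\1/" "$file"; } > "$file.tmp"
    mv "$file.tmp" "$file"
}

harden_sshd_config() {          # harden_sshd_config <file> <port>
    cp "$1" "$1.bak"            # keep a copy to roll back from a still-open session
    set_directive "$1" Port "$2"
    set_directive "$1" PermitRootLogin no
    set_directive "$1" PasswordAuthentication no
}

# Value sshd will apply: the first uncommented occurrence of the keyword.
effective_value() {             # effective_value <file> <key>
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

if [ $# -ge 2 ]; then           # usage: sh harden_sshd.sh /etc/ssh/sshd_config 987
    harden_sshd_config "$1" "$2"
    for k in Port PermitRootLogin PasswordAuthentication; do
        printf '%-22s %s\n' "$k" "$(effective_value "$1" "$k")"
    done
fi
```

Run it as root on /etc/ssh/sshd_config, then check the syntax with sshd -t before systemctl restart ssh, and keep your current root session open until a second login on the new port with the key has succeeded; the .bak copy lets you restore the old file from that session if something went wrong.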
Firewall
Allow your SSH port (example 987 from above) and later the FTP ports 20, 21 and 10000:10100 only for selected IP addresses, e.g. here for 188.24.10.10 by
sudo ufw allow from 188.24.10.10 to any port 20,21,987,10000:10100 proto tcp comment guest-domain
Don't use blanks between the port numbers. If your guest domain has a dynamic IP address and a DynDNS domain (as mine at home), you must update the firewall rule on your server when the IP changes. You can do this with a script ufw-ddns-update.sh. Test it manually first and, if it works, insert it suitably into your /etc/crontab. Then restart cron with systemctl restart cron. (The script assumes that the guest domain is also in your /etc/hosts file and updates it there too.)
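As an added example of what such an update script can look like (this is my own sketch, not the ufw-ddns-update.sh linked above): it resolves the DynDNS name, compares the address with the one remembered from the last run, and only when it changed deletes the old ufw rule, adds the new one with the ports from the rule above, and rewrites the entry in /etc/hosts. The host name guest.example.org, the state file path and the variable names are assumptions; UFW_CMD and HOSTS_FILE can be overridden so the logic can be tried without root. Deleting a rule by its full specification, including the comment, is assumed to match the rule added earlier.

```shell
#!/bin/sh
# Added example, not the tutorial's own ufw-ddns-update.sh: refresh the ufw rule for a
# DynDNS guest host when its address changes and keep /etc/hosts in sync.
# Assumed: GUEST_HOST, the STATE_FILE location; the ports are those of the rule above.
set -u

GUEST_HOST="${GUEST_HOST:-guest.example.org}"       # assumed DynDNS name of the guest
PORTS="20,21,987,10000:10100"                        # FTP + SSH ports from the page
STATE_FILE="${STATE_FILE:-/var/lib/ufw-ddns/${GUEST_HOST}.ip}"
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
UFW_CMD="${UFW_CMD:-ufw}"                            # run from /etc/crontab as root

# Current IPv4 address of a host (first A record only; empty if resolution fails).
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1; exit }'
}

# Accept only a dotted quad so a broken DNS answer never ends up in a firewall rule.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Replace the address of the "<ip> <host>" line in a hosts file, or append one.
update_hosts_entry() {      # update_hosts_entry <file> <host> <ip>
    awk -v h="$2" -v ip="$3" '
        { for (i = 2; i <= NF; i++) if ($i == h) { $1 = ip; found = 1; break } }
        { print }
        END { if (!found) print ip, h }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Given the freshly resolved address, replace the ufw rule only when it changed.
# Prints what it did and returns 0; returns 1 if the address is unusable.
apply_guest_rule() {        # apply_guest_rule <new_ip>
    new=$1
    is_ipv4 "$new" || { echo "unusable address '$new' for $GUEST_HOST" >&2; return 1; }
    old=""
    [ -r "$STATE_FILE" ] && old=$(cat "$STATE_FILE")
    if [ "$old" = "$new" ]; then
        echo "unchanged: $new"
        return 0
    fi
    if [ -n "$old" ]; then  # drop the rule for the previous address first
        $UFW_CMD delete allow from "$old" to any port "$PORTS" proto tcp comment "guest-domain"
    fi
    $UFW_CMD allow from "$new" to any port "$PORTS" proto tcp comment "guest-domain"
    update_hosts_entry "$HOSTS_FILE" "$GUEST_HOST" "$new"
    mkdir -p "$(dirname "$STATE_FILE")"
    printf '%s\n' "$new" > "$STATE_FILE"
    echo "updated: ${old:-none} -> $new"
}

# Entry point for cron: "ufw-ddns-update.sh run". Without the argument nothing happens,
# so the functions can be sourced and tried by hand first.
if [ "${1:-}" = "run" ]; then
    apply_guest_rule "$(resolve_ipv4 "$GUEST_HOST")"
fi
```

A line such as "*/10 * * * * root /usr/local/sbin/ufw-ddns-update.sh run" in /etc/crontab (path assumed) runs it every ten minutes; sudo ufw status numbered afterwards shows the single guest-domain rule with the current address. The script only handles IPv4; if the guest also gets an IPv6 address from DynDNS, that needs its own rule.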
Remark: It is futile to try to block certain countries like China, Russia or others by firewall rules, because attackers always have ways to bypass such rules.
FTP Server
Configuration of an FTP server is exactly as described before on the Home Network page. Choose usernames that cannot easily be guessed and very strong passwords, and don't give FTP users a shell, i.e. keep them in the jail /home/ftp.
Security Updates
Configure automatic security updates and outgoing mail:
Edit /etc/apt/apt.conf.d/50unattended-upgrades and create 10periodic, or download my 50unattended-upgrades and 10periodic and put them into /etc/apt/apt.conf.d as root (check owner and permissions).
If exim4 is not yet installed, add it with sudo apt install exim4 and configure it with sudo dpkg-reconfigure exim4-config. Once you are finished, run sudo update-exim4.conf and sudo service exim4 start.
Exim4 can be configured to use SMTP-AUTH with Transport Layer Security (TLS) and Simple Authentication and Security Layer (SASL). For details, see the Ubuntu reference Install-and-configure-exim4.
If you want outgoing mails, for example a report on unattended upgrades, sent to your account at a mail provider like gmx.de et al., you should configure your mail account not to classify these mails from your VPS as spam (if that is possible). On your VPS the mails are stored in /var/mail.
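For readers who prefer to write the two apt files themselves rather than download mine, here is an added example (my own script, not the files linked above) that writes a minimal 10periodic and 50unattended-upgrades into a directory and checks them. It restricts automatic installs to the Debian security suite, mails the report to root (delivered by the exim4 configured above) and never reboots on its own. It assumes unattended-upgrades 2.x as shipped with Debian 11/12; the directory argument exists so it can be tried in a temporary directory without root.

```shell
#!/bin/sh
# Added example, not the tutorial's own files: write a minimal 10periodic and
# 50unattended-upgrades into a target directory (default /etc/apt/apt.conf.d).
# Assumptions: Debian 11/12 with unattended-upgrades 2.x; mail to root is delivered
# by the local exim4.
set -eu

write_apt_unattended_conf() {    # write_apt_unattended_conf [conf_dir]
    dir=${1:-/etc/apt/apt.conf.d}

    # 10periodic: refresh lists and download/install daily, clean the cache weekly.
    cat > "$dir/10periodic" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF

    # 50unattended-upgrades: security suite only (both spellings of the suite name
    # used across Debian releases), mail a report to root, no automatic reboot.
    cat > "$dir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
};
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::MailReport "on-change";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
EOF

    # Same owner and mode as the rest of apt.conf.d (chown only possible as root).
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$dir/10periodic" "$dir/50unattended-upgrades"
    fi
    chmod 0644 "$dir/10periodic" "$dir/50unattended-upgrades"
}

# Sanity check: daily job enabled, security origin present, report goes to root.
check_apt_unattended_conf() {    # check_apt_unattended_conf [conf_dir] -> 0 if ok
    dir=${1:-/etc/apt/apt.conf.d}
    grep -q '^APT::Periodic::Unattended-Upgrade "1";' "$dir/10periodic" &&
    grep -q 'label=Debian-Security' "$dir/50unattended-upgrades" &&
    grep -q '^Unattended-Upgrade::Mail "root";' "$dir/50unattended-upgrades"
}

if [ $# -ge 1 ]; then            # usage (as root): sh apt-unattended.sh /etc/apt/apt.conf.d
    write_apt_unattended_conf "$1"
    check_apt_unattended_conf "$1" && echo "written to $1"
fi
```

After writing the files as root, apt-config dump APT::Periodic shows the values apt actually sees, and sudo unattended-upgrade --dry-run --debug lists which packages would be installed without touching the system.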