Basic Linux VPS Set Up from a Windows PC

This article will show Windows PC users how to set up a Linux virtual private server (VPS). The VPS in this article is running Ubuntu 16.04 Long-Term Support (LTS). If you choose a VPS running a different distribution of Linux, you will need to adjust the commands in this article accordingly.

Open an Account with DigitalOcean

Visit DigitalOcean and open and fund your account. If you use my link, they may reward you with an extra credit when you add funds for the first time.

Download and Run PuTTY Installer

PuTTY is the tool we will use to connect to the Linux VPS from a Windows PC.

Visit the PuTTY developer’s site at http://www.chiark.greenend.org.uk/~sgtatham/putty/.

Go to the latest downloads page on the PuTTY site.

For modern PCs running Windows, you will want the 64-bit Windows installer. For older PCs that are capable of running only 32-bit software, you will want the 32-bit Windows installer.

Click on the appropriate Windows installer file. You will be asked whether you want to save it. Click Save File.

Once the file is downloaded, double-click on it. You will be asked to confirm that you want to run the downloaded Windows installer package. Click Run to run the installer.

The installer will inform you of the folder in which it proposes to install PuTTY. Make a note of the installation location. It will most likely be either C:\Program Files\PuTTY or C:\Program Files (x86)\PuTTY. Click Next to accept the default installation folder.

The PuTTY installer asks you which features you want to install. Accept the defaults, and click Install.

The setup wizard installs PuTTY and displays a progress bar as it proceeds. Once PuTTY is installed, the setup wizard displays a final screen. Click Finish to exit the PuTTY setup wizard.

Use PuTTYgen to Generate Private/Public Key Pair

Now we’re going to run the PuTTYgen utility to generate a secure shell (SSH) key pair.

Open the PuTTY file location, i.e., either C:\Program Files\PuTTY or C:\Program Files (x86)\PuTTY.

Double-click on puttygen.exe.

A window appears titled PuTTY Key Generator. You can leave the defaults as they are. The type is SSH-2 RSA, and the number of bits is 2048. Click the Generate button to begin the process of generating an SSH key pair.

A progress bar appears. As the instructions on the screen indicate, move your mouse around randomly over the blank area immediately beneath the progress bar.

When the key is generated, it is displayed in a field from which you can copy it for pasting elsewhere. There are also fields for specifying a passphrase, and buttons for saving the private key, etc.

PuTTYgen after generating key

Save Public Key

Create a folder to hold your public and private keys. For example, you might create it inside your Documents folder and name it SSH.

In the PuTTY Key Generator (PuTTYgen) dialogue box, you will see a field in the box Public key for pasting into OpenSSH authorized keys file. Select all of this field, being careful to make sure you have the full contents, including any characters that may be hidden from view. This field will begin with the key type, which is ssh-rsa, and end with a generated name such as rsa-key-20170702.

Copy the public key to your PC clipboard (Ctrl + C), open the Notepad program, then paste it into Notepad (Ctrl + V).

Save the public key from Notepad in a file within your SSH folder. Name it, for example, rsa-key-20170702-public.txt.

Save Private Key

Now, back in the dialogue box, fill in a Key passphrase, and type in the same passphrase in the Confirm passphrase field. This passphrase is your last line of defense in case someone finds your private key file. Press Save private key.

Save it in the same folder, i.e. SSH, that you created a moment ago for the public key. Name it, for example, rsa-key-20170702-private.ppk.

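You now have two files in your SSH folder: the public key file (for example, rsa-key-20170702-public.txt) and the private key file (for example, rsa-key-20170702-private.ppk).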

You can now close the PuTTY Key Generator (PuTTYgen) program.

Upload Public Key to DigitalOcean

Again using Notepad, open the file where you saved the public key, named for example rsa-key-20170702-public.txt. Select the whole key and press Ctrl+C to copy the public key to your PC’s clipboard.

Go to your browser and log on to your DigitalOcean account. Under Settings, choose Security, and then the Add SSH Key section.

Paste in your public key, give it a name (such as rsa-key-20170702), and click Create SSH Key.

The new key is added to your DigitalOcean account’s Security area.

SSH Key in DigitalOcean Security area

Create VPS with Public Key Preinstalled

“Droplet” is DigitalOcean’s name for a virtual private server (VPS). We will now create a droplet with the public key pre-installed. In your DigitalOcean account, go to the Droplets page, and click Create Droplet.

We will assume in this article that you pick Ubuntu 16.04 as your operating system.

512 MB of random-access memory (RAM) is plenty for small-scale projects.

Ubuntu 16.04 Droplet with 512 MB of memory

A region close to you is best, unless you have some other preference.

You must check the box to Add your SSH key to the droplet!!!

You can either leave the hostname as the default, or else enter a hostname and domain name that you own.

Click Create.

Wait about one minute. When the droplet creation process is complete, make a note of the IP address that DigitalOcean has allocated to your VPS.

Set Up PuTTY to Access VPS

Double-click on the putty.exe executable or on a desktop shortcut to PuTTY.

Paste in the IP address of your DigitalOcean droplet.

The default of port 22 is fine to begin with.

On PuTTY’s Window > Appearance page, you can change the font size if you wish. The default font of Courier 10-point is rather small, so you can change it to something like Lucida Console 12-point for improved legibility.

On PuTTY’s Connection > SSH > Auth page, browse for the private key file you created with PuTTYgen. In the example in this article, it is named rsa-key-20170702-private.ppk. Select it and click Open.

Your private key file’s location now appears in the private key field at the bottom of the right-hand pane on PuTTY’s SSH > Auth page.

PuTTY with private key specified for SSH authorization

Now we will save these settings for future use.

In the left-hand pane (the Category tree), click on the first page again (Session). Select the Default Settings session so that it is highlighted in blue. Click Save.

Your complete settings — IP address, port, font, and SSH private key location — are now saved.

SSH into VPS as Root

Now in the main PuTTY window click Open.

The first time you connect to a server that you have not connected to before, a warning message box appears. Click Yes to say that you trust this host.

You are asked what id you want to log in as. Some VPS providers create a non-root user id automatically. Since DigitalOcean did not create a non-root id, you need to put root here for now and create a non-root user in a few moments.

You will be asked to enter the passphrase for your private key.

When you are successfully logged in, you will see a command prompt. It will end in a dollar sign $ when you sign in as a non-root user, and a hash sign # when you sign in as root.

Set Timezone

Before we go any further, you may need to correct the timezone on your server. As root, issue the command:

dpkg-reconfigure tzdata

Choose the appropriate time zone for your VPS.

Create Non-Root User

Some VPS providers create a non-root user for you on Ubuntu servers. If this is the case, you can skip this section. However, DigitalOcean and many other VPS providers create only the root user for you. In this case, you are best advised to create your own non-root user. If you want the non-root user to be named derek, for example, you would issue the following commands as root:

adduser derek

The next command adds the new user to the group sudo. This means that derek can issue root commands without being the root user by prefixing the command with sudo.

usermod -a -G sudo derek

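Now copy your authorized public key from the root account into derek’s account. (Your private key never leaves your PC; the server holds only the public key, in the authorized keys file.)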

Create a directory for derek’s SSH keys:

mkdir /home/derek/.ssh

Make derek the owner of the new directory:

chown derek:derek /home/derek/.ssh

Restrict access to the directory to just derek:

chmod 700 /home/derek/.ssh

Copy your SSH authorized keys file from the root SSH directory into the equivalent directory for user derek:

cp ~/.ssh/authorized_keys /home/derek/.ssh/

Make derek the owner of the authorized keys file:

chown derek:derek /home/derek/.ssh/authorized_keys

Restrict access to the authorized keys file to just derek:

chmod 600 /home/derek/.ssh/authorized_keys

Now exit your root SSH session with your server:

exit

Check that you can now SSH into the server as the non-root user. Open PuTTY again, and connect to your server. This time, log in as the non-root user, derek in our example.
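If the login as derek is refused, the usual cause is a wrong owner or mode on the files created above, which sshd's StrictModes check (on by default) looks at before accepting a key. The script below is an added example, not part of the original article; the function name check_ssh_perms and the scratch directory are constructed for illustration, and it checks for the 700 and 600 modes used in this article.

```shell
#!/bin/sh
# Added example (not from the original article): check what sshd's
# StrictModes expects of a user's key files before relying on key login.

# check_ssh_perms USER HOME: return 0 only if HOME/.ssh is mode 700 and
# HOME/.ssh/authorized_keys is mode 600, both owned by USER, with a key.
check_ssh_perms() {
    user=$1
    dir=$2/.ssh
    keys=$dir/authorized_keys
    rc=0
    [ -d "$dir" ]  || { echo "FAIL: $dir is missing"; return 1; }
    [ -f "$keys" ] || { echo "FAIL: $keys is missing"; return 1; }

    for item in "$dir:700" "$keys:600"; do
        path=${item%:*}
        want=${item##*:}
        # GNU stat (Ubuntu): %a is the octal mode, %U the owner name.
        mode=$(stat -c '%a' "$path")
        owner=$(stat -c '%U' "$path")
        [ "$mode" = "$want" ]  || { echo "FAIL: $path mode $mode, want $want"; rc=1; }
        [ "$owner" = "$user" ] || { echo "FAIL: $path owner $owner, want $user"; rc=1; }
    done

    # An empty file means root had no pre-installed key to copy from.
    grep -q '^[^#[:space:]]' "$keys" || { echo "FAIL: $keys holds no key"; rc=1; }

    [ "$rc" -ne 0 ] || echo "OK: key login for $user is set up correctly"
    return "$rc"
}

# Constructed demo: a scratch "home" where the chmod steps were skipped.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && chmod 755 "$demo/.ssh"
echo "ssh-rsa AAAAB3...constructed rsa-key-20170702" > "$demo/.ssh/authorized_keys"
chmod 644 "$demo/.ssh/authorized_keys"
check_ssh_perms "$(stat -c '%U' "$demo")" "$demo" || echo "Repeat the chown/chmod steps."
```

On the server, call it from the root session as check_ssh_perms derek /home/derek before you type exit.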

We will use the non-root user from this point forward. Therefore commands that are normally restricted to the root user will be prefixed with sudo from now on in this article.

Limit SSH Access

Your SSH configuration file is located at /etc/ssh/sshd_config.

To edit this file, enter the command:

sudo nano /etc/ssh/sshd_config

You will be taken into the nano editor. (More experienced Linux users may prefer to use the vi editor rather than nano.)

The most important special function keys in nano are indicated at the bottom of the screen. Ctrl+O writes your file out to disk, and Ctrl+X exits the editor.

We will prevent root login and prevent password login by changing the appropriate lines to read as follows (these lines will not all be in one place in the file, and you will need to look for their location in the file):

PermitRootLogin no

PubkeyAuthentication yes

PasswordAuthentication no

This means that only non-root users, with an SSH public key on the server, will be able to log in to the server.

nano editor for SSH configuration file

Press Ctrl+O to write your file out to disk, and Ctrl+X to exit the editor.

Restart your SSH server to pick up these changes:

sudo service ssh restart
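Because sshd keeps the first value it reads for each keyword, a new line added below an older uncommented one has no effect. The script below is an added example, not part of the original article, that reports which value is in force for the three settings; the function names and the sample file are constructed for illustration, and settings inside Match blocks are not examined.

```shell
#!/bin/sh
# Added example (not from the original article). sshd keeps the FIRST value
# it reads for a keyword, matches keywords case-insensitively and skips
# lines that start with '#'.

# effective_value FILE KEYWORD: print the first global value, lower-cased.
effective_value() {
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/        { next }   # blank line or comment
        tolower($1) == "match"      { exit }   # conditional blocks: not examined
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE: return 0 only if all three settings are in force.
audit_sshd_config() {
    rc=0
    for want in PermitRootLogin=no PubkeyAuthentication=yes \
                PasswordAuthentication=no; do
        key=${want%=*}
        expected=${want#*=}
        actual=$(effective_value "$1" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "OK:   $key $actual"
        else
            echo "FAIL: $key is '${actual:-not set}', expected '$expected'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the edit was appended at the end, but an earlier
# uncommented PasswordAuthentication line still wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
PermitRootLogin no
#PubkeyAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
passwordauthentication no
EOF
audit_sshd_config "$sample" || echo "Fix the FAIL lines before restarting ssh."
```

Run audit_sshd_config /etc/ssh/sshd_config before the restart, and keep your current PuTTY session open until a second session has logged in successfully. The command sudo sshd -t additionally checks the file for syntax errors.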

Update Packages

You will improve the security of your server if you always have the most up-to-date versions of all software packages. Update your package lists and your packages themselves by issuing the commands:

sudo apt-get update

sudo apt-get upgrade

sudo reboot

(With Linux kernels above version 4.0, you no longer strictly need to reboot after every kernel upgrade.)

You should update your packages frequently from now on, typically weekly, or more frequently if you hear about a fix being issued for a serious security flaw.

Set Up Iptables Firewall

We will use the iptables firewall to restrict input traffic to the server. All unauthorized packets will be dropped.

Allow input for connections that are already established:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

(On this web page, long commands may appear to span multiple lines. Enter them as a single command.)

Allow input on the loopback interface. This is input directed from the VPS to localhost:

sudo iptables -A INPUT -i lo -j ACCEPT

Whitelist your own input on port 22. It is vitally important to protect port 22 (the SSH port) against intrusions. In the example given below, your local ISP allocates IP addresses to you in the range 12.34.0.0 through 12.34.255.255. In classless inter-domain routing (CIDR) notation, this is 12.34.0.0/16:

sudo iptables -A INPUT -p tcp --dport 22 -s 12.34.0.0/16 -j ACCEPT

If you can guarantee that you will always have a static IP address, you can substitute it as the source, e.g. -s 12.34.56.78/32. If you cannot guarantee your IP address or the range it will come from, you must unfortunately leave the source unspecified in the above, which leaves port 22 open to the world.

Allow PING requests to your VPS:

sudo iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

All other packets will be dropped as a policy:

sudo iptables -P INPUT DROP

To make your firewall rules persist across reboots, issue the command:

sudo apt-get install iptables-persistent

If iptables-persistent was already installed, then instead of installing it, reconfigure it with the command:

sudo dpkg-reconfigure iptables-persistent

You can review your iptables rules with the command:

sudo iptables -nvL
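The two properties this section depends on, a DROP policy on INPUT and a source restriction on port 22, can also be checked mechanically. The script below is an added example, not part of the original article; it reads the output of sudo iptables -S (the same rules, listed in command form), and the function name audit_input_rules and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit saved output of
# `sudo iptables -S`, which lists rules in the form they were entered.

# audit_input_rules FILE: return 0 only if the INPUT policy is DROP and
# every rule accepting TCP port 22 is limited to a source address or range.
audit_input_rules() {
    awk '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" && / --dport 22 / && / -j ACCEPT/ {
            ssh_rules++
            src = ""
            for (i = 3; i < NF; i++) if ($i == "-s") src = $(i + 1)
            if (src == "" || src == "0.0.0.0/0") {
                anysrc++
                print "WARN: port 22 accepts any source address"
            } else {
                print "OK:   port 22 limited to " src
            }
        }
        END {
            if (policy == "DROP") print "OK:   INPUT policy is DROP"
            else { bad = 1; print "FAIL: INPUT policy is not DROP" }
            if (ssh_rules == 0) {
                bad = 1
                print "FAIL: no rule accepts port 22"
            }
            exit ((bad || anysrc) ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample: the rule set from this section, as `iptables -S`
# would list it, using the article's example range 12.34.0.0/16.
rules=$(mktemp)
cat > "$rules" <<'EOF'
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 12.34.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
EOF
audit_input_rules "$rules" || echo "Review the WARN/FAIL lines above."
```

A WARN line corresponds to the case described earlier in which the source is left unspecified and port 22 is open to the world.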

Log Off

To exit your SSH session, enter the command:

exit

You will be logged out, and PuTTY will close automatically.