
Recommended Setup

To ensure your DewaVPS Instance is secure, stable, and easier to manage from the start, we strongly recommend following these best practices during creation and initial configuration. While DewaVPS offers flexibility, these steps provide a robust foundation.

1. Secure Authentication: Use SSH Keys

Recommendation: Always use SSH key authentication and explicitly disable password-based and direct root logins via SSH.

  • Why: Passwords can be guessed, brute-forced, or phished. SSH keys use public-key cryptography, providing a significantly more secure method for remote login. Disabling direct root login forces users to log in via a standard account and use sudo, adding an extra layer of security and accountability.

  • How (Adding SSH Keys):

    1. Generate an SSH key pair on your local computer if you don't already have one.
    2. Add your public key (usually the file ending in .pub) to DewaVPS:
      • You can pre-upload keys via the Authentication/SSH Keys section in the DewaVPS control panel.
      • Alternatively, during the Instance Creation / Launch Instance process, there will be an option to select a previously uploaded key.
    3. Ensure your desired SSH key is selected for the new Instance before clicking "Create".
  • How (Disable Password Login - Verify & Enforce): Using SSH keys during creation usually disables root password login by default, but it's best practice to verify and enforce this setting.

    1. Log in to your new VPS using SSH with your key.
    2. Edit the SSH daemon configuration file: sudo nano /etc/ssh/sshd_config (or use vim).
    3. Find the line PasswordAuthentication. Uncomment it if necessary (remove the leading #) and ensure it is set to no:
      PasswordAuthentication no
    4. Save the file (Ctrl+O, Enter in nano) and exit (Ctrl+X in nano).
    5. Crucial: Before restarting SSH, open a second terminal window and confirm you can still log in with your SSH key. This prevents accidental lockout.
    6. Once confirmed, restart the SSH service to apply the change: sudo systemctl restart sshd (or sudo service ssh restart on older systems).
  • How (Disable Direct Root Login): This enhances security by requiring users to log in as a standard user first.

    1. Important: Ensure you have already created a non-root user with sudo privileges (See step 3 below) and have successfully logged in as that user before proceeding.
    2. Edit the SSH configuration file again: sudo nano /etc/ssh/sshd_config.
    3. Find the line PermitRootLogin. Uncomment it if necessary and set it to no:
      PermitRootLogin no
      (Note: prohibit-password is another option, but no is generally recommended when you have sudo users).
    4. Save the file and exit.
    5. Restart the SSH service after confirming your non-root user login works with sudo: sudo systemctl restart sshd (or sudo service ssh restart). Now, direct login attempts as root via SSH should be denied.
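
An added check for the two settings above (example code, not part of DewaVPS's documentation): sshd applies the first value it reads for a keyword and reads Include files in place, so a drop-in listed ahead of your edited lines can keep password logins enabled even after you set PasswordAuthentication no. The temporary directory, the 50-example.conf file name, and the helper names flatten and effective are constructed for this illustration.

```shell
#!/bin/sh
# Added example: find the value sshd will actually apply for a keyword.
# sshd keeps the FIRST value it reads, and Include files are read in place.

# flatten FILE: print config lines in reading order, expanding Include globs.
flatten() {
  src=$1
  while IFS= read -r line || [ -n "$line" ]; do
    set -f; set -- $line; set +f          # split into words, no globbing yet
    case "$(printf '%s' "${1:-}" | tr 'A-Z' 'a-z')" in
      include)
        shift
        for f in $*; do                   # glob expands here, in sorted order
          if [ -f "$f" ]; then cat "$f"; fi
        done ;;
      *) printf '%s\n' "$line" ;;
    esac
  done <"$src"
}

# effective KEYWORD FILE: print the global value, or "unset".
# Simplification: scanning stops at the first Match line, because
# everything below it applies only conditionally.
effective() {
  flatten "$2" | awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }     # comment or blank line
    tolower($1) == "match"   { exit }
    tolower($1) == k         { print tolower($2); found = 1; exit }
    END { if (!found) print "unset" }'
}

# Constructed sample: a drop-in re-enables passwords ahead of the edited lines.
d=$(mktemp -d)
mkdir "$d/sshd_config.d"
printf 'PasswordAuthentication yes\n' >"$d/sshd_config.d/50-example.conf"
cat >"$d/sshd_config" <<EOF
Include $d/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication no
EOF

for k in PasswordAuthentication PermitRootLogin; do
  echo "$k = $(effective "$k" "$d/sshd_config")"
done
```

On a live server, sudo sshd -t validates the configuration before you restart the service, and sudo sshd -T prints the effective settings, which is the authoritative version of this check.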

2. Choose a Stable Operating System

Recommendation: Select a Long-Term Support (LTS) version of a well-maintained Linux distribution.

  • Why: LTS releases (like Ubuntu LTS, Debian Stable, CentOS Stream) receive security updates and bug fixes for an extended period (often 5+ years). This provides a stable environment without requiring frequent major OS upgrades. Non-LTS versions have much shorter support lifecycles.
  • How: Choose an image marked as "LTS" or known for its stability (e.g., the latest Ubuntu LTS, Debian) from the image selection list during VPS creation.

3. Create a Non-Root User with Sudo Privileges

Recommendation: Avoid using the root user for everyday tasks. Create a standard user account and grant it sudo privileges.

  • Why: Operating directly as root is risky; a single typo or mistake can cause significant damage to the system. Using a standard user with sudo forces you to intentionally elevate privileges for administrative tasks, adding a layer of safety and providing an audit trail.
  • How:
    1. Log in initially as root using your SSH key.
    2. Create a new user: adduser yourusername (follow the prompts).
    3. Add the user to the sudo (Debian/Ubuntu) or wheel (CentOS) group:
      • usermod -aG sudo yourusername (for Debian/Ubuntu)
      • usermod -aG wheel yourusername (for CentOS/Fedora - ensure the wheel group is configured for sudo access in /etc/sudoers)
    4. Log out from the root session.
    5. Log back in as yourusername. You can now run administrative commands using sudo command_name.

4. Configure a Firewall

Recommendation: Utilize the DewaVPS Cloud Firewall service to control traffic to and from your instances.

  • Why: DewaVPS Cloud Firewalls provide a network-level barrier, blocking unwanted traffic before it even reaches your instance. This offers several advantages:

    • Reduced Server Load: Your instance doesn't waste resources processing blocked traffic.
    • Increased Security: Limits the exposure of your instance's operating system directly to the internet.
    • Simplicity: Easier to manage rules through the control panel compared to configuring firewalls through CLI.
  • How:

    1. Navigate to the Networking section in the DewaVPS control panel and find the Firewalls area.
    2. Create a New Firewall: Give it a clear description (e.g., webserver-prod-fw, database-staging-fw).
    3. Define Rules: This is the most critical part. Start with the principle of least privilege – allow only what's necessary. Add rules for essential services:
      • SSH (TCP Port 22):

        • Crucial: Set the Source to only your specific IP address (Your_Static_IP/32) or trusted network range (Your_Office_Network/24).
        • Avoid using All IPv4 / All IPv6 for SSH unless absolutely necessary and you understand the risks, as this exposes your SSH port to the entire internet. If your IP address is dynamic, consider using a VPN or bastion host with a static IP as the source.
      • HTTP (TCP Port 80): If running a public web server, set the Source to All IPv4 and All IPv6 (0.0.0.0/0, ::/0).

      • HTTPS (TCP Port 443): If running a public web server with SSL/TLS, set the Source to All IPv4 and All IPv6.

      • Other Services: Add specific rules for any other application ports (e.g., database ports, API ports, game server ports), always restricting the Source IPs as much as possible.

      • You can choose whether to ACCEPT or DENY incoming traffic for specific ports.

    4. Verify: After applying the firewall, test access. Ensure you can connect via SSH from your allowed IP. Check if your web server (if applicable) is accessible from the internet. Try connecting to a disallowed port from an external source to confirm it's blocked.

By default, your DewaVPS server is configured to allow all incoming and outgoing network traffic. This means that all ports are open, and connections are accepted unless you specifically configure rules to DENY certain ports or traffic. For enhanced security, you also have the option to switch to a "deny all" policy, where all incoming traffic is blocked by default, and you must explicitly ALLOW the specific ports and connections you need.

5. Configure Backup

Recommendation: Leverage the integrated DewaVPS backup services for data protection and recovery.

  • Why: Software issues arise, security incidents occur, and accidental deletions happen. Regular backups are crucial for recovering your data, configurations, and ensuring business continuity. Using DewaVPS' native features simplifies this process.

  • How: DewaVPS offers two primary methods for backing up your instance, managed directly through the control panel:

    • Automated Backups:

      • What: These are system-level backups automatically created by DewaVPS on a regular schedule (e.g., daily or weekly, check DewaVPS specifics). They typically retain several recent copies.
      • Best For: Providing consistent, routine protection with minimal manual effort ("set it and forget it"). Ideal for general disaster recovery.
      • How: You can usually enable automated backups via a checkbox during the Instance creation process or later through the Instance Backups page in the DewaVPS control panel. Note that this service may have an associated cost based on your instance plan or size. Review the retention policy to understand how many backups are kept.
    • Manual Backups (Snapshots):

      • What: Snapshots are point-in-time, image-level copies of your instance's disk that you create manually whenever needed.
      • Best For: Creating a specific restore point before performing major system changes like OS upgrades, installing complex software, critical configuration modifications, or deploying new code. They can also be used to create custom images for launching new, pre-configured VPS instances.
      • How: You can create a snapshot via the Instance Backups page in the DewaVPS control panel. Keep in mind that storing snapshots usually incurs costs based on their size and how long you keep them. Remember to delete old, unneeded snapshots to manage costs.

Summary

For a secure, stable, and manageable instance, follow these key practices:

  1. Use SSH Keys: Authenticate using SSH keys only. Disable password logins and direct root login via SSH in the sshd_config file.
  2. Choose Stable OS: Select a Long-Term Support (LTS) version of a Linux distribution (e.g., Ubuntu LTS, Debian Stable).
  3. Create Sudo User: Avoid using root. Create a standard user account and grant it sudo privileges for administrative tasks.
  4. Configure Cloud Firewall: Utilize the DewaVPS Cloud Firewall to restrict incoming traffic. Allow only necessary ports (like 80/443 for web) and crucially limit SSH (port 22) access to your specific IP address(es).
  5. Use DewaVPS Backups: Enable DewaVPS Automated Backups for regular protection and create Manual Snapshots before making significant system changes.

Following these steps provides a strong foundation for your DewaVPS server environment.