How to Set Up and Secure Your Linode Server

Published January 20, 2025

You have created a Linode account and want to create and set up a new Linode server. This blog post will show you how to set it up.


About Linode and others

These are my notes about setting up my Linode servers from scratch. I have used Linode for several years and they have never let me down.

These steps can work for DigitalOcean, OVHCloud and other VPS hosting providers with unmanaged Linux hosting.

Create your Linode account

Your Linode account should have already been created. If you have not done it yet, head over to Linode.com and create it.

In the next step, we will create a Linode Debian 12 instance.

Create your Linode Debian 12 instance

Choose Debian 12 as the Linux distribution.

Choose your region. I personally find New Jersey is the fastest, even though I live in Virginia and there is a Virginia location (IAD).

Select a plan. If you are just starting out, you may want to select the Nanode Shared CPU plan for $5/month. You can upgrade when traffic builds up.

Enter your root password.

Click on "Create Linode".

After a few seconds, you will see a message that the server is running.

Your Debian 12 bookworm server is up and you can SSH to it using your root account.

Update and upgrade

Run these commands (as root user, the only account you have for now).

apt update
apt upgrade

The first command apt update fetches the latest version of the package list from Debian's software repository and any third-party repositories in the configuration.

The second command apt upgrade downloads and installs the updated versions for each outdated package and their dependencies on the system. You will be prompted to answer y/n before certain software upgrades.

You can also run these two in one command with auto-confirmation.

apt update && apt upgrade -y

Create regular user and give sudo root access

You are still root user, and we will create a regular user sonic. Run this:

useradd -m sonic
passwd sonic

Enter the password for user sonic and press ENTER.

Now, we will give sonic root access by adding them to the sudo group.

usermod -a -G sudo sonic

That command will add the regular user sonic to the sudo group.

Login as regular user

Log out as root, and log back in as user sonic.

You can test sudo access by running this:

sudo -l

This will show the sudo permissions that user sonic has.

Change the default editor

The default editor appears to be Nano, and I want Vim to be the default.

Run this:

select-editor

Output:

select-editor 

Select an editor.  To change later, run 'select-editor'.
  1. /bin/nano        <---- easiest
  2. /usr/bin/vim.basic
  3. /usr/bin/vim.tiny

Choose 1-3 [1]: 2

Your default editor has been changed to Vim.

Set timezone

To list timezones, run this:

timedatectl list-timezones

Find the current timezone with this:

$ date
Tue Dec 31 04:12:29 PM UTC 2024

To change the timezone from UTC to Eastern:

timedatectl set-timezone 'America/New_York'

Verify the updated timezone:

$ date
Tue Dec 31 11:12:39 AM EST 2024

Change ssh port from 22 to something else

Changing the SSH port from the default 22 cuts down on automated brute-force login attempts, most of which target port 22. It reduces the noise rather than stopping a determined attacker, who can still find the new port with a port scan.

We will change the port number to 4242.

Edit the file /etc/ssh/sshd_config:

sudo vi /etc/ssh/sshd_config

Change the port number from 22 to 4242:

Port 4242

While we are editing sshd_config, you can also disable root login:

PermitRootLogin no

Save and quit with :wq!

Then, restart the SSH service.

sudo systemctl restart ssh

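From now on, you have to connect on port 4242 when you ssh into the server. Keep your current session open until a login on the new port works from a second terminal.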

If you are using Terminal to ssh, this would be the command:

ssh -p 4242 sonic@IP-ADDRESS
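
A quick check for the two sshd_config edits above, as an added example that is not part of the original post. The function name audit_sshd_config and the sample files are constructed for illustration. It catches the case where the new lines were appended below settings that already existed: sshd listens on every Port line it finds, and for PermitRootLogin the first value wins.

```shell
#!/bin/sh
# Added example: audit the global part of an sshd_config-style file for the
# two settings changed above. Include files and Match blocks are NOT
# evaluated; on the live server `sudo sshd -T` prints the effective config.
# Usage: audit_sshd_config FILE [EXPECTED_PORT]   (exit status 0 = all OK)
audit_sshd_config() {
    awk -v want="${2:-4242}" '
        { sub(/#.*/, ""); sub(/=/, " ") }      # drop comments, accept Key=Value
        NF < 2 { next }                         # blank or incomplete line
        { key = tolower($1) }                   # keywords are case-insensitive
        key == "match" { exit }                 # global section ends here
        key == "port" { ports = ports (ports ? "," : "") $2 }  # Port may repeat
        key == "permitrootlogin" && root == "" { root = tolower($2) }  # first wins
        END {
            if (ports == "") ports = "22"                 # sshd default
            if (root == "")  root = "prohibit-password"   # OpenSSH default
            if (ports != want) { print "FAIL Port: " ports " (want " want ")"; bad = 1 }
            else print "OK   Port: " ports
            if (root != "no") { print "FAIL PermitRootLogin: " root; bad = 1 }
            else print "OK   PermitRootLogin: no"
            exit bad + 0
        }' "$1"
}

# Constructed samples: the edit as described on this page, and a file where
# the new lines were appended below settings that were already active.
demo_dir=$(mktemp -d)
printf '%s\n' '#Port 22' 'Port 4242' 'PermitRootLogin no' > "$demo_dir/good"
printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'port 4242' 'PermitRootLogin no' \
    > "$demo_dir/appended"

audit_sshd_config "$demo_dir/good" || true
audit_sshd_config "$demo_dir/appended" || true
```

On the server itself, run it as audit_sshd_config /etc/ssh/sshd_config before restarting the SSH service.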

Install ufw firewall

You want to lock down your system as much as possible by allowing inbound connections only on an allowlist (whitelist) of ports. These ports can include http (port 80), https (port 443), ssh (port 4242, as we set in the previous section) and ports that you may use for other applications.

I used to use iptables for a long time. I recently started using ufw and it is more user friendly.

Follow these steps to install ufw.

sudo apt update
sudo apt install ufw

Now that ufw is installed, let us allow the permitted ports.

sudo ufw allow 80
sudo ufw allow 443
sudo ufw allow 4242

ufw is still not enabled. You can verify it with:

sudo ufw status

Output:

Status: inactive 

Enable ufw:

sudo ufw enable

Verify ufw status:

Status: active

To                         Action      From
--                         ------      ----
4242                       ALLOW       Anywhere                  
443/tcp                    ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
443/tcp (v6)               ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)

If you want to delete a specific entry in ufw, display the status listing with rule numbers.

sudo ufw status numbered

Output:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 4242                       ALLOW IN    Anywhere                  
[ 2] 443/tcp                    ALLOW IN    Anywhere                  
[ 3] 80/tcp                     ALLOW IN    Anywhere                  
[ 4] 443/tcp (v6)               ALLOW IN    Anywhere (v6)             
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)             

To delete the IPv6 rules for 443 and 80, which are numbered 4 and 5 respectively:

sudo ufw delete 5
sudo ufw delete 4

Each time you delete a rule from ufw, the remaining rules are renumbered and the ones below move up, so delete from the highest number down, as in the commands above, and not from top to bottom.

Ban an IP address using ufw

If you want to block a visitor with IP address 91.108.194.40 from getting past your firewall:

sudo ufw insert 1 deny from 91.108.194.40 && sudo ufw reload

ufw checks rules in order and applies the first one that matches, so deny rules need to sit above the ALLOW lines. That is why the command uses insert 1 to place the rule at the top of the list.

If you want to unban someone, find their number with sudo ufw status numbered and delete it.
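
Two helpers for the numbering and ordering points in the last two sections, as an added example that is not part of the original post. The function names and the sample listing are constructed; the sample shows what the list looks like when a deny rule was added without insert 1. Both functions read "sudo ufw status numbered" output on stdin and only print; they change nothing.

```shell
#!/bin/sh
# Added example: helpers that read `ufw status numbered` output on stdin.

# Print "sudo ufw delete N" for every rule line containing the fixed string
# PATTERN, highest number first, so earlier deletions cannot renumber the
# rules that are still to be deleted.
ufw_delete_plan() {
    grep -F -- "$1" | sed -n 's/^\[ *\([0-9][0-9]*\)\].*/\1/p' |
        sort -rn | sed 's/^/sudo ufw delete /'
}

# Print the number of each DENY IN rule that sits below an ALLOW IN rule.
# ufw stops at the first matching rule, so such a deny may never be reached.
# This is a position check only; it does not compare ports or addresses.
ufw_late_denies() {
    awk '/^\[/ {
            n = $0; sub(/^\[ */, "", n); sub(/\].*/, "", n)
            if ($0 ~ /ALLOW IN/) seen_allow = 1
            else if ($0 ~ /DENY IN/ && seen_allow) print n
        }'
}

# Constructed sample: the rules from this page plus a deny that was added
# without "insert 1", so it landed below the IPv4 ALLOW rules.
sample='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 4242                       ALLOW IN    Anywhere
[ 2] 443/tcp                    ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] Anywhere                   DENY IN     91.108.194.40
[ 5] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)'

printf '%s\n' "$sample" | ufw_delete_plan '(v6)'
printf '%s\n' "$sample" | ufw_late_denies
```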

Update /etc/hosts

If you want to map your IP address, say 40.40.40.40, to the domains (such as domain1.com) being hosted on your Linode, edit the /etc/hosts file as root, and then append IP address to domain name mappings like this:

40.40.40.40    domain1.com
40.40.40.40    domain2.com
40.40.40.40    domain3.com

Conclusion

This is a common sequence of steps used when you set up your Linode server with Debian 12. Your use case and environment may be very different. Feel free to comment or email me.

Most of these steps will work for DigitalOcean, Hetzner and OVHCloud as well.

Thanks for reading!


Last Updated: January 20, 2025.     This post was originally written on January 19, 2025.