> VPS setup guide with **Nginx + Let’s Encrypt**

# 🛡️ Modern Debian VPS Setup & Hardening Guide

A secure, minimal, production-ready setup for Debian servers. Assumes you already ran `apt update && apt upgrade`.

---

## ✅ 1. Create a New Non-Root User

```bash
adduser yourname
usermod -aG sudo yourname
```

---

## ✅ 2. SSH Hardening

```bash
sudo nano /etc/ssh/sshd_config
```

Recommended changes:

```ini
PermitRootLogin no
PasswordAuthentication no
AllowUsers yourname
```

Keep your current session open while you do this, and only set `PasswordAuthentication no` once the key from step 3 logs you in: after the reload, a missing key means a lockout.

Then reload SSH:

```bash
sudo systemctl reload ssh
```

---

## ✅ 3. SSH Key Setup (Local → Server)

On **your local machine**:

```bash
ssh-keygen -t ed25519 -C "your@email"
ssh-copy-id yourname@your-server-ip
```

Or manually (the `chmod` calls matter: sshd ignores `authorized_keys` when `~/.ssh` or the file is group/world-writable):

```bash
cat ~/.ssh/id_ed25519.pub | ssh yourname@your-server-ip 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'
```

---

## ✅ 4. Firewall (UFW)

```bash
sudo apt install ufw
sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status
```

Allow web traffic:

```bash
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
```

---

## ✅ 5. Security Tools

```bash
sudo apt install fail2ban unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
```

---

## ✅ 6. Base Utilities

```bash
sudo apt autoremove
sudo apt install curl wget htop git vim nano unzip
```

---

## ✅ 7. Harden Kernel with sysctl

```bash
sudo nano /etc/sysctl.d/99-custom.conf
```

Paste:

```conf
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
```

Apply changes:

```bash
sudo sysctl -p /etc/sysctl.d/99-custom.conf
```

---

## ✅ 8. Reboot & Verify

```bash
sudo reboot
```

Make sure:

* SSH works as your user
* Firewall is up
* Root login is blocked
* Auto updates are on

---

## ✅ 9. Install Nginx

```bash
sudo apt install nginx
sudo systemctl enable nginx
sudo systemctl start nginx
```

Allow in firewall:

```bash
sudo ufw allow 'Nginx Full'
```

---

## ✅ 10. Install Certbot (Let’s Encrypt)

```bash
sudo apt install certbot python3-certbot-nginx
```

---

## ✅ 11. Get SSL Certificate

```bash
sudo certbot --nginx
```

Follow the prompts:

* Enter your domain name
* Agree to terms
* Choose HTTP to HTTPS redirect (usually yes)

---

## ✅ 12. Auto-Renew Test

```bash
sudo certbot renew --dry-run
```

---

## ✅ Done! 🚀

You now have:

* A locked-down, patched Debian VPS
* SSH key-only login
* Firewall with only web and SSH ports open
* Nginx with auto-renewing Let’s Encrypt SSL

---

Let me know if you want to:

* Add a domain name to this
* Reverse proxy to a backend (Node, Flask, etc.)
* Use Caddy instead of Nginx (simpler HTTPS)
* Set up monitoring or metrics (uptime, fail2ban logs, etc.)
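A verification helper for the "Reboot & Verify" checklist in step 8, added here as an example and not part of the guide above: three small shell functions that parse captured output of `sudo sshd -T`, `sudo ufw status` and `sudo sysctl -a`, and count every deviation from the settings steps 2, 4 and 7 apply. The function names, the expected-value lists and the sample captures at the bottom are this example's own constructions, not output from a real host.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): an offline-testable audit for step 8.
# Each *_violations function reads a command capture from stdin, prints one
# line per mismatch on stderr and prints the number of mismatches on stdout.
# On the server, feed it the real commands:
#   sudo sshd -T        | sshd_violations
#   sudo ufw status     | ufw_violations
#   sudo sysctl -a 2>/dev/null | sysctl_violations
set -u

# Targets taken from the guide. `sshd -T` prints keys in lowercase.
SSHD_EXPECTED="permitrootlogin=no passwordauthentication=no pubkeyauthentication=yes"
# Only these ufw ALLOW rules are expected ("|" delimits because "Nginx Full" has a space).
UFW_ALLOWED="|OpenSSH|80/tcp|443/tcp|Nginx Full|"
SYSCTL_EXPECTED="net.ipv4.tcp_syncookies=1 net.ipv4.conf.all.rp_filter=1 net.ipv6.conf.all.disable_ipv6=1"

# Generic key/value comparer: $1 = expected "key=value" list, $2 = label for
# messages, stdin = captured output with lines like "key value" or "key = value".
_kv_violations() {
  local expected="$1" label="$2" input pair key want got count=0
  input=$(cat)
  for pair in $expected; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(printf '%s\n' "$input" | awk -v k="$key" '
      tolower($1)==k { v=$2; if (v=="=") v=$3; print tolower(v); exit }')
    if [ "$got" != "$want" ]; then
      printf '%s: %s is "%s", expected "%s"\n' "$label" "$key" "${got:-unset}" "$want" >&2
      count=$((count+1))
    fi
  done
  echo "$count"
}

sshd_violations()   { _kv_violations "$SSHD_EXPECTED" sshd; }
sysctl_violations() { _kv_violations "$SYSCTL_EXPECTED" sysctl; }

# ufw: the firewall must be active and every ALLOW rule must be on the list.
ufw_violations() {
  local input status rule count=0
  input=$(cat)
  status=$(printf '%s\n' "$input" | awk '/^Status:/ { print $2; exit }')
  if [ "$status" != "active" ]; then
    echo "ufw: status is \"${status:-unknown}\", expected \"active\"" >&2
    count=$((count+1))
  fi
  # Take the "To" column of each ALLOW rule; the "(v6)" twin folds into its IPv4 rule.
  while IFS= read -r rule; do
    [ -n "$rule" ] || continue
    case "$UFW_ALLOWED" in
      *"|$rule|"*) ;;
      *) echo "ufw: unexpected open rule \"$rule\"" >&2; count=$((count+1)) ;;
    esac
  done <<EOF
$(printf '%s\n' "$input" | awk '/ ALLOW / { sub(/[ \t]+ALLOW.*/, ""); sub(/ \(v6\)$/, ""); print }')
EOF
  echo "$count"
}

# Constructed sample captures (not from a real host) so the script runs offline.
SAMPLE_SSHD_OK="permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
allowusers yourname"
SAMPLE_SSHD_STOCK="permitrootlogin prohibit-password
passwordauthentication yes
pubkeyauthentication yes"
SAMPLE_UFW_OK="Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)"
SAMPLE_UFW_LEAKY="Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere"
SAMPLE_SYSCTL_OK="net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv6.conf.all.disable_ipv6 = 1"

# Demo over the samples: the stock sshd sample fails two checks, the leaky
# firewall sample one (3306/tcp), the hardened samples none.
echo "stock sshd:   $(printf '%s\n' "$SAMPLE_SSHD_STOCK" | sshd_violations) violation(s)"
echo "hardened sshd: $(printf '%s\n' "$SAMPLE_SSHD_OK" | sshd_violations) violation(s)"
echo "leaky ufw:    $(printf '%s\n' "$SAMPLE_UFW_LEAKY" | ufw_violations) violation(s)"
echo "sysctl:       $(printf '%s\n' "$SAMPLE_SYSCTL_OK" | sysctl_violations) violation(s)"
```

`sshd -T` is used rather than grepping `sshd_config` because it prints the effective value: OpenSSH keeps the first value it reads for a key, and Debian's `sshd_config` includes `/etc/ssh/sshd_config.d/*.conf` at the top, so a drop-in there (cloud images often ship one) silently wins over an edit made lower in the main file. The ufw check only inspects `ALLOW` rules; if you used `ufw limit OpenSSH` for rate limiting, extend the awk pattern to cover `LIMIT` as well.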