
No-Ingress Servers

The internet is a dangerous place for servers. As a reluctant sysadmin, I go the small target route. Instead of leaving ports open to the elements, I use a couple of modern tools to run no-ingress servers.

Here is my simple recipe for setting up a new VPS to avoid the heartache of a heartbleed. This assumes you’ve just minted a new VPS (or equivalent) and know how to access it.

Make an Account

Don’t be a silly goose and run your code as root. Make a proper user for your project:

adduser sam

Come up with a strong password and keep it somewhere safe.

Stage a Coup

Now that you’ve got an account, it is time to seize power. Add your user to the sudo group like so:

usermod -aG sudo sam

And disable root access via SSH:

nano /etc/ssh/sshd_config

# Find "PermitRootLogin yes" and replace with "PermitRootLogin no"

systemctl restart sshd

At this point, you’ll be booted out of your session. Wait a moment and log back in using your brand-new user account and password.

Subvert Passwords

Passwords are a liability. Instead of logging in via SSH with a password, you can authenticate via public key cryptography. On your home computer, run this command and follow the prompts:

ssh-keygen

Then add the resultant public key from ~/.ssh/id_rsa.pub to your server’s list of authorized keys (as your new user, on the server):

mkdir -p ~/.ssh
touch ~/.ssh/authorized_keys
echo "@@YOUR id_rsa.pub HERE@@" >> ~/.ssh/authorized_keys

# sshd refuses keys in a directory or file that other users can write to
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

sudo systemctl restart sshd

You’ll be booted again at this point. Try to log back in and, if it works without a password, you’re golden.

If you feel confident keeping your private key stable, now might be a good time to disable password-based SSH login entirely:

sudo nano /etc/ssh/sshd_config

# Find the "PasswordAuthentication" line, remove the leading "#" and set it to "no"

sudo systemctl restart sshd
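Editing sshd_config by hand works, but the first uncommented copy of a directive is the one sshd honours, and a directive placed after a Match block only applies inside that block, so a stray line can quietly undo the change. The helper below is an added example for this post (not the author’s script or anything from OpenSSH); it assumes POSIX sh with awk, and runs against a constructed sample so it works offline.

```shell
# set_sshd_option FILE KEY VALUE
# sshd honours the FIRST uncommented copy of a directive, and a directive
# after a "Match" line belongs to that block only. So every global copy of
# KEY (commented or not) is dropped, Match blocks are left alone, and
# "KEY VALUE" goes at the top, where it is global and guaranteed to win.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    printf '%s %s\n' "$key" "$value" > "$tmp"
    awk -v k="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # strip indent and "#"
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == "match") inmatch = 1   # keywords are case-insensitive
            if (inmatch || tolower(f[1]) != k) print
        }' "$file" >> "$tmp" || return 1
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# effective_sshd_option FILE KEY
# Prints the global value sshd will use for KEY: the first uncommented match
# before any Match block (empty if the built-in default still applies).
effective_sshd_option() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == k       { print $2; exit }' "$1"
}

# harden_sshd FILE: apply the post's two edits, then print what took effect.
harden_sshd() {
    set_sshd_option "$1" PermitRootLogin no &&
    set_sshd_option "$1" PasswordAuthentication no &&
    printf 'PermitRootLogin=%s PasswordAuthentication=%s\n' \
        "$(effective_sshd_option "$1" PermitRootLogin)" \
        "$(effective_sshd_option "$1" PasswordAuthentication)"
}

# Constructed sample resembling a stock sshd_config, with a Match block that
# must survive. On a real host point this at /etc/ssh/sshd_config (as root)
# and run "sshd -t" before restarting the service.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin yes
#PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
harden_sshd "$SAMPLE"   # prints: PermitRootLogin=no PasswordAuthentication=no
```

Running it twice leaves the file unchanged, which is what you want from anything that ends up in a provisioning script.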

Get Tailscale

Tailscale is a WireGuard-based VPN that uses super-clever NAT traversal to put your devices on one virtual network, no matter where they are. That means my laptop and my servers can all chatter away on a pseudo-local network, without opening a single port on my router.

Tailscale recently released dedicated SSH support, which I now use to get into my servers from my development machine. Everything you need to do is extensively documented on their website.

Listen to Casey: you should really check out Tailscale.

And Cloudflare

Most of my public-facing sites are piped to the internet through a Cloudflare Tunnel, which saves me all the hassle of opening :80 and :443 to HTTP traffic. Cloudflare will also happily send SSH over those same tunnels, so I leave it running in the background just in case Tailscale fails.

Two is one and one is none, they tell me.

Shields Up

With two no-ingress ways to SSH into your server, we can finally set up an airtight firewall. Uncomplicated Firewall (ufw) is the tool for the job. It’s installed by default on Ubuntu, and on Debian you can get it like so:

sudo apt install ufw

Once installed, run three simple commands:

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable

And bingo, no more weirdo traffic jiggling your locks 24 hours a day.