Setting up and securing an Alpine Linux VPS

Johan Book
Dec 22, 2022

This article will explain the process of setting up and securing a Linux server and is my own go-to guide for getting it done.

Let us start by provisioning the VPS. I will use an Alpine system here, but the guide applies to any Linux system apart from a few differences that I will point out.

The first thing is to obtain a shell on the VPS. This is either provided by the cloud provider or reached over plain SSH. As we should not be using the root user for longer than needed, let us add a new user by running:

useradd --create-home <name>
passwd <name>

Add the user to the sudoers file using visudo.

Securing SSH

As we likely want to keep using SSH to access our VPS, we need to secure it. Start by generating an SSH key pair on your local machine with ssh-keygen and copy the public key to the VPS using e.g. scp. Add the public key to our user's authorized keys by running the following. The chmod lines keep the directory and file private to the user, which sshd expects before it will accept the key.

mkdir -p ~/.ssh
chmod 700 ~/.ssh
cat <PUBLIC_KEY> >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Next up, there are several important settings to change in /etc/ssh/sshd_config (assuming the OpenSSH implementation). Do the following:

  • Change the port to a random high-numbered port to avoid automated scans for SSH vulnerabilities, for example Port 1234.
  • Disable root login using PermitRootLogin no.
  • Disable password login using PasswordAuthentication no.
  • Allow only our user to log in using AllowUsers <USER>.

Once this is in place, restart the SSH daemon. Using Alpine's OpenRC, this is done with service sshd restart. Although it typically won't, there is a risk that it logs you out of your current SSH session.
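Before restarting, it helps to check that the file really says what the list above asks for. The script below is an added example, not part of the original article: it audits an sshd_config-style file against the four settings, and the function names and sample config are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are made up here.

# values FILE KEYWORD: print every global value of KEYWORD, one per line.
# Keywords are case-insensitive. Parsing stops at the first Match block,
# because settings inside it only apply conditionally.
values() {
    awk -v key="$2" '
        { sub(/=/, " ") }                  # also handle the keyword=value form
        /^[ \t]*#/ || NF == 0 { next }     # comments and blank lines
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# sshd keeps the first value it reads for these keywords, so a later
# "PasswordAuthentication no" does not override an earlier "yes".
first_value() { values "$1" "$2" | head -n 1 | tr 'A-Z' 'a-z'; }

check() {  # check LABEL ok|bad
    if [ "$2" = ok ]; then echo "PASS $1"; else echo "FAIL $1"; fails=$((fails + 1)); fi
}

# audit_sshd FILE USER: report each setting, return the number of failures.
# Unset keywords fail: the defaults (port 22, passwords allowed, no user
# restriction) are not the hardened values.
audit_sshd() {
    fails=0
    # Port may be repeated and sshd listens on every one, so check them all.
    case " $(values "$1" Port | tr '\n' ' ') " in
        "  "|*" 22 "*) check "Port moved off 22" bad ;; *) check "Port moved off 22" ok ;; esac
    for kw in PermitRootLogin PasswordAuthentication; do
        case "$(first_value "$1" "$kw")" in
            no) check "$kw no" ok ;; *) check "$kw no" bad ;; esac
    done
    # AllowUsers may appear on several lines; the lists accumulate.
    case " $(values "$1" AllowUsers | tr '\n' ' ') " in
        *" $2 "*) check "AllowUsers lists $2" ok ;; *) check "AllowUsers lists $2" bad ;; esac
    return "$fails"
}

# Constructed sample: looks hardened at a glance, but the first
# PasswordAuthentication line wins and AllowUsers sits inside a Match block.
sample=$(mktemp)
printf '%s\n' 'Port 1234' 'PermitRootLogin no' 'PasswordAuthentication yes' \
    'PasswordAuthentication no' 'Match Address 10.0.0.0/8' '    AllowUsers deploy' > "$sample"
audit_sshd "$sample" deploy || echo "$? setting(s) differ from the guide"
rm -f "$sample"
```

The script does not follow Include directives or evaluate AllowUsers patterns; on the server itself, sshd -T prints the effective configuration that the daemon would use.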

Set up a firewall

The next stage is putting a firewall in place. For this I usually go for ufw. We can configure it using:

apk add ufw
ufw default deny incoming
ufw default allow outgoing
ufw allow <SSH>/tcp
ufw enable

Here <SSH> is your high-numbered SSH port. This will open the port for both IPv4 and IPv6.

If the VPS is to be used as a web server, you can also run ufw allow http/tcp and ufw allow https/tcp.

Installing fail2ban

To mitigate brute-force attacks, we will install fail2ban like so:

apk add fail2ban
rc-update add fail2ban
/etc/init.d/fail2ban start

For Alpine, this comes with predefined filters for SSH.

Conclusion

Setting up a VPS is pretty straightforward.

Written by Johan Book

I am a frontend engineer who likes to dabble in philosophy, AI and IT security
