Skip to content

Instantly share code, notes, and snippets.

@gquittet

gquittet/vps_setup.md

Last active June 11, 2025 22:35
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save gquittet/9deeabce7e143edb343fe0097cc8d420 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save gquittet/9deeabce7e143edb343fe0097cc8d420 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
vps_setup.md

VPS

Locale

Edit /etc/locale.conf to change LANG to en_US.UTF-8

LANG=en_US.UTF-8

Security

Update

sudo apt update
sudo apt upgrade

SSH

sudo vim /etc/ssh/sshd_config

Uncomment and change only the line

#Port 22

with a custom one between 49152 and 65535

Port 49166

Fail2Ban

sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo vim /etc/fail2ban/jail.local

Search [sshd] section and edit it like this with the custom SSH port

[sshd]
enabled = true
port = 49166
maxretry = 3
findtime = 15m
bantime  = 30m
logpath = %(sshd_log)s
backend = %(sshd_backend)s

Restart it

sudo systemctl restart fail2ban

Firewall

Enable only HTTP, HTTPS and custom SSH port

sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw allow http
sudo ufw allow https
sudo ufw allow 49166/tcp

Then enable it

sudo ufw enable

To delete a rule list them and use the delete command:

sudo ufw status numbered
sudo ufw delete 3

Docker

Follow this page to remove conflicting packages and install docker

https://docs.docker.com/engine/install/ubuntu/

Customize docker IP address, edit /etc/docker/daemon.json + tweak log files size

{
  "bip": "172.30.0.1/16",
  "default-address-pools": [
    {"base":"172.31.0.0/16","size":24}
  ],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "20m",
    "max-file": "5"
  }
}

Restart docker

sudo systemctl restart docker

Postgres

Install the database

sudo apt install postgresql

Connect to it + create the user

sudo -i -u postgres psql

Create a custom user

CREATE USER my_user_name WITH CREATEDB ENCRYPTED PASSWORD 'my_secret_password';

Create the database

create database my_database with owner="my_user_name" encoding='utf8' lc_collate='en_US.utf8' lc_ctype='en_US.utf8';

Allow connection from outside

sudo vim /etc/postgresql/16/main/pg_hba.conf

Add these lines

# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   my_database     my_user_name                            scram-sha-256
host    my_database     my_user_name    0.0.0.0/0               scram-sha-256

The scram-sha-256 method is useful to avoid to show the password in plain text when connecting to the database.

sudo vim /etc/postgresql/16/main/postgresql.conf

Change these lines

listen_addresses = '*'                  # (change requires restart)
port = 54321                            # (change requires restart)

Increase the number of maximum connections (40 per instance)

max_connections = 120                   # (change requires restart)

Restart the database

sudo systemctl restart postgresql

Allow Docker + my public IP address to access to the database

sudo ufw allow from 172.31.0.0/16 proto tcp to any port 54321
sudo ufw allow from 1.2.3.4 proto tcp to any port 54321

Cron to clean /tmp

Clean all files older than 10 minutes

*/5 * * * *	find /tmp/ -maxdepth 1 -type f -mmin +10 -delete
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment