Arch Linux VPS: first settings

Introduction

Build a VPS server with Arch Linux, a simple, minimalist distribution that is nonetheless one of the relatively major Linux distributions.

The settings introduced here should make working in the Command Line Interface (CLI) more comfortable.

Future articles assume these settings, so if your environment differs, please adapt the steps accordingly.

Required equipment

The environment required to follow this tutorial is:

・A PC that can run a Bash shell
・An Arch Linux VPS development environment
・A tough heart

Tools used

Global

Microsoft Surface Laptop 3 – 13.5

New Microsoft Surface Laptop 3 – 15

NEW Microsoft Surface Pro X – 13

Japan

Microsoft Surface Laptop 3 13.5 inch

Microsoft Surface Laptop 3 15 inch

Microsoft Surface Pro X

Services and equipment used this time

These are the services used in this environment. Matching them should improve reproducibility.

How to open vps server with Conoha VPS / Conoha VPS initial setup: how to connect by SSH (Japanese)

I do not run the server on a home server, so I am using a company's service, but if you can build a home server environment with a spare PC etc., you could probably set it up on a PC with Arch Linux installed and it should work.

SSH connection

Start an application that runs Bash or zsh. The previous articles below explain how to do this.

How to open vps server with Conoha VPS
YouTube
Blog https://prototype.tel/how-to-ssh-connect-vps-conoha-en

Conoha VPS initial setup: how to connect by SSH (Japanese)
YouTube
Blog https://prototype.tel/how-to-ssh-connect-vps-conoha-jp

Open Bash

See the previous articles on how to install Bash.

YouTube: How to install git bash
YouTube: How to install Git Bash (Japanese)

After starting Bash, type ssh root@???.???.???.??? and press Enter. (At this point root is the only account on the VPS; the article's original command omitted the root@ part, in which case ssh would try your local Windows user name instead.)

The ??? part is the IP address shown for the VPS you created.

When The authenticity of host '???.???.???.??? (???.???.???.???)' can't be established. ... Are you sure you want to continue connecting (yes/no/[fingerprint])? is displayed, type yes and press Enter.

When root@???.???.???.???'s password: is displayed, type the root password you set when creating the Arch VPS and press Enter.

If you see [root@localhost ~]#, the SSH connection succeeded.

Arch Linux initial setup

Make the following settings inside the SSH session.

Update the initial packages to the latest versions

pacman -Syu elinks

Type pacman -Syu elinks and press Enter. This updates Arch Linux to the latest packages (and installs elinks, a text-mode browser, along the way).

:: Proceed with installation? [Y/n]

is output, so type y and press Enter.

If you see ==> Image generation successful, the update succeeded.

Delete the package cache

Packages downloaded with pacman are placed in the /var/cache/pacman/pkg directory, and the files are kept there unless you remove them manually.

Even when a package is updated, the cache file of the old version remains.

Therefore, if you do not delete the files manually on a regular basis, the amount of storage used keeps growing.

I think this is an important but easily overlooked part of using Arch Linux. If you update and clear the cache regularly, you can run the server more stably.

Type pacman -Sc and press Enter. This clears the Arch Linux package cache.

:: Do you want to remove all other packages from cache? [Y/n]

Type y and press Enter.

:: Do you want to remove unused repositories? [Y/n]

Type y and press Enter.

Install nano

Install nano, a popular text editor that is intuitive and easy to use.

If you have another editor you are familiar with, feel free to install that instead.

Type pacman -S nano and press Enter. This installs nano.

:: Proceed with installation? [Y/n] is output. Type y and press Enter.

Colour setting

Colour output is enabled to improve the readability of the CLI. This step is optional.

Type nano /etc/pacman.conf and press Enter.

Delete the # from #Color in the editor so that it reads Color. Removing the # is called uncommenting the line, which enables the setting.

To undo the change, put the # back in front of Color so that it reads #Color again.

Optionally, you can change the download progress animation by adding ILoveCandy under # Misc options. This is purely cosmetic.

After making changes, press Ctrl + S to save.

Press Ctrl + X to exit nano.

Grant sudo privilege

Give superuser privileges to the ordinary user. Without this, the ordinary user cannot modify files owned by root.

Type pacman -S sudo and press Enter.

Type EDITOR=nano visudo and press Enter.

Delete the # from # %wheel ALL=(ALL) ALL in the editor so that it reads %wheel ALL=(ALL) ALL.

After making changes, press Ctrl + S to save.

Press Ctrl + X to exit nano.

Creating a general user

Create a general (non-root) user.

Type useradd -m -G wheel {Your username} and press Enter. (The article originally wrote -aG; useradd takes -G for the supplementary group list, while -a belongs to usermod, so useradd -aG fails with an invalid option error.)

useradd tip

Adding -m creates a folder named {Your username} under the home directory.

-G wheel adds {Your username} to the wheel group. Because of the %wheel ALL=(ALL) ALL line you uncommented in visudo, members of wheel can use sudo.

Even if you forget to add the group here, you can add or remove it later, but it is a hassle, so it is easier to set everything at once in the useradd step.

Add a password to the general user

Type passwd {Your username} and press Enter.

Type {any password you want} and press Enter.

Type {the same password again} and press Enter.

If you see passwd: password updated successfully, it worked.

Type su {the user name you just created} and press Enter.

This switches from the administrator (root) account to the general user.

Type cd and press Enter.

This moves to the general user's home directory.

Create .ssh

A brute force attack repeatedly tries large numbers of random user name and password combinations against login prompts such as web pages or SSH. Setting up SSH key authentication protects the server from such attacks and makes the server side more robust.

Currently, anyone in the world who knows the IP address and password can connect to the server. SSH key authentication creates a private key and restricts connections to PCs that hold that private key.

What is SSH authentication

Type mkdir .ssh and press Enter.

Type ls -a and press Enter. This lists all files, including hidden ones.

.bash_logout .bash_profile .bashrc .cache .ssh

Check that .ssh appears in the output.

Type exit and press Enter to log out (first from su back to root, then from the SSH session).

logout

Connection to ???.???.???.??? closed.

Repeat exit until Connection to ???.???.???.??? closed. is displayed; you are then logged out.

Public key authentication settings

Create a private key and public key in the local environment.

Almost all tutorials on the net create the private key with RSA. Here we create the key with Ed25519, which is stronger than RSA.

This tutorial uses Ed25519, an encryption technology that is stronger than RSA authentication and is also used in blockchains. This gives your server better protection.

However, even with RSA it is extremely difficult to break the key with the computing power of a PC, so I don't think the choice of algorithm needs to be a particular concern.

What is Ed25519 authentication

Output a random passphrase (optional)

Outputs a 16-character string of lowercase and uppercase letters, digits and symbols:

cat /dev/urandom | tr -dc 'a-zA-Z0-9!@#$%^&*()_+?><~\;' | fold -w 16 | head -n 1

If you are wondering what passphrase to use for the key, you can generate one with this.

Create the .ssh folder

The .ssh folder created earlier is inside the VPS. This time, create a .ssh folder in your home directory on the Windows side (in Git Bash).

Type cd and press Enter.

This moves to the logged-in user's home directory.

Type mkdir .ssh and press Enter.

Type ls -all and press Enter. This lists all files, including hidden ones.

Check that .ssh is listed. If you already have a .ssh folder from before, skip this step.

Main options of ssh-keygen

-t | Type: the key type to create, from "rsa" (default), "dsa", "ecdsa" and "ed25519"
-b | Bits: the number of bits of the key to create (default 2048 bits for RSA)
-a | Rounds: the number of KDF (Key Derivation Function) rounds used when protecting an ed25519 key with a passphrase. A larger number increases resistance to passphrase cracking but makes processing slower
-f | File: the file to create or read. Its meaning changes depending on the options used with it (usually a key file)
-p | Change the passphrase (interactively enter the old passphrase once and the new one twice). The old passphrase can be given with -P and the new one with -N
-N | New passphrase
-P | Old passphrase
-C | Comment (default is "username@hostname"; use -C "" to remove the comment)
-E | Fingerprint hash: "sha256" (default) or "md5"

-F | Host name: search the known_hosts file for the specified host and display the entry (the known_hosts file can be given with -f; the corresponding fingerprint can be shown with -l)
-H | Hash the host names in the known_hosts file (file via -f; the original is saved with the extension .old)
-R | Remove all keys belonging to the specified host name from known_hosts (file via -f)
-r | Display the fingerprint resource record for the specified host name (file via -f)

ssh-keygen conversion options

-i | Import: read an unencrypted private or public key file in another format, convert it to OpenSSH format and print it to standard output (the source format can be given with -m)
-e | Export: read an OpenSSH private or public key file and print it to standard output in RFC 4716 format or in the format given with -m (the source file is given with -f or interactively)
-m | Key format for -i (input) and -e (output): "RFC4716" (default), "PKCS8" or "PEM"
-y | Read an OpenSSH private key file and print the OpenSSH public key to standard output

ssh-keygen certificate options

-s | Sign a public key with the specified CA key
-I | Key identity: the identity string embedded in the certificate
-h | Create a host certificate instead of a user certificate when signing
-D | PKCS #11 library: specify the token library and download its public keys (*1)
-n | Principals: the user or host names to include in the certificate; several can be given
-O | Certificate options to use when signing (see the CERTIFICATES section of man ssh-keygen for details)
-V | Validity period when signing a certificate. Give the expiry as "YYYYMMDD" or "YYYYMMDDHHMMSS", or a "start:end" range separated by ":"; "+" and "-" may be used to express relative periods
-z | Serial number to embed in the certificate
-L | Display the contents of a certificate
-k | Generate a KRL (Key Revocation List) file (output file with -f, update an existing file with -u, CA key with -s, serial number with -z)
-Q | Check whether keys are listed as revoked in a KRL (run as ssh-keygen -Q -f KRL_file target_file)

*1 PKCS (Public-Key Cryptography Standards) is a set of public-key cryptography standards. PKCS #11 covers authentication using hardware devices such as smart cards.

Other ssh-keygen options

-A | Generate the host keys (/etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, ...) that do not yet exist (root privileges required)
-l | Display the fingerprint of a public key file
-B | Display the bubblebabble digest of a public or private key file
-q | Quiet: do not display messages
-v | Verbose: display detailed messages

Type cd .ssh and press Enter.

Type ssh-keygen -t ed25519 -b 4096 -C win -f id_ed25519_winarchvps and press Enter. This creates an Ed25519 key pair with a passphrase-protected private key. (The -b option is ignored for Ed25519, whose key size is fixed; it does no harm here.)

Enter passphrase (empty for no passphrase):

Type {a passphrase you will not forget} and press Enter.

Type {the same passphrase again} and press Enter.

+--[ED25519 256]--+
|E   ..o=*o.+o    |
|.   .oo+oo...    |
|....  o=..       |
| o+. o  =        |
|o .oo ooS.       |
|* ...+o oo       |
|oo.. o+o+o       |
| .   o+o+o       |
|      .o..       |
+----[SHA256]-----+

If a mysterious piece of ASCII art like this appears, it succeeded.

What does it mean? The human brain cannot remember a key fingerprint character by character, but if you remember the shape of the ASCII art as a picture, the picture changes when someone tampers with the key, so it is easier to notice. That is the idea.

Type ls and press Enter.

It is OK if the two files id_ed25519_winarchvps.pub and id_ed25519_winarchvps are there.

The one without .pub is the key, and the one with .pub is the keyhole.

It is safest never to upload or share the file without .pub (the private key) anywhere online, and never to delete it. If you delete it, you will no longer be able to connect to any server that holds the matching public key.

Type cat id_ed25519_winarchvps.pub and press Enter.

Copy the whole line that starts with ssh-ed25519 and ends with win (your public key) and make a note of it somewhere.

If you share your PC with someone

Set .ssh so that no one other than the user logged in locally on your PC can read or write it.

If you do not share your PC with anyone, this may not be necessary.

Type cd .. and press Enter. This goes back one level.

Type chmod 700 .ssh and press Enter. This prevents other users from accessing the .ssh files.


SSH connection as a general user

Now connect to the VPS by SSH as the general user.

Type ssh {general user name you created}@???.???.???.??? and press Enter.

Example

If you created the user with useradd -m -G wheel ya10-810, the command is ssh ya10-810@???.???.???.???.

{username}@???.???.???.???'s password: is displayed. Type the password you set when creating the general user and press Enter.

If you see [{username}@localhost ~]$, the SSH connection succeeded.

Type nano .ssh/authorized_keys and press Enter. This opens (creates) the authorized_keys file.

Paste the ssh-ed25519 ... win line (the public key) you noted earlier.

After making changes, press Ctrl + S to save.

Press Ctrl + X to exit nano.

Type chmod 700 .ssh/ and press Enter. This denies access to .ssh to every user other than the owner.

Type chmod 600 .ssh/authorized_keys and press Enter. Only the owner can read and write the file; sshd ignores an authorized_keys file that other users can write.
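An added example (not from the original article) that checks the layout just created on the VPS: .ssh must be mode 700, authorized_keys mode 600, and every line must be a well-formed ssh-ed25519 public key. The function names are my own, and the demo at the bottom uses a constructed dummy key in a temporary home directory.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: check that the .ssh directory
# and authorized_keys just created on the VPS have the modes the tutorial sets
# (700 and 600) and that every key line is a well-formed ssh-ed25519 key.
# Function names and the demo data are the example author's own assumptions.

# valid_ed25519_line LINE: true if LINE is "ssh-ed25519 <base64> [comment]" and
# the base64 decodes to the 51-byte OpenSSH blob (length-prefixed type string
# "ssh-ed25519" followed by a length-prefixed 32-byte public key).
valid_ed25519_line() {
    local line="$1" b64 blob_len
    set -f; set -- $line; set +f          # split into type, key data, comment
    [ "${1:-}" = "ssh-ed25519" ] || return 1
    b64="${2:-}"
    blob_len=$(printf '%s' "$b64" | base64 -d 2>/dev/null | wc -c)
    [ "$blob_len" -eq 51 ] || return 1
    # bytes 4..14 of the blob must repeat the key type string
    [ "$(printf '%s' "$b64" | base64 -d | head -c 15 | tail -c 11)" = "ssh-ed25519" ]
}

# check_ssh_setup HOME: prints one problem per line, returns 0 only if clean.
check_ssh_setup() {
    local home="$1" rc=0 mode line n=0
    mode=$(stat -c '%a' "$home/.ssh" 2>/dev/null) || { echo "missing $home/.ssh"; return 1; }
    [ "$mode" = "700" ] || { echo ".ssh mode is $mode, expected 700"; rc=1; }
    mode=$(stat -c '%a' "$home/.ssh/authorized_keys" 2>/dev/null) \
        || { echo "missing authorized_keys"; return 1; }
    [ "$mode" = "600" ] || { echo "authorized_keys mode is $mode, expected 600"; rc=1; }
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac   # sshd skips blanks and comments
        valid_ed25519_line "$line" || { echo "line $n is not a valid ssh-ed25519 key"; rc=1; }
    done <"$home/.ssh/authorized_keys"
    return $rc
}

# Constructed demo key: the real blob layout with an all-zero 32-byte key, so it
# is well-formed for the parser above but obviously not a usable key.
DEMO_B64=$( { printf '\0\0\0\013ssh-ed25519\0\0\0\040'; head -c 32 /dev/zero; } | base64 -w0 )
DEMO_KEY="ssh-ed25519 $DEMO_B64 win"

# Demo: a temporary home directory laid out the way the tutorial does it.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/.ssh"
printf '%s\n' "$DEMO_KEY" >"$demo_home/.ssh/authorized_keys"
chmod 700 "$demo_home/.ssh"
chmod 600 "$demo_home/.ssh/authorized_keys"
check_ssh_setup "$demo_home" && echo "OK: $demo_home passes"
```

On the VPS itself, run check_ssh_setup "$HOME" as the general user after the chmod steps above.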

Limiting connections to the VPS in sshd_config

Set up access restrictions on the VPS.

What we will do this time:
・Change the login port from 22
・Disallow root login
・Disallow login using a password

Type sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config-old and press Enter. This makes a backup (optional).

Type sudo nano /etc/ssh/sshd_config and press Enter.

[sudo] password for {username}: is displayed. Type the password you set when creating the general user and press Enter.

Change the file as follows.

Changes

#Port 22
↓
Port 22222
----------
PermitRootLogin yes
↓
PermitRootLogin no
----------
PasswordAuthentication yes
↓
PasswordAuthentication no

After making changes, press Ctrl + S to save.

Press Ctrl + X to exit nano.

Tip for port numbers

When changing the connection port, be sure to remove the # so that the Port line takes effect. Pick a port number at random from 49152 to 65535. The examples in this article use 22222 and 56789, but choose your own number.

Typical port numbers and protocols

・TCP 20: FTP (data)
・TCP 21: FTP (control)
・TCP 22: SSH
・TCP 23: Telnet
・TCP 25: SMTP
・UDP 53: DNS
・UDP 67: DHCP (server)
・UDP 68: DHCP (client)
・TCP 80: HTTP
・TCP 110: POP3
・UDP 123: NTP
・TCP 443: HTTPS

Well-known port numbers

Ports actually range from 0 to 65535, but 0 to 1023 are called "well-known port numbers". These are managed by an organization called IANA.

Because these port numbers are so well known, they are also the ones most often probed by attackers.

Of the port numbers used for TCP/IP and UDP communication, these are reserved for major services and protocols.

Major services typically have fixed port numbers, such as 80 for HTTP and 22 for SSH.

It is also possible to edit each service's configuration file and change the port it listens on. You may deliberately change the port number for security reasons, but normally the well-known port is used.

Registered port numbers

1024 to 49151. These are also managed by IANA.

This is the range that particular applications are expected to use. IANA accepts registrations and publishes the list.

Other port numbers

49152 to 65535 are port numbers that users can use freely. No registration with IANA is needed.

There is no fixed assignment of "which service runs on which port" in this range, so these ports can be managed freely and used in place of a well-known port. We recommend choosing the SSH port from this range.

Type sudo systemctl restart sshd and press Enter. The change takes effect once sshd is restarted. Do this every time you change sshd_config. Before closing this session, open a second terminal and confirm that you can still log in with the key on the new port, so that a mistake in the file does not lock you out.

Type exit and press Enter to log out of the SSH session.

Repeat exit until Connection to ???.???.???.??? closed. is displayed; you are then logged out.
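An added example (not part of the article or of OpenSSH) that applies the three sshd_config changes above to a file and reads them back, so the result can be checked before sshd is restarted. The function names are mine; the short sample config at the bottom is constructed, and lines inside Match blocks are deliberately left alone.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: apply the three sshd_config
# changes (Port, PermitRootLogin no, PasswordAuthentication no) to a file and
# read them back, so the result can be checked before sshd is restarted.
# Function names are the example author's own assumptions, not OpenSSH tooling.

# set_sshd_option FILE KEY VALUE
# Rewrites the first "KEY ...", "#KEY ..." or "# KEY ..." line (sshd keys are
# case-insensitive), drops later duplicates, and appends the line if absent.
# Lines inside "Match" blocks are left untouched so per-user rules survive.
set_sshd_option() {
    local file="$1" key="$2" value="$3" tmp
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        /^[[:space:]]*[Mm]atch[[:space:]]/ {
            if (!in_match && !seen) { print key " " value; seen = 1 }  # insert before Match
            in_match = 1
        }
        !in_match && (tolower($0) ~ ("^[[:space:]]*#?[[:space:]]*" tolower(key) "([[:space:]]|$)")) {
            if (!seen) { print key " " value; seen = 1 }   # first hit: rewrite it
            next                                            # later duplicates: drop
        }
        { print }
        END { if (!seen) print key " " value }              # not present: append
    ' "$file" >"$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEY: print the effective global value (first uncommented
# occurrence before any Match block), or nothing if it is not set.
get_sshd_option() {
    awk -v key="$2" '
        /^[[:space:]]*[Mm]atch[[:space:]]/ { exit }
        !/^[[:space:]]*#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# harden_sshd_config FILE PORT: the three changes made in the tutorial.
harden_sshd_config() {
    local file="$1" port="$2"
    case $port in *[!0-9]*|'') echo "port must be a number" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port $port is outside 1-65535" >&2; return 1
    fi
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PasswordAuthentication no
}

# Demo on a constructed sample config (a real sshd_config is much longer).
demo=$(mktemp)
printf '%s\n' '#Port 22' 'PermitRootLogin yes' '#PasswordAuthentication yes' \
    'Match User backup' 'PasswordAuthentication yes' >"$demo"
harden_sshd_config "$demo" 22222
printf 'Port=%s PermitRootLogin=%s PasswordAuthentication=%s\n' \
    "$(get_sshd_option "$demo" Port)" "$(get_sshd_option "$demo" PermitRootLogin)" \
    "$(get_sshd_option "$demo" PasswordAuthentication)"
```

On the VPS, run the functions as root against /etc/ssh/sshd_config, then sudo sshd -t to syntax-check the file before the restart; if a firewall is active on the VPS, the new port must be allowed there as well.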

Make the config file

Create a config file to reduce the effort required for each SSH connection. The connection method below depends on this file.

Type cd and press Enter. This moves to your home directory on the Windows side.

Type nano .ssh/config and press Enter.

Host vps
 HostName ???.???.???.???
 Port 22222
 User {general user name you created}
 IdentityFile ~/.ssh/id_ed25519_winarchvps

Write in the contents above.

HostName is the IP address given when you created the VPS.

{general user name you created} is the general user name you created inside the VPS.

After making changes, press Ctrl + S to save.

Press Ctrl + X to exit nano.

From now on, to connect to the VPS, type ssh vps and press Enter.

Enter passphrase for key '/c/Users/admin/.ssh/id_ed25519_winarchvps': is displayed; enter the passphrase you set when creating id_ed25519_winarchvps.

This concludes the tutorial on the rather tedious initial setup of a VPS server.

Thank you for reading until the end. I would be glad if you can use it as a reference.

English: How to open vps server with Conoha VPS

Japanese: Conoha VPS initial setup: how to connect by SSH

Support me

We will continue to publish useful information. If you don't mind, please donate. If you donate, I will be happy enough to jump.