# Your new VPS is provisioned, what is the first thing you do once you connect?



## MannDude (Jun 25, 2013)

Curious to see how everyone responds.

For me, right after logging in via SSH for the first time I just immediately do:


```
apt-get update && apt-get upgrade -y
```

and then do whatever else I need to do for whatever I plan on using the VPS for.

What about you?


----------



## kaniini (Jun 25, 2013)

I just install whatever I want because unless my VPSes are with an external provider, they are built from scratch each time with the latest updates. 

Usually I start with build-essential or build-base package to bring in a C/C++ toolchain.


----------



## MartinD (Jun 25, 2013)

change the root password and reboot


----------



## D. Strout (Jun 25, 2013)

Either apt-get update/upgrade or put my public key on and disable password logins in SSH. One of the two, those always come first. Then installations of needed packages and putting data on.


----------



## nunim (Jun 25, 2013)

I'm surprised that no one has mentioned this yet..


```
free -m  && ps -aux
apt-get remove apache* bind9* sasl* samba* sendmail* exim*
apt-get update && apt-get upgrade
reboot
...
free -m
```

I usually run my setup script though, just does most of that and a little more like changing SSH ports, then I figure out what I'm going to do with that VPS...


----------



## Marc M. (Jun 25, 2013)

dd bs=1M count=128 if=/dev/zero of=test conv=fdatasync - will most likely be cached

dd bs=1M count=512 if=/dev/zero of=test conv=fdatasync - will most likely be cached

dd bs=1M count=1024 if=/dev/zero of=test conv=fdatasync - will possibly be cached

dd bs=1M count=2048 if=/dev/zero of=test conv=fdatasync - this is very unlikely to be cached entirely, run it 3 times and make sure you get consistent results.

Look for consistent results 

All joking aside, change your root password first, do basic house keeping, adjust security settings, update.


----------



## kaniini (Jun 25, 2013)

Marc M. said:


> dd bs=1M count=128 if=/dev/zero of=test conv=fdatasync - will most likely be cached
> 
> dd bs=1M count=512 if=/dev/zero of=test conv=fdatasync - will most likely be cached
> 
> ...


dd tests are not a scientifically useful benchmark.  if you're going to benchmark, do ioping instead, at least then you can test the latency guarantees of the underlying host.


----------



## Tux (Jun 25, 2013)

```
apt-get update
apt-get dist-upgrade
wget https://github.com/Xeoncross/lowendscript/raw/master/setup-debian.sh
chmod +x setup-debian.sh
./setup-debian.sh system
apt-get install rsyslog
sed -i "s/PermitRootLogin yes/PermitRootLogin no/g" /etc/ssh/sshd_config
sed -i "s/\#PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
service ssh restart
```


----------



## MannDude (Jun 25, 2013)

kaniini said:


> dd tests are not a scientifically useful benchmark.  if you're going to benchmark, do ioping instead, at least then you can test the latency guarantees of the underlying host.


I think he was joking


----------



## shawn_ky (Jun 25, 2013)

Change password, update, add my favorite text editor (joe)


----------



## tdc-adm (Jun 25, 2013)

Run minstall script.


----------



## D. Strout (Jun 25, 2013)

tdc-adm said:


> Run minstall script.


Aside from Apache (which I usually use), what does minstall (or a minimal template) remove?


----------



## perennate (Jun 25, 2013)

```
passwd
apt-get update; apt-get upgrade
apt-get install libboost-all-dev zip unzip build-essential libgmp3-dev libmysql++-dev screen emacs23-nox nmap mysql-client subversion libbz2-dev htop iftop fail2ban git php5-mcrypt language-pack-en tasksel php-pear
tasksel install lamp-server
pear install Net_SMTP Mail
```


----------



## OnePoundWebHosting (Jun 25, 2013)

change SSH port, root password, yum update, reboot


----------



## Maximum_VPS (Jun 25, 2013)

Change ssh port, disable root login, RSA key, yum update & upgrade, reboot.


----------



## mikho (Jun 25, 2013)

D. Strout said:


> Aside from Apache (which I usually use), what does minstall (or a minimal template) remove?


If you run the "clean-packages" this is what you will end up with: https://github.com/KnightSwarm/Minstall/blob/2.5.7/modules/clean-packages/debian/base


You can add/remove packages as you see fit from the custom file and it will be included.


So basically you can save your own settings and have the same settings on every VPS that you like.


My first steps are minstall, change root password ... Then it depends on what I will use the VPS for.


----------



## Magiobiwan (Jun 25, 2013)

My first steps are usually package updates, then change root pass, then add my SSH keys. Then I run a setup script I've put together (as of recently) to install/uninstall things that I either need or don't need.


----------



## Aldryic C'boas (Jun 25, 2013)

```
mkfs.ext2 /dev/sda1
mkfs.ext3 /dev/sda3
mkswap /dev/sda2 && swapon /dev/sda2
mount /dev/sda3 /mnt/gentoo
```


----------



## johnlth93 (Jun 25, 2013)

mine would be echo 'my prepared source list' > /etc/apt/sources.list then only apt-get update upgrade and stuff


----------



## DalComp (Jun 25, 2013)

free -m

df -h

some dd

some speedtest

some ioping

occasionally, run serverbear instead

exit

Let it idle

Come back the next day if I still remember I have one.


----------



## Shados (Jun 25, 2013)

Aldryic C said:


> mkfs.ext2 /dev/sda1
> mkfs.ext3 /dev/sda3
> mkswap /dev/sda2 && swapon /dev/sda2
> mount /dev/sda3 /mnt/gentoo


Need moar Funtoo for dat git-backed portage tree.


----------



## D. Strout (Jun 25, 2013)

DalComp said:


> Come back the next day if I still remember I have one.


Too true. Too true.


----------



## GVH-Jon (Jun 25, 2013)

I install zPanel and then I stuff as much data on it as possible. Then I log into SSH and I type in rm -rf and then I log out. Then I jump out the window for being so stupid but I make sure I land on grass.

Just kidding

The first thing I do when I connect would be to do some security hardening.


----------



## drmike (Jun 25, 2013)

kaniini said:


> do ioping instead, at least then you can test the latency guarantees of the underlying host.


 

I'm a fan of looking at ioping also.   But, it really has problems when SSD or SSD caching is on the node.


----------



## thuvienvps (Jun 26, 2013)

free -m

top

ps aux

./bench.sh

serverbear bench

let it idle


----------



## Mun (Jun 26, 2013)

execute passwd in the console and change my password.


----------



## NodeBytes (Jun 26, 2013)

Considering I'm on dedi's... I build my own OVZ/KVM Vm's and install all the security I need before it's officially "provisioned" to the main live server.


----------



## H4G (Jun 27, 2013)

```
yum install nano
```


----------



## Lanarchy (Jun 27, 2013)

Change root password, make another account, add it to sudoers and prevent root from sshd


----------



## wlanboy (Jun 27, 2013)

Play around with it. Try everything I did not want to do on my production vps.

The feeling you have a free trial because you are starting from zero and you can easily start from zero again is great.

Afterwards I do a reinstall and build up the system for which I have bought the vps.


----------



## notFound (Jun 27, 2013)

```
service iptables stop
chkconfig iptables off

echo 'SELINUX=disabled' > /etc/selinux/config
echo 'SELINUXTYPE=targeted' >> /etc/selinux/config

mkdir ~/.ssh ; echo ssh-rsa .......== [email protected] >> .ssh/authorized_keys ; echo ssh-dss ......= [email protected] >> .ssh/authorized_keys

chmod 600 .ssh/authorized_keys

cat >> /etc/ssh/sshd_config <<END
Port 5---
TCPKeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 99999
PasswordAuthentication no
END

service sshd restart

sed -i 's/plugins=1/plugins=0/' /etc/yum.conf

yum -y update
yum -y install mlocate traceroute wget jwhois openssh-clients wget rsync bind-utils mtr syslog-ng htop iotop nohup vnstat tmux

echo "* * * * * root vnstat -u -i eth0" >>/etc/crontab

ln -sf /usr/share/zoneinfo/Europe/London /etc/localtime
```

Got a bit more but couldn't be asked to paste it all from my little script.


----------



## trexos (Jun 27, 2013)

1) passwd root
2) apt-get update && apt-get upgrade
3) apt-get install htop
4) reboot
5) benchmark stuff


----------



## serverian (Jun 27, 2013)

```
halt
```


----------



## sleddog (Jun 27, 2013)

At an SSH login:

1. Setup an iptables firewall, particularly for SSH.

2. Set a new root password.

3. Review installed services and remove those I won't be using.

4. Update.

5. Configure for the intended use.

6. Use


----------



## Kruno (Jun 27, 2013)

```
# yum update -y
# passwd root
# reboot
```


----------



## Aldryic C'boas (Jun 27, 2013)

serverian said:


> ```
> halt
> ```




```
hammerzeit
```


----------



## Naruto (Jun 27, 2013)

flood.pl 216.246.49.26 0 0 0


----------



## notFound (Jun 27, 2013)

Naruto said:


> flood.pl 216.246.49.26 0 0 0


Some idiot is going to actually try that, and you forgot it's meant to be usefulScript.pl.


----------



## Derek (Jun 27, 2013)

I usually execute a couple of bash scripts that install the things I need at that moment.


----------



## 7ropics (Jun 27, 2013)

```
wget -O /dev/null http://cachefly.cachefly.net/100mb.test
```


----------



## jcaleb (Jun 27, 2013)

buy and don't ever login


----------



## peterw (Jun 28, 2013)

Simple security 

Cleanup your OpenVZ Ubuntu image 

Set up VPN server on Debian based systems 

Mailserver with nullmailer


----------



## DamienSB (Jun 28, 2013)

dd if=/dev/zero of=test bs=6400k count=160k conv=fdatasync; unlink test


----------



## Corporal Clegg (Jun 29, 2013)

Add saltstack repo, install salt-minion and logout.

Run one command on salt-master hosted on a @prometeus biz vps - all done


----------



## EarthVPN (Jun 29, 2013)

Checking if Selinux was enabled.


----------



## Chronic (Jun 29, 2013)

ServerBear benchmarking -> Minstall -> Start working on whatever you planned to use it for, but stop halfway -> Idle.


----------



## simplenode (Jun 29, 2013)

Update then speedtest.


----------



## concerto49 (Jul 2, 2013)

Update, remove useless applications and then leave the session open.


----------



## Lanarchy (Jul 2, 2013)

Change root password, install half of the things that I was planning on using it for, forget about the VPS and not touch it again.


----------



## sv01 (Jul 2, 2013)

Check memory and hard disk to make sure they fit with what was advertised.

```
free -m; df -h
```

securing (a bit) /tmp

update and upgrade

```
apt-get update; apt-get upgrade
```

check .ssh/authorized_keys  yes always

check user on vps

then install software that I need.


----------



## stim (Jul 3, 2013)

I run my install script.


----------



## peterw (Jul 3, 2013)

sv01 said:


> check .ssh/authorized_keys  yes always


Are there any providers having templates with authorized keys?!


----------



## dmmcintyre3 (Jul 18, 2013)

For KVM, Xen, dedis, etc:


```
curl http://xx.xx.xx.xx/setup.sh|bash
```

or for OVZ:

```
curl http://xx.xx.xx.xx/setup-vz.sh|bash
```

I know, not too helpful.


----------



## SeriesN (Jul 18, 2013)

dmmcintyre3 said:


> For KVM, Xen, dedis, etc:
> 
> 
> curl http://xx.xx.xx.xx/setup.sh|bash
> ...


Now only if someone posted the content of those bash scripts . Hmmmm


----------



## dmmcintyre3 (Jul 19, 2013)

SeriesN said:


> Now only if someone posted the content of those bash scripts . Hmmmm



setup.sh:

```
#!/bin/sh
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
yum -y update
yum -y install nano mlocate traceroute jwhois logwatch openssh-clients wget rsync bind-utils mtr syslog-ng
yum erase -y postfix sendmail rsyslog
yum install exim cronie -y
service iptables stop
service ip6tables stop
chkconfig iptables off
chkconfig ip6tables off
>/etc/sysconfig/iptables
>/etc/sysconfig/ip6tables
setenforce 0
yum -y install ntp
ntpdate -u x2la01.hostigation.com
echo "23 */4 * * * root ntpdate -u x2la01.hostigation.com >/dev/null" >>/etc/crontab
echo "ntpdate -u x2la01.hostigation.com">>/etc/rc.local
echo "* * * * * root vnstat -u -i eth0" >>/etc/crontab
ln -s /usr/bin/nano /usr/bin/pico
echo 'SELINUX=disabled' > /etc/selinux/config
echo 'SELINUXTYPE=targeted' >> /etc/selinux/config
echo 'compress' >> /etc/logrotate.conf
echo '*: root' >>/etc/aliases
echo 'root: [email protected]' >>/etc/aliases
newaliases
chkconfig crond on
chkconfig exim on
service exim start
service crond start
yum install vnstat -y
echo "Port 3409">>/etc/ssh/ssh_config
echo "Port 3409">>/etc/ssh/sshd_config
ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
ssh xx.xx.xx.xx /scripts/sshsetup.sh `hostname -s` `curl http://ifconfig.me/`
```

setup-vz.sh:


```
#!/bin/sh
 
 
if [ "$(grep " privvmpages " /proc/user_beancounters | awk '{print $4}')" -lt 65280 ]
then
  echo "Low memory allocation limit on OVZ detected"
  sed -i 's/plugins=1/plugins=0/' /etc/yum.conf
fi
 
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
yum -y update
yum -y install nano mlocate traceroute jwhois logwatch openssh-clients wget rsync bind-utils mtr syslog-ng
yum erase -y postfix sendmail rsyslog
yum install exim cronie -y
service iptables stop
service ip6tables stop
chkconfig iptables off
chkconfig ip6tables off
>/etc/sysconfig/iptables
>/etc/sysconfig/ip6tables
echo "* soft stack 256" >/etc/security/limits.conf
echo "* * * * * root vnstat -u -i venet0" >>/etc/crontab
ln -s /usr/bin/nano /usr/bin/pico
echo 'SELINUX=disabled' > /etc/selinux/config
echo 'SELINUXTYPE=targeted' >> /etc/selinux/config
echo 'compress' >> /etc/logrotate.conf
echo '*: root' >>/etc/aliases
echo 'root: [email protected]' >>/etc/aliases
newaliases
chkconfig crond on
chkconfig exim on
service exim start
service crond start
yum install vnstat -y
echo "Port 3409">>/etc/ssh/ssh_config
echo "Port 3409">>/etc/ssh/sshd_config
ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
ssh xx.xx.xx.xx /scripts/sshsetup.sh `hostname -s` `curl http://ifconfig.me/`
```
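
Added example, not part of dmmcintyre3's scripts or any other post: Tux's sed edits, notFound's `cat >> /etc/ssh/sshd_config` and the `echo "Port 3409" >>` lines above all change sshd settings by pattern or by appending, and this check shows which value sshd would actually use afterwards. The function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# sshd_config(5): for each keyword the FIRST value found is used, so a line
# appended at the end loses to an earlier uncommented one. Port is the
# exception: every Port line adds another listening port.

# effective_value FILE KEYWORD -> first value in the global (pre-Match) section
effective_value() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == tolower(want) { print $2; exit }
    ' "$1"
}

# listen_ports FILE -> every global Port value, space separated
listen_ports() {
    awk '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "port" { printf "%s%s", sep, $2; sep = " " }
    ' "$1"
}

# audit FILE -> prints findings; returns 0 only if both settings are "no"
audit() {
    rc=0
    for kw in PasswordAuthentication PermitRootLogin; do
        val=$(effective_value "$1" "$kw")
        # an unset keyword falls back to sshd's built-in default, so flag it
        [ "$val" = "no" ] || { echo "WEAK: $kw is '${val:-unset}'"; rc=1; }
    done
    echo "ports: $(listen_ports "$1")"
    return $rc
}

# Constructed sample config (not taken from any real host)
BASE=$(mktemp); SAMPLE=$(mktemp); FIXED=$(mktemp)
printf 'Port 22\n#PermitRootLogin yes\nPasswordAuthentication yes\n' > "$BASE"

# The thread's sed edits: the first only rewrites the comment, the second
# finds no commented line to replace
sed -e 's/PermitRootLogin yes/PermitRootLogin no/g' \
    -e 's/#PasswordAuthentication yes/PasswordAuthentication no/g' \
    "$BASE" > "$SAMPLE"
# The thread's append style
printf 'PasswordAuthentication no\nPort 3409\n' >> "$SAMPLE"
audit "$SAMPLE" || echo "=> edits ran without error but logins are still open"

# Same file with the directives placed first, where they win
{ printf 'PasswordAuthentication no\nPermitRootLogin no\n'; cat "$SAMPLE"; } > "$FIXED"
audit "$FIXED" && echo "=> hardened"
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative version of this check.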


----------



## D. Strout (Jul 20, 2013)

peterw said:


> Are there any providers having templates with authorized keys?!


Actually, IIRC BuyVM has that file for the root user, at least on the OpenVZ templates. It might be blank, though.


----------



## kaniini (Jul 21, 2013)

D. Strout said:


> Actually, IIRC BuyVM has that file for the root user, at least on the OpenVZ templates. It might be blank, though.


We are debating adding the ability to preinstall a customer supplied keychain when they do an installation.  OVH does that on their servers, it's kind of a neat feature.


----------



## eva2000 (Jul 21, 2013)

Install my Centmin Mod script http://centminmod.com  



```
wget http://centminmod.com/download/centmin-v1.2.3-eva2000.03.zip
unzip centmin-v1.2.3-eva2000.03.zip
cd centmin-v1.2.3mod
chmod +x centmin.sh
./centmin.sh
```

then hit menu option #1

```
--------------------------------------------------------
Centmin Mod 1.2.3-eva2000.03 - http://centminmod.com
--------------------------------------------------------
Centmin Mod Menu 
--------------------------------------------------------
1). Centmin Install
2). Add Nginx vhost domain
3). NSD setup domain name DNS
4). Nginx Upgrade / Downgrade
5). PHP Upgrade / Downgrade
6). XCache Re-install
7). APC Cache Re-install
8). XCache Install
9). APC Cache Install
10). Memcached Server Re-install
11). MariaDB 5.2.x Branch Upgrade Only
12). MariaDB 5.2.x to MariaDB 5.5 YUM upgrade
13). Install ioping.sh vbtechsupport.com/1239/
14). SELinux disable
15). Install/Re-install imagick PHP Extension
16). Change SSHD Port Number
17). Multi-thread compression: pigz,pbzip2,lbzip2,p7zip etc
18). Suhosin PHP Extension install
19). Install FFMPEG and FFMPEG PHP Extension
20). NSD Re-install
21). Exit
--------------------------------------------------------
Enter option [ 1 - 21 ] 
--------------------------------------------------------
```


Then depending on site etc, enable Nginx PageSpeed ngx_pagespeed module http://centminmod.com/nginx_ngx_pagespeed.html  

Then the rest of the steps http://centminmod.com/getstarted.html


----------



## Francisco (Jul 21, 2013)

D. Strout said:


> Actually, IIRC BuyVM has that file for the root user, at least on the OpenVZ templates. It might be blank, though.


It's blank.

We create the stub folder & file as users hated having to do it on their own 

Francisco


----------



## Fizzadar (Jul 21, 2013)

1. Change SSH port, disable password auth, add my key (and any other needed keys)

2. Update w/ package manager

3. Disk IO test, Net IO test, CPU test

4. Setup strict iptables rules, block any un-needed traffic

5. Use VM as normal


----------



## WelltodoInformalCattle (Jul 21, 2013)

The first thing everyone should do is ensure that you're getting exactly what you ordered and that the provider hasn't tried to screw you over in some way.


----------



## InfiniteTech (Jul 21, 2013)

```
# yum -y upgrade
# shutdown -r now
```


----------



## peterw (Jul 22, 2013)

Don't want to name the provider, but yesterday my first thing was:


Informing previous owner that his whole vps was still alive
Reinstall vps


----------



## shawn_ky (Jul 22, 2013)

Ouch!  That had to be bad!


----------



## Jeffrey (Jul 23, 2013)

cat /proc/cpuinfo, free -m, apt-get update, or yum update.


----------



## sv01 (Jul 23, 2013)

yes they are  I've found 1 provider before, but I don't remember provider name 



peterw said:


> Are there any providers having templates with authorized keys?!


----------



## HostUS-Alexander (Jul 25, 2013)

Yum update -y; yum install * -y


----------



## JackDoan (Jul 26, 2013)

Login to Solus

Install Debian, because I always get CentOS no matter what I pick on the order form


```
apt-get update
apt-get upgrade
passwd root #use something like correcthorsebatterystaple
apt-get install sudo vim less screen apache2 php5 libapache2-mod-php5 php5-curl
uname -a
less /proc/cpuinfo
adduser jack -g sudo
su jack
```


----------



## oentech (Jul 27, 2013)

Firstly, I always run the "apt-get update/upgrade" command and install the WebMin panel (for ease of use).


----------



## Master Bo (Jul 28, 2013)

1. Restrict access by ssh to my IP only, disable access via all the other protocols/ports.

2. Create additional sudoer-type account

3. Allow if disallowed key-based authentication, make sure sudo works, disable root login and restart the server.

All the security hardening/whatever goes after that.


----------

