Part 1, first revision.

main
cortices 2 years ago
commit
d9d32a5f1a
  1. 1
      .gitignore
  2. 73
      Readme.md

1
.gitignore

@ -0,0 +1 @@
.DS_Store

73
Readme.md

@ -0,0 +1,73 @@
# Mastodon instance setup instructions
## Part 1: Creating & accessing the server
### Prerequisites
1. Linux/Unix terminal environment (Linux, Mac, or Windows Subsystem for Linux).
2. Password manager (e.g. OnePassword) installed & setup.
### Steps
1. Register a new VPS. 4GB RAM & 2 CPU cores is recommended, but 2GB/1 core will work for a small instance. Install the LTS version of Ubuntu Server ("20.04 LTS", at time of writing). Take note of the IP or domain name provided to you for it by the hosting provider.
2. Think up a name for your server (as distinct from the name of the mastodon instance it will host). This sounds silly but helps a lot with remembering things.
3. Decide on a username you will use to administer the server. It can be anything as long as it’s not ‘root’.
4. Open a terminal.
5. Make sure you know your package manager. On Mac this would be homebrew (3rd party) (see https://brew.sh) on Ubuntu/Debian/WSL it would be apt.
6. Install up-to-date openssh package with your package manager:
1. `sudo apt install openssh` OR
2. `brew install openssh && brew link openssh`
7. Generate a new SSH key for accessing your server
1. `ssh-keygen -t ecdsa -f ~/.ssh/{serverUsername}@{servername}_ecdsa`
2. Follow the prompts, adding a passphrase. Store the passphrase in your password manager. This may seem like a convoluted process to use a password to log in the the server like you can just do anyway, but I promise it’s tons more secure — you need both the password *and* the secret key file we’re creating.
8. SSH into your server with the temporary root account & password
1. `ssh root@{server domain or IP}`
9. Now you’re logged in, create the user you’ll be using from now to administer.
1. `adduser {serverUsername} sudo`
2. Follow the prompts but leave the random fields as default/blank. Set a randomly generated secure password, and also store it in a password manager.
10. Exit SSH with `exit`
11. Upload your new authentication key:
1. `ssh-copy-id {serverUsername}@{server domain/IP} ~/.ssh/{the key you made}`
2. When asked for a password, provide the one you just created recently, not the root one.
12. Test that public key authentication works.
1. `ssh {serverUsername}@{server} -i ~/.ssh/{key file}`
2. You should be asked for the key passphrase, and *not* the login password for the user. Yay, secure authentication!
3. `exit` from the server again.
13. Open ~/.ssh/config in a code editor
1. `touch ~/.ssh/config`
2. `chmod 600 ~/.ssh/config`
3. Open the file in a code editor and insert the following:
````
Host {server name (not domain)}
HostName {server domain/IP}
IdentityFile ~/.ssh/{key file}
User {serverUsername}
````
14. Try to SSH using the new host config:
1. `ssh {servername}`
15. Now we’ve confirmed you can effectively log in as your custom user with SSH key, it’s time to disable SSH password authentication and root user login. This protects you from 99% of hacking attempts.
1. Still on the server, open /etc/ssh/sshd_config in a command line editor such as `nano` or `vim`.
2. Find the line with `PasswordAuthentication` and change the value to `no`, making sure it’s not commented out.
3. Find the line with `PermitRootLogin` and change that to `no` as well.
16. Run `systemctl restart ssh`. You will be disconnected by the server.
17. Re-SSH into the server to show that it still works with only public key authentication.
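Review bot: Step 9.1 will not create the account: on Ubuntu, `adduser {serverUsername} sudo` with two arguments adds an existing user to an existing group, so on a fresh server it fails because the user does not exist yet. Suggest splitting it into `adduser {serverUsername}` followed by `usermod -aG sudo {serverUsername}`. In step 11.1 the key path is passed as a positional argument; `ssh-copy-id` takes the key with `-i`, e.g. `ssh-copy-id -i ~/.ssh/{the key you made}.pub {serverUsername}@{server domain/IP}`. Steps 15 and 16 are run as the non-root user, so the editor and `systemctl restart ssh` need `sudo`, and it is worth adding `sudo sshd -t` before the restart and keeping the current session open until the login in step 17 succeeds, so a typo in sshd_config cannot lock you out.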