Linux Server Setup
New VPS hardening: users, SSH keys, firewall, fail2ban, swap, timezone.
linux devops security vps
# Linux Server Setup

## First login (root)

```bash
# Update system
apt update && apt upgrade -y

# Create non-root user
adduser deploy
usermod -aG sudo deploy

# Copy SSH key to new user
rsync --archive --chown=deploy:deploy ~/.ssh /home/deploy
```

## SSH hardening

```bash
# Generate key locally (run on your workstation, not on the server)
ssh-keygen -t ed25519 -C "server-key"
ssh-copy-id deploy@YOUR_SERVER_IP
```

```bash
# /etc/ssh/sshd_config
# Change default port
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
```

```bash
# Validate the config, then restart.
# Keep the current session open until a new login on port 2222 works.
sshd -t && systemctl restart sshd
```

## UFW firewall

```bash
ufw default deny incoming
ufw default allow outgoing
ufw allow 2222/tcp   # SSH (your custom port)
ufw allow 80/tcp     # HTTP
ufw allow 443/tcp    # HTTPS
ufw enable
ufw status verbose
```

## fail2ban (brute force protection)

```bash
apt install fail2ban

cat > /etc/fail2ban/jail.local << 'EOF'
[sshd]
enabled = true
port = 2222
maxretry = 5
bantime = 3600
findtime = 600
EOF

systemctl enable --now fail2ban
fail2ban-client status sshd
```

## Swap (for low-RAM VPS)

```bash
fallocate -l 2G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
echo '/swapfile none swap sw 0 0' >> /etc/fstab

# Reduce swappiness (read at boot; run `sysctl -p` to apply it now)
echo 'vm.swappiness=10' >> /etc/sysctl.conf
```

## Timezone & locale

```bash
timedatectl set-timezone Asia/Shanghai
localectl set-locale LANG=en_US.UTF-8
```

## Automatic security updates

```bash
apt install unattended-upgrades
dpkg-reconfigure --priority=low unattended-upgrades
```

## Useful monitoring commands

```bash
htop             # process monitor
df -h            # disk usage
free -h          # memory
ss -tlnp         # listening ports
journalctl -f    # system logs
netstat -tulpn   # network connections (needs the net-tools package)
last             # login history
```
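
To confirm that the values from the SSH hardening section are the ones sshd will actually use, the following added example (not part of the original guide) audits a config file against them. It assumes a single file with no `Include` directives; the function names and the sample config are constructed for illustration, and on a live host `sshd -T` prints the effective configuration.

```shell
# Added example (not from the original guide): audit an sshd_config file against
# the SSH hardening values above. sshd keeps the FIRST value it reads for a
# keyword and keywords are case-insensitive, so a stray earlier line wins.

# Values from the guide, then the OpenSSH defaults that apply when a keyword is unset.
EXPECTED="port=2222 permitrootlogin=no passwordauthentication=no pubkeyauthentication=yes maxauthtries=3"
DEFAULTS="port=22 permitrootlogin=prohibit-password passwordauthentication=yes pubkeyauthentication=yes maxauthtries=6"

# first_value FILE KEYWORD: print the first global value set for KEYWORD (lowercase).
first_value() {
    awk -v want="$2" '
        { sub(/^[ \t]+/, "") }                  # drop leading whitespace
        /^#/ || /^$/ { next }                   # skip comments and blank lines
        { n = split($0, f, /[ \t=]+/); k = tolower(f[1]) }
        k == "match" { exit }                   # Match blocks are conditional; stop there
        k == want && n > 1 { print f[2]; exit } # first occurrence is the effective one
    ' "$1"
}

# audit_sshd_config FILE: print one FAIL line per deviation; return 1 if any.
audit_sshd_config() {
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}; src=set
        got=$(first_value "$1" "$key")
        if [ -z "$got" ]; then                  # unset: the sshd default applies
            for d in $DEFAULTS; do
                if [ "${d%%=*}" = "$key" ]; then got=${d#*=}; fi
            done
            src=default
        fi
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: effective '$got' ($src), expected '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the later "PasswordAuthentication no" is ignored by sshd.
sample=$(mktemp)
cat > "$sample" << 'EOF'
Port 2222
passwordauthentication yes
PermitRootLogin no
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "sample config does not match the guide"
rm -f "$sample"
```

Run it against a copy of `/etc/ssh/sshd_config` before restarting sshd; an empty result means every audited keyword matches the guide.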