netarky.com

How to set up your Arch Linux VPS

Updated 18 Nov 2013

Why Arch Linux? * Getting started * Some terminal commands to keep handy * Log on to your VPS * Create a new superuser * Configure SSH port and disable root login * Update Arch Linux * Installing software on Arch * Yaourt

 

Why Arch Linux?

Arch Linux is a barebones Linux distro, with very few desktop or server features pre-installed. (There is no Graphical User Interface, for example.) Because of this, Arch is a very lightweight operating system, taking up very little of your VPS' precious resources. You can install only the software that you need, as you need it.

Arch Linux is also great for online documentation and community support. So if you get stuck, wiki.archlinux.org is a good place to start, or try the online forums.

Arch is a rolling-release distribution. This means that you never have to perform elaborate system rebuilds or installations to upgrade to the newest version of the operating system. Every time you update your system (say, once a week) you will be running the very latest version of Arch. Updates usually take a matter of seconds.

 

Getting started

You should already have your new VPS account with Arch Linux as your operating system of choice. With the IP address and root password provided, you can log into your VPS as the root user from the command line.

Note that the root password to access your VPS is probably not the same as the password to access the VPS Control Panel provided by your hosting company. You can usually reset the root password right from your Control Panel.

In this context, "command line" means using a program called an SSH client (or terminal). SSH stands for Secure Shell. An SSH terminal enables you to log on remotely to your server, through an encrypted connection, and control the server as if you were physically at it, through a text-based interface. The SSH terminal on your local machine can do this by interacting with the SSH server installed on your remote VPS.

Windows users will need to download and install an SSH client like PuTTY. Mac OS X users can use the pre-installed terminal called, wait-for-it, Terminal.

 

Some terminal commands to keep handy

command                     explanation
cd                          change directory
clear                       clear the terminal history
ls                          list directory contents
mkdir                       make a new directory
pacman -S package_name      install a package
pacman -Syu package_name    Sync, refresh the package database, and upgrade your entire system
pacman -Rs package_name     remove a package
nano                        open a file using the Nano text editor
rm                          remove a file or directory
ssh                         SSH login
man ls                      show the manual for the ls command
man ssh                     show the manual for the ssh command

 

Log on to your VPS

Log in as the root user, replacing 123.45.67.890 with the IP address of your VPS:

ssh root@123.45.67.890 (then hit ENTER)

Skip this next part (the host key warning) if it doesn't apply to you.

If you're using Terminal on a Mac and have recently reinstalled the operating system of your VPS having been previously logged in, you may be denied:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
6f:35:03:55:06:33:2b:12:f8:8b:a8:bb:e1:03:c5:e1.
Please contact your system administrator.
Add correct host key in /Users/username/.ssh/known_hosts to get rid of this message.
Offending key in /Users/username/.ssh/known_hosts:1
RSA host key for 123.45.67.890 has changed and you have requested strict checking.
Host key verification failed.

The easiest way to proceed right now is to delete the known_hosts file (on your local machine), so that it gets rebuilt by Terminal. Change directory to /Users/username/.ssh using the command:

cd /Users/username/.ssh

(Substitute username as appropriate.)

Remove the known_hosts file:

rm known_hosts
cd

(cd takes you back to the root directory.)
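
A narrower alternative to deleting the whole known_hosts file, as an added example that is not part of the original page: drop only the entries for the reinstalled VPS, so the pinned keys of every other host survive. On a real machine ssh-keygen -R 123.45.67.890 does this; the hypothetical forget_host function below shows the same edit on an unhashed file, using constructed sample entries.

```sh
#!/bin/sh
# Added example (not from the original page). forget_host is a
# hypothetical helper; the key strings below are constructed placeholders.

# Print known_hosts file $1 without the entries for host $2, on any port.
# Comments, hashed (|1|...) and marker (@...) lines are passed through.
forget_host() {
    awk -v host="$2" '
        /^[ \t]*(#|$)/ || $1 ~ /^[@|]/ { print; next }
        {
            n = split($1, names, ","); keep = ""
            for (i = 1; i <= n; i++) {
                bare = names[i]
                # A non-default port is stored as [host]:port.
                if (bare ~ /^\[.*\]:[0-9]+$/) {
                    sub(/^\[/, "", bare); sub(/\]:[0-9]+$/, "", bare)
                }
                if (bare != host)
                    keep = keep (keep == "" ? "" : ",") names[i]
            }
            if (keep == "") next      # every name on the line was the host
            $1 = keep; print
        }
    ' "$1"
}

# Constructed sample: the VPS on port 22 and on 3456, plus an unrelated host.
demo_known_hosts() {
    printf '%s\n' \
        '123.45.67.890 ssh-rsa CONSTRUCTED_OLD_KEY' \
        '[123.45.67.890]:3456 ssh-rsa CONSTRUCTED_OLD_KEY' \
        'git.example.org,198.51.100.7 ssh-ed25519 CONSTRUCTED_OTHER_KEY'
}

kh=$(mktemp)
demo_known_hosts > "$kh"
forget_host "$kh" 123.45.67.890 > "$kh.new" && mv "$kh.new" "$kh"
cat "$kh"      # only the git.example.org line is left
rm -f "$kh"
```

Whichever way the old entry is removed, the fingerprint ssh shows at the next login is the one to check against the server's own host key before answering yes.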

Try logging in again:

ssh root@123.45.67.890

You should get something like this (here I'm using Terminal on a Mac):

The authenticity of host '123.45.678.90 (123.45.678.90)' can't be established.
RSA key fingerprint is 6f:35:03:55:06:33:2b:12:f8:8b:a8:bb:e1:03:c5:e1.
Are you sure you want to continue connecting (yes/no)?

Type yes and hit ENTER.

Warning: Permanently added '123.45.678.90' (RSA) to the list of known hosts.
Password:

Now enter the root password of your VPS, and...

Have a lot of fun...

You're logged in to your Arch Linux VPS! To celebrate, change the root password using passwd:

passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

 

Create a new superuser

The super user called 'root' is too easy to guess and has total system control. By creating another user (with super user privileges) and then blocking root access, your VPS will be a bit more secure against unauthorised access. Create a new user called 'john':

useradd -m john

You have just added a new local user called john. The -m option creates john's home directory, /home/john.

A local user is a user who has direct access to the system. In other words, the user can log in to your VPS and access system services, depending on defined privileges. All your local users are kept in Arch's /etc/passwd file.

Change john's password:

passwd john

As of yet, only the root user has all of the administrative capabilities on the virtual server. You are going to give john root privileges too. This is done in what's called the sudo configuration file. Edit the sudo configuration file using the command:

visudo

Vi is a pre-installed command line text editor, but it does not recognize arrow keys. Move down using j, up with k, left with h, and right with l.

Find the section called "User privilege specification". It will look like this:

# User privilege specification
root ALL=(ALL) ALL

You can begin editing the text by pressing "a", and delete text by pressing ESCAPE and then x. Add the following line right after, granting all the permissions to your new user:

john ALL=(ALL) ALL

Press ESCAPE and then SHIFT+zz to save and exit back to the command line.

When you perform any root tasks with the new user, you will need to use the word sudo before the command. This is a helpful command for 2 reasons:

  1. it prevents the user making any system-destroying mistakes;
  2. it stores all the commands run with sudo to the file /var/log/secure which can be reviewed later if needed.

For the moment though, you're still logged in as root.
 

Configure SSH port and disable root login

Nano is a simple command line text editor that's very newbie-friendly and installed by default in Arch. You can use the arrow keys to navigate through text. Open the SSH configuration file for editing using Nano:

nano /etc/ssh/sshd_config

Find the following entries and change the information where applicable. Be sure to uncomment the lines by deleting the preceding hash #.

Port 3456
...
PermitRootLogin no

Port: Although port 22 is the default, you can change this to any number between 1025 and 65536. In this example, I am using port 3456. Choose and make a note of the new port number. You will need it to log in in the future and to configure your firewall.

Why do this? Port 22 is the standard port for connecting to SSH services. Malicious scanners are relatively unsophisticated scripts that port-scan large blocks of IP addresses one at a time to see if port 22 is open. When they find one that is, they launch some sort of attack on it (brute force, dictionary) to recover the password and gain control over the server. Changing the port number therefore provides some low-level security, but only against this type of opportunistic attack. Perhaps the best reason for doing this is that your server saves the computing overhead of responding to repeated requests on port 22 from scanners.

PermitRootLogin: change this from yes to no to stop future root login. You will only be logging in as the new super user john.

Hit CTRL+o and then ENTER to save the modifications you just made and then CTRL+x to quit Nano and get back to the command line.

Restart the server's SSH service so that it picks up the new port and settings.

systemctl restart sshd

If you get:

Warning: Unit file of sshd.service changed on disk, 'systemctl --system daemon-reload' recommended.

Then do as suggested:

systemctl --system daemon-reload

To test the new settings (do not log out of root yet!), open a new terminal window and login as your new user.

Don't forget to include the new port number. (That's what the -p is for.)

ssh -p 3456 john@123.45.67.890

Your command prompt should now say:

[john@yourhostname ~]$

Once you know you can log in to your VPS as your new user, you can exit out of root. On your original terminal window as root, type:

logout

Then you can close that window.
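
A check that fits between editing sshd_config and the restart step above, as an added example that is not part of the original page: it reports whether port 22 is really closed and root login really refused, which catches a line left commented out or a second Port line still active. The function names are hypothetical and the sample file is constructed.

```sh
#!/bin/sh
# Added example (not from the original page): audit the two sshd_config
# settings changed in this section. Function names are hypothetical.

# Print every active value of keyword $2 in file $1, one per line.
# Lines still starting with '#' are skipped, keywords are matched
# case-insensitively, and parsing stops at the first Match block.
# Assumes the plain "Keyword value" form (no "Keyword=value").
sshd_values() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0       { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2 }
    ' "$1"
}

# Return 0 only if sshd no longer listens on 22 and root login is refused.
audit_sshd_config() {
    status=0
    # Port may be given several times and sshd listens on all of them;
    # with no active Port line it falls back to 22.
    ports=$(sshd_values "$1" Port | tr '\n' ' ')
    case " ${ports:-22} " in
        *" 22 "*) echo "FAIL: sshd still listens on port 22"; status=1 ;;
        *)        echo "ok:   Port $ports" ;;
    esac
    # For PermitRootLogin the first active value wins.
    root=$(sshd_values "$1" PermitRootLogin | head -n 1)
    if [ "$root" = "no" ]; then
        echo "ok:   PermitRootLogin no"
    else
        echo "FAIL: PermitRootLogin is '${root:-unset, default applies}'"
        status=1
    fi
    return "$status"
}

# Constructed sample: the new port was added but the edited
# PermitRootLogin line is still commented out.
sample=$(mktemp)
printf '%s\n' 'Port 3456' '#PermitRootLogin no' \
    'Subsystem sftp /usr/lib/ssh/sftp-server' > "$sample"
audit_sshd_config "$sample" || echo "fix the file before restarting sshd"
rm -f "$sample"
```

On the VPS, point it at the real file with audit_sshd_config /etc/ssh/sshd_config; sshd -t additionally checks the file for syntax errors.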

 

Update Arch Linux

Logged in as your new user, the first thing to do is a system update. Arch uses a package management program called pacman to easily manage updates. Sync, refresh the package database, and upgrade your entire system with:

sudo pacman --sync --refresh --sysupgrade

Or, same thing, but quicker:

sudo pacman -Syu

Notice the use of sudo now that you're no longer the root user. sudo is required for commands which require root privileges. The use of sudo may periodically prompt you for your user password. If you get a "permission denied" error after issuing a command, it could be because you forgot to sudo it.

If you are prompted to upgrade pacman itself at this point, respond by pressing Y, and then reissue the sudo pacman -Syu command when finished.

Arch is a rolling-release distribution. This means the user doesn't have to reinstall or perform elaborate system rebuilds to upgrade to the newest version. Issuing pacman -Syu periodically keeps the entire system up-to-date. At the end of this upgrade, the system will be completely current.

Arch's developers will provide important information about required configurations and modifications for known issues. The Arch Linux user is expected to consult these places before performing an upgrade. The easiest way to keep in touch with developments is by subscribing to the feed on Arch's homepage at www.archlinux.org.

Source: wiki.archlinux.org/index.php/Arch_Linux_System_Maintenance

 

Installing software on Arch

Before installing any programs, there are some prerequisites to take care of. This means installing the build essentials, which are needed to compile packages on Arch Linux.

sudo pacman -S base-devel abs

This command asks pacman to install ABS, the Arch Build System, and base-devel, a collection of compiling tools. These tools allow the creation and installation of Arch Linux packages. Read more about ABS here.

Arch Linux packages are created by first writing a PKGBUILD file, which is a script describing a package and containing:

Where do you find Arch Linux packages to install?

Essential and popular software can be found in the Official Repositories, readily accessible via pacman. Read more about Arch's official repositories here.

Other software may be found in the Arch User Repository (AUR). This is a community-driven repository for Arch users. It contains package descriptions (PKGBUILDs) that allow you to compile a package from source using the command makepkg and then install via pacman. A good number of new packages that enter the official repositories start in the AUR. In the AUR, users are able to contribute their own package builds (PKGBUILD and related files). The AUR community has the ability to vote for or against packages in the AUR. If a package becomes popular enough (provided it has a compatible license and good packaging technique) it may be entered into the official [community] repository (and therefore be directly accessible by pacman or abs).

Users can search for and download PKGBUILDs from the AUR Web Interface.

Source: wiki.archlinux.org/index.php/Arch_User_Repository

 

Yaourt

There exists a community-contributed wrapper for pacman called Yaourt (Yet AnOther User Repository Tool). Yaourt simplifies the search, compilation and installation of Arch packages by adding access to the AUR and automating the build and install process. You can install Yaourt using pacman like this:

sudo pacman -S yaourt

You'll need to sync Yaourt with the AUR:

yaourt -Syy

You can then search the AUR or Arch's official repositories' packages like so:

yaourt package-name

Yaourt provides interactive prompts for installation. Or, if you know the exact package name:

yaourt -S package-name

Yaourt uses the same syntax as pacman, but also adds further options. Yaourt does not require sudoing - it will ask you for your password as required. Read more about Yaourt here.