mikr13/secure-server-setup-skills
Overview
This skill hardens SSH access on VPS servers by enforcing key-based authentication, disabling root login, and creating non-root sudo users. It implements safe, test-first changes to sshd_config and provides step-by-step checks to avoid locking yourself out. The goal is to reduce brute-force and credential risks while maintaining operational access.
How this skill works
The skill creates a non-root user with sudo privileges, generates or installs public SSH keys, and configures the SSH daemon to refuse password and root logins. It updates core sshd_config options (PermitRootLogin, PasswordAuthentication, AllowUsers, Protocol, etc.), validates the configuration with sshd -t, and guides a safe restart. It also includes recommended firewall and monitoring suggestions.
When to use it
- Initial VPS provisioning to establish secure access
- Replacing password authentication with SSH keys
- Responding to security audit findings about SSH settings
- Reducing exposure to brute-force and credential attacks
- Implementing least-privilege access for server administration
Best practices
- Create and test a non-root sudo user before changing SSH settings
- Generate and use ed25519 keys with a strong passphrase when possible
- Always test new key login in a separate terminal and keep an existing session open
- Run sudo sshd -t to validate syntax before restarting the service
- Restrict access with AllowUsers or AllowGroups and update firewall rules if you change the SSH port
Example use cases
- Set up a deployer user with key-only SSH access on a fresh VPS
- Harden an existing server after a security scan flagged root or password logins
- Migrate a team from password SSH to centrally managed key pairs
- Lock down SSH to only specific admin accounts and disable unused features like X11 forwarding
- Combine with fail2ban and firewall rules to reduce noise and automated attacks
FAQ
Use your hosting provider’s console or VNC to access the instance, revert the changes in /etc/ssh/sshd_config, and restart sshd. Always keep one working session open while testing to prevent lockout.
Which key type should I use?
Use ed25519 for modern, compact, and secure keys. Use rsa -b 4096 only for older compatibility when ed25519 is unavailable.
Can I disable password auth immediately?
No. First create a non-root user, install and test SSH key authentication in a new terminal, then disable password authentication and restart sshd after validating the config.
3 skills
This skill hardens SSH on VPS by enforcing key authentication, disabling root login, and creating non-root sudo users to prevent unauthorized access.
This skill configures automatic security updates on Ubuntu/Debian servers to patch vulnerabilities and reduce manual maintenance.
This skill helps you implement automated off-server backups with retention, encryption, and restoration procedures for quick VPS disaster recovery.