Best Practices for Linux and Minecraft Hosting

So, you just got your new Linux server and only know the basics to it, great! It's always nice to see people learning Linux.

Protip: Get into good habits early, prevents having to correct bad habits later IE using root to login.

Update your system!:
Sometimes when you get a server (dedicated or VPS) the software running on it could be outdated. Updating is easy and will make sure you have the latest features and security fixes.

For Ubuntu/Debian based distribution:
For CentOS/RHEL based distribution:
Those commands will update all of your systems packages/apply distribution security patches thus making you more secure both OS side and application side.
Add your own user:
The second thing you must always do is add your own user account. Using purely root is the biggest mistake all new admins make. root is the single most powerful account on your system and if someone compromises it, you might as well wave goodbye to it all.
So for me it'd be:
Depending on your exact setup you may or may not be asked to set a password at account creation. If you are not you can add one with

This will let you change/add the password for the user account you just created, so for example, for me it would be:
Add yourself to sudo:
Now you're probably thinking "So if I can't login as root, how am I to do actions like update or add new packages?" The answer is sudo. Sudo allows you to change to another user, run applications as other users and so on.
So, first we need to install sudo, if it's not already installed.

For Ubuntu/Debian based distribution:
For CentOS/RHEL based distribution:
Now that you've installed sudo, you'll need to add yourself to the sudoers, this is the easy part.

So for me it'd be:
If you run a Debian based distribution, you'll need to restart the sudo service for this to take affect, just do: service sudo restart

Quick tutorial to sudo!

When you're logged into your user you'll want to change users a lot (trust me, it's a godsend) for that you'll want to use sudo -su, for example:
This will change your shell to the system username: minecraft
All things you run while under sudo -su will be run AS THAT USER, so if you say run java, the process will be under the user minecraft!

So say you want to get to root, this is even easier:
That's it, running that command will elevate you to a root shell and allow you to essentially login as root without logging in a root!

If you wish to leave a sudo -su/sudo -s'd shell and get back to your normal user account, just run the command:
It'll bring you back to your own shell.

SSH Keys

You are a bad source of entropy. Passwords are not particularly secure, even if you utilize fail2ban or similar software. For better security, you'll want to use SSH keys.

As you've probably already have git installed, I'll spare you some time.

If on Windows, open your command prompt and run
This will generate a 2048 bit RSA key for use with your server. It is strongly recommended that you add a strong passphrase. You must not share the keyfile with anyone - protect it as you would your password.

In most cases, the command will tell you where the private and public keys are stored. Use the concatenate command (cat) to output your public key file, It should look a bit like this:

Now that you've generated your keys, it's now time to tell the server what they are. Login to your server, and cd into the ~/.ssh directory. In some cases, you'll need to create the directory (use the mkdir command).

Let's create the authorized_keys file and add our public key:
Set proper permissions:
And you're done! Logout and login without typing your password to see if your key has been successfully installed. If it logs you in without asking for a passphrase, success!

Now it's time to disable password authentication.

The simplest way is to run these commands:
Alternatively, you could edit the file yourself and change PasswordAuthentication to no, and UsePAM to no as well.
That's it for SSH keys. Read on to find out how to further lock down SSH.

Modify your SSHd config:
Now you're probably thinking "Why would I need to do this? It works, right?" and you'd be right, however a nice touch always is changing a few basic things to boost your security.
First of all disable root.
You have no idea how many times I have to tell people, disable the root account, you have sudo so why would you need to login as root?

First of all, open up your sshd config: Once you've done that, look for the words If it says , change it to What this will do is disable SSH logins to the user root, you have sudo -s, so who cares, you certainly don't .

Next step in the same file is to change the port.
This is purely optional but it does prevent a lot of annoying bruteforce logs in your /var/log/auth.log
Look for , it should be somewhere at the top of the file.
Change it to some memorable number; for examples sake, 2421, all you change it to is , it's as simple as that.


IF YOU DO CHANGE THE PORT, REMEMBER IT. YOU'LL NEED IT TO LOG INTO SSH AGAIN.

Then once you've done all that just simply do:

For Ubuntu/Debian based distribution: For CentOS/RHEL based distribution: This will reload your configs!

Help! I just logged out and now I can't log in again as root!

As I went over before, you disabled root! Just login as the new user you created, once you do that if you need to get to say the root user, just do This concludes this tutorial, I'll make another post on the more advanced more Minecrafty stuff.