Pre-requisite:
Create your hosting account. Requires Name, Phone Number, Credit Card, Email address. You must verify the email with a 6 digit code.
PuTTY with Pageant is configured (Install PuTTY for SSH)
You could use Linux client + ssh-agent instead
Log in and create a new cloud server:
Check that your local SSH agent has loaded your private key. Copy the public key (use Puttygen if you need to).
Sign in to the Hetzner console: https://console.hetzner.com/
Click "Add an SSH key".
Paste the public key, select "Set as default key", and click "Add SSH key". Click Cancel when finished.
Optional: Navigate to CLOUD > Firewalls.
Remove the rule allowing ICMP Protocol.
Add a rule allowing TCP protocol, port 443 (HTTPS).
Add a rule allowing UDP protocol, port 443 (HTTP3).
Add a rule allowing UDP protocol, port 4500 (VPN).
Scroll down and enter a name (e.g. firewall-web).
Click "Create Firewall".
Navigate to CLOUD > Servers.
Click "Add Server".
Select "Cost-Optimized", "x86", "Helsinki". This is currently the only way to get the $5 per month plan.
Select "Debian" operating system image.
If you select an App, Ubuntu will probably be used instead. Instructions below assume Debian 13.
For Networking, remove "Public IPv4". That saves $0.60 per month and spares the server the constant background port scanning that every public IPv4 address receives.
The SSH key you added earlier should be already selected.
Optional: Click the firewall added earlier.
Scroll to the end and set the server Name to the domain name (domain.xyz).
Click "Create & Buy now".
The server is ready after 1 minute.
Click "..." and select "Enable Protection", click "Enable protection".
Click the "Public IP" to copy the IPv6 address. What you copy is the /64 prefix; drop the /64 and append 1 after the :: to get the server's own address.
If you are not adding the server IP address to public or private DNS, add it to your hosts file.
On Windows: %WINDIR%\System32\Drivers\etc\hosts
This is also used by WSL2 the next time it reboots
On Linux: /etc/hosts
Example:
2001:db8:1234:5678::1 MyServer
Connect to the new server to begin configuration and perform initial setup
Create a new SSH session to the IPv6 address; remove the /64 which was copied, and append 1 after the ::
Accept the new SSH host key fingerprint: yes
Log in as root
If you made any mistakes provisioning the server, you can "Power Off" and "Rebuild" the server.
Confirm the IP address:
ip -6 addr show scope global
Enable APT software sources and automatic updates
apt update
apt install unattended-upgrades apt-listchanges -y
dpkg-reconfigure unattended-upgrades
Press Enter to accept
Install apparmor and check the status; it should be active (exited) with some profiles in enforce mode
apt -y install apparmor apparmor-utils apparmor-profiles
systemctl start apparmor
aa-status
Confirm the system clock synchronization (should be yes)
timedatectl timesync-status
systemctl status systemd-timesyncd
Create a local user account in the sudo group, with no password login:
useradd -m -s /bin/bash -G sudo yourname
su - yourname
ssh-keygen # Enter passphrase, or don't
vi .ssh/authorized_keys
Paste your public key with Shift+right-click; vim on Debian captures the mouse, so the Shift key is needed when pasting into vim, unlike in the shell
:x
exit
apt install libpam-ssh-agent-auth
vi /etc/pam.d/sudo
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Authenticate via SSH agent first
auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys
@include common-auth
@include common-account
@include common-session-noninteractive
cp ~yourname/.ssh/authorized_keys /etc/security/
vi /etc/sudoers.d/91-ssh-agent
Defaults:%sudo env_keep += "SSH_AUTH_SOCK"
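As an added example (not part of the original guide), a small Python checker for the /etc/pam.d/sudo layout above: the pam_ssh_agent_auth line must come before @include common-auth (otherwise the password prompt still runs first) and its file= option must point at a root-owned file under /etc rather than a key file the sudoer could edit in their own home. The two sample configurations are constructed; the names GOOD_PAM_SUDO, WEAK_PAM_SUDO and check_pam_sudo are mine.

```python
# Constructed sample: the /etc/pam.d/sudo layout the guide ends up with.
GOOD_PAM_SUDO = """\
#%PAM-1.0
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Authenticate via SSH agent first
auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys
@include common-auth
@include common-account
@include common-session-noninteractive
"""

# Constructed weak variant: the agent line sits after common-auth (password is
# still asked first) and file= points into the user's home (user can add keys).
WEAK_PAM_SUDO = """\
#%PAM-1.0
session required pam_limits.so
@include common-auth
auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
@include common-account
"""

def check_pam_sudo(text):
    """Return a list of findings; an empty list means the layout matches the guide."""
    findings, agent_idx, common_auth_idx, file_arg = [], None, None, None
    for idx, raw in enumerate(text.splitlines()):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "@include" and "common-auth" in fields:
            common_auth_idx = idx
        elif len(fields) >= 3 and fields[0] == "auth" and fields[2] == "pam_ssh_agent_auth.so":
            agent_idx = idx
            if fields[1] != "sufficient":
                findings.append(f"control is '{fields[1]}', expected 'sufficient'")
            for opt in fields[3:]:
                if opt.startswith("file="):
                    file_arg = opt[len("file="):]
    if agent_idx is None:
        return ["pam_ssh_agent_auth.so is not configured for sudo"]
    if common_auth_idx is not None and agent_idx > common_auth_idx:
        findings.append("agent auth comes after @include common-auth; the password is asked first")
    if file_arg is None:
        findings.append("no file= option; point it at a root-owned file under /etc/security")
    elif file_arg.startswith(("~", "/home/")) or "%h" in file_arg:
        findings.append(f"file={file_arg} is user-writable; keep the key file under /etc")
    return findings
```

Run it against the real file with check_pam_sudo(open("/etc/pam.d/sudo").read()) after editing; an empty list is the expected result.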
Back in PuTTY, create a saved session. Connection > Data:
Auto-login username: yourname
Terminal-type string: xterm-256color
SSH > Auth
Attempt authentication using Pageant: Enabled
Attempt keyboard-interactive auth: Disabled
Allow agent forwarding: Enabled
Session
Host Name: Server public IPv6 address
Saved Session: MyServer
Click Save
Click Open to test the login.
To test privilege escalation:
sudo whoami