

{"id":719,"date":"2025-06-08T09:08:31","date_gmt":"2025-06-08T07:08:31","guid":{"rendered":"https:\/\/blog.koeckeis-fresel.net\/?p=719"},"modified":"2025-06-11T07:27:08","modified_gmt":"2025-06-11T05:27:08","slug":"how-to-choose-a-good-virtual-private-server-hosted-by-hetzner-de","status":"publish","type":"post","link":"https:\/\/blog.koeckeis-fresel.net\/?p=719","title":{"rendered":"How to install a virtual private server hosted by hetzner.de (get 20\u20ac credit for your first server)"},"content":{"rendered":"\n<p>My servers are hosted at <a href=\"https:\/\/hetzner.cloud\/?ref=7NRhCBgXxWdx\" target=\"_blank\" rel=\"noreferrer noopener\">hetzner.de (20\u20ac referral link \ud83d\ude42<\/a>).<\/p>\n\n\n\n<p><strong>When you use the link above you gain a Hetzner Cloud credit worth \u20ac 20.00.<\/strong> <\/p>\n\n\n\n<p>They have a really good service and a lot of configuration options. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Short guide<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Register your account using the <a href=\"https:\/\/hetzner.cloud\/?ref=7NRhCBgXxWdx\" target=\"_blank\" rel=\"noreferrer noopener\">referral link<\/a> and create your first server<\/li>\n\n\n\n<li>Add your SSH keys to the default configuration\n<ul class=\"wp-block-list\">\n<li>create SSH keys if you have not created them yet, using<br><code>ssh-keygen -t ed25519 -a 256<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Add a Firewall configuration before creating the server<\/li>\n\n\n\n<li>Create a new rule&nbsp;<strong>ICMP<\/strong>\n<ul class=\"wp-block-list\">\n<li>Any IPv4, Any IPv6 &gt; Protocol ICMP<\/li>\n\n\n\n<li>this enables ping for your server \u2013 you will need it for debugging in the future<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Create a new rule&nbsp;<strong>trusted<\/strong>\n<ul class=\"wp-block-list\">\n<li>add your current IP-address and select TCP and Port any<\/li>\n\n\n\n<li>add your current IP-address and select UDP and Port any<\/li>\n\n\n\n<li>this enables administrative 
access to your server for setup and before going live<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Select a location close to your customers<\/li>\n\n\n\n<li>Select your OS Image<\/li>\n\n\n\n<li>Select a shared vCPU and AMD server &#8211; they have better SSL performance for your webserver<\/li>\n\n\n\n<li>Add your IPv4 and IPv6 addresses<\/li>\n\n\n\n<li>Select the SSH keys you stored previously for direct access after installation<\/li>\n\n\n\n<li>Select the firewall rules: <strong>ICMP<\/strong> and <strong>trusted<\/strong><\/li>\n\n\n\n<li>Enable Backups<\/li>\n\n\n\n<li>Use this URL for cloud-config: <a href=\"https:\/\/tinyurl.com\/mrx9uz6n\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/tinyurl.com\/mrx9uz6n<\/a><\/li>\n\n\n\n<li>Use the FQDN of your server for deployment &#8211; the FQDN will also be set inside the server<\/li>\n\n\n\n<li>After installation: set the reverse DNS name for your server<\/li>\n\n\n\n<li>After installation: add a Volume for your data<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Step by step instructions<\/h2>\n\n\n\n<p>Here is a small checklist on how to configure the right VPS for your project.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Preparations<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Add SSH-keys for instant access<\/h4>\n\n\n\n<p>Add your own SSH-keys to the server deployment so you get instant access as root using SSH.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Add firewall configurations before deployment<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create a new rule <strong>ICMP<\/strong>\n<ul class=\"wp-block-list\">\n<li>Any IPv4, Any IPv6 &gt; Protocol ICMP<\/li>\n\n\n\n<li>this enables ping for your server &#8211; you will need it for debugging in the future<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Create a new rule <strong>trusted<\/strong>\n<ul class=\"wp-block-list\">\n<li>add your current IP-address and select TCP and Port any<\/li>\n\n\n\n<li>add your current IP-address and select UDP and Port 
any<\/li>\n\n\n\n<li>this enables administrative access to your server for setup and before going live<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Create a new rule <strong>SSH<\/strong>\n<ul class=\"wp-block-list\">\n<li>Any IPv4, Any IPv6 &gt; Protocol TCP and Port 22<\/li>\n\n\n\n<li>this enables SSH administrative access to your server. Enable it after configuring fail2ban on your server.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Create a new rule <strong>HTTP<\/strong>\n<ul class=\"wp-block-list\">\n<li>Any IPv4, Any IPv6 &gt; Protocol TCP and Port 80<\/li>\n\n\n\n<li>Any IPv4, Any IPv6 &gt; Protocol TCP and Port 443<\/li>\n\n\n\n<li>Any IPv4, Any IPv6 &gt; Protocol UDP and Port 80<\/li>\n\n\n\n<li>Any IPv4, Any IPv6 &gt; Protocol UDP and Port 443<\/li>\n\n\n\n<li>You wonder why I enable UDP for HTTP traffic? Read <a href=\"https:\/\/en.wikipedia.org\/wiki\/HTTP\/3\">this Wikipedia article on HTTP\/3<\/a> for background information. Your server should use QUIC for better performance. QUIC uses UDP.<\/li>\n\n\n\n<li>enable this rule after you have finished setting up your webserver<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Create a new server<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Select location of your server<\/h4>\n\n\n\n<p>Select a location near your customers so that latency is low.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Select your OS Image<\/h4>\n\n\n\n<p>Select your preferred OS image. These are the available images as of June 2025:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ubuntu<\/li>\n\n\n\n<li>Fedora<\/li>\n\n\n\n<li>Debian<\/li>\n\n\n\n<li>CentOS<\/li>\n\n\n\n<li>Rocky Linux<\/li>\n\n\n\n<li>AlmaLinux<\/li>\n\n\n\n<li>openSUSE<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Select Type of server<\/h4>\n\n\n\n<p>You can choose between a <strong>shared vCPU<\/strong> server or a <strong>Dedicated CPU<\/strong>.<\/p>\n\n\n\n<p>For your test-deployment you can choose the shared vCPU. 
<\/p>\n\n\n\n<p>As we will also use a WAF for our webserver you should select at least:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>cpx21 &#8211; 3 AMD CPUs &#8211; 4GB RAM &#8211; 80GB system-drive <\/strong><\/li>\n<\/ul>\n\n\n\n<p>The dedicated CPUs have a 15-20% performance gain compared to the vCPUs. Only use them if you need dedicated performance.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Compare SSL performance on AMD, ARM and Intel CPUs for webservers<\/h4>\n\n\n\n<p>Use <code>openssl speed -mr &gt; ssltest-myserver.txt<\/code> on the servers and compare the performance.<\/p>\n\n\n\n<p><strong>My own tests showed better performance on AMD compared to Intel vCPUs.<\/strong><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Add the IPv4 and IPv6 addresses to your server<\/h4>\n\n\n\n<p>IPv6 addresses are free &#8211; for IPv4 addresses you have to pay a small fee.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Select your SSH-keys for access<\/h4>\n\n\n\n<p>Now you select your SSH keys for public-key auth. The public keys are copied to <code>\/root\/.ssh\/authorized_keys<\/code> so you can easily access your server after installation.<\/p>\n\n\n\n<p>If you don&#8217;t have SSH keys you should create them now using:<br><code>ssh-keygen -t ed25519 -a 256<\/code><\/p>\n\n\n\n<p>After creation, upload the <strong>id_ed25519.pub<\/strong> file (only the public key; the private key stays on your machine).<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Use a Volume for your data after installation<\/h4>\n\n\n\n<p>Do not add a volume during installation. After installation you can add a Volume for your file data (e.g. nextcloud-data or mailserver-data). This allows you to move the volume to another virtual server when you choose to get a higher-performance server.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Select the firewall-rules for access<\/h4>\n\n\n\n<p>For the deployment select the firewall rules <strong>ICMP<\/strong> and <strong>trusted<\/strong> we created earlier. 
We do not want to open more ports until we finish the installation of our server.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Enable Backups<\/h4>\n\n\n\n<p><strong>YES &#8211; you really want backups<\/strong>. But this is an <strong>opt-in<\/strong> so you have to select it manually.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Cloud config<\/h4>\n\n\n\n<p>Add the following URL to your cloud config. With this script you will:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>update the installed packages<\/li>\n\n\n\n<li>install rsyslog, fail2ban and logrotate<\/li>\n\n\n\n<li>set a default <code>\/etc\/fail2ban\/jail.local<\/code> with incremental blocking times<\/li>\n\n\n\n<li>edit bash history settings<\/li>\n\n\n\n<li>create a swapfile<\/li>\n<\/ul>\n\n\n\n<p>shortened: <a href=\"https:\/\/tinyurl.com\/mrx9uz6n\" target=\"_blank\" rel=\"noreferrer noopener\"><code>https:\/\/tinyurl.com\/mrx9uz6n<\/code><\/a><br><strong>or<\/strong><br>direct: <a href=\"https:\/\/raw.githubusercontent.com\/Michal-Koeckeis-Fresel\/server-deployment\/refs\/heads\/main\/linux\/cloudinit\/cloudinit-debian.yaml\" target=\"_blank\" rel=\"noreferrer noopener\"><code>https:\/\/raw.githubusercontent.com\/Michal-Koeckeis-Fresel\/server-deployment\/refs\/heads\/main\/linux\/cloudinit\/cloudinit-debian.yaml<\/code><\/a><\/p>\n\n\n\n<p>Check out the scripts on <a href=\"https:\/\/github.com\/Michal-Koeckeis-Fresel\/server-deployment\/tree\/main\/linux\/cloudinit\" target=\"_blank\" rel=\"noreferrer noopener\">my github.com-repo (Link)<\/a><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Set the hostname<\/h4>\n\n\n\n<p>You can choose any name for the server. 
I recommend setting it to the future FQDN. During installation the FQDN will be set in the guest OS, so you should use it for the server name.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">After pressing the &#8220;buy&#8221; button \ud83d\ude42<\/h2>\n\n\n\n<p>After you deploy the server you have to wait a few minutes until the server is ready. The server will boot with the default configuration, then execute the cloud-init script and reboot. This takes approximately 2 minutes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Set the reverse DNS name after installation<\/h3>\n\n\n\n<p>Go to the network interfaces and set the reverse DNS name. This should be the same name as your hostname.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Add a Volume for your data<\/h3>\n\n\n\n<p>Store your data in a separate volume &#8211; in case of a server crash you can mount that volume easily on another server.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Deploy your applications and enable firewall rules<\/h2>\n\n\n\n<p>Install your applications and test them. 
When you are done with the deployment you can go Live and enable the HTTP firewall rules.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>this is an installation instruction to set up your virtual private server at hetzner.de<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"advanced_seo_description":"","jetpack_seo_html_title":"How to install a virtual private server hosted by hetzner.de","jetpack_seo_noindex":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[16,1,2],"tags":[41],"class_list":["post-719","post","type-post","status-publish","format-standard","hentry","category-deployment","category-general","category-http","tag-hetzner"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true}