Are One-Click Install Apps "safe to use"?

August 17, 2018
Tags: One-Click Install Apps, Security

Hello,

I usually spin up new Droplets for services, provision them with a script/manual actions to tighten security, and then manually install applications.

Today, for the first time really, I've been looking at the One-Click Install App library and realised this could cut some time out of the provisioning process.

However, while there is information around using the library, I can't find any firm details or advice regarding security.

A few questions, if anyone can help:

  • Are One-Click Install App images "safe to use" by default?
  • What are the default security settings for these images?
  • Anything in particular to be aware of when using them?
  • Is there any official advice/best practices for provisioning/security, after creating a Droplet from an image?
  • What's the intended use for these images? Are they meant to be used for production use, without necessarily requiring user modification of the base distribution image, or should they be reserved for quick development/experimentation?

Thank you in advance for any responses.

1 Answer
ryanpq MOD August 17, 2018
Accepted Answer

Hi. I am the Software Engineer here at DO who maintains our one-click images.

Are One-Click Install App images "safe to use" by default?

Our one-clicks vary in their production readiness. One-clicks that provide a turn-key service (like WordPress) usually include a pre-configured firewall and WordPress also includes fail2ban with the WordPress plugin. Other images like Ruby on Rails or Docker provide the key components needed to get started with the language or platform they provide.

What are the default security settings for these images?

One-clicks are intended to provide a fairly standard installation, similar to what you would get if you followed one of our tutorials on setting up the stack. Where services are exposed publicly on launch firewalls or other addons may be included.

Anything in particular to be aware of when using them?

Yes. When you launch a one-click, most of them include a custom MOTD that is displayed when you log in via SSH or the console. This will include any specifics related to that particular one click that you should be aware of such as the location of generated passwords (such as for MySQL), file locations and additional software that has been installed. We will soon be updating these to a more standardized format.

Is there any official advice/best practices for provisioning/security, after creating a Droplet from an image?

Nothing that is specific to one-clicks but this guide covers recommended first steps on Ubuntu 16.04 which our one-clicks are currently all based on. A similar tutorial is available for 18.04 once our one-clicks migrate to the newer Ubuntu LTS release later this year.

What's the intended use for these images? Are they meant to be used for production use, without necessarily requiring user modification of the base distribution image, or should they be reserved for quick development/experimentation?

One-clicks are generally intended to be a short-cut, providing pre-installed versions of popular software stacks. Originally most of these images simply provided the installation of the packages provided by the upstream distribution but over time basic security precautions have been added. We recommend using one-clicks as a starting point. If you are creating a lot of droplets for production use I would recommend doing one of the following if you find that additional security measures or packages are wanted for the image you are using:

  • Provide commands to do additional setup in a user-data script passed when you create the droplet. These commands will be run on the first boot.

  • Alternately you could spin up a droplet from a one-click image, customize it as needed and create a snapshot image to use for additional droplets.

For good security it is usually recommended to go with providing absolute minimum access wherever possible. A "least privileges" philosophy. By blocking any access not needed and restricting access to the bare minimum you can help ensure a secure system.

One-clicks, while keeping security in mind, do not follow this philosophy in their creation. One-clicks are focused on standardization with common practice and ease of use, and access is secured when it is considered a direct risk.

More generally I would say that on any system you plan to administer, ensure you verify the security in place and adjust as needed to meet your needs or further restrict access.

Linked guide, by Mitchell Anicas: "When you start a new server, there are a few steps that you should take every time to add some basic security and give you a solid foundation. In this guide, we'll walk you through the basic steps necessary to hit the ground running with Ubuntu 16.04."
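The user-data approach the answer recommends, as an added example that is not DigitalOcean's code and not part of this thread: a first-boot script that layers the "least privilege" adjustments discussed above onto a one-click image, then checks its own work. It assumes the Ubuntu 16.04 conventions the answer mentions (ufw installed, sshd config at /etc/ssh/sshd_config, systemd service name `ssh`); `APP_PORTS` is a constructed placeholder for whatever ports the image's MOTD says the application needs, and the cloud-init directory check is a safety guard so the functions can be exercised on a copy of a config file without touching a live system.

```shell
#!/bin/bash
# Added example, not DigitalOcean's code: user-data run by cloud-init on the
# first boot of a Droplet created from a one-click image. Assumptions: Ubuntu
# 16.04 image, ufw present, sshd config at /etc/ssh/sshd_config, service "ssh".
set -euo pipefail

# Public TCP ports the one-click service itself needs (constructed default for
# a web stack; take the real list from the image's MOTD).
APP_PORTS="${APP_PORTS:-80 443}"

# Rewrite an sshd_config so key-based logins are the only way in. Every
# existing (or commented-out) copy of the directives is dropped first, so the
# values appended here are the ones sshd actually uses.
harden_sshd_config() {
  local cfg="$1"
  { grep -Ev '^[[:space:]]*#?[[:space:]]*(PasswordAuthentication|PermitRootLogin|X11Forwarding)([[:space:]]|$)' "$cfg" || true; } > "$cfg.tmp"
  printf '%s\n' \
    'PasswordAuthentication no' \
    'PermitRootLogin prohibit-password' \
    'X11Forwarding no' >> "$cfg.tmp"
  mv "$cfg.tmp" "$cfg"
}

# Audit check: succeeds only if the config forbids password logins and
# password-based root logins.
sshd_config_is_hardened() {
  local cfg="$1"
  grep -Eq '^[[:space:]]*PasswordAuthentication[[:space:]]+no[[:space:]]*$' "$cfg" &&
  grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+(no|prohibit-password)[[:space:]]*$' "$cfg"
}

# Print the ufw rule set, one rule per line: deny everything inbound by
# default, then open only SSH and the ports passed as arguments.
ufw_rules() {
  echo "default deny incoming"
  echo "default allow outgoing"
  echo "allow OpenSSH"
  local p
  for p in "$@"; do
    echo "allow ${p}/tcp"
  done
}

# Feed the generated rules to ufw and turn it on.
apply_firewall() {
  ufw_rules "$@" | while read -r rule; do
    # shellcheck disable=SC2086
    ufw $rule
  done
  ufw --force enable
}

main() {
  # Only modify the live system when this really is a cloud-init managed host
  # and we are root; otherwise do nothing so the functions can be tested safely.
  if [ "$(id -u)" -ne 0 ] || [ ! -d /var/lib/cloud/instance ]; then
    echo "not a first boot under cloud-init; nothing applied" >&2
    return 0
  fi
  harden_sshd_config /etc/ssh/sshd_config
  sshd -t                 # validate before restarting, rather than lock ourselves out
  systemctl restart ssh
  # shellcheck disable=SC2086
  apply_firewall $APP_PORTS
  sshd_config_is_hardened /etc/ssh/sshd_config && echo "sshd hardened, firewall enabled"
}

main "$@"
```

Paste the script into the "User data" field when creating the Droplet. Two things to check before doing so: create the Droplet with an SSH key, because `PasswordAuthentication no` removes the password login path entirely, and read the image's MOTD first, since `apply_firewall` blocks every inbound port not listed in `APP_PORTS`.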
  • Thank you for such a detailed response; this really addresses my queries.

    I think the takeaway for me is to experiment a bit more; I'll try spinning up some of the images I'm interested in and inspect each one to see how it meets my requirements.
