Hello,
I usually spin up new Droplets for services, provision them with a script/manual actions to tighten security, and then manually install applications.
Today, for the first time really, I’ve been looking at the One-Click Install App library and realised this could cut some time out of the provisioning process.
However, while there is information around using the library, I can’t find any firm details or advice regarding security.
A few questions, if anyone can help:
Thank you in advance for any responses.
Hi. I am the Software Engineer here at DO who maintains our one-click images.
Our one-clicks vary in their production readiness. One-clicks that provide a turn-key service (like WordPress) usually include a pre-configured firewall and WordPress also includes fail2ban with the WordPress plugin. Other images like Ruby on Rails or Docker provide the key components needed to get started with the language or platform they provide.
One-clicks are intended to provide a fairly standard installation, similar to what you would get if you followed one of our tutorials on setting up the stack. Where services are exposed publicly on launch firewalls or other addons may be included.
Yes. When you launch a one-click, most of them include a custom MOTD that is displayed when you log in via SSH or the console. This will include any specifics related to that particular one click that you should be aware of such as the location of generated passwords (such as for MySQL), file locations and additional software that has been installed. We will soon be updating these to a more standardized format.
Nothing that is specific to one-clicks but this guide covers recommended first steps on Ubuntu 16.04 which our one-clicks are currently all based on. A similar tutorial is available for 18.04 once our one-clicks migrate to the newer Ubuntu LTS release later this year.
One-clicks are generally intended to be a short-cut, providing pre-installed versions of popular software stacks. Originally most of these images simply provided the installation of the packages provided by the upstream distribution but over time basic security precautions have been added. We recommend using one-clicks as a starting point. If you are creating a lot of droplets for production use I would recommend doing one of the following if you find that additional security measures or packages are wanted for the image you are using:
Provide commands to do additional setup in a user-data script passed when you create the droplet. These commands will be run on the first boot.
Alternately you could spin up a droplet from a one-click image, customize it as needed and create a snapshot image to use for additional droplets.
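As an added example of the first option above (this is not DigitalOcean's code nor part of any one-click image), here is a user-data script that tightens a fresh one-click Droplet on first boot. It assumes Ubuntu 16.04 with cloud-init and ufw present, that root's SSH key is in /root/.ssh/authorized_keys as on a newly created Droplet, and that cloud-init stores and runs user-data scripts under /var/lib/cloud/instance/scripts/. The admin user name `deploy` and the port allow-list are constructed placeholders; adjust them for the stack the image provides. Outside of cloud-init the script only defines its functions, so the pieces that rewrite sshd_config can be exercised against a copy of the file before the script is ever pasted into the Droplet creation form.

```shell
#!/bin/bash
# Added example, not DigitalOcean's own code: first-boot hardening for a
# one-click Droplet, passed as user-data. Assumes Ubuntu 16.04 + cloud-init.
set -eu

ADMIN_USER="deploy"                 # hypothetical sudo user that replaces root logins
ALLOWED_PORTS="22/tcp 80/tcp 443/tcp"   # constructed allow-list for a web stack

# Set one sshd_config directive in place (uncommenting it if needed), or
# append it when absent. Takes the config path so it can run against a copy.
set_sshd_option() {
  local conf="$1" key="$2" value="$3"
  if grep -Eq "^#?[[:space:]]*${key}[[:space:]]" "$conf"; then
    sed -i -E "s|^#?[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$conf"
  else
    printf '%s %s\n' "$key" "$value" >> "$conf"
  fi
}

# Key-only SSH and no direct root logins; applied only after the admin
# user exists so the change cannot lock the operator out.
harden_sshd_config() {
  local conf="$1"
  set_sshd_option "$conf" PermitRootLogin no
  set_sshd_option "$conf" PasswordAuthentication no
  set_sshd_option "$conf" ChallengeResponseAuthentication no
}

# Value sshd would use for a directive: the first uncommented occurrence wins.
sshd_option_value() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Default-deny inbound firewall with only the stack's ports open. Emitted as
# text so the rule set can be reviewed before it is executed.
ufw_commands() {
  local p
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  for p in $ALLOWED_PORTS; do echo "ufw allow $p"; done
  echo "ufw --force enable"
}

# Create the sudo user and give it root's SSH key (idempotent).
ensure_admin_user() {
  local user="$1"
  if ! id "$user" >/dev/null 2>&1; then
    adduser --disabled-password --gecos "" "$user"
    usermod -aG sudo "$user"
    install -d -m 700 -o "$user" -g "$user" "/home/$user/.ssh"
    install -m 600 -o "$user" -g "$user" /root/.ssh/authorized_keys "/home/$user/.ssh/authorized_keys"
  fi
}

apply_on_first_boot() {
  export DEBIAN_FRONTEND=noninteractive
  ensure_admin_user "$ADMIN_USER"
  harden_sshd_config /etc/ssh/sshd_config
  sshd -t && systemctl reload ssh          # validate before reloading
  ufw_commands | sh -e
  apt-get update -q
  apt-get install -y -q fail2ban unattended-upgrades
  dpkg-reconfigure -f noninteractive unattended-upgrades
  systemctl enable fail2ban && systemctl restart fail2ban
}

# Apply when cloud-init runs this as a user-data script (its scripts live under
# /var/lib/cloud/instance/scripts/) or when invoked explicitly with --apply;
# otherwise only define the functions so they can be tested on a copy.
case "${1:-}:$0" in
  --apply:*|*:/var/lib/cloud/*) apply_on_first_boot ;;
esac
```

Paste the whole script into the "User data" field when creating the Droplet; cloud-init runs it once as root on first boot. Keep port 22 in the allow-list (or the SSH port the image uses), and check the one-click's MOTD for any extra service ports before enabling the firewall.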
For good security it is usually recommended to go with providing absolute minimum access wherever possible. A “least privileges” philosophy. By blocking any access not needed and restricting access to the bare minimum you can help ensure a secure system.
One-clicks, while taking security in mind do not follow this philosophy in their creation. One-clicks are focused on standardization with common practice and ease of use and access is secured when it is considered a direct risk.
More generally I would say that on any system you plan to administer to ensure you verify the security in place and adjust as needed to meet your needs or further restrict access.