Hello,
Welcome to DigitalOcean! I hope you like it. For any help you need, don’t hesitate to ask anything. =)
@jsamuelsp provided a great answer, but I’ll add a few more points.
1) Do I need to create new SSH keys for every droplet or do I use the same one I just created for this droplet?
No, you don’t; you can use one key.
The only downside is that if you lose your key (it gets leaked), the attacker who got the key can access all the resources that used it. But even if you go with multiple keys, if you lose all the keys, the attacker can access all the resources.
So you need to pay close attention to the security of that (single) key. Store it in a secure location. There are many articles on the Internet explaining best practices. I can recommend reading the following question/answer:
What is the best practice: separate ssh-key per host and user VS one ssh-key for all hosts? ~ Security StackExchange.
2) I’m not sure how to get it so I can use PHP, any pointers?
You have two possible choices:
- Set up stack manually
- Use Control Panel solution
1) Setting up the stack manually gives you the most control over the server.
You can set up a LAMP stack, which stands for Linux-Apache-MySQL-PHP, or a LEMP stack, Linux-Nginx (engine X)-MySQL-PHP.
The difference is in the web server: LAMP comes with the most popular web server, Apache, while LEMP comes with Nginx.
For a website and a beginner, I recommend going with LAMP. The biggest reason is popularity.
Apache has the biggest community; there are many, many resources to get started/help with it. Nginx is also good there, but you’ll find help for Apache much more easily than for Nginx.
For other things, they are somewhat the same. You’ll get the same results. Nginx could be easier on resources (mostly RAM), but not noticeably so.
For example, Nginx shines with load balancing and proxy passing. In those cases you want to use Nginx, but you don’t need it at this point.
About PHP, both stacks come with the latest PHP 7 (on Ubuntu 16.04; if you go with Ubuntu 14.04, you’ll have PHP 5). It would be best to go with PHP 7, but check and test whether your app supports it.
DigitalOcean has great resources on setting it up:
How To Install Linux, Apache, MySQL, PHP (LAMP) stack on Ubuntu 16.04
How To Install Linux, Nginx, MySQL, PHP (LEMP stack) in Ubuntu 16.04.
2) Set up a Control Panel to manage the server.
That can help you maintain the server more easily. You will get a GUI, and you’ll be able to manage your server from the browser.
Recommendations for a Control Panel:
ServerPilot. ServerPilot is a great CP. I would mostly recommend it because it supports and is optimized for DigitalOcean. Surprisingly, there are no DO tutorials for it, but they have a great docs base on their site.
VestaCP - How To Install VestaCP and Set Up a Website on Ubuntu 14.04
Ajenti V - How To Install the Ajenti Control Panel and Ajenti V on Ubuntu 14.04
Whether to go the manual way or with a control panel really depends on you. If you want to learn about web servers, how to maintain them, or maybe even be a sysadmin, you will benefit in the long run from the manual way. You’ll learn about servers, security and much more. You’ll have more possibilities once you get the hang of it. If you just want to get it working and add something from time to time, a Control Panel would probably be best.
My personal advice: look at the security practices for the CP solution you choose. With a CP, you’re exposing the server management interface to the web. If someone gets your username/password, they can break into your server and do whatever they want. A strong username/password combination can be enough, but research it.
3) What security setup do I need to do for my server to stop hacks etc.?
This one strongly depends on your application.
On the server side you don’t have a hard job. Use strong passwords and keep your SSH key secure!
Keep your server updated. On the SSH side, disable both PasswordAuthentication and RootLogin.
To disable root login, create a non-root user account and add your SSH key to it too. Initial Server Setup with Ubuntu 16.04 covers it in detail.
To disable PasswordAuth/RootLogin on Ubuntu, open the SSH config with your favorite text editor:
- sudo nano /etc/ssh/sshd_config
Find the line PasswordAuthentication. Make sure it’s not commented (that it doesn’t have # in front of the line) and set it to no:
/etc/ssh/sshd_config
PasswordAuthentication no
The same applies to PermitRootLogin. Make sure it’s not commented (that it doesn’t have # in front of the line) and set it to no:
/etc/ssh/sshd_config
PermitRootLogin no
WARNING: Before disabling PasswordAuthentication, make sure you can log in without a password, using your SSH key! Before disabling PermitRootLogin, make sure you created a non-root account as described in the above tutorial and that you can log in to it without a password, using your SSH key!
You can also install Fail2Ban. Once you disable PasswordAuthentication on SSH, you don’t really need it, but you can install it anyway.
How To Protect SSH with Fail2Ban on Ubuntu 14.04.
Make sure permissions are set correctly on your HTML directory.
About application security: if you are using WordPress, make sure you have up-to-date WP, plugins and themes. Most headaches with WordPress come from the many insecure plugins and themes. Don’t use many plugins; use only the needed ones.
If you made your application or got a developer to do so, make sure you followed some best practices. On the PHP side, it’s not recommended to use mysqli if you use MySQL for the database. Instead, use PDO.
Also, if you use MySQL, pay attention to queries and make sure they aren’t prone to SQL injection. Don’t use the root user from PHP to access MySQL; create a special user for it and pay attention to privileges.
You can find many articles on the above if you need them; if you need help, someone from the community or I can also write down some practices.
For better site performance and DDoS protection, you can use a CDN solution. There are many solutions, and I can recommend CloudFlare, which also offers a free package.
4) Best software for Mac?
Sorry, I’m not using OS X.
5) Is it possible for me to give a portion of my droplet to clients so that they can log in and edit their own websites?
Yes, you can. In this case, using a Control Panel could be the best idea. If you want to give some users access to the Droplet console, so they can manage the Droplet, create a user account and SSH key for them.
If you plan on working with others on your Droplet, you can look into Teams too:
DigitalOcean Teams.
How to Use Team on DigitalOcean.
Depending on your needs, you can let them use only SFTP and enable .htaccess files for them. No need for a CP or anything like that. Let them access only their website and that’s it.
I don’t see why users would need to play around with server settings.
6) What happens if I go over my limit. Will DO automatically just scale it for me to the next droplet size?
No, DigitalOcean will not scale you automatically. You have to do it manually.
A few important points:
If you reach the bandwidth limit, for now, nothing will happen. Because you can’t see how much bandwidth you used, DigitalOcean is not charging for bandwidth overages for now.
This will change in the future; once DigitalOcean implements better bandwidth control, you’ll be charged $0.02 per GB over the bandwidth limit.
If you use more RAM than you have, you’re risking your app/web server being killed. If the web server gets killed, your website will not be accessible. This is what you have to watch for manually on the server.
You can look at memory and CPU stats for your Droplet from the DigitalOcean Control Panel too.
DigitalOcean will soon implement a new and improved monitoring system, so it could be easier for you.
You can also set up some logging software if you want better monitoring. DigitalOcean has a great tutorial base on this: Logging tutorials.
1) If my droplet goes down or crashes, is it possible to get it to automatically create a new one with all the same stuff so that it can switch over? Or is there a better way to handle downtime?
Not automatically. But if you are good with scripting, you can use the DigitalOcean API and create a Droplet from a Snapshot/Backup if one gets broken.
You must be careful: if you create a new Droplet, it’ll get a new IP address. That means that you have to update all A records on the domain, and that can mean downtime until DNS propagation (update) is finished.
Here Floating IPs come in handy: an IP that you can switch from Droplet to Droplet.
I would not recommend creating a new Droplet once you get a problem. Find the root of the problem and fix it. By creating a new Droplet, you get nothing, just one more problem.
Monitoring and logging will help you know when the server goes down and why. So it’s important to set up the right solution.
2) Is connecting via terminal with the SSH secure when I am on public wifi locations?
Yes, it’s secure. @jsamuelsp explained this already.
I would just add that the SSH port (22) could be disabled on some public WiFi. So if you encounter problems accessing your server, it could be because it’s disabled on that WiFi.
If you need any more help, feel free to ask.
I hope you like DigitalOcean as much as we do here. =]
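The sshd_config hardening described in the answer above (disable PasswordAuthentication and PermitRootLogin, but only after a key-based login for a non-root user is in place), as an added example that is not part of the original post or of any DigitalOcean tutorial. It is a POSIX sh script: audit_sshd reports the effective value of both settings, honouring sshd's rule that the first active (uncommented) occurrence of a keyword wins, and harden_sshd refuses to change anything unless the given authorized_keys file already holds a public key. The function names, the file paths it is given and the sample config in demo are all constructed for this example; the script deliberately ignores Match blocks, Include'd files and the "Keyword=value" spelling.

```shell
#!/bin/sh
# Added example (not from the original post): audit and harden the two
# sshd_config settings the answer tells you to change, with the pre-flight
# check it warns about. Every function takes the config path as an argument,
# so you can exercise it on a copy before touching /etc/ssh/sshd_config.
# Assumptions/limitations: Match blocks and Include'd files are ignored, and
# only the "Keyword value" form is parsed, not "Keyword=value".

# effective_value FILE KEY DEFAULT
# sshd honours the FIRST active (uncommented) occurrence of a keyword, so a
# later duplicate does not override it; with none present, DEFAULT applies.
effective_value() {
    file=$1 key=$2 default=$3
    val=$(awk -v k="$key" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$file")
    printf '%s\n' "${val:-$default}"
}

# audit_sshd FILE
# Print one line per setting; exit status 0 only if both are already "no".
# Compiled-in defaults: PasswordAuthentication=yes and, since OpenSSH 7.0,
# PermitRootLogin=prohibit-password (older releases defaulted to yes).
audit_sshd() {
    file=$1 rc=0
    for pair in "PasswordAuthentication yes" "PermitRootLogin prohibit-password"; do
        key=${pair% *} default=${pair#* }
        cur=$(effective_value "$file" "$key" "$default")
        if [ "$cur" = "no" ]; then
            echo "ok   $key $cur"
        else
            echo "FAIL $key $cur (want no)"
            rc=1
        fi
    done
    return $rc
}

# set_option FILE KEY VALUE
# Rewrite the first active occurrence of KEY in place; if there is none,
# append an active line (a commented "#Key value" line is left untouched).
set_option() {
    file=$1 key=$2 value=$3
    awk -v k="$key" -v v="$value" '
        !done && tolower($1) == tolower(k) { print k " " v; done = 1; next }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# harden_sshd FILE AUTHORIZED_KEYS
# The WARNING from the answer as code: refuse to lock out password and root
# logins unless the non-root user's authorized_keys already holds a public
# key (ssh-rsa, ssh-dss, ssh-ed25519 or ecdsa; FIDO sk-* keys would need
# adding). This does not prove the private key is on your laptop: confirm a
# key login from a second terminal before restarting sshd.
harden_sshd() {
    file=$1 authorized_keys=$2
    if ! grep -q -E '(^|[[:space:]])(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) ' \
            "$authorized_keys" 2>/dev/null; then
        echo "refusing: no public key found in $authorized_keys" >&2
        return 1
    fi
    set_option "$file" PasswordAuthentication no
    set_option "$file" PermitRootLogin no
}

# demo: run the whole flow on a constructed copy in a temp dir (never /etc/ssh).
demo() {
    dir=$(mktemp -d) || return 1
    cfg=$dir/sshd_config keys=$dir/authorized_keys
    # Constructed sample: Ubuntu 16.04-style file with both settings still open.
    printf '%s\n' '# sample sshd_config (constructed for this example)' \
        'Port 22' 'PermitRootLogin yes' '#PasswordAuthentication yes' > "$cfg"
    # Constructed, non-functional key line standing in for the non-root user's key.
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal deploy@laptop' > "$keys"
    audit_sshd "$cfg" || true            # prints two FAIL lines
    harden_sshd "$cfg" "$keys" || return 1
    audit_sshd "$cfg"                    # prints two ok lines, exit status 0
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh harden-sshd.sh --demo` to see the flow on the sample file. On a real server, run `harden_sshd /etc/ssh/sshd_config /home/youruser/.ssh/authorized_keys` as root, then `sudo sshd -t` to syntax-check the result and `sudo systemctl restart ssh` (the service is called ssh on Ubuntu). Restarting sshd does not drop your current session, so keep it open and, from a second terminal, confirm `ssh -o PasswordAuthentication=no youruser@your-droplet` works before closing it. Newer Ubuntu releases also read files under /etc/ssh/sshd_config.d/ via an Include line, which this script does not follow.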