Initial setup and advice needed.

December 14, 2016 424 views
Apache Security Getting Started Ubuntu 16.04

Hi everyone

I am new to this community as well as DO. Hello all :)

** Disclaimer: Total Noob at this. *

I decided to go with my own server as my current (shared) managed server providers were terrible at support, kept having downtime and also I just wanted some more control.

As it stands. I have created my droplet and I have created some SSH keys and also connected to the droplet via terminal.

I have then created a directory var/www/domain.com/public_html as this is very similar to my last set up where I could FTP to that location.

Right, so now I am stuck and hoping you wonderful people would be able to help me answer these few questions:

1) Do I need to create new SSH keys for every droplet or do I use the same one I just created for this droplet?

2) I'm not sure how to get it so I can use PHP, any pointers?

3) What security setup do i need to do for my server to stop hacks etc...

4) best software for mac?

5) Is it possible for me to give a portion of my droplet to clients so that they can log in and edit their own websites?

6) What happens if I go over my limit. Will DO automatically just scale it for me to the next droplet size?

I am also about go travelling so I would also like to know:

1) If my droplet goes down or crashes, is it possible to get it to automatically create a new one with all the same stuff so that it can switch over? Or is there a better way to handle downtime?

2) Is connecting via terminal with the SSH secure when I am on public wifi locations?

Feel free to point me to tutorials and other links, I am not afraid of doing some research but I am finding the jargon is not helping me get to where I need to be to answer these questions.

Much appreciated for your time.

2 Answers

Hi, congratulations on running your own cloud server!

1) Do I need to create new SSH keys for every droplet or do I use the same one I just created for this droplet?

You should use the same SSH keys for each droplet. Think of your private SSH key as identifying you. There's just one you. (Some people like to use a different key from each computer they use.)

2) I'm not sure how to get it so I can use PHP, any pointers?

The easiest way to host PHP sites on a DigitalOcean server is to use a server management tool like ServerPilot. That works to host all types of PHP sites, including but not limited to WordPress.

3) What security setup do i need to do for my server to stop hacks etc...

For server security, if you're manually configuration the server on your own, you'll want to spend a lot of time researching and learning about how to secure your server. You'll essentially be learning to be a sysadmin. There are good tutorials provided by DigitalOcean. Alternatively, you can let a tool like ServerPilot handle the server security for you.

For extra website security, you can use a tool like CloudFlare's WAF. That said, the majority of website compromises are due to insecure WordPress plugins and themes. So, if you're using WordPress, the absolute best thing you can do for security is to keep your plugins updated and to use as few plugins as possible.

4) best software for mac?

For file transfer (SFTP), Cyberduck is a great choice.

5) Is it possible for me to give a portion of my droplet to clients so that they can log in and edit their own websites?

You can do that by running each client's sites under a different system user and giving each client access to the server with their system user. Note that the same concepts apply if you're manually configuring your server or using a control panel to manage your server.

6) What happens if I go over my limit. Will DO automatically just scale it for me to the next droplet size?

DigitalOcean won't automatically resize your server. The best thing to do is keep an eye on your server resources and not push your server to the limit so you don't run into any issues. You can estimate the number of sites you can run on your server and if you keep it under that estimate, you should be good. You'd only want to resize your server to a larger one if you notice resource usage is getting high or you're adding more sites over time and know you need to be using a larger server.

1) If my droplet goes down or crashes, is it possible to get it to automatically create a new one with all the same stuff so that it can switch over? Or is there a better way to handle downtime?

There's no automated way to do that. At least, there's no simple automated way that anything but advanced sysadmins should attempt as the risk of problems that complexity introduces is quite high.

Ultimately, if you use a good server management tool, don't make any customizations as "root" (leave everything up to the server management tool), and don't put more sites on the server than you know the server can handle, you'll have amazing speed and stability.

2) Is connecting via terminal with the SSH secure when I am on public wifi locations?

It is. The first time you connect to your server over SSH, you'll get a notice to accept your server's fingerprint. Then you should never get asked that again whenever you connect to your server. So, when connecting from a public wifi location, as long as you aren't getting warnings that your server's fingerprint is different when you try to connect, there's no risk of a man-in-the-middle attack.

Hello,
Welcome to DigitalOcean! I hope you like it. For any help you need, don't hesitate to ask anything. =)
@jsamuelsp provided a great answer, but I'll add few more points.

1) Do I need to create new SSH keys for every droplet or do I use the same one I just created for this droplet?

No you don't, you can use one key.
Only negative downside is that if you lose your key (it gets leaked), attacker that got key can access all your resources that used key. But even if you go with multiple keys, if you lose all keys, attacker can access all resources.

So you need to pay high attention to security of that (single) key. Store them at secure location. There are many articles on the Internet explaining best practices. I can recommend you to read following question/answer:
What is the best practice: separate ssh-key per host and user VS one ssh-key for all hosts? ~ Security StackExchange.

2) I'm not sure how to get it so I can use PHP, any pointers?

You have two possible choices:

  1. Set up stack manually
  2. Use Control Panel solution

1) Setting up stack manually gives you most control over server.
You have can set up LAMP stack, which stands for Linux-Apache-MySQL-PHP, or LEMP stack, Linux-nginx (engine X)-MySQL-PHP.

Difference is in web server, LAMP comes with most popular web server - Apache, while LEMP comes with Nginx.

As for web site and beginner, I recommend going with LAMP. Biggest reason is popularity.
Apache has biggest community, there are many many resources to get started/help with it. Nginx is also good there, but you'll find help for Apache much easier then for Nginx.

For other things, there are somewhat same. You'll get the same results. Nginx could be easier on resources (mostly RAM), but not something noticeable.
For example Nginx shines with Load Balancing and Proxy Passing. In this cases, you want to use Nginx, but you don't need it at this point.

About PHP, both stacks come with latest PHP7 (on Ubuntu 16.04; if you go with Ubuntu 14.04, you'll have PHP5). It would be best to go with PHP7, but check and test is your app supporting it.

DigitalOcean has great resources on setting it up:
How To Install Linux, Apache, MySQL, PHP (LAMP) stack on Ubuntu 16.04
How To Install Linux, Nginx, MySQL, PHP (LEMP stack) in Ubuntu 16.04.

2) Set up Control Panel to manage server.
That can help you maintain server easier. You will get a some GUI, and you'll have possibility to manage your server from browser.

Recommendations for Control Panel:
ServerPilot. ServerPilot is a great CP. I would mostly recommend it because it support and is optimized for DigitalOcean. Surprisingly, there are no DO tutorials for it, but they have great docs base on their site.
VestaCP - How To Install VestaCP and Set Up a Website on Ubuntu 14.04
Ajenti V - How To Install the Ajenti Control Panel and Ajenti V on Ubuntu 14.04

To go manual way or control panel really depends on you. If you want to learn around web servers, how to maintain them, or maybe even be sysadmin, you will benefit on long con with manual way. You'll learn around servers, security and much more. You'll have more possibilities once you get around it. If you just want to get it working and add something from time to time, Control Panel would probably be best.

My personal advice: Look around security practices for CP solution you choose. With CP, you're exposing server management interface to web. If someone gets your username/password, it can break into your server and do whatever it wants. Strong username/password combination can be enough, be research around it.

3) What security setup do i need to do for my server to stop hacks etc...

This one strongly depends on your application.

On server side you don't have hard job. Use strong passwords and keep your SSH key secure!
Keep your server updated. On SSH side, disable both PasswordAuthentication and RootLogin.
To disable Root login, create non-root user account and add SSH key to it too. Initial Server Setup with Ubuntu 16.04 covers it in details.

To disable PasswordAuth/RootLogin on Ubuntu, open SSH config with your favorite text editor:

  • sudo nano /etc/ssh/sshd_config

Find line PasswordAuthentication. Make sure it's not commented (that it doesn't have # in front of line) and set it to no:

/etc/ssh/sshd_config
PasswordAuthentication no

Same applies for PermitRootLogin. Make sure it's not commented (that it doesn't have # in front of line) and set it to no:

/etc/ssh/sshd_config
PermitRootLogin no

WARNING: Before disabling PasswordAuthentication make sure you can login without password, using your SSH key! Before disabling PermitRootLogin make sure you created non-root account as described in above tutorial and that you can login on it without password, using SSH key!!!*

You can also install Fail2Ban. Once you disable PasswordAuthentication on SSH, you don't really need it, but you can go install it anyways.
How To Protect SSH with Fail2Ban on Ubuntu 14.04.

Make sure permissions are set correctly on your HTML directory.

About application security... If you are using WordPress, make sure you have up-to-date WP, plugins and themes. Most headache with WordPress comes with many not secure plugins and themes. Don't use many plugins, use only needed ones.

If you made your application or got developer to do so, make sure you followed some best practices. On PHP side, it's not recommended to use mysqli if you use MySQL for database. Instead use PDO.
Also if you use MySQL pay attention to queries and make sure they aren't prone to SQL Injection. Don't use root user from PHP to access MySQL, create special user for it and pay attention to privileges.
You can find many articles for above if you need it, if you need help, someone from community or me can also write down some practices.

For better site performance, DDoS protection, you can use some CDN solution. There are many solutions and I could recommend CloudFlare, which also offers free package.

4) best software for mac?
Sorry, I'm not using OS X.

5) Is it possible for me to give a portion of my droplet to clients so that they can log in and edit their own websites?

Yes you can. In this case, Control Panel usage could be best idea. If you want to give some users access to Droplet console, so they can manage Droplet, create user account and SSH key for them.
If you plan on working with others on your Droplet, you can look around teams too:
DigitalOcean Teams.
How to Use Team on DigitalOcean.
Depending on your needs, you can only let them use SFTP and enable .htaccess files for them. No need for CP, or something like that. Let them access only their website and that's it.
I don't see users need to play around server settings.

6) What happens if I go over my limit. Will DO automatically just scale it for me to the next droplet size?

No, DigitalOcean will not scale you automatically. You have to do it manually.
Few important points:
If you reach bandwidth limit, for now, nothing will happen. Because, you can't see how much you used bandwidth, DigitalOcean is not charging for bandwidth overages for now.
This will change in future, once DigitalOcean implement better bandwidth control, you'll be charged $0.02 per GB over bandwidth limit.

If you use more RAM memory then you have, you're risking of your app/web server to be killed. If web server gets killed, your web site will not be accessible. This what you have to look manually on server.
You can look for memory and CPU stats for your Droplet from DigitalOcean Control Panel too.
DigitalOcean will soon implement new and improved Monitoring system so it could be easier for you.

You can also set up some Logging software if you want better monitoring. DigitalOcean has great tutorial base on this - Logging tutorials

1) If my droplet goes down or crashes, is it possible to get it to automatically create a new one with all the same stuff so that it can switch over? Or is there a better way to handle downtime?

Not automatically. But if you are good with scripting, you can utilize DigitalOcean API and create Droplet from Snapshot/Backup if one gets broken.

You must be careful, if you create new Droplet, it'll get new IP address. That means that you have to update all A records on domain and that can impact on downtime until DNS propagation (update) is finished.
Here comes handy Floating IPs. IP that you can switch from Droplet to Droplet.

I would not recommend creating new Droplet once you get problem. Find root of problem and fix it. By creating new Droplet, you get nothing, just one more problem.
Monitoring and logging will help you know when server goes down and why. So it's important to set up right solution.

2) Is connecting via terminal with the SSH secure when I am on public wifi locations?
Yes it's secure. @jsamuelsp explained this already.
I would just add, that SSH port (22) could be disabled on some Public WiFi(s). So if you encounter problems accessing, it could be due that it's disabled on that WiFi.

If you need any more help, feel free to ask.
I hope you like DigitalOcean as we do here. =]

by Justin Ellingwood
Fail2ban is a daemon that can be run on your server to dynamically block clients that fail to authenticate correctly with your services repeatedly. This can help mitigate the affect of brute force attacks and illegitimate users of your services. In this guide, we'll show demonstrate how to install and configure fail2ban to protect SSH and Nginx on an Ubuntu 14.04 server.
Have another answer? Share your knowledge.