Sorry if the phrasing in the title is confusing, it’s worded the best way I could given my limited knowledge of running a server. I’ve setup my server and added a few small websites to learn more about servers. I did everything under the root username and everything works fine. It’s my understanding that I should be using a non root user, and there are many great guides on here for setting that up. My question is after following one of those, would any processes or things be running in root that should not be running in root? I’m essentially only running fail2ban, nginx and the firewall just blocking all ports except what is required.
If all is fine, I’ll just go follow one of the tutorials to setup a sudo user and add SSH keys to that account (different from root user would be best practice I’m guessing) and follow whatever other recommendations are suggested in the official guide for this distro.
I’m just wondering if there is a security or other best practice downside to having done everything starting out in root, or if it’s fine and I should consider myself lucky I didn’t accidentally delete the server or mess something up badly etc! Obviously in the future, I’ll pay more attention to best practices when setting up the server.
Oh and just a quick edit. I’m only hosting fully static websites with HTML/JS/CSS so no php/databases are installed and will never be on this droplet.
Thanks in advance for the guidance!
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Click below to sign up and get $200 of credit to try our products over 60 days!
Absolutely. One of the main reasons you wouldn’t want to run anything as the root user is if your system is compromised (via one of said applications), the attacker basically has complete access to your machine. No sudo access= decreased potential of catastrophic damage.
You may also want to disable password based authentication on your system as a whole and strictly use key files for authentication. Check out https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-16-04 as this tutorial covers how to install NGINX and also has a link out to our tutorial on creating user accounts.