DigitalOcean What is the procedure the expert will do right after creating new droplet?

Discussion in 'Virtual Private Server (VPS) hosting' started by rc112, Feb 12, 2018.

  1. rc112

    rc112 Member

    Hi, I am moving to DO from GCP. After reviewing the DO docs, the question in the title occurred to me.

    DO advises 1) create SSH key 2) create a new user with root privilege 3) disable root SSH. And after all that, should I go on to install centminmod and follow the GETTING STARTED GUIDE? Centminmod will take care of the firewall, right? Thanks so much in advance.
     
  2. Jon Snow

    Jon Snow Active Member

    Centminmod comes with a firewall, yes. I read that @eva2000 said Centminmod was built with root users in mind for usage, so I would rather not disable root access.
     
  3. eva2000

    eva2000 Administrator Staff Member

    Centmin Mod installs CSF Firewall (see "CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS"); also see step 4 & 5 of Getting Started Guide.

    There's a difference between disabling direct root user login and disabling the root user itself. The correct suggestion usually is to disable direct root user login, which still allows the root user to exist; they just can't log in directly and instead need to log in as a sudo user, then elevate privileges and switch to the root user. Centmin Mod was created for the root user essentially, so it's required to have the root user run centmin.sh menu options. But ssh key authentication is supported and works fine with Centmin Mod. Just read the info below first.

    Using ssh keys instead of password login is another suggestion, but most guides only tell you how to use and create ssh key login. None really tell you that if you lose your ssh key's private key you won't be able to log in and are at the mercy of each web host's recovery and/or out of band console access to your server. If the web host doesn't have such, then you won't be able to access your server and the web host won't be able to access or help you access it. So be 100% sure you know how to recover and re-access your server via SSH if you lose your ssh keys.

    Before you look into ssh key only (+disable password authentication), make sure your web host is set up with features that allow you to regain access to your server if you ever lose your ssh key's private key and that you know how to use those features to regain access.

    If you don't know how to use those features, set up a test instance/VPS with that web host and test it out. If you're with a web host with hourly billed VPSes like Linode, DigitalOcean, and Vultr, then it is relatively cheap to test out for a few hours on a test VPS.

    Here's an example text you can use to ask your web host to be sure

    There are numerous how to use ssh key login guides online, but not many go beyond that to explain what to do if you lose your ssh private key and are unable to use password logins. And that can come down to your web host and what measures they have in place, i.e. out of band console access etc. and recovery ISO/CDs available.

    And some relevant guides with different web hosts about setting up SSH key authentication and also about recovery, as well as general need to know info.

    DigitalOcean

    Has out of band console access

    Linode

    Has out of band console access called Lish

    Vultr

    Has out of band console access

    OVH

    RamNode

    Others
     
  4. rc112

    rc112 Member

    Hi @eva2000, thank you always for such detailed info.

    I can use SSH key with DO droplets now and also take the security measures suggested by DO like 1) create SSH key 2) create a new user with root privilege 3) disable root SSH. Then, what is the best practice you will do after these? Installing Centmin Mod stack or configuring or installing anything else? I am new to server management/optimization, so I would like to know what steps the experts like you will do. Thanks again.
     
  5. eva2000

    eva2000 Administrator Staff Member

    Centmin Mod 123.09beta01 and higher have a tools/addsudousers.sh script created to properly set up sudo users for elevation to root user. You can add a new sudo user, e.g. george, via the commands below
    Code (Text):
    cd /usr/local/src/centminmod/tools
    ./addsudousers.sh george
    


    every step outlined in Getting Started Guide as per official install guide.
     
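Added example, not part of the posts above and not Centmin Mod code: a shell pre-flight check for the two sshd settings discussed in this thread (direct root login and password authentication) that flags the case where key-only login would leave the sudo user with no way in. The function names, the sample config and the key file are constructed for illustration, and the defaults passed in are assumed to be the upstream OpenSSH ones.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check before hardening SSH.

# Print the effective global value of an sshd_config keyword. sshd keeps the
# first value it obtains for a keyword and matches keywords case-insensitively;
# everything after the first Match line is conditional, so parsing stops there.
sshd_effective() {  # usage: sshd_effective <config> <Keyword> <default>
    awk -v key="$2" -v dflt="$3" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print dflt }
    ' "$1"
}

# True if the authorized_keys file holds at least one public key line.
has_key() {  # usage: has_key <authorized_keys>
    [ -r "$1" ] && grep -Eq '^[^#]*(ssh-rsa|ssh-ed25519|ecdsa-sha2-)' "$1"
}

# 0 = fine, 1 = direct root login still allowed, 2 = sudo user cannot log in.
lockout_check() {  # usage: lockout_check <config> <sudo user authorized_keys>
    root=$(sshd_effective "$1" PermitRootLogin prohibit-password)
    pass=$(sshd_effective "$1" PasswordAuthentication yes)
    if [ "$pass" = no ] && ! has_key "$2"; then
        echo "LOCKOUT: password login off and no key for the sudo user"
        return 2
    fi
    if [ "$root" = yes ]; then
        echo "WARN: PermitRootLogin yes (direct root login allowed)"
        return 1
    fi
    echo "OK: PermitRootLogin=$root PasswordAuthentication=$pass"
}

# Constructed sample input: a hardened config and a key file for a sudo user.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
# constructed sample; the second PermitRootLogin line is ignored by sshd
PermitRootLogin no
PasswordAuthentication no
PermitRootLogin yes
EOF
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAconstructedkey george@laptop" \
    > "$demo_dir/authorized_keys"
lockout_check "$demo_dir/sshd_config" "$demo_dir/authorized_keys" || true
lockout_check "$demo_dir/sshd_config" "$demo_dir/missing_keys" || true
```

Run it against a copy of the real config and the sudo user's authorized_keys before restarting sshd, and keep the existing session open until a second login has been confirmed.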
  6. rc112

    rc112 Member

    @eva2000 Yes, I look deeper into those. I feel relieved to know what is right to do. Thanks again.
     