<div dir="ltr">I was going to ask do you guys have a set of scripts you'd be willing to share? Also purely just interest, how many VPS machines has everyone got.</div><div class="gmail_extra"><br><div class="gmail_quote">On 30 July 2015 at 13:36, Michael Crilly <span dir="ltr"><<a href="mailto:michael@mcrilly.me" target="_blank">michael@mcrilly.me</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">On top of Les' suggestions, I'd recommend you also disable weak ciphers and use ECDH. Also, install fail2ban to automatically block automated brute forcing attacks against SSH - they can fill up your disk space with syslog entries, thus DOSing your server. </p><div class="HOEnZb"><div class="h5">
<div class="gmail_quote">On 30 Jul 2015 10:23 pm, "Les Pritchard" <<a href="mailto:les.pritchard@gmail.com" target="_blank">les.pritchard@gmail.com</a>> wrote:<br type="attribution"><blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote"><div dir="ltr">Yes, I'd agree with Mike on that. If you're creating the VPS manually you could use a temporary password for root, then create a standard user and disable the root.<div><br></div><div>If you can, I'd also recommend locking down SSH to specific IPs or at least ranges.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 30 July 2015 at 13:17, Michael Crilly <span dir="ltr"><<a href="mailto:michael@mcrilly.me" target="_blank">michael@mcrilly.me</a>></span> wrote:<br><blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote"><p dir="ltr">The initial root login is designed to give you an easy way in so you can configure the system, locking down root login and removing that key from the system (after adding additional users and allowing them to sudo to root.)</p>
<p dir="ltr">Think of that initial SSH key as a deployment key - login once with it, then use Ansible to setup your system with new users and various other state. </p>
<p dir="ltr">Cheers,</p>
<p dir="ltr">Mike. </p>
<div class="gmail_quote"><div><div>On 30 Jul 2015 9:50 pm, "Stuart Burns" <<a href="mailto:stuart.james.burns@gmail.com" target="_blank">stuart.james.burns@gmail.com</a>> wrote:<br type="attribution"></div></div><blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote"><div><div><div dir="ltr"><div>Hi Everyone,</div><div> </div><div>I am just in the process of moving over some sites to DO and I thought I would start using the stored SSH key system you can use when deploying your droplets. It works fine, no issues. Just I dont really feel comfortable logging in as root directly. Years of non root logins make me feel itchy about this.</div><div> </div><div>What does everyone else think? (I know you can alter and someone trying to crack a proper PKI implementation may have a long wait!) I was more concerned with it being out the box functionality.<br clear="all"><br>Regards</div><div> </div><div>Stuart</div>
</div>
<br></div></div>_______________________________________________<br>
Chester mailing list<br>
<a href="mailto:Chester@mailman.lug.org.uk" target="_blank">Chester@mailman.lug.org.uk</a><br>
<a href="https://mailman.lug.org.uk/mailman/listinfo/chester" rel="noreferrer" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/chester</a><br>
<br></blockquote></div>
<br>_______________________________________________<br>
Chester mailing list<br>
<a href="mailto:Chester@mailman.lug.org.uk" target="_blank">Chester@mailman.lug.org.uk</a><br>
<a href="https://mailman.lug.org.uk/mailman/listinfo/chester" rel="noreferrer" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/chester</a><br>
<br></blockquote></div><br></div>
<br>_______________________________________________<br>
Chester mailing list<br>
<a href="mailto:Chester@mailman.lug.org.uk" target="_blank">Chester@mailman.lug.org.uk</a><br>
<a href="https://mailman.lug.org.uk/mailman/listinfo/chester" rel="noreferrer" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/chester</a><br>
<br></blockquote></div>
</div></div><br>_______________________________________________<br>
Chester mailing list<br>
<a href="mailto:Chester@mailman.lug.org.uk">Chester@mailman.lug.org.uk</a><br>
<a href="https://mailman.lug.org.uk/mailman/listinfo/chester" rel="noreferrer" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/chester</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature">Stuart Burns <br>E: <a href="mailto:stuart.james.burns@gmail.com" target="_blank">stuart.james.burns@gmail.com</a><br>M: [redacted]<br><br></div>
</div>