[Chester LUG] Digitalocean users.. a question

Stuart Burns stuart.james.burns at gmail.com
Thu Jul 30 12:38:10 UTC 2015


I was going to ask: do you guys have a set of scripts you'd be willing to
share? Also, purely out of interest, how many VPS machines has everyone got?

On 30 July 2015 at 13:36, Michael Crilly <michael at mcrilly.me> wrote:

> On top of Les' suggestions, I'd recommend you also disable weak ciphers
> and use ECDH. Also, install fail2ban to automatically block automated brute
> forcing attacks against SSH - they can fill up your disk space with syslog
> entries, thus DOSing your server.
> On 30 Jul 2015 10:23 pm, "Les Pritchard" <les.pritchard at gmail.com> wrote:
>
>> Yes, I'd agree with Mike on that. If you're creating the VPS manually you
>> could use a temporary password for root, then create a standard user and
>> disable the root.
>>
>> If you can, I'd also recommend locking down SSH to specific IPs or at
>> least ranges.
>>
>> On 30 July 2015 at 13:17, Michael Crilly <michael at mcrilly.me> wrote:
>>
>>> The initial root login is designed to give you an easy way in so you can
>>> configure the system, locking down root login and removing that key from
>>> the system (after adding additional users and allowing them to sudo to
>>> root.)
>>>
>>> Think of that initial SSH key as a deployment key - login once with it,
>>> then use Ansible to set up your system with new users and various other
>>> state.
>>>
>>> Cheers,
>>>
>>> Mike.
>>> On 30 Jul 2015 9:50 pm, "Stuart Burns" <stuart.james.burns at gmail.com>
>>> wrote:
>>>
>>>> Hi Everyone,
>>>>
>>>> I am just in the process of moving over some sites to DO and I thought
>>>> I would start using the stored SSH key system you can use when deploying
>>>> your droplets. It works fine, no issues. Just I don't really feel
>>>> comfortable logging in as root directly. Years of non-root logins make me
>>>> feel itchy about this.
>>>>
>>>> What does everyone else think? (I know you can alter and someone trying
>>>> to crack a proper PKI implementation may have a long wait!) I was more
>>>> concerned with it being out the box functionality.
>>>>
>>>> Regards
>>>>
>>>> Stuart
>>>>
>>>> _______________________________________________
>>>> Chester mailing list
>>>> Chester at mailman.lug.org.uk
>>>> https://mailman.lug.org.uk/mailman/listinfo/chester


-- 
Stuart Burns
E: stuart.james.burns at gmail.com
M: [redacted]
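
The checklist in the quoted replies (no root login, SSH limited to specific IPs, no weak ciphers, ECDH key exchange) can be checked mechanically against `sshd_config`. The script below is an added example, not code posted by anyone in this thread. The weak-cipher markers, the ECDH name prefixes, the use of `AllowUsers user@host` as the IP restriction, and both sample configs are assumptions made for illustration.

```python
import re

# Assumptions (not from the thread): what counts as a weak cipher / an ECDH key exchange.
WEAK_CIPHER_MARKERS = ("-cbc", "arcfour", "3des")
ECDH_KEX_PREFIXES = ("ecdh-sha2-", "curve25519-sha256")

def parse_global(text):
    """Map lowercase keyword -> argument list for the section before any Match block."""
    opts = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"[\s=]+", line, maxsplit=1)
        key, args = fields[0].lower(), (fields[1].split() if len(fields) > 1 else [])
        if key == "match":
            break
        # sshd uses the first value it reads; AllowUsers lines are all collected.
        if key == "allowusers" or key not in opts:
            opts.setdefault(key, []).extend(args)
    return opts

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    opts, findings = parse_global(text), []
    root = (opts.get("permitrootlogin") or ["unset"])[0]
    if root != "no":
        findings.append(f"PermitRootLogin is {root}, expected no")
    allow = opts.get("allowusers", [])
    if not allow:
        findings.append("AllowUsers is unset, logins are not limited by user or source")
    for entry in allow:
        if "@" not in entry:
            findings.append(f"AllowUsers entry has no source restriction: {entry}")
    for key, is_bad, label in (
        ("ciphers", lambda n: any(m in n for m in WEAK_CIPHER_MARKERS), "weak cipher"),
        ("kexalgorithms", lambda n: not n.startswith(ECDH_KEX_PREFIXES), "non-ECDH kex"),
    ):
        if key not in opts:
            findings.append(f"{key} is unset, the build default applies")
        names = ",".join(opts.get(key, [])).split(",")
        findings.extend(f"{label}: {n}" for n in names if n and is_bad(n))
    return findings

# Constructed samples, not from a real host (192.0.2.0/24 is a documentation range).
AS_DEPLOYED = "PermitRootLogin yes\nCiphers aes128-ctr,aes128-cbc,3des-cbc\n"
HARDENED = ("PermitRootLogin no\nAllowUsers deploy@192.0.2.0/24\n"
            "Ciphers chacha20-poly1305@openssh.com,aes256-ctr\n"
            "KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256\n")
```

Run `audit(open("/etc/ssh/sshd_config").read())` on the host; the script only reads the file and does not cover the fail2ban suggestion, which lives outside `sshd_config`.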