[Chester LUG] Digitalocean users.. a question

Michael Crilly michael at mcrilly.me
Thu Jul 30 12:42:21 UTC 2015


Learn to use Ansible to configure your systems. No one uses shell scripts
anymore unless they're stuck in 2009 :P
On 30 Jul 2015 10:38 pm, "Stuart Burns" <stuart.james.burns at gmail.com>
wrote:

> I was going to ask do you guys have a set of scripts you'd be willing to
> share? Also purely just interest, how many VPS machines has everyone got?
>
> On 30 July 2015 at 13:36, Michael Crilly <michael at mcrilly.me> wrote:
>
>> On top of Les' suggestions, I'd recommend you also disable weak ciphers
>> and use ECDH. Also, install fail2ban to automatically block automated brute
>> forcing attacks against SSH - they can fill up your disk space with syslog
>> entries, thus DOSing your server.
>> On 30 Jul 2015 10:23 pm, "Les Pritchard" <les.pritchard at gmail.com> wrote:
>>
>>> Yes, I'd agree with Mike on that. If you're creating the VPS manually
>>> you could use a temporary password for root, then create a standard user
>>> and disable the root.
>>>
>>> If you can, I'd also recommend locking down SSH to specific IPs or at
>>> least ranges.
>>>
>>> On 30 July 2015 at 13:17, Michael Crilly <michael at mcrilly.me> wrote:
>>>
>>>> The initial root login is designed to give you an easy way in so you
>>>> can configure the system, locking down root login and removing that key
>>>> from the system (after adding additional users and allowing them to sudo to
>>>> root.)
>>>>
>>>> Think of that initial SSH key as a deployment key - login once with it,
>>>> then use Ansible to set up your system with new users and various other
>>>> state.
>>>>
>>>> Cheers,
>>>>
>>>> Mike.
>>>> On 30 Jul 2015 9:50 pm, "Stuart Burns" <stuart.james.burns at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi Everyone,
>>>>>
>>>>> I am just in the process of moving over some sites to DO and I thought
>>>>> I would start using the stored SSH key system you can use when deploying
>>>>> your droplets. It works fine, no issues. Just I don't really feel
>>>>> comfortable logging in as root directly. Years of non root logins make me
>>>>> feel itchy about this.
>>>>>
>>>>> What does everyone else think? (I know you can alter and someone
>>>>> trying to crack a proper PKI implementation may have a long wait!) I was
>>>>> more concerned with it being out the box functionality.
>>>>>
>>>>> Regards
>>>>>
>>>>> Stuart
>>>>>
>>>>> _______________________________________________
>>>>> Chester mailing list
>>>>> Chester at mailman.lug.org.uk
>>>>> https://mailman.lug.org.uk/mailman/listinfo/chester
>>>>>
>>>>>
>>>
>
>
> --
> Stuart Burns
> E: stuart.james.burns at gmail.com
> M: [redacted]
>
>
>
>
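
An added example, not part of any message in this thread: a small Python audit that checks sshd_config text against the sshd-related advice above (root login disabled, logins limited to specific IPs or ranges, no weak ciphers, ECDH key exchange). The algorithm lists, the finding names, the "deploy" user and both sample files are assumptions made for this example; fail2ban and user creation are outside its scope.

```python
# Added example: audit sshd_config text against the advice in this thread.
# Assumption: the thread names no algorithms, so these lists are this example's choice.
WEAK_CIPHER_MARKERS = ("-cbc", "arcfour", "3des")
ECDH_PREFIXES = ("ecdh-sha2-", "curve25519-sha256")

def parse_global(text):
    """Map lower-cased keyword -> value for the global section of sshd_config."""
    cfg = {}
    for raw in text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break  # Match blocks are conditional overrides, not global policy
        # sshd keeps the first value it reads for a keyword, so do the same
        cfg.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return cfg

def audit(text):
    """Return a sorted list of finding ids; an empty list means every check passed."""
    cfg, findings = parse_global(text), set()
    # An unset PermitRootLogin is flagged: the built-in default differs by release.
    if cfg.get("permitrootlogin", "").lower() != "no":
        findings.add("root-login-allowed")
    # "Specific IPs or ranges": every AllowUsers pattern needs a user@host form.
    allow = cfg.get("allowusers", "").split()
    if not allow or any("@" not in pattern for pattern in allow):
        findings.add("no-source-restriction")
    ciphers = [c for c in cfg.get("ciphers", "").split(",") if c]
    if not ciphers or any(m in c for c in ciphers for m in WEAK_CIPHER_MARKERS):
        findings.add("weak-or-default-ciphers")
    kex = [k for k in cfg.get("kexalgorithms", "").split(",") if k]
    if not kex or any(not k.startswith(ECDH_PREFIXES) for k in kex):
        findings.add("non-ecdh-key-exchange")
    return sorted(findings)

# Constructed sample: a freshly deployed droplet where root still logs in directly.
FRESH = """
# root logs in with the stored deployment key
PermitRootLogin yes
Ciphers aes256-ctr,aes128-cbc,3des-cbc
"""
# Constructed sample: the same file after the advice (203.0.113.0/24 is a documentation range).
HARDENED = """
PermitRootLogin no
AllowUsers deploy@203.0.113.0/24
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256
"""

if __name__ == "__main__":
    print("fresh:   ", audit(FRESH))
    print("hardened:", audit(HARDENED))
```

A source restriction enforced by a firewall rather than by AllowUsers will still be reported as "no-source-restriction", since the audit only reads sshd_config.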