Setting up a VPS
For this website I decided to use a VPS instead of using a shared host or a PaaS like Heroku. I figured that I need to keep my system administrator skills up to date, and there is no better way to do this (as someone who works from home) than to run everything myself. Running a VPS is also much more affordable than using Heroku, so that's another win.
As for shunning shared hosts, the reason I didn't go down that route is simply because I'm tired of using cPanel or any UI, because I am much more comfortable on a command-line interface. Oddly enough, I find that cPanel (and its ilk) make things more difficult for me to understand, possibly because I overthink how to perform a simple task.
For my VPS I chose DigitalOcean because they are new on the block, use SSDs, and are very cost-effective (not to mention I received a coupon from them via Twitter worth 2 free months). So far I am very impressed by them. I have had no problem getting set up and running with a VPS. The only issue I have with them (at the moment) is that after you log in successfully you are taken back to their front marketing page, not your account page. I can't find an easy link to the account page, so it's very confusing. Instead I need to click the Login button again and it will go to the account page (plus tell me that I'm already logged in…duh).
After I created a new Ubuntu 13.04 system, I set up the VPS following their guide to:
- change root password
- create sysadmin user
- give user sudo permissions
- lock down ssh (deny root login, allow only the correct users to login)
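A check for the ssh lockdown step in the list above, as an added example that is not part of the original post or of DigitalOcean's guide. The function names and the sample config contents are hypothetical, and it assumes a config with no Match blocks and a single AllowUsers line.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# two ssh lockdown items above. Assumptions: no Match blocks, "Keyword value"
# syntax, and a single AllowUsers line.

# effective_value FILE KEYWORD: print the value sshd would use. Keywords are
# case-insensitive and, for a repeated keyword, the first value wins.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                       # skip comment lines
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# audit_sshd FILE USER: return 0 only if root login is explicitly denied
# and USER appears in AllowUsers.
audit_sshd() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    users=$(effective_value "$1" AllowUsers)
    # An unset PermitRootLogin falls back to the build default, which is
    # "yes" on older OpenSSH releases, so require an explicit "no".
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${root:-unset}', want 'no'"; rc=1
    fi
    # AllowUsers entries are USER or USER@HOST patterns; strip the @HOST part.
    case " $(printf '%s' "$users" | sed 's/@[^ ]*//g') " in
        *" $2 "*) ;;
        *) echo "FAIL: AllowUsers does not list '$2'"; rc=1 ;;
    esac
    return "$rc"
}

# write_samples DIR: constructed sample configs (hypothetical contents).
write_samples() {
    # Fix appended at the end while the stock "yes" line is still above it.
    printf '%s\n' 'Port 22' 'PermitRootLogin yes' '# hardening' \
        'PermitRootLogin no' 'AllowUsers sysadmin' > "$1/appended.conf"
    printf '%s\n' 'Port 22' 'permitrootlogin no' \
        'AllowUsers sysadmin deploy@203.0.113.*' > "$1/hardened.conf"
}

dir=$(mktemp -d)
write_samples "$dir"
for f in appended hardened; do
    if audit_sshd "$dir/$f.conf" sysadmin; then echo "$f.conf: OK"
    else echo "$f.conf: needs fixing"; fi
done
rm -rf "$dir"
```

On the server itself the call would be `audit_sshd /etc/ssh/sshd_config sysadmin`, run before logging out of the root session so a mistake can still be corrected.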
I then logged out as the root user (I always feel dirty when logged in as that user) and logged in as the sysadmin user. I copied over my ssh keys so that I never have to type in my password (except for sudo operations, which are fairly rare).
root@vps$ logout
me@home$ ssh sysadmin@vps
sysadmin@vps$ mkdir ~/.ssh
sysadmin@vps$ vi ~/.ssh/authorized_keys
<copy the id_rsa.pub key from my machine and paste it into the text editor>
<save and exit>
On my home machine I configured my ssh client to use an alias for the VPS as well as automatically use the sysadmin user.
me@home$ vi ~/.ssh/config
Host myvps
    User sysadmin
    HostName <IP ADDRESS OF VPS>
I was then fed up with the default vi that Ubuntu provides (seriously, Canonical, you still ship with vi-tiny?), so I installed vim:
sudo apt-get install vim
Yeah, it's just that simple.
I then set my bash shell to use vi key bindings for command-line editing. This is completely optional for anyone reading this, but I love the ability to use vi commands on my client. It saves me from having to remember basic bash commands to navigate the command line (Ctrl-A to go to the beginning of the line, I think?).
sysadmin@vps$ set -o vi
sysadmin@vps$ vi .bash_profile
set -o vi
<save and exit>
The last thing to do is to install fail2ban, which stops attackers from hitting the same service (like ssh) over and over. After a set number of tries (according to the rules of the program), the IP address is banned using iptables (by default) for a set period of time (default: 10 minutes). That means you, as the sysadmin, don't need to worry about setting up your own iptables rules and can instead worry about why the attackers keep hitting you on that service. To install fail2ban, I followed the guide from DigitalOcean. This guide will work for any VPS provider; the only stipulation is that it is written in the context of using Ubuntu.
One final note on using fail2ban: at a certain point you are asked to add your home IP address to the program's ignore list, so that you don't accidentally ban yourself from your server. The best thing to do here is to use a hostname and not an IP address because (most likely) you are at home and on a dynamic IP address, which means your IP address could change at any time. That could potentially lock you out of your own server.
Instead of putting a dynamic IP address into fail2ban (or any other service, for that matter), sign up for an account at DynDNS. DynDNS will provide you with a hostname that maps directly to your dynamic IP address, and on your machine you run a background service that automatically updates your DynDNS hostname with your new IP address whenever it changes. That way you can take your laptop to a coffee shop and still retain the same hostname. Pretty cool.
That's it for setting up a VPS. I'm not going to go into setting up a web server, database, or anything like that in this article because it all depends on your needs. For me, I am installing a simple nginx server to run some static websites, so it is a fairly easy operation for me.