Make an account on https://www.digitalocean.com/ (or use a Google account). Sign in and go straight to “Droplets” in the sidebar.
Here choose the newest LTS version of Ubuntu, which at the time of writing is 18.04. Take the smallest plan, with 1 GB of RAM at $5/month.
If you are not setting up a real server for use, just skip backups and block storage; they cost extra. Pick the server location closest to you or your customers. We don’t need the additional options for this one. You can add them later if you need them.
SSH keys should be created for maximum security. You can make them on Windows with PuTTYgen https://putty.org/. While the key is being generated, move your mouse around; PuTTYgen uses the movement as randomness for the cryptographic key. Save the public and private key with a password. Paste the public key string into DigitalOcean's SSH keys. After that just choose a host name if you like and click Create.
Then open the actual PuTTY program (not PuTTYgen). Put your droplet IP in the first screen.
Set the login name to root under Connection/Data.
Then give the private SSH key under Connection/SSH/Auth.
Then just click Open and we're in! (Give the SSH key decryption password if asked.) After logging in you should make a new sudo user and lock the root user.
$ sudo adduser Akseli
$ sudo adduser Akseli sudo
$ sudo adduser Akseli admin
$ sudo adduser Akseli adm
To disable the root user, lock its password as described in https://help.ubuntu.com/14.04/serverguide/user-management.html
$ sudo passwd -l root
Side note ssh user?
Now that the root password is locked, I tried to go in with the newly created “Akseli” user, but PuTTY said that the SSH key was refused. So I tried root again and it let me in. I guess that you can still sign in with root with an SSH key? I’m not sure how to sign in now with Akseli using only SSH. So in this blog we will just change the user to Akseli with “$ su Akseli”.
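The key pasted into DigitalOcean is installed only in root's authorized_keys, and passwd -l locks the password but not key logins, which is why root still gets in and Akseli does not. As an added example (not part of the original post), the two helper functions below, whose names are made up for illustration, copy root's key to the new user and then switch off root login in sshd_config; /root/.ssh/authorized_keys and /etc/ssh/sshd_config are assumed to be the Ubuntu default paths.

```shell
#!/bin/sh
# Added example (not from the original post). Paths are arguments so the
# functions can be tried on copies before touching the real files.

# copy_ssh_key SRC_KEYS USER_HOME [OWNER]
# Append each public key from SRC_KEYS to USER_HOME/.ssh/authorized_keys,
# skipping keys already there, and set the restrictive permissions that
# sshd's StrictModes check expects.
copy_ssh_key() {
    src=$1 home=$2 owner=${3:-}
    [ -s "$src" ] || { echo "no keys found in $src" >&2; return 1; }
    mkdir -p "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        grep -qxF -- "$line" "$home/.ssh/authorized_keys" ||
            printf '%s\n' "$line" >> "$home/.ssh/authorized_keys"
    done < "$src"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    # chown needs root; OWNER is left out when trying this on copies.
    if [ -n "$owner" ]; then chown -R "$owner:$owner" "$home/.ssh"; fi
}

# set_sshd_option FILE KEY VALUE
# Rewrite an existing "KEY ..." line (also a commented-out one) or append it.
# Uses GNU sed (-i and the I flag), which is what Ubuntu ships.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -qiE "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed -i -E "s/^[#[:space:]]*$key[[:space:]].*/$key $value/I" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# On the droplet, as root, in the order that avoids a lock-out:
#   copy_ssh_key /root/.ssh/authorized_keys /home/Akseli Akseli
#   ...open a second PuTTY session as Akseli and confirm sudo works...
#   set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
#   sshd -t && systemctl restart ssh
```

Keep the working root session open until the second login as Akseli has succeeded; sshd -t only checks the configuration syntax, not whether you can still get in.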
Installing firewall and update
To update everything to the latest version and enable the firewall, run
$ sudo apt update && sudo apt upgrade -y
$ sudo ufw enable
Then we need to open ports for SSH and the Apache web server with sudo ufw allow (you can also use “ssh” and “http” instead of the numbers).
$ sudo ufw allow 22
$ sudo ufw allow 80
$ sudo ufw enable
$ sudo apt install apache2 -y
Make a public_html folder in your home folder (as your own user, not as root).
$ mkdir public_html
Enable user folders in Apache
$ sudo a2enmod userdir
Change the default website folder to your own folder you just created with
$ sudoedit /etc/apache2/sites-available/000-default____ (press Tab to complete the right file name)
And restart apache with
$ systemctl restart apache2
Side note 2 users?
I wrote systemctl restart apache2 and this happened
Adding domain to your server
We use free subdomains from https://freedns.afraid.org. Just log in, go to the subdomains section, add the name you want and paste your server IP into it. Easy as that.
ATTACKS ATTACKS ATTACKS!
If you look at the system log in /var/log/syslog, you will see that your precious little Apache server gets attacked almost immediately. You can check where the attacks originate from with https://www.geoiptool.com/
Adding letsencrypt SSL to the website
I’m following the tutorial on https://certbot.eff.org/lets-encrypt/ubuntubionic-apache for the certbot letsencrypt automation and renewal.
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache
$ sudo certbot --apache
After the last command, certbot will ask you questions such as your email address and which domain you want to put the SSL certificate on.
After that we need to go back to the firewall to open the https port 443 with
$ sudo ufw allow https
$ sudo ufw enable
To check that automatic Let's Encrypt renewal will work, run the renewal as a dry run:
$ sudo certbot renew --dry-run
Sources:
Assignment: http://terokarvinen.com/2017/aikataulu-%e2%80%93-linux-palvelimet-ict4tn021-7-ti-ja-6-to-alkukevat-2018-5-op
I did assignment parts a)-i) and N)
Hosting site: https://www.digitalocean.com/
Putty: https://putty.org/
Lock root user: https://help.ubuntu.com/14.04/serverguide/user-management.html
Free (sub)domain: https://freedns.afraid.org
GeoIP: https://www.geoiptool.com/
Letsencrypt: https://certbot.eff.org/lets-encrypt/ubuntubionic-apache