Notes on spinning up a new dokku server on DO. Inspired by this blog post by Bryan Kennedy.
This will install Dokku and its dependencies, but with your ass in the wind, so to speak. Insecure.
Handy tool to throw offenders of our policies in jail (bad ssh logins, etc.).
apt-get install fail2ban
First, change the root password.
passwd
We're not going to use root, are we? So let's make a sudo user we can use to log in.
useradd myuser
usermod -aG sudo myuser
Pick a new password for myuser, which will be used when running sudo commands.
passwd myuser
Put the password somewhere safe.
Copy the keys we chose when we spun up the droplet to be usable by the new user.
mkdir -p /home/myuser/.ssh
chmod 700 /home/myuser/.ssh
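cp /home/dokku/.ssh/authorized_keys /home/myuser/.ssh/authorized_keys
chmod 600 /home/myuser/.ssh/authorized_keys
# the files above were created as root; sshd reads them as myuser
chown -R myuser: /home/myuser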
Add the following to /etc/ssh/sshd_config.
PermitRootLogin no
PasswordAuthentication no
Then restart ssh.
service ssh restart
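Where the two lines land in sshd_config matters: sshd keeps the first value it reads for each keyword, so appending them below an existing "PermitRootLogin yes" changes nothing. The check below is an added example, not part of the original notes; the function names effective_value and check_hardening and the sample file are made up for illustration, and it does not follow Include directives.

```shell
#!/bin/sh
# Added example, not part of the original notes.
# sshd uses the FIRST value it reads for each keyword, so lines appended to
# the end of sshd_config lose to an earlier "PermitRootLogin yes".
# Limitation (assumption): Include files are not followed; on a live host
# `sshd -T` prints the effective configuration.

# effective_value FILE KEYWORD: print the first global value, lowercased;
# print nothing if the keyword is not set before any Match block.
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }      # blank line or comment
        {
            sub(/=/, " ")                  # accept "Keyword=value" as well
            key = tolower($1)
            if (key == "match") exit       # Match blocks are conditional
            if (key == want) {
                val = tolower($2); gsub(/"/, "", val)
                print val; exit
            }
        }
    ' "$1"
}

# check_hardening FILE: succeed only if both settings from the notes are
# effectively "no".
check_hardening() {
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(effective_value "$1" "$kw")
        if [ "$val" = "no" ]; then
            echo "ok:   $kw no"
        else
            echo "FAIL: $kw is ${val:-unset}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: hardening lines appended below a stock "yes".
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin yes' '#PasswordAuthentication yes' \
    'PermitRootLogin no' 'PasswordAuthentication no' > "$sample"
check_hardening "$sample" || echo "fix the earlier line instead of appending"
rm -f "$sample"
```

Run check_hardening against /etc/ssh/sshd_config before restarting ssh, and keep the current session open until a login as myuser works from a second terminal.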
Dokku/Docker adds a bunch of custom rules to iptables and I've found it best to not mess with it. Using ufw seems to be the way to go.
ufw allow 22
ufw allow 80
ufw allow 443
ufw enable
Use logwatch to get email notifications when things happen in the server's logs that you should know about.
apt-get install logwatch
Then add the following line to /etc/cron.daily/00logwatch.
/usr/sbin/logwatch --output mail --mailto [email protected] --detail high
Remove the default line while you're in there since it has been replaced with more detail.
/usr/sbin/logwatch --output mail