Author Topic: VPS  (Read 3885 times)


The Latinist
VPS
« on: May 26, 2018, 09:51:44 PM »
So I've long had a couple of domains that I've had on shared hosting for around $4/month just to host some files and images and the like.  I've put up various personal webpages over the years, but nothing serious.  Every time I've tried to do anything with my domains, though, I've found the limitations of shared hosting frustrating as I can't really get into the nuts-and-bolts of administering the server.  And having spent some time setting up a Raspberry Pi as a VPN/print/file/etc. server, I've been itching to move my domains to something I have more control over.  I've also been playing with Django, and my current shared host doesn't support Django web apps.

So I finally decided to spin up an unmanaged VPS to test it out.  I did some research and settled on vultr.com because of reviews and because of the flexibility of their plans.  I started out with their cheapest plan: 1 Virtual Core / 512 MB RAM / 20 GB SSD storage / 500 GB bandwidth for $2.50/month. I pay $0.50/mo for daily backups. It's billed on an hourly basis, which is very fair, and I can upgrade or downgrade my plan at any time.  I've been really satisfied with the speed of the server.  Disk writes are more than adequate at around 600 MB/s.  I just did a bandwidth test: Download: 2585.90 Mbit/s, Upload: 1306.37 Mbit/s. Not too shabby.

I've been having a blast setting it up. I've set up SSH with public key logins, configured UFW and Fail2Ban, installed and configured Apache with two virtual hosts, spent a couple of days hardening the web server with SSL, configuration changes, etc.  And I've now transferred my two domains to this new server (E-mail is still hosted elsewhere), moved over all of the files I was hosting on the shared server, archived those files and set up Rewrite rules to silently redirect any links lying around the Internet to the new locations in the archive folder.  And I've probably done a dozen other things I haven't remembered to mention.  Next on the to-do list is to set up a VPN to use when I'm on public WiFi in place of the one I've had on my Raspberry Pi.

Anyone have any suggestions for things I must do on/with/to my new VPS?
I would like to propose...that...it is undesirable to believe in a proposition when there is no ground whatever for supposing it true. — Bertrand Russell

The Latinist
Re: VPS
« Reply #1 on: May 29, 2018, 11:07:26 PM »
Set up an OpenVPN server.  Used angristan's install script to automate some things (after reading the whole script through carefully).  Had a problem getting DNS to work until I found in a tutorial on DigitalOcean that I needed to set UFW's DEFAULT_FORWARD_POLICY to "ACCEPT."  That fixed the issue.  The VPN is blazing fast (as far as I can tell, it's not slowing me down at all, and my ping times are 17 ms vs 16 ms without to the same server).

I have to say that, as satisfied as I am with vultr for my VPS, I'm really impressed with DigitalOcean's documentation.  They've got some damned fine tutorials on there.

The Latinist
Re: VPS
« Reply #2 on: June 07, 2018, 04:17:25 PM »
I've not been idle.  I've since set up SMTP with Postfix and IMAP with Dovecot, moved my E-mail forwarding from NameCheap to my VPS, set up TLS authentication for both servers using Let's Encrypt certificates, added Fail2Ban rules for both servers, etc.  I've also configured SPF, DKIM, and DMARC records in my DNS to help prevent SPAM (with my previous setup on NameCheap I was receiving quite a few bounced SPAM messages being sent supposedly from my domain).

The Latinist
Re: VPS
« Reply #3 on: June 08, 2018, 10:49:00 AM »
I spent two and a half hours troubleshooting my SMTP server/TLS/firewall/anything else I could think of last night before I finally realized that my home ISP is filtering port 25.  The thing was working all along!  I'm now on the phone trying to get the port filtering turned off so I can actually use my mail server from home.

moj
Re: VPS
« Reply #4 on: June 08, 2018, 12:10:42 PM »
I went the other way and use VMware's Workstation Pro to build servers on my laptop. For a VPS, setting up some bots on it could be cool. I've been wanting to experiment with those more, just haven't gotten around to it.

The Latinist
Re: VPS
« Reply #5 on: June 08, 2018, 12:16:35 PM »
Quote from: moj
    I went the other way and use VMware's Workstation Pro to build servers on my laptop. For a VPS, setting up some bots on it could be cool. I've been wanting to experiment with those more, just haven't gotten around to it.

Yeah, I'm interested in setting up some bots to automate tasks for me.  That's a summer project.  The reason I've switched to a VPS from my Raspberry Pi is that I was not confident enough in its reliability to run Internet-facing servers on it.  I don't want downtime on my E-mail server, for instance.

The Latinist
Re: VPS
« Reply #6 on: June 08, 2018, 12:21:28 PM »
Alright, here's something weird.  Last night when I was testing port 25 and first suspected that my ISP was filtering it, I tried to openssl into my server on port 25 over my work VPN (SSL on 443), but ran into the same problem.  That's why I concluded that the issue was on the server end, not on mine.  But now that my ISP has unblocked port 25, I can suddenly openssl into the server through my work VPN, too.  So what's the deal: can my ISP filter ports forwarded inside an SSL-encrypted tunnel?

The Latinist
Re: VPS
« Reply #7 on: June 09, 2018, 02:14:46 AM »
You know, I didn't really need port 25 opened anyway.  Or I shouldn't have if I'd configured my server correctly.  I didn't realize that clients shouldn't be connecting to port 25 anyway, but to the submission port 587.  Port 25 should only be used for relaying messages between servers.  Now that I have the submission service correctly configured with required TLS and AUTH on 587, I can set port 25 back to optional TLS and no AUTH and close the port back up.

This is why I'm doing this stuff: I learn so much as I go, especially from my mistakes.
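The port split described in Reply #7, written out as an added example (not the poster's own configuration): a Postfix master.cf submission listener on 587 that requires TLS before offering SASL AUTH, while the port 25 smtpd inherits main.cf defaults of opportunistic TLS and no AUTH. Parameter names are Postfix's own; Dovecot as the SASL backend at private/auth is an assumption.

```conf
# /etc/postfix/master.cf  (added example)
# Port 25: relay between mail servers only. No -o overrides, so this
# listener takes the main.cf values shown further down.
smtp       inet  n       -       y       -       -       smtpd

# Port 587: client submission. Each -o line overrides main.cf for this
# listener only: TLS is mandatory, AUTH is offered only after STARTTLS,
# and only authenticated clients may connect or relay.
submission inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# /etc/postfix/main.cf  (defaults, which is what port 25 ends up with)
# Opportunistic TLS: other MTAs may use STARTTLS but are not forced to.
smtpd_tls_security_level = may
# No AUTH on port 25; relaying there is allowed only for local networks
# or for mail addressed to domains this server is responsible for.
smtpd_sasl_auth_enable = no
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
```

Inbound mail from other servers still arrives on 25/tcp, so the firewall needs both 25/tcp and 587/tcp open; `postconf -n` and `postconf -M submission` print the effective values for checking.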

The Latinist
Re: VPS
« Reply #8 on: June 24, 2018, 12:52:06 AM »
Status Update:

SSH w/RSA-only auth; sudo user; disabled root, PAM; F2B w/recidive; apache2 w/TLS; E-mail with Postfix & Dovecot, Maildir, TLS, SPF, DKIM, DMARC; OpenVPN with TLS & RSA-only auth.

I'm hosting Web and E-mail (mostly forwarding) for two domains. I'm using a multi-domain Let's Encrypt certificate for TLS and have configured a daemon to auto-renew.

I just learned that Apache's DocumentRoot (actually, all served files) should really be in /srv rather than /var/www (var is still used for the default because package managers are not supposed to touch /srv).  So I've moved that to /srv/domain.tld/www. I settled on that scheme because I wanted to keep things separated by virtual domains and I wanted the ability to place further service-specific subdirectories in each (e.g., /srv/domain.tld/ftp) for future use.

My next project, I think, will be installing and configuring git.  I've got pretty much no experience with git, and it seems like a tool I should be using.

PANTS!
Re: VPS
« Reply #9 on: June 24, 2018, 09:53:05 AM »
I may do this now that amazon is blocking both my router and software VPNs.
Now where I come from
We don't let society tell us how it's supposed to be
-Uptown, Prince 👉

Here comes the future and you can't run from it
If you've got a blacklist I want to be on it
If no one seems to understand
Start your own revolution and cut out the middleman

The Latinist
Re: VPS
« Reply #10 on: June 24, 2018, 10:35:02 AM »
Quote from: PANTS!
    I may do this now that amazon is blocking both my router and software VPNs.

If you decide to do so, look at vultr’s one-click OpenVPN install.  Also take a look at the snapshot feature; once you get it configured the way you want, snapshot it.  Then you can destroy it when you’re not using it and spin it back up in less than a minute when you need it. Since you pay by the hour, you save lots.  And all you’ll need to change on the client side when you spin it back up is the IP address.  Also useful if you approach your bandwidth cap, as you start with a fresh cap each time you spin it up.