A good stack/software for a VPS

Discussion in 'DevOps' started by Apex, Nov 6, 2017.

  1. Apex

    Apex The time has come

    Until now I had my websites on shared hosting that cost me about $7 per month, but due to some limitations and some other small problem, I decided to move to a VPS. I've seen Linode's VPS, and I think the $10 plan is the right one for me right now.

    It'll be the first server I install and configure manually, so any suggestion would be helpful. My idea is to install Linux (maybe Ubuntu), Nginx, PHP and MySQL. I've some experience with Linux and the command terminal, so my biggest problem will be the choice of the components to install and configure.

    The first thing I need is to find a good free control panel. I've been looking at Vesta CP and it looks good, although I don't know if there is anything better.

    I would also like to create emails of the type contact@domain.com. From what I read, Postfix with Dovecot can be a good option.

    Any suggestions?
     
    Calamari likes this.
  2. SmokeTree

    SmokeTree Developer/Linux Consultant

    You don't need a control panel for what you mentioned. You just need to know what commands to use to install what you want and how to edit the config files (always make backups of course). For example, you can install MySQL server like this (using Ubuntu as an example):

    Code:
    apt-get update
    apt-get install mysql-server
    mysql_secure_installation
    
    For Nginx:
    Code:
    apt-get update
    apt-get install nginx-extras
    
    If you're going to be investing time into learning a control panel, wouldn't that time be better spent learning the few commands required to set things up? All the control panel is doing is running the commands behind the scenes and the second you want to do something the cpanel can't do, you're basically screwed or at best having to hack something together to appease the cpanel gods.

    For email, I've been using Postfix, Dovecot and Amavis (spam/virus checking and other things) since about 2005 or so for various clients. For the email account admin, ViMbAdmin is pretty solid (https://www.vimbadmin.net/). For webmail, there are several choices but I personally like RainLoop (https://www.rainloop.net/).

    To be honest, email is one of the hardest things to set up correctly because there are a lot of moving parts and lots of things to configure. You might be able to get by with one of those "mail server in a box" things like http://www.iredmail.org/ but I've yet to hear of anything that "just works".

    Hope this helps. If you decide to go the command line route and you run into snags, feel free to send me a PM.
     
  3. Darth

    Darth

    easyengine.io
    HIGHLY recommended
     
    Apex likes this.
  4. Calamari

    Calamari

    I just want to reinforce what @SmokeTree said for you.

    Take the time to learn the commands you'll need. Just about any idiot can learn to do it by following the tutorials on digital ocean. I'm one of those idiots so I know you can do it too.
     
    SmokeTree and Apex like this.
  5. Apex

    Apex The time has come

    First of all, thanks for your suggestions.

    I thought you had to install a control panel to manage various aspects of the server, but I see that I was wrong. Also, I imagine that without CP the server will also have less load.

    I need to have everything that concerns email working properly. If I've to dedicate a few hours or days to install and configure everything well, I've no problem doing it.

    At the moment I think I prefer to learn to install and configure everything myself. If I depend on packages that do it automatically, the day I've a problem I'll suffer the consequences.

    I'll do that. I'm the kind of person who always wants to have everything under control :D
     
    Calamari and SmokeTree like this.
  6. Bastion

    Bastion Neophyte

    If I could throw this in for the Linux pros: anything you can say regarding the most critical security precautions to take with your own box?

    I have SSH locked down pretty well, setup non-root users, and update regularly. Beyond that...?

    Does anyone that manages their own box still pay someone to monitor it?
     
  7. SmokeTree

    SmokeTree Developer/Linux Consultant

    Sounds like you're covering the bases with SSH. I'm assuming you're restricting SSH access to keypair only with no root login allowed? If so, great start there. The next thing I'd configure would be a firewall. If you're used to iptables you can set things up that way but honestly, you're much better off going with UFW (https://help.ubuntu.com/community/UFW) because it will take care of both IPV4 and IPV6 for you and is actually just an abstraction layer for iptables anyway. Here's a pretty standard firewall config, which will allow SSH, HTTP and HTTPS and set the default incoming policy to deny.

    Code:
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow 22/tcp
    ufw allow 80/tcp
    ufw allow 443/tcp
    
    Definitely take a look at the link I pasted above for UFW before setting anything in stone. After the firewall, take a good look at file permissions, especially on files/directories served by Apache/Nginx. I wrote a bit about file permissions and some other security related things here (https://www.buildersociety.com/threads/day-24-site-security-online-privacy.1361/).

    And finally for monitoring the general well-being of the server, you really can't beat Netdata (https://my-netdata.io/).
     
    Apex and Bastion like this.
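An added example, not part of the thread: a small audit script for the sshd settings this thread recommends (key-only authentication, no root login, a non-default port, a single address family, an explicit AllowUsers list). It reads an sshd_config the way sshd does, taking the first occurrence of a keyword and matching keywords case-insensitively, which catches the common mistake of appending "PermitRootLogin no" to a file that already says "yes" higher up. The two sample configs, the expected values and the assumption that no Match blocks are in use are mine, not the thread's.

```sh
# Added example (not from the thread): audit an sshd_config for the settings
# recommended in this thread. Sample configs and expected values are my
# assumptions. POSIX sh; needs awk, tr, mktemp.

# Print the effective value of KEY in FILE. sshd uses the FIRST occurrence of
# a keyword, matches keywords case-insensitively, and everything after a
# "Match" line is conditional, so we stop there (assumption: no Match blocks).
sshd_get() {
    local key
    key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$2"
}

# Report one keyword: FAIL if its effective value (or OpenSSH's DEFAULT when
# the keyword is absent) is not WANT. Values are compared case-insensitively.
check_kv() {
    local file=$1 key=$2 want=$3 default=$4 got
    got=$(sshd_get "$key" "$file")
    got=$(printf '%s' "${got:-$default}" | tr '[:upper:]' '[:lower:]')
    if [ "$got" != "$want" ]; then
        printf 'FAIL %-24s %s (want %s)\n' "$key" "$got" "$want"
        return 1
    fi
    printf 'ok   %-24s %s\n' "$key" "$got"
}

# Run every check on FILE; return the number of failures.
audit_sshd_config() {
    local file=$1 fails=0 v
    check_kv "$file" PermitRootLogin        no  prohibit-password || fails=$((fails + 1))
    check_kv "$file" PasswordAuthentication no  yes               || fails=$((fails + 1))
    check_kv "$file" PubkeyAuthentication   yes yes               || fails=$((fails + 1))
    # Listen on one address family only (default "any").
    v=$(sshd_get AddressFamily "$file"); v=${v:-any}
    case "$v" in
        inet|inet6) printf 'ok   %-24s %s\n' AddressFamily "$v" ;;
        *) printf 'FAIL %-24s %s (want inet or inet6)\n' AddressFamily "$v"; fails=$((fails + 1)) ;;
    esac
    # Moving off port 22 only hides the service; flag the default so this
    # setting and the firewall rule stay in step.
    v=$(sshd_get Port "$file"); v=${v:-22}
    if [ "$v" = 22 ]; then
        printf 'FAIL %-24s %s (want a non-default port)\n' Port "$v"; fails=$((fails + 1))
    else
        printf 'ok   %-24s %s\n' Port "$v"
    fi
    # AllowUsers restricts logins to named users (optionally user@host).
    v=$(sshd_get AllowUsers "$file")
    if [ -z "$v" ]; then
        printf 'FAIL %-24s (unset: every account may log in)\n' AllowUsers; fails=$((fails + 1))
    else
        printf 'ok   %-24s %s\n' AllowUsers "$v"
    fi
    return "$fails"
}

# Write a constructed sample config ("weak" or "hardened") to a temp file
# and print its path.
make_sample_config() {
    local f
    f=$(mktemp)
    if [ "$1" = weak ]; then
        cat > "$f" <<'EOF'
# Constructed: a stock-looking file with a "fix" appended at the bottom
#Port 22
#AddressFamily any
PermitRootLogin yes
PubkeyAuthentication yes
passwordauthentication Yes
X11Forwarding yes
PermitRootLogin no
EOF
    else
        cat > "$f" <<'EOF'
# Constructed: the hardened baseline
Port 2202
AddressFamily inet
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers deploy@203.0.113.10
EOF
    fi
    printf '%s\n' "$f"
}

# Demo: audit both samples.
for kind in weak hardened; do
    f=$(make_sample_config "$kind")
    printf '== %s ==\n' "$kind"
    if audit_sshd_config "$f"; then printf 'result: clean\n\n'; else printf 'result: %s failure(s)\n\n' "$?"; fi
    rm -f "$f"
done
```

On a real server, audit the effective configuration rather than the file: `sudo sshd -T > /tmp/effective.conf` prints every keyword with defaults and Match blocks resolved (keywords come out lowercase, which the case-insensitive lookup handles), and `sudo sshd -t` syntax-checks the file before you restart the daemon and risk locking yourself out.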
  8. Apex

    Apex The time has come

    I've been installing and configuring the server all afternoon. At the moment I have a WordPress running like a charm, much faster than in my current hosting. The change from Apache to Nginx is very noticeable.

    Tomorrow I will dedicate the day to try to configure the mail server.
     
    SmokeTree and Calamari like this.
  9. Steve

    Steve

    Mail servers are a pain in the arse. You will save yourself a bunch of hassle if you use Google Apps for Business, Office 365 Essentials or some other third-party mail service instead.
     
    Darth and Apex like this.
  10. Calamari

    Calamari

    I don't want to deter you but...

    Setting up email is something best left to an experienced admin.

    As far as security goes you've covered the basics and will likely be just fine with those. The only important thing that I think hasn't been mentioned is getting the WordPress file and directory permissions set properly.

    Edit: oops. Permissions have been mentioned already by @SmokeTree I'll leave this reply here anyway just to reinforce how important it is.
     
    Last edited: Nov 7, 2017
    Apex likes this.
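An added example, not part of the thread, for the file-permission point made in the two posts above: it audits a WordPress document root for world-writable entries and setuid/setgid bits, then applies the usual baseline. The baseline (directories 755, files 644, wp-config.php 640) and the constructed sample tree are my assumptions. Ownership is the other half of the real fix (the tree owned by your deploy user, with the web server's group on wp-config.php and on the uploads directory) but is not shown because it needs real accounts.

```sh
# Added example (not from the thread): audit a WordPress docroot for
# permission problems and apply the baseline. Modes and sample tree are my
# assumptions. POSIX sh; needs find, chmod, sort, mktemp.

# Print every entry under DIR that is world-writable or has setuid/setgid
# set; return 1 if there are any.
audit_webroot() {
    local found
    found=$(find "$1" \( -perm -002 -o -perm -4000 -o -perm -2000 \) -print | sort)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Apply the baseline: 755/644 let the web server read and traverse while
# only the owner can write. wp-config.php holds database credentials, so
# "other" loses read access entirely (640: owner rw, group r).
fix_webroot_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    [ -f "$1/wp-config.php" ] && chmod 640 "$1/wp-config.php"
    return 0
}

# Build a constructed tree with the classic mistakes: a 777 uploads
# directory (the usual "fix" for an upload error), a world-writable
# wp-config.php, and a setuid file that landed in uploads.
make_sample_webroot() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-content/plugins/demo"
    printf '<?php // constructed\n' > "$d/index.php"
    printf '<?php define("DB_PASSWORD", "constructed");\n' > "$d/wp-config.php"
    printf '<?php // constructed plugin\n' > "$d/wp-content/plugins/demo/demo.php"
    printf '<?php // constructed upload\n' > "$d/wp-content/uploads/x.php"
    find "$d" -type d -exec chmod 755 {} +
    find "$d" -type f -exec chmod 644 {} +
    chmod 777 "$d/wp-content/uploads"
    chmod 666 "$d/wp-config.php"
    chmod 4755 "$d/wp-content/uploads/x.php"
    printf '%s\n' "$d"
}

# Demo: audit, fix, audit again.
root=$(make_sample_webroot)
printf '== before ==\n'
audit_webroot "$root" || true
fix_webroot_perms "$root"
printf '== after ==\n'
if audit_webroot "$root"; then printf '(clean)\n'; fi
rm -rf "$root"
```

Run the audit periodically (a cron entry is enough) rather than once: plugins, themes and upload handlers keep changing modes under you, and a newly world-writable directory under a served path is exactly what the permission advice above is guarding against.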
  11. turbin3

    turbin3

    Running a mail server. Not even once. :wink: They're damn tough to setup correctly, as others stated. On top of that, at that point, you're now a target, and you have to manage it, deal with security, etc. There's enough of a security concern in just managing a Wordpress site as-is, let alone handling email on top of that.

    If it's any indicator, I'm the type that is extremely OCD about this sort of stuff. So definitely on the same page as far as the need to "control" all aspects. Thing is, it's a lot of extra cognitive load and stress too, which control freaks like us probably don't need a whole lot more of... :wink:

    It might be worth considering third-party options, depending on your sending needs. If you don't mind supporting evil, there's always "G Suite". It is quick and easy, to be sure. Also, there's lots of security-focused options like Protonmail, Kolab, and quite a few others that are cheap. If you need bulk sends, couple that with something like SparkPost, and you're off to the races.

    For starting out with a first Linux server, one thing I usually recommend for a lot of beginners is sticking to what you can find the most documentation for. In this case, and especially considering Linode (they have some great guides), Ubuntu would be a great choice. Ubuntu 16.04 LTS if you can. Guides for just about anything can be found, so you can get by at first with a whole lot of copy/pasta. :wink:

    I'm by no means an expert on Linux-based security. That said, here's the highlights of what I've found to be useful:
    • SSH Key
      • Use a 4096 bit RSA key, because why not.
      • Password protect the key, maybe with a crazy generated password you'll have to copy paste.
      • For the paranoid, generate your keys with a KDF, like PBKDF2, and use a high iteration count. The way this works, it increases security by slowing down the decryption process. Brute force means nothing if each attempt takes seconds...or minutes to process. Most do not need this, but feel free to journey down the rabbit hole and join me. LOL
    • Change & Restrict
      • Change your SSH port to something other than 22 or 2222. Make sure to update UFW or whatever firewall you use to deny 22 afterwards. "Hiding" is not a replacement for good security, but might as well use it as yet another layer of defense.
      • IP restrict your SSH port to only your known IP's you'll be using. Just an option, and not foolproof, but might as well if you can.
      • Set directory permissions properly for your SSH key directories on the server.
      • Allow only specific user(s) from specific IP's to login with SSH.
      • If you have more than one user SSH'ing to your servers, you can lock specific users into specific directories. Idea being, they're restricted to only those directories. This involves ChrootDirectory and sshd_config.... It's kind of an involved process and not fun to setup.
    • Disable
      • Root login
      • SSH password login (can still have SSH key passwords, just means no user/pw login instead of key)
      • 1 of 2 SSH listening protocols (IPv4 or IPv6, choose one to use, disable the other)
    • Remove
      • Unneeded services and software.
      • This includes services that are "listening" by default.
      • Idea is, close as many unneeded ports as possible, remove software so it isn't there to be exploited in the first place.
      • Ex: Have nothing using or dependent on PHP? Uninstall PHP! Same goes for stuff like mailservers. If you don't need it, get rid of it.
    • Use an intrusion prevention system (IPS)
      • Fail2Ban is a good one.
      • Set a long ban time, low number of max retries.
      • Setup "jails" (Fail2Ban) and whitelist your IP.
      • Configure your desired logging and notification behavior.
      • Implement something to detect and handle port scan attempts. Example. You might make a custom SSH port to try and "hide", but all someone has to do is fire up nmap or any other port scanner and fire requests/pings at tons of ports on your server, until they get the right response. There are programs that can monitor your logs for this behavior and auto-ban those IP's.
    • Use a firewall
      • UFW is a nice one, if you're on Ubuntu or Debian and some others.
      • You can use Iptables, but this gets tedious quick.
      • On Ubuntu/Debian, install iptables-persistent. This can be used to persist your iptables rules through a reboot, so you're still covered through startup.
      • Allow incoming/outgoing traffic from only the specific ports you want (Ex: 80 and 443), and deny all for all other ports.
    • Backups
      • No install or config is foolproof. Take advantage of backups, snapshots, or whatever. Particularly with VPSes, there are usually good options for this, so you can spin up a clone fast if one goes down or gets hacked.
    • Use SELinux
      • Probably one of the most misunderstood tools, but it's useful, if you use it. The idea is putting roadblocks around any possible lateral attack vector.
      • Start with Permissive mode. The idea being, SEL is logging but passive. Run your normal programs and services, monitor logs, and figure out problem areas.
      • Once you think you've identified the problems, create custom policies/rules to address them, then switch to Enforcing.
      • You may have to switch between modes, as you may have a few hiccups in tuning your policies.
     
    Casper, nigeb, Apex and 2 others like this.
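An added example, not part of the thread, for two items in the list above: the Fail2Ban-style counting of failed SSH logins per source (low maxretry, a whitelist for your own IP) and the port-scan detection from firewall logs. `ssh_offenders` counts `Failed password` / `Failed publickey` lines per source address and reports sources at or over maxretry, skipping an ignore list; `port_scanners` reads the `[UFW BLOCK]` lines UFW's logging writes to the kernel log and reports sources blocked on many distinct destination ports, which is what a scan looks like from the firewall side. The thresholds and the sample log lines are constructed by me, and unlike real Fail2Ban there is no findtime window: every failure in the file counts.

```sh
# Added example (not from the thread): Fail2Ban-style SSH failure counting
# and port-scan detection over constructed log lines. Thresholds and sample
# lines are my assumptions. POSIX sh; needs awk, sort, mktemp.

# Print "ip count" for every source with at least MAXRETRY failed SSH
# logins in LOG, skipping addresses in the comma-separated IGNORE list.
ssh_offenders() {
    awk -v max="$2" -v ignore="$3" '
        BEGIN { n = split(ignore, a, ","); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        /sshd\[[0-9]+\]: Failed (password|publickey) for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (!(ip in skip)) fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' "$1" | sort
}

# Print "ip distinct_ports" for every source blocked on at least MINPORTS
# different destination ports. One hit per port is enough to count.
port_scanners() {
    awk -v min="$2" '
        /\[UFW BLOCK\]/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END { for (s in ports) if (ports[s] >= min) print s, ports[s] }
    ' "$1" | sort
}

# Write constructed syslog-style lines (sshd and kernel/UFW mixed, as
# /var/log/syslog shows them) to a temp file and print its path.
make_sample_log() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
Nov  7 03:14:01 vps sshd[1201]: Failed password for root from 198.51.100.23 port 51234 ssh2
Nov  7 03:14:03 vps sshd[1201]: Failed password for root from 198.51.100.23 port 51236 ssh2
Nov  7 03:14:05 vps sshd[1204]: Invalid user admin from 198.51.100.23 port 51240
Nov  7 03:14:06 vps sshd[1204]: Failed password for invalid user admin from 198.51.100.23 port 51240 ssh2
Nov  7 03:20:10 vps sshd[1300]: Failed publickey for deploy from 203.0.113.10 port 40000 ssh2: RSA SHA256:constructed
Nov  7 03:20:12 vps sshd[1300]: Failed publickey for deploy from 203.0.113.10 port 40000 ssh2: RSA SHA256:constructed
Nov  7 03:20:14 vps sshd[1300]: Failed publickey for deploy from 203.0.113.10 port 40000 ssh2: RSA SHA256:constructed
Nov  7 03:20:15 vps sshd[1300]: Accepted publickey for deploy from 203.0.113.10 port 40000 ssh2: ED25519 SHA256:constructed
Nov  7 03:25:00 vps sshd[1400]: Failed password for root from 192.0.2.77 port 33000 ssh2
Nov  7 03:25:01 vps sshd[1400]: Failed password for root from 192.0.2.77 port 33001 ssh2
Nov  7 04:00:01 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00 SRC=198.51.100.23 DST=203.0.113.5 LEN=44 PROTO=TCP SPT=44001 DPT=21 SYN
Nov  7 04:00:01 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00 SRC=198.51.100.23 DST=203.0.113.5 LEN=44 PROTO=TCP SPT=44002 DPT=23 SYN
Nov  7 04:00:01 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00 SRC=198.51.100.23 DST=203.0.113.5 LEN=44 PROTO=TCP SPT=44003 DPT=25 SYN
Nov  7 04:00:02 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00 SRC=198.51.100.23 DST=203.0.113.5 LEN=44 PROTO=TCP SPT=44004 DPT=3306 SYN
Nov  7 04:00:02 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00 SRC=198.51.100.23 DST=203.0.113.5 LEN=44 PROTO=TCP SPT=44005 DPT=8080 SYN
Nov  7 04:00:02 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00 SRC=198.51.100.23 DST=203.0.113.5 LEN=44 PROTO=TCP SPT=44006 DPT=8080 SYN
Nov  7 04:05:00 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00 SRC=192.0.2.77 DST=203.0.113.5 LEN=44 PROTO=TCP SPT=50000 DPT=8443 SYN
EOF
    printf '%s\n' "$f"
}

# Demo: maxretry 3 with our own address whitelisted; scanners at 5 ports.
log=$(make_sample_log)
printf '== SSH sources at/over maxretry=3 (ignoring 203.0.113.10) ==\n'
ssh_offenders "$log" 3 203.0.113.10
printf '== sources blocked on 5 or more distinct ports ==\n'
port_scanners "$log" 5
rm -f "$log"
```

The whitelist matters: without it, the `deploy` user fumbling a key three times from 203.0.113.10 would be reported alongside the real attackers, and a jail acting on that output would ban the admin. To act on the result by hand, `ufw insert 1 deny from 198.51.100.23 to any` puts a block ahead of the allow rules; Fail2Ban does the same thing for you with a ban time attached.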
  12. Apex

    Apex The time has come

    Well, the truth is that the whole issue of email is a problem, since it's vital in the day to day of my websites.

    I've seen Rackspace, and it seems to offer domain email accounts for $2, while Google's option is $5 per account. Has anyone tried Rackspace?
     
  13. eliquid

    eliquid SERPWoo.com

    I also second and third what others have said.

    Email is a pain to get right
     
  14. Steve

    Steve

    How many different accounts do you need?

    Certainly with G Suite, an account is a separate mailbox and login, but each account can have multiple email addresses. So if it's just you running the show, you can have one account for $5 a month yet still have multiple different email addresses.
     
  15. Joe

    Joe

    I'll add my vote to "too much hassle".
    For outgoing I use SendGrid.com, and for incoming I use Zoho.com. Both offer free tiers.
     
  16. Apex

    Apex The time has come

    At this time I need 3 email accounts, each one for a different domain. For that reason I asked about RackSpace, because if each account costs $2 the total would be $6, instead of $15.
     
  17. SmokeTree

    SmokeTree Developer/Linux Consultant

    Just putting this out here. I have set up no less than 50 email servers over the past 10-15 years or so, 5 servers just this year, all running Postfix (Linux only, no M$ Exchange mess). Not just the standard install that uses Unix accounts for email addresses (very bad idea), I'm talking about having virtual email accounts stored in MySQL as described here: (https://help.ubuntu.com/community/PostfixCompleteVirtualMailSystemHowto).

    This is business-grade email, not the "GoDaddy shared hosting that's sub-par for anything serious" equivalent. The question is, if I were to offer this service in the BuSo Marketplace, is that something that some of you would be interested in? This setup would give you unlimited email accounts/aliases, filters (sieve style) and even the capability to run email for multiple domains if needed (more advanced config required for that).
     
    turbin3 likes this.
  18. Apex

    Apex The time has come

    I've successfully installed and configured an SSL with Let's Encrypt, so the only thing I've left to solve is the mail.

    I'll search Rackspace reviews to see if it's what I need, and if not, I'll try to change the 2 least necessary accounts for Gmail accounts and use the most important one with G Suite, because really only one of these 3 websites generates income.

    In my case, I probably couldn't afford it, but I'm sure many other BuSo users would be really interested in that service.
     
    SmokeTree likes this.
  19. Steve

    Steve

    I can't say I have actually tried it, but it looks like you only need one account, with some domain aliases set up:

    https://support.google.com/a/answer/182452?hl=en
     
  20. Calamari

    Calamari

    I actually assumed the same thing and figured having your own email server was something only big companies could afford. When @SmokeTree quoted me a price to set up a private email server for me I was pleasantly surprised. I much prefer the one time expense over

    I've been using the email he set up for me for about a year now and I still love it.

    I had been bouncing between free emails like gmail and outlook and was always worried about my privacy and the next time one of them would get hacked.

    Earlier just this month I read on Hacker News that every single yahoo email account was hacked in 2013. Not sure why we are just hearing about this in 2017...

    I also really wanted to get as far away from Google products as I could. I literally don't want them scanning my emails and collecting my private info to build a database about me so they can target me with ads or whatever else they plan to do with my info in the future.

    Other than my emails being mine and mine alone and the likelihood of me being hacked dropping to near zero, I really like some of the features of the email software.

    Other than it being easy to use and the screen not being cluttered with ads or links to news stories, my favorite is that I can add as many domains and accounts to each domain as I want. When I set up a new site it just takes minutes for me to create an email for the domain.

    One concern I had was if the emails would actually get through or end up in spam. I haven't had a problem with people receiving my emails yet and I've sent a lot of emails over the last year. There's some things he had set up to make the server or domain more trustworthy in the eyes of the recipient's email. You'll have to ask him about it though as it's way over my pay grade.
     
    real and Bastion like this.
  21. Apex

    Apex The time has come

    Finally, I've solved the email problem with Zoho, and for free.

    And the server seems to be doing quite well. Screenshot of a newly transferred site:


    I just have to adjust some details for greater performance and security and everything will be ready.
     
    Calamari likes this.
  22. Apex

    Apex The time has come

    What do you recommend for backups? Linode has its own automatic backup system, but from what I see it has no option to download them.