A couple of things that I'd like to see in this script:
1. Go ahead and apply all of the software updates. The RAX Ubuntu images are behind on a lot of security updates.
    apt-get -q upgrade
    apt-get -q dist-upgrade
    reboot (at the end)
2. While you're at it, enable automatic security-related upgrades. It's likely that the user of your service is less technical and not Linux-savvy. Let's keep their cloud server from being owned.
3. Force public key auth (disable password auth) on their OpenSSH server and (preferably) disable root logins entirely. Create a user account for them if needed, with sudo access.
4. Set up IPtables as default-deny with holes punched for OpenVPN and OpenSSH.
5. Configure OpenSSH to listen on port 443 in addition to 22. Some hotspots block port 22. Almost nobody blocks port 443/tcp. This is super-handy if you're ever working from some place with a restrictive or filtering firewall. SOCKS over SSH is awesome, especially when you're dealing with censorship or malevolence at the DNS level. I used this technique when I was in the Army and our Army housing had horrible DNS servers that censored a lot of legitimate sites.
6. I would prefer you not ask for people's cloud provider API keys. This has huge potential for abuse. Instead, give them a script that they can run on any Mac or Linux box that takes the root password and IP and provisions their server for them.
I suppose I should make a PR for you; maybe later this weekend.
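Items 3 to 5 of the list above, sketched as an added example that is not part of the original comment or the project's script. The function names are hypothetical, and OpenVPN on 1194/udp with tun interfaces is an assumption about the deployment.

```bash
#!/usr/bin/env bash
# Added example; function names, 1194/udp and tun+ are assumptions.

# Settings sshd should enforce: key-only auth, no root login, ports 22 and 443.
managed_sshd_settings() {
    cat <<'EOF'
Port 22
Port 443
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
EOF
}

# Prepend the managed settings (sshd keeps the first value it sees, and lines
# appended after a Match block would only apply inside it); drop active overrides.
harden_sshd_config() {
    cfg="$1"; [ -f "$cfg" ] || return 1
    tmp="$(mktemp)" || return 1
    keys='Port|PubkeyAuthentication|PasswordAuthentication|KbdInteractiveAuthentication|ChallengeResponseAuthentication|PermitRootLogin'
    {
        managed_sshd_settings
        grep -Eiv "^[[:space:]]*(${keys})[[:space:]=]" "$cfg" || true
    } > "$tmp"
    cp "$cfg" "${cfg}.bak" && cat "$tmp" > "$cfg"; rc=$?
    rm -f "$tmp"; return "$rc"
}

# Default-deny ruleset in iptables-restore format, printed to stdout.
firewall_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,443 -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
COMMIT
EOF
}

# Usage (as root, after installing the user's public key):
#   harden_sshd_config /etc/ssh/sshd_config && sshd -t
#   firewall_rules | iptables-restore --test && firewall_rules | iptables-restore
```

Keep the existing SSH session open while testing a new login on both ports, so a mistake in the key setup does not lock the user out of the server.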
We agree with all but the last point. We do provide the script but sadly most people using this won't know how to run such a script. We tried to make it as easy as possible.
Great points otherwise, would love to see a PR. :) thanks for the feedback!
I'd also install fail2ban. I looked at the auth logs for my DigitalOcean VM, and it's amazing how many bots/people try to log into it, even though it doesn't contain anything necessarily valuable.