

Ask HN: VPS management for the absolute beginner - AgentConundrum

I have a new site that I want to build, something that I as a programmer wish existed. While there is no way this site would ever reach StackOverflow levels of success, I do hope that it will have a broad appeal and become decently successful - I'm optimistic, anyway.

I'm going to start with a shared host, possibly sticking with the company which hosts my blog since I know them well enough, but I don't think shared hosting is a good long term solution.

As such, I've been checking out Slicehost as a good "next-stage" host. The problem is that I would be completely out of my element with a VPS. I only have limited experience with Linux (I've tried it a few times on my laptop, but always ran into issues that made me give up on it - usually wireless issues), and while I'm pretty sure I could get the basics set up, I worry that I'd leave things horribly insecure or that I just couldn't handle maintenance issues.

Obviously, my idea may flop entirely, but I'd rather not get caught with my pants down if I ever got to the stage where a VPS becomes a necessity.

So, are there any good tutorials / (e-)books / articles describing how to get to know your VPS, or any other issues I should be concerned with?

An ounce of prevention, etc.

Thanks!
======
ubuntuftw
I was in a similar position about nine months ago. I was on a shared server,
and now I'm rocking a VPS with a pretty good confidence level. Here's what I
did.

First, I picked a Linux distribution. I went with Ubuntu because of ease of
use.

Second, I ordered a copy of "The Official Ubuntu Server Book"
(<http://www.amazon.com/Official-Ubuntu-Server-Book-2nd/dp/0137081332/ref=sr_1_1?ie=UTF8&s=books&qid=1280639886&sr=8-1>)
and read it from cover to cover. In some cases, I had to read chapters several
times to completely understand it, but because I did that and took copious
notes, I feel pretty good about things now. P.S. If you do read a book, take
notes. I refer to them almost every day.

Finally, I picked a VPS provider. I tried Slicehost, VPS.net, and Dreamhost,
but finally settled on Linode. I picked them because I heard great things
about them, and they haven't let me down. Back then, it was something like
386mb of RAM for $19.95. Now, they're even better. They offer 512mb for the
same price! With Slicehost, you only get 256mb for that price. At VPS.net,
it's 376mb. So Linode is the best deal, hands down.

Oh and Linode has an excellent user library with how-to articles on doing
EVERYTHING. <http://library.linode.com/>

Hope that helps some!

~~~
AgentConundrum
Thanks for the recommendations. I hadn't really looked a lot into which VPS to
use yet; I saw a post recently which linked me to Slicehost, so I checked it
out without really having yet had the chance to do much comparison yet.

I just skimmed over the linode library that you linked, and I am impressed. I
was going to ask you for more information about installing _and securing_
Apache (nothing against ngenix; I just have more experience with Apache),
MySQL, and PHP, but it seems they've beaten me to the punch. Though, if you do
have recommendations for any of that, please do pass that along. More
information is always appreciated.

~~~
ubuntuftw
I do! A killer tip too.

The Linode tutorials teach you one way of installing Apache, PHP, and MySQL...
but there is another.

If you're using Ubuntu and you run the command "sudo tasksel", that'll launch
a program that lets you pick from a bunch of preconfigured options. Need a
LAMP server? Just "sudo tasksel" and select LAMP. Need a mail server? Same
thing. Need an SSH server? Well, you get the idea.

In the past, I've had problems getting Apache, PHP, and MySQL to play nicely
when installed manually, so this can sometimes be helpful.

As far as security tips:

1\. Use password-protected SSH keys to log in as opposed to just using a
password. SSH is the protocol you will use to manage your VPS. It is also what
you should use (instead of FTP, which is insecure) to transfer files.

2\. Use UFW (it's short for uncomplicated firewall) to block all traffic by
default and allow only necessary ports (80 for HTTP, 22 for SSH, etc). UFW is
one GREAT reason to use Ubuntu. With other distributions, you have to use
iptables to set up a firewall, which is incredibly complicated. UFW is easy as
pie.

3\. Run the command "sudo mysql_secure_installation" to secure your MySQL
server.

4\. Keep the software on your VPS up to date. Run the commands "sudo aptitude
update" and "sudo aptitude safe-upgrade" to do this.
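Tips 1 and 2 above, as an added example that is not part of the thread: a small
check that an sshd_config really is key-only with no remote root password login,
and the UFW baseline as a function (only SSH and HTTP allowed inbound). The
sample config contents and the defaults assumed for unset keywords are constructed
for illustration.

```shell
#!/bin/sh
# Added example: audit the SSH settings from tip 1, and tip 2 as UFW commands.

# Effective value of an sshd_config keyword: the first uncommented match wins,
# which is how sshd itself resolves duplicates. Prints $3 (assumed default) if unset.
sshd_value() {                     # $1 = config file, $2 = keyword, $3 = default
    v=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print tolower($2)}')
    printf '%s\n' "${v:-$3}"
}

# Returns 0 when the config follows the advice (keys only, no password logins,
# no remote root with a password), 1 otherwise, printing each weak setting.
audit_sshd_config() {              # $1 = path to sshd_config
    rc=0
    if [ "$(sshd_value "$1" PasswordAuthentication yes)" != "no" ]; then
        echo "WEAK: PasswordAuthentication is not 'no' (tip 1: use SSH keys)"; rc=1
    fi
    case "$(sshd_value "$1" PermitRootLogin yes)" in
        no|prohibit-password|without-password) ;;
        *) echo "WEAK: PermitRootLogin allows password logins as root"; rc=1 ;;
    esac
    if [ "$(sshd_value "$1" PubkeyAuthentication yes)" != "yes" ]; then
        echo "WEAK: PubkeyAuthentication disabled, key logins would fail"; rc=1
    fi
    return $rc
}

# Tip 2 as commands: deny everything inbound, allow only SSH and HTTP.
# Allow 22 *before* enabling, or the session you are typing this in gets cut off.
ufw_baseline() {
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw allow 22/tcp
    sudo ufw allow 80/tcp
    sudo ufw --force enable
    sudo ufw status verbose
}

# Constructed sample config that fails the audit: the "no" is commented out,
# so it does not count, and root may still log in with a password.
write_sample_config() {            # $1 = destination path
    printf '%s\n' \
        '# PasswordAuthentication no' \
        'PermitRootLogin yes' \
        'PubkeyAuthentication yes' > "$1"
}
```

Run `audit_sshd_config /etc/ssh/sshd_config` after editing the file and before
restarting sshd; keep a second session open until a key login has been verified.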

~~~
tasaro
As far as making installations easier, you can also check out Linode
StackScripts: <http://www.linode.com/stackscripts/>

The LAMP and LEMP (nginx instead of apache) stacks are two of the most
popular.

------
maxdemarzi
If you're looking at Slicehost, then you must know they have step-by-step
instructions to get you set up at <http://articles.slicehost.com/>. This should
get you pretty far.

You can always ask the community for help if you need, and worst case turn to
<http://www.admingeekz.com/>,
<http://www.geniusweb.com/system_administration>,
<http://www.supportpro.com/administration.php> or some other hourly/per-case
type of sysadmin service.

~~~
AgentConundrum
Actually I didn't know about those articles. I browsed through the site rather
casually and focused mostly on specs and prices first. I didn't think to check
the "community" link (expecting it to be forums, which wasn't exactly what I
wanted) until you prompted me to go look for your link.

The information there seems great to get started. Many appreciations to you.

------
mixmax
Good question. I'm somewhat in the same boat as you, and I've found Linode's
tutorials good.

Check them out here: <http://library.linode.com/beginners-guide/>

~~~
AbyBeats
An off-topic question, if you don't mind. When should we think of switching from
a VPS to a fully dedicated server? I have a forum with around 3k members on
vBulletin, and the forum will grow further rather fast in the next two months.

~~~
lsc
If you are buying your own hardware, you should consider it when you need 8GiB
of RAM or spend more than $100/month, and absolutely jump when you need 32GiB of
RAM or spend more than $500/month. (Note, this changes if you only need the
server for a month or two.)

The thing is, hosting a small server is probably going to cost you around
$100/month anyhow, so if you can get by with a vps that costs less than that,
do so.

A small server with a Core 2 Duo and 8GiB of RAM is maybe $500 in parts.
Considering that it'll last for at least three years, that's not much, if you
think you'll have a server for a while.

If you are renting your dedicated server, then obviously, money doesn't matter
to you, or you are planning on only keeping the server for a month or two, and
you shouldn't listen to me, because I don't know what that is like.

------
scorpioxy
You're forgetting something. A shared host is inadequate for a bunch of
applications not just because of the number of visitors. It might also be that
it's too restricted for you.

If you need to run some form of daemon, for example, or some custom app in the
background: anything that requires more control over the environment, you
won't find in a shared host.

I use and like both the linode and slice host libraries.

~~~
AgentConundrum
Very true.

I already have a shared host for my crappy little blog, so I was just going to
develop this new thing in a restricted subdomain to see if I could get it to
become what I want. I figured I could create a minimum viable product there,
maybe have a bit of a private beta to figure out if anyone wants to use the
damn thing, then shove it on a VPS.

That said, I noticed after I made this post that both Slicehost and Linode are
month-to-month no commitment type deals, so once the site/app (what qualifies
to be called a "webapp" exactly anyway?) is sort of ready, I'll likely just
throw $20 at the problem and start on the VPS and see where it goes.

------
js4all
Don't do that if you are inexperienced with Linux. Most people don't realize
that, when running a VPS, they become an administrator with all the
responsibilities. If your VPS gets hacked, it is a danger for the whole net.

My advice, go for a managed solution.

~~~
lsc
I sort of agree? If you don't know and /don't want to know/ how to be a
sysadmin, don't get an unmanaged VPS. Use shared hosting if you don't have
much money, and fully managed VPSs or dedicated servers if you have a lot.
(Note, /good/ fully managed servers should cost many times over what unmanaged
solutions cost. That sort of thing is expensive to do well.)

But, if you want to learn, and are willing to put in the time, I think a VPS
is a good place to start. Dealing with compromised hosts (at the very least,
shutting them down) is priced into unmanaged VPS prices.

~~~
AgentConundrum
I wasn't really considering jumping directly to the VPS plan at first. I think
as far as getting the site actually running, and proving itself as a concept,
I can leave it on a relatively cheap shared host for a while.

My concern became that if I ever outgrew the shared host, which can happen for
any number of reasons (bandwidth, needing to configure things in certain ways,
etc.), I might not be able to afford to go full managed due to expense. I'm
not expecting miracles for this thing financially, as it's just a minor itch I
thought could do with some scratching, so full managed might never feel viable
to me.

To be honest, becoming a sysadmin was never a big concern of mine, but I
wouldn't go so far as to say I "don't want to know" how to do the job. I'm
perfectly willing to learn, which is precisely why I created this post.

If I ever do get a VPS, it still won't be until at least a couple months from
now, which gives me a reasonable amount of time to learn enough not to
embarrass myself and to provide a decent foundation to learn more as I need
to.

My top priority with this, and I hope I've made this clear in my comments here
(I know I made it clear in my x-post to reddit) is that I want to be sure the
system is secure. That is _the_ reason I'm asking for help here, as I never
had a doubt that I could get the system to a working state, but I don't have
the expertise yet to know when I've left something in an insecure state, and
that's exactly why I asked this question: to close that gap before it becomes
a real problem.

~~~
lsc
/nothing/ is completely secure.

I think off-site (and inaccessible) backups are the first thing you should
think of when you think about 'security' - after that, it's a relative thing.

The basics (after backups) are:

1\. Disable anything you don't need (firewalls are part of this... at the very
least, the default RHEL firewall closes off almost everything. That way, if
you have some poorly configured service running that you don't need, it's less
of a big deal 'cause it's not accessible from the Internet.)

2\. Use reasonable passwords. My opinion is that if you can remember it, it's
not a good password, but I'm pretty paranoid. At the very least avoid
dictionary words (including 'leet' dictionary words) and include mixed case and
punctuation. If you can use keys instead of passwords, that's even better.
Personally, I always disable remote root login with a password. Use a key if
you must remotely log in as root, but most of the time logging in as you and
using sudo or su is sufficient.

3\. Stay on the security or announce mailing list for every bit of software
you have exposed to the internet, and upgrade when there are holes.

Point 3 is where your distro comes in. If all the software you use is provided
by your distro, and you check the security mailing list every day, you are
ahead of most people.

With those three basics, well, you aren't 100% covered, but you have a good
start.

~~~
AgentConundrum
2 and 3 seem relatively obvious to me. The mailing list part of 3 was new to
me, as I wasn't really aware they existed, but keeping things up to date and
upgrading when they're not seemed pretty common-sensey.

Regarding #1 though: How do I know what I can and can't turn off? Obviously
turning off Apache or something like that is wrong, but there could be less
obvious things I may miss.

For the things that need to stay on (and I'm mainly focusing on the AMP in
LAMP with this), are they generally good-to-go out of the box with minimal
"extraordinary" configuration, or are there good resources to securing them
that I should be reading? I guess what I'm asking is, beyond following the
Slicehost/Linode tutorials, how much do I really need to know and where can I
find it?

Beyond all of this, I'll address your first point regarding the inherent
incomplete security of things: While you can't make anything 100% secure, you
should still try your best to prove that statement wrong. Plugging all "known"
holes in your security is still a lot better than being ignorant of them.

~~~
lsc
>Plugging all "known" holes in your security is still a lot better than being
ignorant of them.

Know that the moment an advisory is out, the bad guys are using automated
tools to scan for vulnerable hosts. Plugging known holes is the minimum
standard; otherwise you will be compromised in days if not hours.

The vast majority of malicious activity is completely automated, each
compromised system being used to compromise other systems. This means that
there is a truly staggering number of attackers, and that you will be attacked
even if you have nothing of value to take.

This is why watching the security mailing lists for your software is
important; even a weekly upgrade schedule may not be enough.

The rest of the sysadmin jazz, eliminating unused programs and stuff like that,
are really shortcuts to reducing the number of programs whose security
problems are your problems. There are holes we don't know about in everything,
so the fewer programs you depend on not having holes, the better off you are.

It's good practice to sit there with 'ps' and Google and figure out what every
process does and how the system responds when a process is killed (especially
important if you are on a Linux box with an aggressive overcommit and not
enough swap, and thus OOM-killer issues).
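The "disable anything you don't need" point and the 'ps' audit above, as an added
example that is not part of the thread: a script that reads the kernel's own
socket table (/proc/net/tcp, the data behind netstat -ltn), lists every listening
port, maps the socket back to the owning process via /proc/PID/fd, and flags any
port not on an allow-list. The table path and proc root are parameters so a
constructed sample can be fed in; the sample rows and inode numbers are made up.

```shell
#!/bin/sh
# Added example: which ports are exposed, and which process owns each one.

# Decode a /proc/net/tcp-style table: prints "port inode" for each LISTEN (0A) row.
# Columns: sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode
listening_ports() {               # $1 = path to the table (normally /proc/net/tcp)
    awk '$4 == "0A" { split($2, a, ":"); print a[2], $10 }' "$1" |
    while read -r hexport inode; do
        printf '%d %s\n' "$((0x$hexport))" "$inode"    # port is hex in the table
    done
}

# Map a socket inode to "pid comm" by scanning fd symlinks; "unknown" if absent.
owner_of_inode() {                # $1 = socket inode, $2 = proc root (default /proc)
    root=${2:-/proc}
    for fd in "$root"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        case "$(readlink "$fd" 2>/dev/null)" in
            "socket:[$1]")
                pid=${fd#"$root"/}; pid=${pid%%/*}
                printf '%s %s\n' "$pid" "$(cat "$root/$pid/comm" 2>/dev/null)"
                return 0 ;;
        esac
    done
    echo unknown
}

# Print every listening port not in the allow-list: the list to work through
# with 'ps' and a search engine, then disable or firewall off.
unexpected_listeners() {          # $1 = table path, $2 = allowed ports, e.g. "22 80"
    listening_ports "$1" | while read -r port inode; do
        case " $2 " in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}

# Constructed sample table: sshd on 22, nginx on 80, MySQL on 3306 (0x0CEA),
# plus one established connection that must be ignored.
write_sample_table() {            # $1 = destination path
    printf '%s\n' \
        '  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode' \
        '   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0 100 0 0 10 0' \
        '   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0 100 0 0 10 0' \
        '   2: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 12347 1 0 100 0 0 10 0' \
        '   3: 0A000002:0016 0A000001:C123 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0 100 0 0 10 0' > "$1"
}
```

On a live box, `unexpected_listeners /proc/net/tcp "22 80"` with sudo shows the
owners; a MySQL bound to 0.0.0.0 rather than 127.0.0.1 is the classic find.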

~~~
AgentConundrum
This is all really good information. Thanks.

------
listic
Can anyone please give me tips on configuring Pure-FTPd? The thing I need at
this stage is just to make a dedicated file host from my low-end VPS to
relieve my existing project on a shared hosting. For this, I gather, I need to
install (1) nginx (2) pure-ftpd and configure it to give write access to some
user to the root directory of nginx.

(1) I achieve by just doing 'yum install nginx' on CentOS. (2) installs in a
similar way, but whatever I do, I just can't log in with ftp. I guess I need
to configure virtual users also, so that I won't have to make a separate unix
user for each ftp user that I might need, and keep those ftp users in a
separate ftp config file.

------
petervandijck
A server on Amazon (dedicated) is only about $70/month, is that an option as
well? Pretty much no maintenance, just restart it if it crashes.

~~~
regularfry
You've been downvoted without an explanation as to why that's not a useful
suggestion.

The problem is that if you take a "just restart it if it crashes" approach,
the service will be very unreliable, and you're not allowing for analysing
what went wrong. In fact, taking this approach, Amazon's EC2 images are a
really bad option, because you lose any chance of gathering diagnostic info as
soon as you switch them off - all the data vanishes at that point.

Secondly, if you're going for a long-running VM, Amazon's machines are _very_
expensive for what they are; I pay roughly a third of what Amazon charges for
mine. If you're using them as base load rather than on-demand peak smoothing,
you're doing it wrong.

