Dear Fedi friends,
The past week has been filled with dramatic twists in #MySoCalledSudoLife.
If you follow my GoToSocial Fediverse account (@elena@aseachange.com) you may have witnessed the rollercoaster ride that was getting a third VPS - with OVH - and having it shut down by the company less than 24 hours later because of idiotic moves (read: lax security for Docker) by newbie me. Then followers who work for OVH came to my rescue and everything was restored. It was very dramatic.
I had been meaning to write a recap post of everything that happened and the lessons I learned but I don’t have the mental energy to revisit the saga.
I had an epiphany: what if I wrote a post every month focusing on the most important lessons I learned in my self-hosting journey? I find it important to document everything I do - wins and fails - so that hopefully I can help other self-hosting newbies. I thought it could be a good idea to frame this in the style of “sharing peaches and pits” - basically the high points (peaches) and low points (pits) in my self-hosting explorations.
So, I bring you the inaugural post in “My so-called sudo life: month 8: peaches & pits.”
This first post may feel a little disjointed as I will not group peaches and pits together, but rather do things in chronological order, given all the drama I experienced this month.
🍑 peach no.1: the sense of possibility you feel when you sign up for a new VPS. I got a 6-month plan for a basic VPS via OVH in order to learn Docker, as Ghost now requires moving from Ghost CLI to a Docker container system in order to turn on ActivityPub and have tailored metrics. I didn't want to install Docker on one of my existing VPSs in case I did something stupid that could have damaged my running software. So I got the new VPS, installed fail2ban on it, then went about installing Docker with commands and followed the security settings outlined in the Docker documentation (creating TLS certificates) to protect the server. Exciting stuff!
🌰 pit* no.1 (*there are no pit emojis, so excuse the use of chestnuts for this): when I woke up the next morning, I found an email from OVH addressed to “Mr. Rossini” (huh?) that informed me that my server was hacked and it was consequently turned off and shut down. I had paid for a 6-month plan but in the back-and-forth with customer service representatives, I was informed that “because I violated their terms of service” (with my ineptitude) I could not get a refund for the remaining months I had paid for. Technically I had been using the VPS for less than a day. 30€ for 4 hours of use. Well, you live and you learn.
🍑 peach no.2: I wrote about this misadventure on my GoToSocial account and received many supportive messages. Special props to devs who didn’t judge me for my recklessness. Two OVH employees reached out via DM offering to help. It seemed like my case was hopeless… but then a day later I received a DM stating that my account was reactivated - and I got an email as well, informing me of the reversal in the company’s decision. I couldn’t believe it!
🌰 pit no.2: not so much an unpleasant experience but... I found the mistake that triggered the VPS shutdown. If we disregard the fact that I didn’t change the ssh port right off the bat (borderline criminal, I know)… nor did I turn off password authentication (bad, very bad), I found incriminating evidence of my ineptitude when OVH reactivated my account. I rushed to immediately uninstall Docker via CLI. No problem there. But then when I ran “ls” to list the files left in my root folder, I found the folder “docker certs” and all the TLS certificates I had created to protect the Docker daemon socket. Of course it hadn’t been protected, I had created them and left them in the root folder (outside of Docker)!
🍑 peach no.3: I’ve gotten an accelerated education in Linux security, notably changing SSH ports, creating keys with OpenSSH, turning off password authentication and things are finally clicking for the first time. I owe this enlightenment to Veronica aka Linux Mom, whose Linux tutorials are brilliantly accessible to newbies. Veronica has perfected a way to talk to us so that we can understand - and most importantly use - essential Linux commands. Her video “OpenSSH for absolute beginners” (warning: YouTube link) was simply illuminating. As a little token of my gratitude I ended up buying a yearly subscription to Veronica’s videos via her Patreon (PSA: remember to support independent creators).
🌰 pit no.3: during the VPS saga I ended up signing up for a new basic VPS on Hetzner… thinking that it would be a replacement for the one nuked by OVH. So now I have FOUR VPSs. I’m the most clueless newbie you know with that many servers, ha! Days after my purchase I saw a tutorial showing that during setup I could have had Hetzner install Docker for me (instead of picking a distro). Too late, sigh. Again, you live, you learn. For the life of me I can’t figure out how to turn on Firewalls in Hetzner, something that could help with Docker. No video tutorials make it clear… probably because there are none by Veronica. Oh well, I will figure this out (I hope).
My new mantra is: I know very little about self-hosting… but I know more than I did yesterday.
Top 3 things I learned this month:
- changing ssh ports
- creating SSH keys on my local machine and copying the public key to a server
- disabling password authentication
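
An added example, not part of the original post: a small shell audit that reads an `sshd_config` and reports which of the three settings above are still at their weak defaults. The function names, the sample files and port 49222 are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config for the three
# lessons above. Function names and sample files are constructed for this page.

# Print the effective value of one keyword. sshd keeps the FIRST value it
# reads for a keyword, and keywords are case-insensitive. Match blocks are
# conditional overrides and are not evaluated here; Include files are not read.
sshd_value() {  # usage: sshd_value FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Print one FINDING line per weak setting; print nothing when all three pass.
audit_sshd_config() {  # usage: audit_sshd_config FILE
    if [ "$(sshd_value "$1" Port 22)" = "22" ]; then
        echo "FINDING: sshd listens on the default port 22"
    fi
    if [ "$(sshd_value "$1" PasswordAuthentication yes)" != "no" ]; then
        echo "FINDING: password authentication is still enabled"
    fi
    if [ "$(sshd_value "$1" PubkeyAuthentication yes)" != "yes" ]; then
        echo "FINDING: public key authentication is disabled"
    fi
}

# Constructed sample: a fresh server. The commented-out Port leaves the
# default in force, and the second PasswordAuthentication line is ignored.
sample_default() {
    printf '%s\n' '# constructed sample' '#Port 22' \
        'PasswordAuthentication yes' 'PasswordAuthentication no'
}

# Constructed sample: the same server after applying the three lessons.
sample_hardened() {
    printf '%s\n' '# constructed sample' 'Port 49222' \
        'passwordauthentication no' 'PubkeyAuthentication yes'
}

tmp=$(mktemp)
sample_default > "$tmp";  echo "default:";  audit_sshd_config "$tmp"
sample_hardened > "$tmp"; echo "hardened:"; audit_sshd_config "$tmp"
rm -f "$tmp"
```

On a real server, `sshd -T` prints the configuration the daemon actually uses, including any included files, and is the authoritative check.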
You may be wondering: wait, you learned about this on month EIGHT of self-hosting?!? Yes my friends, I know. I also shudder at this. It’s as if I’ve been driving a car without a permit for eight months. I know, I know. I will never again be so lax with server security. Fail2Ban gave me peace of mind, but I learned my lessons and now I know how essential these other steps are.
Onwards and upwards!
Elena