
Hosting a blog and its initial security config

True to my earlier posting, procrastination has gotten the better of me. The last few weeks have been spent ironing out the configuration of the altonblom.com site (yes the site has moved permanently to https, more on that shortly).

One of the other reasons for setting up this blog is to get better hands-on experience with hosted environments - I'm still reluctant to call what I'm playing with "the cloud". From a security perspective what I'm really interested in is how these services are configured "out of the box": is there anything more or less risky than if it was to be hosted and managed within an enterprise?

The next few posts will focus on the journey that got me to this current setup. First up: choosing a hosting provider.

Choosing a Hosting Provider

One of the first things that I needed to do was find someone to host this site. I did toy with the idea of simply running up a few VMs at home and exposing them to the Internet, but that went against my desire to understand how hosting organisations work and their default configurations.

The primary decision to use Digital Ocean wasn't technical, it was pricing. I was first made aware of Digital Ocean through Newsblur, who I use as my Google Reader replacement. Newsblur, who host on Digital Ocean, had an outage in November 2013 [1]. It was caused by a Failed UPS and Power Switching module in an Equinix facility. Whilst an outage isn't a resounding endorsement for a hosting provider, their update notifications seemed promising at the time. In addition to this, Digital Ocean sell themselves as "Built for Developers". As I said earlier, I'd also like to examine whether there is anything that increases or reduces risks to an organisation through developers spinning up machines as they need them on a hosted environment.

Digital Ocean then had a Black Friday free $50 credit promotion. That sealed the deal for me, they had a number of pre-configured images ready to go and I'd be able to play around with no immediate cost.

So I had $50 credit sitting with Digital Ocean, but per my earlier post it took me a while to get it up and running.

What's the Security Angle?

Let's start with Rich Mogull (@rmogull) from Securosis. He recently wrote about a security screw up on his cloud environment that cost him $500 [2]. To summarise, Rich had accidentally published one of his AWS Access Keys to GitHub; someone used this and set up five new instances for bitcoin mining. If you have a moment, make sure you read his honest account of the situation.

Fortunately I'm nowhere near writing code into a GitHub repository and having that abused to spin up extra instances; however, Digital Ocean does have my credit card information for billing.

Digital Ocean allow Two Factor Authentication, through Google's Authenticator, as an additional layer of protection when logging into their Admin Console. I've got that set up and it works well.

Whilst not a highlight it's also nice to see that Digital Ocean don't fall into the old "send forgotten passwords over email" trap. Their password reset process works without any passwords being sent in cleartext.

One of the take-aways from Rich's post is that billing alerts could have alerted him to this earlier. I'll reach out to Digital Ocean to find out if they'll be offering this type of service anytime soon.

UPDATE: I logged a support case with Digital Ocean about billing alerts and they suggested I add this as a feature request on their forum. I've created the feature request and it will now be voted on by the Digital Ocean community.

For my next post I'll take a look at why I chose Ghost as a blogging platform and what I learnt setting it up.

1 - https://www.digitalocean.com/blog_posts/ny1-equinix-power-issue-postmortem

2 - https://securosis.com/blog/my-500-cloud-security-screwup