Tutorial/guide for installing on a VPS


#1

Hi everyone

I’d like to install Ghost on a VPS from DigitalOcean. Is there a ‘noob’ guide covering everything from start to finish available somewhere? Their Ocean cast is not so clear.


#2

Instructions are in the official docs, there’s also a link to the 1-click DigitalOcean setup which is super simple to get started with.


#3

I’ve successfully installed Ghost with the 1-click DigitalOcean but I got an outgoing DDoS attack a couple of days later… I was hoping to find a full tutorial which explains how to prevent that as well.

I have another question, how do I get access to /content/themes/casper/post.hbs? I would like to modify post.hbs.


#4

It’s not something we’ve heard about before so you won’t find any tutorial which explains it. You’ll need to investigate how/why such an alert was triggered. How do you know there was an outgoing DDoS attach?

I have another question, how do I get access to /content/themes/casper/post.hbs? I would like to modify post.hbs.

After logging in as an admin, click the Design link in the left-hand navigation. On that screen you can download and upload themes.


#5

There are a few ways to fight against DDOS:

  • move your DNS’s to Cloudflare (cloudflare.com) and they have a button for that (as well as a firewall you could use to block attacking IP’s)
  • you can make sure you have a firewall installed locally on the VPS as well (i.e. ufw)
  • you can also install fail2ban locally to prevent brute force attempts on your web server (can rate limit access as well)

A search on google will yield quite a lot of useful results.


#6

@dsecareanu those are useful resources for incoming DDoS attacks but @Astro mentioned an outgoing DDoS attack which suggests that some network requests originating from the VPS were seen as an attack. That’s why it would be useful to know how that was detected and any other information about what traffic was seen as being an attack.


#7

Ah, sorry, missed the “outgoing” part :slight_smile:.

Well, the issues probably stem from an improper VPS security (some help about it here):

Cleaning up a hacked server can be a very tedious job, you would probably be better of just backing up your data and making a new server that you properly secure as indicated above.


#8

@dsecareanu, @Astro mentioned this was after using the 1-click DO install which should already be pretty locked down, I’m trying to determine if there’s a problem there so that we can address it with DO :wink:

First port of call is working out where the DDoS notification came from and if there are any details about the type of traffic that triggered it. We have nothing to go on at the moment, other than a 1-click install was created and a notification received a few days later. @Astro did you set up anything else on the VPS or use other services to watch network traffic?


#9

I have used the 1-click Ghost 2 install on Digital Ocean. Works like a charm.

Ask others have suggested how you determined that your server was engaged in outdoing DDoS attack.


#10

Hi @Kevin, @khurtwilliams

Here’s the email I received from DigitalOcean:

I didn’t set up anything else on the VPS apart from Ghost. I emailed them and asked what happened and how I could understand but they remained very vague in their replies. Is there a way to understand what happened for a novice like myself? This was a test droplet and the root password was rather simple but still bothering to see this happen.


#11

As I said above :slight_smile: try to go through the VPS securing recommendations and you should reduce the risk of having a compromised server. Also, your safest best is to just create a new droplet, secure it and move your Ghost installation there.

@Kevin :slight_smile: so it seems the one click install is not that secure after all and truth be told it still depends on the strength of the root password if one was setup vs using a SSH key for a stronger security.


#12

I think this is the answer to your issue.


#13

As @dsecareanu said, the weak root password is most likely the problem if you didn’t follow it up with further security measures.

For a more secure DigitalOcean droplet from the get-go it’s always recommended to have uploaded your public SSH key to your DigitalOcean account before creating a droplet. That way the “Add your SSH keys” checkbox for your key is automatically checked on the create page and password login via SSH is disabled which would have prevented a weak password being brute-forced.