Tutorial/guide for installing on a VPS

I think there are a few things that can be added to the Ubuntu install documentation here:

To help users be more aware of security risks and to streamline the installation process, namely:

  • recommend server setup with an SSH key (and link to relevant DO documentation)
  • add ssh pub key to new user (to enable ssh only auth if not already done, disable password logins - PasswordAuthentication no)
  • after creating a new user, disable root login in /etc/sshd_config (PermitRootLogin no)
  • install ufw and fail2ban (after updates)
  • config ufw (ufw allow ssh, http, https) - as the ‘Nginx Full’ profile does not seem to be available in a standard Ubuntu 18.04 install
  • mention also mariadb option (vs mysql)
  • maybe instead of just creating a root password for mysql rather go through the mysql_secure_installation procedure
  • recommend configuring nginx to use nginx or www-data user (for security reasons) or the created user (seems the default owner for /var/www is root so maybe chown user.group /var/www/site1 -R)
  • systemctl enable nginx, mysql
  • service nginx/mysql start

Maybe update the DO one click tutorial to factor in the above security steps as well:
https://www.digitalocean.com/docs/one-clicks/ghost/

I know these details might be a bit out of scope, but they shouldn’t take too much space and will ensure that new Ghost users at least are aware of the few steps they could go through to improve their web server security.

My favourite WordPress server setup tutorial is this one and I think it provides a ton of valuable and useful information (I will work on writing a similar detailed one for Ghost CMS in the near future):
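Added example, not part of the original post: a check for the two sshd settings in the list above (PermitRootLogin no, PasswordAuthentication no), showing why a line in the config file does not always take effect. The function names and sample configs are constructed for illustration, and the defaults passed in are OpenSSH's built-in ones.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the two settings named in the list.
# Assumption: on the server the file is /etc/ssh/sshd_config (stock OpenSSH path).

# effective_value KEYWORD DEFAULT FILE
# sshd keeps the first value it reads for a keyword and matches keywords
# case-insensitively. Lines after a "Match" line apply only conditionally,
# so this reads the global section only. Include files are not followed.
effective_value() {
    awk -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        tolower($1) == "match" { exit }          # conditional section starts
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }            # unset: built-in default
    ' "$3"
}

# audit_sshd FILE: report each setting; return 0 only if both are "no".
audit_sshd() {
    rc=0
    root=$(effective_value PermitRootLogin prohibit-password "$1")
    pass=$(effective_value PasswordAuthentication yes "$1")
    [ "$root" = no ] || { echo "FAIL PermitRootLogin=$root (want no)"; rc=1; }
    [ "$pass" = no ] || { echo "FAIL PasswordAuthentication=$pass (want no)"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK root and password logins are disabled"
    return "$rc"
}

# Constructed sample: commented-out line, a later "no", and a Match-only value.
weak=$(mktemp)
cat > "$weak" <<'EOF'
#PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
Match User deploy
    PermitRootLogin no
EOF
# Constructed sample: both set in the global section; the later "yes" is ignored.
hardened=$(mktemp)
cat > "$hardened" <<'EOF'
permitrootlogin no
PasswordAuthentication no
PermitRootLogin yes
EOF
trap 'rm -f "$weak" "$hardened"' EXIT

audit_sshd "$weak" || true
audit_sshd "$hardened"
```

On the server, `sshd -T` prints the configuration sshd actually resolves and is the authoritative cross-check for this kind of audit.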