I locked myself out of my server, I think!?!?

So I thought I would try Fedora CoreOS, got the DigitalOcean image and installed it on a droplet. I installed firewalld, policycoreutils-python-utils, certbot and docker-compose. With firewalld I opened ports 80, 443 and 2244. I changed SSH config to allow password login and changed the default port to 2244 (I do this because in the past I have received a huge amount of login attempts which I haven’t made myself). And I enabled the ports in SELinux. And then I started some containers.

All has been running very nicely for a couple of weeks. Until some time in the last 7 days. Suddenly all the containers I’ve been running are not accessible and I can’t access the droplet with ssh on the new or old port. With password or with certificate. I have no idea what happened? Hacked? Probably not, me not knowing fully how Fedora CoreOS works, probably!

I’ve deleted that droplet and made a new one now and I’m setting up a new one with the latest image for DigitalOcean. But I don’t want to make the same mistakes again. Does anyone have any idea of what I did wrong?

It’s really hard to know what you did wrong (assuming you did something wrong and weren’t hacked :grinning:) without having exact steps. You say you switched the default port ssh listens on to 2244 and also set up a firewall. Maybe you didn’t apply your firewall settings permanently (i.e. they go away on reboot)? If that’s the case then a reboot because of an automatic update would have locked you out of the machine.

On DO there is a VGA console. Since you had set up a password could you have tried to log in on the VGA console of the machine to recover?

What does the FCCT/Ignition configuration you are using look like? Did you try at least once to manually reboot your machine once it was in the steady working state, and see if it was coming back properly?

As Dusty said, you applied some heavy customization to that machine (most of those I’d recommend against) and not properly persisting any of them may indeed result in breakage on reboot.

The firewall was enabled in systemctl and I rebooted it a couple of times before I couldn’t get access anymore. I added the password afterwards, so the droplet was created using a certificate.

I didn’t use an ignition file when I created the droplet. Could that be the problem?

As I’m trying to learn how to set up a safe server using Fedora CoreOS, I’d like to know what you consider heavy customization and why you recommend against it?

Good to know. I’m not quite sure what happened but in the future definitely keep in mind the VGA console does exist. If you have a password set you should be able to use that to log in. Even if you don’t you can still recover the machine.

We do recommend you use an Ignition config once you’ve learned all the customizations you want to set up. It will make re-provisioning the machine in the future much easier. Specifically for the password thing there is this documentation.
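The check suggested earlier in the thread (were the firewall settings applied permanently, or do they go away on reboot?) can be scripted before trusting a reboot. This is an added example, not part of the original posts; the function names and the sample port lists are constructed, and only exact `port/proto` entries are compared (no ranges).

```shell
#!/bin/sh
# Added example: find firewalld ports that exist only in the runtime config.

# Print each port/proto in $1 (runtime) that is absent from $2 (permanent).
ports_missing_from_permanent() {
    runtime=$1
    permanent=$(echo $2)            # collapse whitespace/newlines
    for p in $runtime; do
        case " $permanent " in
            *" $p "*) ;;            # also in permanent config: survives reboot
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Return 0 if SSH port $1 is allowed by permanent ports $2, or is 22 and the
# predefined "ssh" service (22/tcp only) is in permanent services $3.
ssh_port_persisted() {
    port=$1
    perm_ports=$(echo $2)
    perm_services=$(echo $3)
    case " $perm_ports " in *" $port/tcp "*) return 0 ;; esac
    if [ "$port" = 22 ]; then
        case " $perm_services " in *" ssh "*) return 0 ;; esac
    fi
    return 1
}

# Constructed sample: 2244/tcp was opened without --permanent.
runtime_ports="80/tcp 443/tcp 2244/tcp"
permanent_ports="80/tcp 443/tcp"
permanent_services="dhcpv6-client"
ssh_port=2244
# On a live host, fill these from the real tools instead:
#   runtime_ports=$(firewall-cmd --list-ports)
#   permanent_ports=$(firewall-cmd --permanent --list-ports)
#   permanent_services=$(firewall-cmd --permanent --list-services)
#   ssh_port=$(sshd -T | awk '$1 == "port" {print $2; exit}')

missing=$(ports_missing_from_permanent "$runtime_ports" "$permanent_ports")
if [ -n "$missing" ]; then
    echo "runtime-only ports (lost on reboot):" $missing
fi
if ! ssh_port_persisted "$ssh_port" "$permanent_ports" "$permanent_services"; then
    echo "sshd port $ssh_port is not in the permanent firewall config"
fi
```

If the script reports runtime-only ports, `firewall-cmd --runtime-to-permanent` saves the current runtime rules, or each rule can be re-added with `--permanent`.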