New Hetzner Server Installation Best Practices
-
Hello,
I am new to this and wanted to ask a couple questions. I am planning on installing at Hetzner and using a domain I picked up through Cloudflare. There is no one-click install, but I am not sure that would be the best idea for me regardless to not know what's going on fully.
I understand this script is all I need to run on the latest version of Ubuntu LTS, which right now is 24.04.
wget https://cloudron.io/cloudron-setup
chmod +x ./cloudron-setup
./cloudron-setup
My question is twofold:
- Since my plan is to use Cloudron for my own company and in the future roll out to clients we have, is it wiser for me to go the route of a dedicated vCPU or a shared VCPU?
- Second, I want to make sure that I secure this as best as we can. Should I, or should I not, 1. disable the root user, 2. set up the non-root user and enable its keygen, 3. install Fail2Ban, and/or 4. install Crowdsec BEFORE I go through the installation as described with the wget command? Should I do this after I install Cloudron or does Cloudron do some of these items itself? Are any of these four steps here unnecessary?
Thank you for the help in advance. If there is anything that a NEW user should ask but I am missing here, please let me know where to look for insight. Cloudron seems like the best solution for me right now, but I just want to make sure I get the initial install done right so that I can focus on deploying the apps and not on the integrity of my initial installation.
Matt
-
Hi and welcome here!
CPU wise this very much depends on your use-cases and which apps you will install. This is rather impossible to tell upfront. I would start with a smaller and more cost effective setup (so probably vCPU) and then scale this if needed later.
For the second question, we have some docs at https://docs.cloudron.io/security/#securing-ssh-access on how to do this. Generally it doesn't matter if you install Cloudron first and then set those things. Overall just be cautious to only install packages very selectively and only if you know what will happen via apt. The default Cloudron installation will already lock down the firewall and also enable automatic security updates.
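An added example, not part of the reply above and not Cloudron's own tooling: a small audit of the two SSH points raised in the question (root login and key-based login), read from the effective configuration that `sshd -T` prints. The function name, the `--demo`/`--live` switches and the sample input are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit root-login and key/password settings from `sshd -T`.
# Reads `sshd -T` output on stdin and prints one finding per line.
sshd_audit() {
    awk '
        # sshd -T prints lower-case "keyword value" pairs, one per line.
        # Keyword names are those printed by OpenSSH on Ubuntu 24.04.
        $1 == "permitrootlogin"              { root = $2 }
        $1 == "pubkeyauthentication"         { pubkey = $2 }
        $1 == "passwordauthentication"       { pw = $2 }
        $1 == "kbdinteractiveauthentication" { kbd = $2 }
        END {
            if (pubkey != "yes") {
                print "FAIL pubkeyauthentication=" pubkey " (enable keys before disabling passwords)"
            }
            if (pw == "yes") {
                print "WARN passwordauthentication=yes (password guessing possible)"
            }
            if (kbd == "yes") {
                print "WARN kbdinteractiveauthentication=yes (PAM password prompts still offered)"
            }
            if (root == "yes") {
                print "WARN permitrootlogin=yes (root login not restricted to keys)"
            }
            if (root ~ /^(without|prohibit)-password$/) {
                print "INFO permitrootlogin=" root " (root limited to keys)"
            }
            if (root == "no") {
                print "INFO permitrootlogin=no (root cannot log in over SSH)"
            }
        }'
}

# Constructed sample of `sshd -T` output, used by --demo.
SAMPLE='port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE" | sshd_audit ;;
    --live) sshd -T | sshd_audit ;;   # needs root to read the host keys
esac
```

Run it before and after changing `sshd_config`, and keep an existing session open until a fresh key-based login has been confirmed.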
-
@visamp
With Hetzner, try to gauge your Cloudron project.
How much will happen on that instance? Will you start small and grow or do you already have an app stack in mind?
Many customers of mine want to start small, so shared vCPU and CX22 which can be scaled up as needed.
If at some point the normal scaling comes to a threshold where a dedicated server is less expensive than a Cloud server we switch to that.
The Cloudron backup function makes it very easy to fully migrate between servers and providers (not needed when upscaling).
Just one thing to keep in mind! IP reputation for Mail!
If you have to migrate from Cloud to dedicated Hardware, do so with some time ahead since almost all IPv4 addresses have been used before and have a "bad" reputation.
-
@BrutalBirdie said in New Hetzner Server Installation Best Practices:
Just one thing to keep in mind! IP reputation for Mail!
If you have to migrate from Cloud to dedicated Hardware, do so with some time ahead since almost all IPv4 addresses have been used before and have a "bad" reputation.
I think this is slowly getting better because Hetzner are making it slightly harder to sign up as new customers for the cloud offering, but yes!
As soon as you've got your VPS, and before bothering to install Cloudron, I'd recommend checking your IP on e.g. https://mxtoolbox.com/blacklists.aspx to see if it's on blacklists. If it is I'd probably just cancel it and get another one (easier than getting your IP off of the blacklists). And/or contact Hetzner about it to see if they can assign a different IP or help get the IP off the blacklists.
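A command-line counterpart to the blacklist check suggested above, as an added example that is not part of the original post: DNS blocklists are queried by reversing the IPv4 octets and appending the list's zone, and any answer in 127.0.0.0/8 means the address is listed. The two zones, the function names and the file name are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: look up a server's IPv4 address in DNS blocklists (DNSBLs).
# The zones below are illustrative choices, not taken from the thread.
DNSBL_ZONES="zen.spamhaus.org bl.spamcop.net"

# Build the query name: octets reversed, zone appended.
# 203.0.113.7 + zen.spamhaus.org -> 7.113.0.203.zen.spamhaus.org
dnsbl_qname() {
    echo "$1" | awk -F. -v zone="$2" '
        NF != 4 { exit 1 }
        {
            for (i = 1; i <= 4; i++) {
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255) { exit 1 }
            }
            printf "%s.%s.%s.%s.%s\n", $4, $3, $2, $1, zone
        }'
}

# Classify the A record a DNSBL returned (empty string = NXDOMAIN).
# 127.255.255.x is how Spamhaus reports a refused query (for example one sent
# through a public resolver); it is an error, not a listing.
dnsbl_classify() {
    case "$1" in
        "")            echo clean ;;
        127.255.255.*) echo error ;;
        127.*)         echo listed ;;
        *)             echo error ;;
    esac
}

# First IPv4 address for a name; prints nothing when the name does not exist.
dnsbl_lookup() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Print one "zone result" line per DNSBL for the given address.
check_ip() {
    for zone in $DNSBL_ZONES; do
        qname=$(dnsbl_qname "$1" "$zone") || { echo "not an IPv4 address: $1" >&2; return 2; }
        printf '%-20s %s\n' "$zone" "$(dnsbl_classify "$(dnsbl_lookup "$qname")")"
    done
}

# Usage: sh dnsbl-check.sh 203.0.113.7   (203.0.113.7 is a documentation address)
[ $# -eq 0 ] || check_ip "$1"
```

An `error` result means the lookup has to be repeated through a resolver the list accepts before the address can be considered clean.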
-
Thank you all so much. This is extremely helpful and will guide how I set up things. I appreciate better now that you can migrate very easily with Cloudron. So that part doesn't give me any reservations.
I didn't think of email and blacklists so thanks for pointing out a blindspot.
One more quick question. Do you recommend installing CrowdSec or not? Maybe it's overkill?
-
@visamp said in New Hetzner Server Installation Best Practices:
Do you recommend installing CrowdSec or not? Maybe it's overkill?
I had it installed once, looked at pretty graphs for maybe 4–5 days. Then I forgot it, re-setup the server and did not install it again.
So, I can not even tell you if it was helpful or not.
But what I can say is, no one here really uses crowdsec, nor maintains support for it with cloudron.
Good thing is, backup or snapshot, try it, decide for yourself, rollback if it is not to your liking.