Uploading your SSH key
After signing up with DigitalOcean, the first thing you’ll want to do is upload your public SSH key. This makes it possible to log into your newly created server without typing out a password.
In the DigitalOcean settings, click on the menu item labeled Security. Click the Add SSH Key button and enter a name for your key. Paste the contents of your public key into the SSH Key Content field, and then click Add SSH Key.
If you are running X11 and have xclip installed, you can copy the contents of your public key to the clipboard by running the following command:
xclip < ~/.ssh/id_rsa.pub
If you’re running macOS, you can use the pbcopy utility to copy your key to
pbcopy < ~/.ssh/id_rsa.pub
Creating your virtual server
DigitalOcean call their virtual servers Droplets.
In the DigitalOcean management console click the main menu item labeled Droplets and then click the Create Droplet button.
Select the Debian 7.0 x64 image.
Select the desired size and region for your Droplet.
Select your SSH key.
Enter a hostname for your server. This hostname can be pretty much anything,
but if you’re going to set up DNS records for this server’s IP address you
should enter the desired fully qualified domain name (e.g.,
yourserver.example.com) as the hostname. This will automatically set up a
PTR/rDNS record for the server’s IP address.
Click the Create button.
When your Droplet has been created, you will be taken back to the Droplets page. Take note of your server’s IP address in the IP Address column.
Now that you have created your virtual server, it’s time to log into it using SSH:
DROPLET_IP=203.0.113.0 # Replace this with your droplet’s IP address
ssh root@$DROPLET_IP
Since you uploaded and selected your SSH key when creating your Droplet, you won’t have to provide a password when logging in.
The first thing you should do after logging in is change the root user’s password:
To ensure that you are up to date with the latest security upgrades, update the package index and then upgrade the system:
apt-get update
apt-get upgrade
Enabling automatic security upgrades
If you don’t want to regularly log into your server to apply security upgrades,
you can activate automatic upgrades. To do this, install the
apt-get install unattended-upgrades
Edit the configuration file.
Update it to look like this:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
By default, this will only download and install packages labeled as security
upgrades. If you want more packages to be downloaded and installed, edit
/etc/apt/apt.conf.d/50unattended-upgrades to your preference.
Fail2ban is a daemon that monitors log files for failed login attempts and
other suspicious activity, and bans the IP addresses that show malicious signs.
Install it using
apt-get. The default configuration should be sufficient.
apt-get install fail2ban
Configuring the firewall
Linux includes a firewall that can be configured using the
iptables program can be cumbersome, so instead, we’ll use a
ufw (The Uncomplicated Firewall). Install
apt-get install ufw
Configure the firewall to allow connections on port 22, i.e., SSH connections:
ufw allow 22
Enable the firewall. This will tell you that the command may disrupt existing SSH connections and will ask if you want to proceed. Answer y(es).
Setting up a user
Logging in as root for everyday tasks is considered bad practice since it makes
dangerous mistakes easy to make. Instead, you should log in as a normal user
and use the
sudo command whenever you need root privileges. Create your user
and its home directory using the
NEW_USER=alice # Replace this with your desired username
useradd -s /bin/bash -m $NEW_USER
To be able to log in as the new user using your SSH key, copy the
authorized_keys file from the root user’s
.ssh directory to one in your new
user’s home directory.
mkdir -m 700 /home/$NEW_USER/.ssh
cp ~/.ssh/authorized_keys /home/$NEW_USER/.ssh/authorized_keys
chown -R $NEW_USER:$NEW_USER /home/$NEW_USER
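Because root logins are disabled later in this guide, it is worth confirming that the copied key will actually be accepted for the new user. The following is an added example, not part of the original guide: the function name check_ssh_key_setup is hypothetical, and it assumes GNU stat as shipped with Debian.

```sh
#!/bin/sh
# Added example: verify the key copy made in the step above.
# Usage (as root on the server):
#   check_ssh_key_setup "$NEW_USER" "/home/$NEW_USER"
# Prints one line per problem; returns non-zero if any problem is found.
check_ssh_key_setup() {
    user=$1
    home=$2
    ssh_dir=$home/.ssh
    keys=$ssh_dir/authorized_keys
    problems=0

    # sshd's StrictModes option (on by default) ignores authorized_keys
    # when the file, ~/.ssh or the home directory is writable by group
    # or others. This check also expects the new user to own all three,
    # which is what the chown -R step is meant to achieve.
    for path in "$home" "$ssh_dir" "$keys"; do
        if [ ! -e "$path" ]; then
            echo "missing: $path"
            problems=$((problems + 1))
            continue
        fi
        owner=$(stat -c '%U' "$path")
        mode=$(stat -c '%a' "$path")
        if [ "$owner" != "$user" ]; then
            echo "owned by $owner, expected $user: $path"
            problems=$((problems + 1))
        fi
        # 022 masks the group-write and other-write permission bits.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "writable by group or others (mode $mode): $path"
            problems=$((problems + 1))
        fi
    done

    # An empty key file passes the permission checks but lets nobody in.
    if [ -e "$keys" ] && [ ! -s "$keys" ]; then
        echo "empty key file: $keys"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}
```

Run it before restarting sshd; any output means the new user may be unable to log in with the key.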
Set a password for your user:
sudo access to your user:
Remove all existing user/group grant lines and add the following at the end,
NEW_USER with the new user’s username:
root ALL=(ALL) ALL
NEW_USER ALL=(ALL) ALL
sshd to only allow logins from your newly created user using an
authorized SSH public key:
Find the following line:
Change it to say no:
Uncomment this line:
Also, change it to say no:
At the bottom of the file, add the following—again, replacing
the new user’s username:
sshd for the changes to take effect:
service ssh restart
Open another terminal window on your local machine and ensure that you can log into your server using your new user before logging out as root:
You now have a basic Linux server set up and can proceed with setting up other services.