In this guide, I’ll show you how to set up and configure a basic Linux server in the DigitalOcean cloud running Debian 7 Wheezy.
If you’re using a different Linux distribution or hosting provider, you might need to alter the commands somewhat.
Uploading your SSH key
After signing up with DigitalOcean, the first thing you’ll want to do is to upload your public SSH key. This makes it possible to log into your newly created server without typing out a password.
In the DigitalOcean settings, click on the menu item labeled Security. Click the Add SSH Key button and enter a name for your key. Paste the contents of your public key into the SSH Key Content field, and then click Add SSH Key.
If you are running X11 and have xclip installed, you can copy the contents of your public key to the clipboard by running the following command:
xclip < ~/.ssh/id_rsa.pub
If you’re running macOS, you can use the pbcopy utility to copy your key to the clipboard:
pbcopy < ~/.ssh/id_rsa.pub
Creating your virtual server
DigitalOcean call their virtual servers Droplets.
In the DigitalOcean management console click the main menu item labeled Droplets and then click the Create Droplet button.
Select the Debian 7.0 x64 image.
Select the desired size and region for your Droplet.
Select your SSH key.
Enter a hostname for your server. This hostname can be pretty much anything, but if you’re going to set up DNS records for this server’s IP you should enter the desired fully qualified domain name (e.g. yourserver.example.com) as the hostname. This will automatically set up a PTR/rDNS record for the server’s IP.
Click the Create button.
When your Droplet has been created, you will be taken back to the Droplets page. Take note of your server’s IP in the IP Address column.
After creating your virtual server, you can now log into it using SSH:
Since you uploaded and selected your SSH key when creating your Droplet, you won’t have to provide a password when logging in.
The first thing you should do after logging in is to change the root user’s password:
To ensure that you are up to date with the latest security upgrades, update the package index and then upgrade the system:
apt-get update
apt-get upgrade
Enabling automatic security upgrades
If you don’t want to regularly log into your server to apply security upgrades, you can activate automatic upgrades. To do this, install the unattended-upgrades package:
apt-get install unattended-upgrades
Edit the configuration file.
Update it to look like this:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
By default, this will only download and install packages labeled as security upgrades. If you want more packages to be downloaded and installed, edit /etc/apt/apt.conf.d/50unattended-upgrades to your preference.
Fail2ban is a daemon that monitors log files for failed login attempts and other suspicious activity on your server and effectively bans the IPs that show malicious signs. Install it using apt-get. The default configuration should be
apt-get install fail2ban
Setting up the firewall
The Linux kernel includes a firewall that can be configured using the iptables program. Using the iptables program directly can be cumbersome and hard, so instead, we’ll use a front-end called ufw (The Uncomplicated Firewall).
apt-get install ufw
Configure the firewall to allow connections on port 22, i.e. SSH connections:
ufw allow 22
Enable the firewall. This will tell you that the command may disrupt existing SSH connections and will ask if you want to proceed. Answer y(es).
Setting up your user
Logging in as the root user is generally considered bad practice. Instead, you should log in as a normal user and use the sudo command whenever you need root privileges. Create your user and its home directory using the useradd command:
useradd -s /bin/bash -m youruser
To be able to log in using your SSH key, copy the authorized_keys file from the root user’s .ssh directory to one in your new user’s home directory.
mkdir -m 700 /home/youruser/.ssh
cp ~/.ssh/authorized_keys /home/youruser/.ssh/authorized_keys
chown -R youruser:youruser /home/youruser
Set a password for your user:
sudo access to your user:
Remove all existing user/group grant lines and add the following at the end:
root ALL=(ALL) ALL
youruser ALL=(ALL) ALL
sshd to only allow logins from your newly created user using an authorized SSH public key:
Find the following line:
Change it to say no:
Uncomment this line:
Also, change it to say no:
At the bottom of the file, add the following:
Restart sshd for the changes to take effect:
service ssh restart
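A check worth running on the edited file before that restart, given as an added example that is not part of the original guide: it confirms that root and password logins are really off and that your user is allowed in. It assumes the directives involved are PermitRootLogin, PasswordAuthentication and AllowUsers, which this page does not name; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: the lockdown uses the OpenSSH directives
# PermitRootLogin, PasswordAuthentication and AllowUsers.
# Limits: Match blocks and user@host / wildcard patterns are not evaluated.

# directive_values FILE KEYWORD [all]
# Print the value of the first active KEYWORD line (sshd keeps the first value
# it reads; keywords are case-insensitive). With "all", print every such line.
directive_values() {
    awk -v key="$2" -v all="$3" '
        /^[ \t]*#/ { next }    # a commented-out directive has no effect
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print
            if (all == "") exit
        }
    ' "$1"
}

# check_sshd_lockdown FILE USER
# Return 0 only if root and password logins are off and USER is allowed in.
check_sshd_lockdown() {
    file=$1; user=$2; rc=0

    [ "$(directive_values "$file" PermitRootLogin)" = "no" ] ||
        { echo "FAIL: PermitRootLogin is not set to no"; rc=1; }

    # Catches the easy mistake of changing the value but leaving the "#".
    [ "$(directive_values "$file" PasswordAuthentication)" = "no" ] ||
        { echo "FAIL: PasswordAuthentication is not set to no"; rc=1; }

    # AllowUsers may appear on several lines, so collect all of them.
    allowed=$(directive_values "$file" AllowUsers all | tr '\n' ' ')
    case " $allowed " in
        *" $user "*) ;;
        *) echo "FAIL: AllowUsers does not list $user"; rc=1 ;;
    esac

    return "$rc"
}

# On the server: check_sshd_lockdown /etc/ssh/sshd_config youruser
```

On the server itself, sshd -t additionally checks the configuration file for syntax errors.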
Open another terminal window on your local machine and ensure that you can log into your server using your new user before logging out as root:
You now have a basic Linux server set up and can proceed with setting up other services.