In this guide, I’ll show you how to set up and configure a basic Linux server in the DigitalOcean cloud running Debian 7 Wheezy.

If you’re using a different Linux distribution or hosting provider, you might need to alter the commands somewhat.

Uploading your SSH key

After signing up with DigitalOcean, the first thing you’ll want to do is to upload your public SSH key. This makes it possible to log into your newly created server without typing out a password.

In the DigitalOcean settings, click on the menu item labeled Security. Click the Add SSH Key button and enter a name for your key. Paste the contents of your public key into the SSH Key Content field, and then click Add SSH Key.

If you are running X11 and have xclip installed, you can copy the contents of your public key to the clipboard by running the following command:

xclip -selection clipboard < ~/.ssh/id_rsa.pub

If you’re running macOS, you can use the pbcopy utility to copy your key to the clipboard:

pbcopy < ~/.ssh/id_rsa.pub

Creating your virtual server

DigitalOcean call their virtual servers Droplets.

In the DigitalOcean management console click the main menu item labeled Droplets and then click the Create Droplet button.

Select the Debian 7.0 x64 image.

Select the desired size and region for your Droplet.

Select your SSH key.

Enter a hostname for your server. This hostname can be pretty much anything, but if you’re going to set up DNS records for this server’s IP you should enter the desired fully qualified domain name (e.g. yourserver.example.com) as the hostname. This will automatically set up a PTR/rDNS record for the server’s IP.

Click the Create button.

When your Droplet has been created, you will be taken back to the Droplets page. Take note of your server’s IP in the IP Address column.

Logging in

After creating your virtual server, you can now log into it using SSH:

ssh root@YOURIP

Since you uploaded and selected your SSH key when creating your Droplet, you won’t have to provide a password when logging in.

The first thing you should do after logging in is to change the root user’s password:

passwd

To ensure that you are up to date with the latest security upgrades, update the package index and then upgrade the system:

apt-get update
apt-get upgrade

Enabling automatic security upgrades

If you don’t want to regularly log into your server to apply security upgrades, you can activate automatic upgrades. To do this, install the unattended-upgrades package:

apt-get install unattended-upgrades

Edit the configuration file:

vi /etc/apt/apt.conf.d/10periodic

Update it to look like this:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

By default, this will only download and install packages labeled as security upgrades. If you want more packages to be downloaded and installed, edit /etc/apt/apt.conf.d/50unattended-upgrades to your preference.

Installing Fail2Ban

Fail2ban is a daemon that monitors log files for failed login attempts and other suspicious activity on your server and bans the IP addresses that show signs of malicious behavior. Install it using apt-get. The default configuration should be sufficient.

apt-get install fail2ban

Setting up the firewall

The Linux kernel includes a firewall that can be configured using the iptables program. Using the iptables program directly can be cumbersome and hard, so instead, we’ll use a front-end called ufw (The Uncomplicated Firewall). Install ufw using apt-get:

apt-get install ufw

Configure the firewall to allow connections on port 22, i.e. SSH connections:

ufw allow 22

Enable the firewall. This will tell you that the command may disrupt existing SSH connections and will ask if you want to proceed. Answer y(es).

ufw enable

Setting up your user

Logging in as the root user is generally considered bad practice. Instead, you should log in as a normal user and use the sudo command whenever you need root privileges. Create your user and its home directory using the useradd command:

useradd -s /bin/bash -m youruser

To be able to log in using your SSH key, copy the authorized_keys file from the root user’s .ssh directory to one in your new user’s home directory.

mkdir -m 700 /home/youruser/.ssh
cp ~/.ssh/authorized_keys /home/youruser/.ssh/authorized_keys
chown -R youruser:youruser /home/youruser

Set a password for your user:

passwd youruser

Grant sudo access to your user:

VISUAL=vi visudo

Remove all existing user/group grant lines and add the following at the end:

root ALL=(ALL) ALL
youruser ALL=(ALL) ALL

Configuring sshd

Configure sshd to only allow logins from your newly created user using an authorized SSH public key:

vi /etc/ssh/sshd_config

Find the following line:

PermitRootLogin yes

Change it to say no:

PermitRootLogin no

Uncomment this line:

#PasswordAuthentication yes

Also, change it to say no:

PasswordAuthentication no

At the bottom of the file, add the following:

AllowUsers youruser

Restart sshd for the changes to take effect:

service ssh restart

Open another terminal window on your local machine and ensure that you can log into your server using your new user before logging out as root:

ssh youruser@YOURIP
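
If the login is refused, or before you restart sshd at all, you can audit the edited file. The script below is an added example, not part of the original guide: it checks the three settings changed above and applies sshd's rule that the first value read for a keyword wins. The function names are hypothetical, and only the global section (before any Match block) is read.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the three settings changed above.

# first_value FILE KEYWORD: first uncommented value in the global section.
# sshd keeps the first value it reads; keyword names are case-insensitive.
first_value() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }                      # comment line
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == tolower(want) { print $2; exit }
    ' "$1"
}

# allowed_users FILE: every AllowUsers pattern, one per line.
# Assumption: repeated AllowUsers lines are treated as cumulative.
allowed_users() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# check_sshd_hardening FILE USER: 0 if all three settings hold, else 1,
# printing one FAIL line per problem.
check_sshd_hardening() {
    file=$1; user=$2; rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(first_value "$file" "$kw")
        if [ "$val" != "no" ]; then
            echo "FAIL: $kw is '${val:-unset}', expected 'no'"
            rc=1
        fi
    done
    if ! allowed_users "$file" | grep -qxF "$user"; then
        echo "FAIL: AllowUsers does not list $user"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: "no" was appended instead of editing the original line.
demo=$(mktemp)
printf '%s\n' 'PermitRootLogin yes' 'PasswordAuthentication no' \
    'AllowUsers youruser' 'PermitRootLogin no' > "$demo"
check_sshd_hardening "$demo" youruser || true
rm -f "$demo"
```

On the server, call check_sshd_hardening /etc/ssh/sshd_config youruser. Running sshd -t before the restart also catches syntax errors in the file.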

You now have a basic Linux server set up and can proceed with setting up other services.