First steps to securing Ubuntu Server 18.04 on Digital Ocean
When you need to set up a new Linux server on one of the popular VPS providers, the first steps are often similar. A big reason I have a blog is so I can copy/paste common tasks I need to do more than once. So, below are the first few steps I take when setting up a new Ubuntu 18.04 server on Digital Ocean.
Step 1: Create new server, add ssh key
While the directions will vary between VPS providers, the first step is to provision a new server and then configure it to accept SSH keys. This is superior to having the root password sent to you over email; however, if that does happen, as long as you log in quickly and change the password, I think the risk is fairly low.
Step 2: Setup a standard user
The first step is to log in to your server as root, change the password if it was sent over email, configure a standard user with sudo access, and then remove the ability for the root user to log in over the network. Make sure you know the IP address of your newly created server, which you can get from the VPS provider's website. Then ssh into the server with ssh root@ip and do the following:
Add a new user (as root)
$ adduser hideo
Add the user to the superuser (sudo) group
$ usermod -aG sudo hideo
Switch to the new user
$ su - hideo
Create a directory to hold the ssh authorized keys file
$ mkdir ~/.ssh && chmod 700 ~/.ssh
Create the authorized keys file and set permissions:
$ touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys
Then with your preferred editor, add your public key to your authorized_keys file, e.g. vim .ssh/authorized_keys
While you are still logged in as root, open a new terminal session and try to ssh to your server as your standard user, e.g. ssh hideo@ip. Then make sure you can access root privileges with sudo -s. If all is working as expected, go ahead and log out of your original root session.
Step 3: Enable a firewall, allow ssh
Next, it’s time to set up a firewall with a default deny policy and allow only ssh (until you need other services):
See what ufw application profiles are available
$ sudo ufw app list
Available applications:
OpenSSH
Allow ssh
$ sudo ufw allow OpenSSH
Rules updated
Rules updated (v6)
Enable the firewall
$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
Check the status to make sure the firewall is active and enforcing
$ sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Step 4: Apply Ubuntu updates
Finally, it’s time to apply any server updates so everything is at the latest version and, most importantly, you have the latest security patches.
Update your package source
$ sudo apt update
Upgrade with available updates
$ sudo apt upgrade -u
And finally reboot (for good measure, especially if the kernel was updated)
$ sudo reboot
You should now be ready to use your VPS or add more security layers such as fail2ban, log monitoring and more!
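As an added check that is not part of the original post, the script below verifies the two things the steps above configure by hand: that the new user's ~/.ssh directory and authorized_keys file carry the 700/600 modes from Step 2, and that ufw is active with OpenSSH as the only allowed application from Step 3. It assumes GNU stat as shipped with Ubuntu; the ufw status text it runs against is a constructed sample of the output shown above, not live output.

```shell
#!/bin/sh
# Added example (not from the original post): post-setup checks for the two
# things this guide configures by hand. Assumes GNU coreutils stat (Ubuntu).

# check_ssh_perms HOME_DIR
# Returns 0 when HOME_DIR/.ssh is mode 700 and HOME_DIR/.ssh/authorized_keys is
# mode 600, the modes set in Step 2. With StrictModes (sshd's default), a group-
# or world-writable directory or key file makes sshd ignore authorized_keys, so
# key login silently fails and you are back to password logins.
check_ssh_perms() {
    dir="$1/.ssh"
    keys="$dir/authorized_keys"
    [ -d "$dir" ] || { echo "missing $dir"; return 1; }
    [ -f "$keys" ] || { echo "missing $keys"; return 1; }
    dir_mode=$(stat -c '%a' "$dir")
    key_mode=$(stat -c '%a' "$keys")
    [ "$dir_mode" = "700" ] || { echo "$dir is mode $dir_mode, expected 700"; return 1; }
    [ "$key_mode" = "600" ] || { echo "$keys is mode $key_mode, expected 600"; return 1; }
    return 0
}

# ufw_only_ssh STATUS_FILE
# Reads saved 'sudo ufw status' output and returns 0 only if the firewall is
# active and every ALLOW rule is for OpenSSH (v4 or v6), i.e. the default-deny
# state Step 3 leaves you in. Any other ALLOW rule is reported by its "To" column.
ufw_only_ssh() {
    grep -q '^Status: active' "$1" || { echo "ufw is not active"; return 1; }
    extra=$(awk '/ALLOW/ && $1 != "OpenSSH" { print $1 }' "$1")
    [ -z "$extra" ] || { echo "unexpected allow rules: $extra"; return 1; }
    return 0
}

# Constructed sample of the 'ufw status' output shown in Step 3.
sample=$(mktemp)
cat >"$sample" <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
EOF
ufw_only_ssh "$sample" && echo "ufw: active, only OpenSSH allowed"

# Constructed home directory laid out the way Step 2 leaves it.
home=$(mktemp -d)
mkdir -m 700 "$home/.ssh"
touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
check_ssh_perms "$home" && echo "ssh: .ssh is 700, authorized_keys is 600"
rm -rf "$home" "$sample"
```

On a real server, save the firewall output with sudo ufw status > /tmp/ufw.txt and pass that file and the user's home directory to the two functions.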
Commands only
adduser hideo
usermod -aG sudo hideo
su - hideo
mkdir ~/.ssh && chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys
vim ~/.ssh/authorized_keys (and add your ssh key)
sudo ufw app list
sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status
sudo apt update
sudo apt upgrade -u
sudo reboot