First steps to securing Ubuntu Server 18.04 on Digital Ocean

When you need to set up a new Linux server on one of the popular VPS providers, the first steps are often similar. A big reason I have a blog is so I can copy/paste common tasks I need to do more than once. So, below are the first few steps I take when setting up a new Ubuntu 18.04 server on Digital Ocean.

Step 1: Create new server, add ssh key

While the directions will vary between VPS providers, the first step is to provision a new server and then configure it to accept SSH keys. This is superior to having the root password sent to you over email; however, if that does happen, as long as you log in quickly and change the password, I think the risk is fairly low.

Step 2: Setup a standard user

Log in to your server as root, change the password if it was sent over email, configure a standard user with sudo access, and then remove the ability for the root user to log in over the network. Make sure you know the IP address of your newly created server, which you can get from the VPS provider's website. Then ssh into the server with ssh root@ip and do the following:

Add a new user (as root)

$ adduser hideo

Add the user to the superuser (sudo) group

$ usermod -aG sudo hideo

Switch to the new user

$ su - hideo

Create directory to hold ssh file

$ mkdir ~/.ssh && chmod 700 ~/.ssh

Create the authorized keys file and set permissions:

$ touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys

Then, with your preferred editor, add your public key to your authorized_keys file, e.g. vim ~/.ssh/authorized_keys

While you are still logged in as root, open a new terminal session and try to ssh to your server with your standard user, e.g. ssh hideo@ip. Then make sure you can access root privileges with sudo -s. Keep the root session open until both work; it is your way back in if the key or sudo setup is wrong. If all is working as expected, go ahead and log out of your original root session.
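The commands above create the user and install the key, but the last part of this step, stopping root from logging in over the network, still has to be done in /etc/ssh/sshd_config. The script below is an added example and not code from the original post: it installs the public key with the same 700/600 permissions as above, refusing a malformed key line, and then sets PermitRootLogin no, PubkeyAuthentication yes and PasswordAuthentication no, replacing commented-out defaults and keeping the settings ahead of any Match block. The sample sshd_config, the key line and the list of accepted key types are constructed for the example; the paths are parameters so the dry run at the bottom only touches a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original post: finish Step 2 without
# hand-editing files. Installs the public key with the post's permissions, then
# makes the sshd change the step describes but never shows: no root logins over
# the network, and keys only. Paths are parameters so everything below runs on
# temporary files, never on the live ~/.ssh or /etc/ssh/sshd_config.
set -eu

# Accept only a plausible OpenSSH public key line: one of the listed key types
# (an assumption about which types you use), a base64 blob, optional comment.
valid_pubkey() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Append key $1 to $2 (default ~/.ssh/authorized_keys) with 700 on the directory
# and 600 on the file, as in the post; refuse malformed keys, skip duplicates.
install_pubkey() {
    ipk_key="$1"; ipk_file="${2:-$HOME/.ssh/authorized_keys}"
    valid_pubkey "$ipk_key" || { echo "refusing malformed key line" >&2; return 1; }
    mkdir -p "$(dirname "$ipk_file")" && chmod 700 "$(dirname "$ipk_file")"
    touch "$ipk_file" && chmod 600 "$ipk_file"
    grep -qxF "$ipk_key" "$ipk_file" || printf '%s\n' "$ipk_key" >> "$ipk_file"
}

# Set "key value" in sshd_config-style file $1: the first global occurrence of
# $2 (even a commented-out one) is replaced, later duplicates are dropped, and a
# missing key is inserted before the first Match block, because settings that
# follow "Match" only apply inside that block.
set_sshd_option() {
    sso_file="$1"; sso_tmp="$(mktemp)"
    awk -v key="$2" -v value="$3" '
        BEGIN { lkey = tolower(key) }
        {
            is_comment = ($0 ~ /^[ \t]*#/)
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # strip indent and a leading "#"
            split(line, f, /[ \t=]+/)
            k = tolower(f[1])
            if (!is_comment && k == "match") {      # globals must come before Match
                if (!done) { print key, value; done = 1 }
                in_match = 1
            }
            if (!in_match && k == lkey) {
                if (!done) { print key, value; done = 1 }
                next                                # drop the stale or duplicate line
            }
            print
        }
        END { if (!done) print key, value }
    ' "$sso_file" > "$sso_tmp" && mv "$sso_tmp" "$sso_file"
}

harden_sshd_config() {
    hsc_file="${1:-/etc/ssh/sshd_config}"
    set_sshd_option "$hsc_file" PermitRootLogin no         # the lockout Step 2 promises
    set_sshd_option "$hsc_file" PubkeyAuthentication yes
    set_sshd_option "$hsc_file" PasswordAuthentication no  # only once a key login works
}

# Effective value of option $2 in $1: the first uncommented line, as sshd reads it.
sshd_option() {
    awk -v key="$2" '$0 !~ /^[ \t]*#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Constructed sample in the shape of the stock 18.04 file (not copied from a host).
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config sample
Port 22
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
EOF
}

# Constructed key line for the dry run; the blob is not a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKeyBlob00000000000000000 hideo@laptop'

# Dry run on a scratch directory. On the server, call install_pubkey and
# harden_sshd_config with the real paths, then `sshd -t` and `systemctl reload ssh`.
work="$(mktemp -d)"
make_sample_config "$work/sshd_config"
install_pubkey "$SAMPLE_KEY" "$work/.ssh/authorized_keys"
harden_sshd_config "$work/sshd_config"
printf 'PermitRootLogin=%s PasswordAuthentication=%s\n' \
    "$(sshd_option "$work/sshd_config" PermitRootLogin)" \
    "$(sshd_option "$work/sshd_config" PasswordAuthentication)"
rm -rf "$work"
```

Run the real thing as your new sudo user, in a second terminal, while the root session stays open. `sshd -t` validates the edited file before `systemctl reload ssh` picks it up; the reload does not drop sessions that are already established, so open a fresh `ssh hideo@ip` and confirm it works before you close anything. Leave PasswordAuthentication alone until a key login has succeeded, or a typo in authorized_keys locks you out.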

Step 3: Enable a firewall, allow ssh

Next, it’s time to set up a firewall with a default deny policy and only allow ssh (until you need other services):

See what ufw application profiles are available

$ sudo ufw app list
Available applications:
  OpenSSH

Allow ssh

$ sudo ufw allow OpenSSH
Rules updated
Rules updated (v6)

Enable the firewall

$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

Check status to make sure active and enforcing

$ sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)

Step 4: Apply Ubuntu updates

Finally, it’s time to apply any server updates so everything is at the latest version and, most importantly, you have the latest security patches.

Update your package source

$ sudo apt update

Upgrade with available updates

$ sudo apt upgrade -u

And finally reboot (for good measure, especially if the kernel was updated)

$ sudo reboot 

You should now be ready to use your VPS or add more security layers such as fail2ban, log monitoring and more!

Commands only

adduser hideo
usermod -aG sudo hideo
su - hideo
mkdir ~/.ssh && chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys
vim ~/.ssh/authorized_keys (and add your ssh key)
sudo ufw app list
sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status
sudo apt update
sudo apt upgrade -u
sudo reboot

About Andrew Hoog
I like to tinker in mobile forensics, security, tools development and nodejs. I’m an author, inventor, expert witness and co-founder of NowSecure.