Thursday, September 24, 2015

12 Things to do after starting your DigitalOcean VPS

Recently I helped one of my clients set up a VPS on DigitalOcean (DO). The price is very competitive (the cheapest plan is $5 per month) and they offer SSD storage. I highly recommend giving it a try if you are looking for virtual hosting.

A VPS is really just a server running somewhere else. Once you subscribe to a plan and boot the OS, it is your responsibility to maintain the system.

The steps below harden the server once it is deployed (we are using Ubuntu 14.04 here). The objective is to lock the server down so that it can only be reached over SSH, and only from a client holding the private key generated in step 1: no password logins, no direct root logins, and no open ports other than the ones you choose.

1. Set up an SSH key on a Linux client at home or in the office. Assume the client has a user "user1". Give the key a passphrase: the passphrase is what protects the private key file if the client is ever lost or compromised, and ssh-agent means you only type it once per session. 2048-bit RSA is the minimum you should use; -b 4096 (or -t ed25519, supported since OpenSSH 6.5) is a stronger choice.

$ ssh-keygen  -b 2048 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user1/.ssh/id_rsa):
Created directory '/home/user1/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user1/.ssh/id_rsa.
Your public key has been saved in /home/user1/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:LM1rjFVAjo5Q/8kMkcBxH8UcXdH23n5RijI8EQcH45Q user1@client1
The key's randomart image is:
+---[RSA 2048]----+
|   .+ooo++B*..oo |
|   ..o.= =Eoo   o|
|  .   + o oo   ..|
|   . o O o.     o|
|    . o S. . . oo|
|       = .= . ..o|
|      . +  +   ..|
|       .        o|
|                .|
+----[SHA256]-----+

2. Log in to the DigitalOcean control panel, open the console and log in as root.
3. Create a user "user1" on the server (-m creates the home directory):
useradd -m user1
4. Copy the contents of /home/user1/.ssh/id_rsa.pub generated in step 1 into /home/user1/.ssh/authorized_keys on the server. The public key is a single line; if it wraps when you paste it into the console, sshd will not parse it. Create /home/user1/.ssh first if it does not exist.
5. Fix permissions and ownership. sshd refuses keys in a directory or file that is writable by anyone but the owner (StrictModes, on by default), and since root created these files they must be handed over to user1:
chmod 700 /home/user1/.ssh; chmod 600 /home/user1/.ssh/authorized_keys
chown -R user1:user1 /home/user1/.ssh
6. Now you should be able to ssh from the client. Port 22 is the well-known SSH port and is what every scanner and brute-forcer on the internet tries first, so moving sshd to another port cuts the noise in /var/log/auth.log. It is not a security control on its own: a port scan finds the new port in seconds. What actually enforces key-only access is turning off password authentication (PasswordAuthentication no) and root login over SSH (PermitRootLogin no), in the same file.
7. Edit /etc/ssh/sshd_config. Change the service port to another number (eg 2222), and set PermitRootLogin no and PasswordAuthentication no while you are there. Check the file with sshd -t and restart sshd (service ssh restart on 14.04). Keep the DO console session open until step 12 has confirmed that you can still log in on the new port.
#Port 22
Port 2222
8. Set up sudo. Grant user1 the right to run sudo: run visudo and add the line for user1 under the root entry. (On Ubuntu, adding the user to the sudo group with usermod -aG sudo user1 is equivalent, since the stock sudoers already grants that group the same rule.)
# User privilege specification
root    ALL=(ALL:ALL) ALL
user1 ALL=(ALL:ALL) ALL
9. Test sudo for user1. sudo prompts for the user's own password, so user1 needs one even though SSH logins will use the key:
passwd user1
su - user1
sudo su -

If sudo works, lock the root account's password:
passwd -l root
This only locks the password. It does not stop root from logging in over SSH with a key (if you selected a key when creating the droplet, DigitalOcean put it in /root/.ssh/authorized_keys), which is why PermitRootLogin no in step 7 is needed as well.
10. Install ufw (Uncomplicated Firewall). It is already present on a stock Ubuntu image, in which case this is a no-op:
# apt-get install ufw
11. Set up the firewall. Write the rules before enabling it: ufw's default incoming policy is deny, so enabling it with no allow rule would cut off any SSH session, and after step 7 new connections arrive on 2222, not 22.
# Default deny all incoming connections
ufw default deny incoming
# Then allow ssh on port 2222
ufw allow 2222/tcp
# If it is a web server then open port 80
ufw allow 80/tcp
# Only now turn it on
ufw enable
# Check the status
ufw status
Status: active

To                         Action      From
--                         ------      ----
2222/tcp                   ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
2222/tcp (v6)              ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)

12. Test ssh from the client, with the console still open in case something is wrong:
ssh user1@server -p 2222
Also confirm that password authentication is really off: ssh -o PubkeyAuthentication=no user1@server -p 2222 should be refused with "Permission denied (publickey)" rather than prompting for a password.
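The sshd_config edits in step 7 are the part of this procedure that is easy to get subtly wrong: a second Port line, a directive left commented out, or a setting placed after a Match block where it only applies to that block. The script below is an added example, not part of the original post, that builds the hardened config on a copy and checks the result before anything is installed. It assumes POSIX sh and awk; the function names and the sample sshd_config are the editor's own, and the sample is a constructed file in the shape of a stock Ubuntu 14.04 config, not a capture from a real server.

```shell
#!/bin/sh
# Added example (not from the original post): build a hardened sshd_config
# on a copy, then verify it, before touching /etc/ssh/sshd_config.
# Assumes POSIX sh and awk. Function names and the sample config are assumed.

# set_sshd_option KEY VALUE   (config on stdin, result on stdout)
# Sets "KEY VALUE" exactly once: the first active or commented-out line for
# KEY is replaced, later duplicates are dropped, and if KEY is absent it is
# inserted before the first "Match" block (sshd uses the first value it sees,
# and anything after a Match line only applies inside that block).
set_sshd_option() {
    awk -v key="$1" -v val="$2" '
        BEGIN { re = "^[ \t]*#?[ \t]*" tolower(key) "([ \t]|$)" }
        tolower($0) ~ re && !done { print key " " val; done = 1; next }
        tolower($0) ~ re           { next }
        tolower($0) ~ /^[ \t]*match([ \t]|$)/ && !done { print key " " val; done = 1 }
        { print }
        END { if (!done) print key " " val }
    '
}

# sshd_effective_value FILE KEY -> the value sshd would use (first active line)
sshd_effective_value() {
    awk -v key="$2" '
        $0 !~ /^[ \t]*#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# harden_sshd_config IN OUT [PORT]
# Moves sshd to PORT (default 2222) and makes it key-only: no root login,
# no password authentication, no keyboard-interactive fallback.
harden_sshd_config() {
    set_sshd_option Port "${3:-2222}" < "$1" \
      | set_sshd_option PermitRootLogin no \
      | set_sshd_option PasswordAuthentication no \
      | set_sshd_option ChallengeResponseAuthentication no \
      | set_sshd_option PubkeyAuthentication yes > "$2"
}

# check_hardened FILE -> exit 0 only if the config is off port 22, key-only
# and root-login-free. Unset directives are treated as their OpenSSH 6.x
# defaults (Port 22, PasswordAuthentication yes, PermitRootLogin yes).
check_hardened() {
    port=$(sshd_effective_value "$1" Port);                 : "${port:=22}"
    pw=$(sshd_effective_value "$1" PasswordAuthentication); : "${pw:=yes}"
    root=$(sshd_effective_value "$1" PermitRootLogin);      : "${root:=yes}"
    [ "$port" != 22 ] && [ "$pw" = no ] && [ "$root" = no ]
}

# write_sample_config FILE: a constructed config in the shape of a stock
# Ubuntu 14.04 sshd_config (not a capture from a real server).
write_sample_config() {
    cat > "$1" <<'EOF'
# Package generated configuration file
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
PermitRootLogin without-password
PubkeyAuthentication yes
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
}

# Stand-alone demo: harden the sample and print the result.
demo() {
    dir=$(mktemp -d)
    write_sample_config "$dir/sshd_config"
    harden_sshd_config "$dir/sshd_config" "$dir/sshd_config.new" 2222
    cat "$dir/sshd_config.new"
    check_hardened "$dir/sshd_config.new" && echo "hardened: yes"
    rm -rf "$dir"
}
[ "${1:-}" = demo ] && demo
```

On a real server you would run harden_sshd_config /etc/ssh/sshd_config /tmp/sshd_config.new 2222, inspect the output, validate it with sshd -t -f /tmp/sshd_config.new, and only then copy it over the live file and restart sshd, with the DO console still open. The check_hardened function is the same test step 12 performs by hand, applied to the file instead of the running service.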

DONE
