Introduction
How do you get a Ubuntu server configured using the DigitalOcean cloud service?
In this article, we will walk through the steps to get a new server on DigitalOcean configured with a new root user, SSH authentication, and a basic firewall. When you have finished this article, you'll have a server that's ready to deploy whatever application you plan on building.
Let's get started!
Table of Contents
- Signup or Login Into DigitalOcean Account
- Create New Droplet on DigitalOcean
- Log In to Server as Root
- Create a New User
- Give Your New User Root Privileges
- Add Public Key Authentication
- Disable Password Authentication
- Test Log In Using SSH Key
- Basic Firewall Set up
Signup or Login Into DigitalOcean Account
To start, you need to create an account on DigitalOcean or log in to your existing account.
For a FREE $100 CREDIT FOR 60 DAYS, use this link: https://m.do.co/c/ce20017d8588.
They will ask you for a credit card, but you can cancel anytime before the 30 days ends and not be charged.
Create a New Server Droplet on DigitalOcean
After logging in or successfully signing up for a new account, open the "Create" drop-down menu and click the "Droplets" link.
On the Create Droplets page, select the Ubuntu operating system. And choose the $5/month plan, which will give us plenty of computing power to start with.
There are a few more options on that page to fill out.
When it comes to the Authentication section, don't set up any SSH keys or create a one-time password. We'll handle that in the next sections.
When you're done selecting options, hit the Create Droplet button.
When the droplet is fully up and running, the control panel will display it's IP address.
Your server is now up and running!
In the next step, we'll start the configuration process.
Log In to Server as Root
To set up our server, you'll need both the IP address of the server and the private key (password) for the root user's account. After creating your droplet, DigitalOcean should have sent you an email with information about your server. You'll need that information for the next steps.
Sometimes their emails take a while to come through, so be patient if you haven't received it yet.
To log into your server, open a terminal (Ctrl+Alt+T for Linux) on your local machine. Once you have a terminal open, use the following command to SSH in as the root user:
ssh root@server_ip_address
Accept the warning about host authenticity, if it appears, and provide your root password (will be listed in the email from DigitalOcean). If it's your first time logging into the server with a password, you will also be asked to change the root password.
The root user in a Linux environment has very broad privileges and, for that reason, you are discouraged from using it regularly. This is because very destructive changes (even by accident) can be made while using it.
Therefore, in the next step we are going to create an alternative account with limited scope that will be used for daily work.
Create a New User
Logged in as root, we can create a new user account that will be used to log in from this point forward. You can create a new user with the following command:
adduser bob
You'll be asked some questions starting with the password. Choose a strong password and fill in any of the optional information after that. You can just hit ENTER repeatedly to skip the rest of the questions after that.
Give Your New User Root Privileges
You now have a new user account with regular account privileges. But you might occasionally need to do administrative tasks that require root privileges. So, instead of logging out of your normal user and logging back in as the root account, we can give the normal account the ability to run root privileged commands when you need to by adding sudo before each command.
To do this, add your new user to the sudo group. As root, run the following command to add your user to the sudo group:
usermod -aG sudo bob
Now your user can run commands with root privileges!
The next server setup steps help increase the security of your server. They are optional but highly recommended.
Add Public Key Authentication
By setting up public-key authentication for the new user, it will increase our server's security by requiring a private SSH key to login in.
Generate a Key Pair
If you don't already have an SSH key pair, which consists of a public and private key, you need to generate one. If you already have a key that you want to use, skip to the Copy the Public Key step.
To generate a new key pair, enter the following command at the terminal of your local machine:
ssh-keygen
You'll receive an output similar to the following:
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/yourusername/.ssh/id_rsa):
Press ENTER to accept the file name and path.
Next, you'll be prompted to enter a password to secure the newly created key with. You can either create a password or leave it blank. This generates a private key, id_rsa, and a public-key, id_rsa.pub, in the .ssh directory of your home directory.
Copy the Public Key
Now that you have the SSH key pair on our local machine, you need to copy our public key to the server.
Option 1: SSH-Copy-Id
If your local machine has the ssh-copy-id script installed, you can use it to install your public key to any user that you have login credentials for. If not, use Option 2 to install the key manually.
Still on your local machine, type the following command:
ssh-copy-id bob@server_ip_address
You will be asked for the user's password. Then, your public key will be added to the server user's .ssh/authorized_keys file. The corresponding private key can now be used to log into the server.
Option 2: Install the Key Manually
Assuming you generated an SSH key pair using the previous step, use the following command at the terminal of your local machine to print your public key (id_rsa.pub):
cat ~/.ssh/id_rsa.pub
This should print your public SSH key, which should look something like the following:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBGTO0tsVejssuaYR5R3Y/i73SppJAhme1dH7W2c47d4gOqB4izP0+fRLfvbz/tnXFz4iOP/H6eCV05hqUhF+KYRxt9Y8tVMrpDZR2l75o6+xSbUOMu6xN+uVF0T9XzKcxmzTmnV7Na5up3QM3DoSRYX/EP3utr2+zAqpJIfKPLdA74w7g56oYWI9blpnpzxkEd3edVJOivUkpZ4JoenWManvIaSdMTJXMy3MtlQhva+j9CgguyVbUkdzK9KKEuah+pFZvaugtebsU+bllPTB0nlXGIJk98Ie9ZtxuY3nCKneB+KjKiXrAvXUPCI9mWkYS/1rggpFmu3HbXBnWSUdf localuser@machine.local
Select the public key, and copy it to your clipboard.
To enable the use of SSH key to authenticate as the new remote user, you must add the public key to a special file in the user's home directory.
On the server, as the root user, enter the following command to temporarily switch to the new user:
su - bob
Now you will be in your new user's home directory.
Create a new directory called .ssh and restrict its permissions with the following commands:
mkdir ~/.ssh && chmod 700 ~/.ssh
Now open a file in .ssh called authorized_keys with a text editor. We will use nano to edit the file:
nano ~/.ssh/authorized_keys
Now insert your public key (which should be in your clipboard) by pasting it into the editor.
Hit CTRL-X to exit the file, then Y to save the changes that you made and ENTER to confirm the file name.
Now restrict the permissions of the authorized_keys file with this command:
chmod 600 ~/.ssh/authorized_keys
Type this command once to return to the root user:
exit
Now your public key is installed, and you can use SSH keys to log in as your user.
Disable Password Authentication
This step will only allow you to log into your server using the SSH key you just created. Only people who possess the private key that pairs with the public key that was installed will get into the server. This increases your server's security by disabling password-only authentication.
Only follow this step if you installed a public key in the last step. Otherwise, you'll lock yourself out of the server.
To disable password authentication, follow these steps:
As the root user or new sudo user on your server, open the SSH daemon configuration file using the following command:
sudo nano /etc/ssh/sshd_config
Find the line that says PasswordAuthentication and change its value to no. It should look like this after the change was made:
PasswordAuthentication no
Save and close the file using the method: CTRL-X, then Y, then ENTER).
To reload the SSH daemon and put our changes live, type the following command:
sudo systemctl reload sshd
Password authentication is now disabled. Now your server can only be accessed with SSH key authentication.
Test Log In Using SSH Key
On your local machine, log in to your server using the new account that we created. Use the following command:
ssh bob@server_ip_address
Once authentication is provided to the server, you will be logged in as your new user.
Basic Firewall Setup
Ubuntu servers can use the UFW firewall to ensure only connections to certain services are allowed. It's a simple process to set up a basic firewall and will improve your server's security.
You can see which applications are UFW currently allows by typing:
sudo ufw app list
This should output the following:
Available applications
OpenSSH
We need to make sure the firewall allows SSH connections so that we can log back in next time. To allow these types of connections, type the following command:
sudo ufw allow OpenSSH
And then enable the firewall:
sudo ufw enable
Press y and then ENTER to proceed. You can see that SSH connections are still allowed by typing:
sudo ufw status
That was the last step!
Conclusion
You now have a cloud server configured with DigitalOcean!
Good luck in your future coding endeavors!
Have any questions or comments about this article? You can contact me via email at nick@coderrocketfuel.com or on Twitter at @CoderRocketFuel.