Securing a Linux Droplet

A few simple best practices to make your Linux VMs deployed in the cloud more secure.

About this post

  • Created 2025-11-27

  • Linux, Security, DigitalOcean

Intro

Setting up a Linux Droplet on DigitalOcean is straightforward. However, as an IaaS offering, it also puts responsibility on you in terms of security. You are responsible for securing the VM to prevent attacks. In this tutorial, I'll outline my minimal approach to securing a Linux VM for development and learning. For production systems, even stricter security measures are required.

SSH Key

I won't cover how to set up an SSH key on DigitalOcean, but I personally use 1Password Developer to manage my SSH keys. It's very convenient and my keys are synced across all my devices. I never have to worry about backing them up. See the resources at the end of this article for how to get started with 1Password for SSH.

Update Your System

After your first successful SSH login, you should start by updating the package repository and upgrading the installed packages:

apt update && apt upgrade -y

Create a Non-Root User

Running everything as root is risky. Create a regular admin user and add it to the sudo group:

adduser username
usermod -aG sudo username

Setting up SSH for the new admin user

If you create a new non-root user, SSH key authentication won't work until you set up their ~/.ssh/authorized_keys properly.

Create the .ssh directory and set correct permissions

mkdir -p /home/username/.ssh
chmod 700 /home/username/.ssh

Copy your root authorized_keys

cp /root/.ssh/authorized_keys /home/username/.ssh/
chmod 600 /home/username/.ssh/authorized_keys
chown -R username:username /home/username/.ssh

Test login in a new session before disabling root access

ssh username@your_droplet_ip

Secure SSH

Now, since the new admin user can SSH into the Linux VM and is part of the sudo group, we can lock down root SSH access.

Edit SSH config

sudo nano /etc/ssh/sshd_config

Disable root login and password authentication

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

Restart SSH service

sudo systemctl restart ssh

Open another terminal session and try logging in as root. It shouldn't work anymore!
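
An added example (not part of the original post): a check that the three settings above are actually in effect, based on the effective configuration that sshd -T prints, since a drop-in file included from /etc/ssh/sshd_config.d/ can override edits made to sshd_config. The function name audit_sshd, the --live switch and the sample output are constructed for this illustration.

```shell
#!/bin/sh
# Added example: audit sshd's *effective* settings as printed by `sshd -T`.
# `sshd -T` prints lowercase keywords, one "keyword value" pair per line.

# The values this tutorial sets in /etc/ssh/sshd_config.
EXPECTED='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'

# Constructed sample (not captured from a real host): the effective config
# of a machine where a drop-in file has re-enabled password logins.
SAMPLE_DRIFTED='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes
x11forwarding yes'

# audit_sshd: read `sshd -T` output on stdin, print one line per expected
# directive, and return 0 only if every directive has the expected value.
audit_sshd() {
    dump=$(cat)
    rc=0
    while read -r key want; do
        # Value of the first line whose keyword matches exactly.
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" = "$want" ]; then
            echo "OK    $key $got"
        else
            echo "FAIL  $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# Demo on the constructed sample: reports FAIL for passwordauthentication.
printf '%s\n' "$SAMPLE_DRIFTED" | audit_sshd || echo "sample: hardening not in effect"

# On the Droplet, pass --live: validate syntax, then audit the real config.
if [ "${1:-}" = "--live" ]; then
    sudo sshd -t && sudo sshd -T | audit_sshd
fi
```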

Enable a Basic Firewall

DigitalOcean Droplets usually come with ufw pre-installed, but you can also install the package manually:

sudo apt install ufw

Reset ufw

This removes all rules, disables UFW, and restores the defaults. You'll see a warning that all rules will be deleted. Confirm with y:

sudo ufw reset

Check Status

This should show Status: inactive with no rules:

sudo ufw status verbose

Block all inbound traffic

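This blocks all incoming connections except the ones you explicitly allow. Don't worry, you won't be kicked out of your current SSH session; ufw is smart enough. New SSH connections are blocked until you add the ssh rule in the next step, though, so keep the current session open until then: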

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable

Add only the rules you need

sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https

Could be useful