How I set up my Digital Ocean droplet

First of all, I am not a systems or infrastructure person. This post covers a simple setup and basic security hardening of an Ubuntu droplet. I used the Digital Ocean documentation and other blog posts as references while writing it.

Step 1: Create a new user

As you may be aware, a new Digital Ocean droplet comes with only the root user. Root is the administrative user in a Linux environment and has very broad privileges, so working as root day to day is highly discouraged: a single mistyped command or a compromised session has full control of the machine. You should create a normal user account instead. In this example I am going to create a new user called demo.

#adduser demo

You will be asked a few questions, including the password for the account.

Step 2: Root privileges

To avoid having to log out of our normal user and log back in as root, we can give the normal account root privileges, making it a sudoer (super user). This lets the user run individual commands with administrative privileges by putting the word sudo before each command, while everything else keeps running as the unprivileged user.

To grant these privileges, add the new user to the sudo group (you can confirm it worked with groups demo, which should list sudo).

#gpasswd -a demo sudo

Step 3: Add public key authentication

This step is optional but strongly recommended. Setting it up increases the security of your server by requiring the private half of an SSH key pair to log in, rather than a password that can be guessed or brute-forced.

Generate a key pair

If you do not already have an SSH key pair, generate one on your local computer first.

#ssh-keygen

You will be asked a couple of questions, including a passphrase for your private key. You may leave it blank or enter a passphrase. Entering a passphrase is recommended: the key file is then encrypted at rest, so a stolen copy of the file alone is not enough to log in.

This command generates a private key and a public key (the file with the .pub extension) in the .ssh directory under your home directory. Keep the private key safe and never share it with anyone; only the .pub file is copied to the server.

Copy the public key

After you have generated the key pair, copy the public key to the server:

#ssh-copy-id demo@SERVER_IP_ADDRESS

Now you can SSH in as the new user, authenticating with your private key instead of a password.

Step 4: Disable remote SSH access to root account

Once key login works for the new user, it is recommended to disable SSH access to the root account, so the one username every attacker already knows cannot be used to log in remotely.

  1. Open  /etc/ssh/sshd_config file using your favorite editor.
  2. Then find a line which looks like PermitRootLogin yes
  3. Modify it from yes to no.
  4. Save the file.

Restart the SSH service after the modification. It is worth running sshd -t first: it checks the file for syntax errors, and a broken sshd_config would otherwise stop sshd from coming back up and lock you out.

#service ssh restart

Step 5: Testing the changes

We need to test all the changes we made. Do this from a second terminal and keep your current session open until everything passes; if something is wrong, you can still fix it from the session that is already logged in.

  1. Make sure SSH access for the root account is now refused.
  2. Make sure you can log in using the new account you just created.
  3. Make sure you can issue sudo commands with that account.
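As an added example (this script is not part of the original post), here is a small POSIX shell script that applies the sshd_config changes from Steps 3 to 5 in one place. It rewrites each directive in place whether or not it was commented out, appends directives that are absent, and also turns off password logins, which the post leaves enabled; that last change is only safe after the key login from Step 3 has been tested. It assumes the Ubuntu path /etc/ssh/sshd_config, a file without Match blocks (directives inside a Match block would be rewritten too), and a script filename of harden-sshd.sh, all of which are assumptions of this example.

```shell
#!/bin/sh
# Added example: apply the sshd_config hardening from Steps 3-5 in one go.
# Assumes the Ubuntu path /etc/ssh/sshd_config and a config without Match
# blocks. Not the original post's code.

# set_sshd_option FILE KEY VALUE
# Rewrite every "KEY ..." line, commented out or not, as "KEY VALUE";
# append "KEY VALUE" if the file has no such line. Output goes through a
# temp file so a failed write never truncates the config, and the copy
# back keeps the original file's owner and mode.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$file"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*$key[[:space:]].*/$key $value/" "$file" > "$tmp" ||
            { rm -f "$tmp"; return 1; }
    else
        { cat "$file"
          [ -n "$(tail -c 1 "$file")" ] && echo   # add newline if file lacked one
          printf '%s %s\n' "$key" "$value"; } > "$tmp" ||
            { rm -f "$tmp"; return 1; }
    fi
    cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return "$status"
}

# harden_sshd FILE
# No root over SSH and key-only logins. PasswordAuthentication is turned
# off here as well: do this only after the key login from Step 3 works.
harden_sshd() {
    set_sshd_option "$1" PermitRootLogin no &&
    set_sshd_option "$1" PasswordAuthentication no &&
    set_sshd_option "$1" ChallengeResponseAuthentication no &&
    set_sshd_option "$1" PubkeyAuthentication yes
}

# sshd_option FILE KEY
# Print the value sshd would use: the first uncommented occurrence wins
# and later duplicates are ignored, so this is what to check, not grep.
sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_hardened FILE: succeed only if all four settings are in effect.
check_hardened() {
    [ "$(sshd_option "$1" PermitRootLogin)" = no ] &&
    [ "$(sshd_option "$1" PasswordAuthentication)" = no ] &&
    [ "$(sshd_option "$1" ChallengeResponseAuthentication)" = no ] &&
    [ "$(sshd_option "$1" PubkeyAuthentication)" = yes ]
}

# Run as "sudo sh harden-sshd.sh /etc/ssh/sshd_config" (filename assumed).
# Without arguments it only defines the functions so it can be sourced.
if [ $# -gt 0 ]; then
    cp "$1" "$1.bak" && harden_sshd "$1" && check_hardened "$1" &&
    echo "hardened $1 (backup in $1.bak); run 'sshd -t' before restarting sshd"
fi
```

Run it from the sudo-capable user of Step 2 with your current session kept open, then run sshd -t and restart the service as in Step 4; the Step 5 tests above verify the result. The script is idempotent, so re-running it after a package upgrade has reset the file is safe.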

Step 6: Configure time zones

From this step onwards, switch to the new user we just created instead of using the root account.

It is very important that the server operates in the correct time zone. Incident timelines are hard to build when the timestamps in your logs disagree with those of other systems.

#sudo dpkg-reconfigure tzdata

You will be presented with a menu system that allows you to select the geographic region followed by city.

Step 7: Configure NTP Synchronization

This keeps the server's clock in sync with public time servers. Correct time matters beyond log correlation: TLS certificate validity checks and many authentication protocols fail when the clock drifts.

#sudo apt-get update

#sudo apt-get install ntp

Step 8: Setting up a firewall

I use ufw, a front end for iptables meant to simplify things; it is installed by default on Ubuntu.

These are the ports I add to the firewall rules. Add the SSH rule first: if you enable the firewall without it, you lock yourself out of the droplet. If sshd listens on a port other than 22, allow that port instead of the ssh service name.

  1. #sudo ufw allow ssh
  2. #sudo ufw allow http
  3. #sudo ufw allow https
  4. #sudo ufw allow smtp

After adding the rules, enable the firewall with the command below. ufw's default policy denies incoming and allows outgoing connections, so only the ports above are reachable from outside; ufw status verbose shows the active rules and default policies so you can confirm this.

#sudo ufw enable

Step 9: Automated security updates

In a production environment you are not supposed to chase the latest versions, and you should not upgrade the server unless it is needed. Security patches are the exception: they very rarely create dependency problems at the application level, so they are worth installing automatically. This is how to automate security updates only.

#sudo apt-get install unattended-upgrades

#sudo vim /etc/apt/apt.conf.d/10periodic

Update this file to match this:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

Edit another file so that only the security pocket is upgraded automatically and normal updates are left alone.

#sudo vim /etc/apt/apt.conf.d/50unattended-upgrades

Make the file look like this. The origin must match your Ubuntu release: older guides hardcode the release codename (for example "Ubuntu lucid-security" for Ubuntu 10.04), while current versions of unattended-upgrades ship the file with variables that track the installed release, which is what you want:

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-updates";
};

You can check what would be installed without changing anything by running sudo unattended-upgrade --dry-run --debug.

You’re all set.

Step 10 (Optional): fail2ban and logwatch

This step is optional; it is up to you whether you want to install these.

fail2ban

fail2ban is a great package that actively blocks suspicious activity as it occurs. From their wiki: "Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc." It does this by adding rules to iptables.

We are just going to install it and leave the default settings, which protect SSH, as a base starting point. After installation, sudo fail2ban-client status lists the active jails, so you can confirm the SSH jail is running. Note that bans are per source IP and only slow down a brute-force attempt; key-only login from Step 3 is what actually defeats it.

#sudo apt-get install fail2ban

Logwatch

This is really more of a simple pleasure: a monitoring tool that helps you see what is going on after the fact. Logwatch parses your log files and, when configured, sends you a daily email with the information nicely summarised.

#sudo apt-get install logwatch

Add a daily cron job

#sudo vim /etc/cron.daily/00logwatch

Scripts in /etc/cron.daily only run if they are executable and start with an interpreter line, so make the file look like this and mark it executable (chmod +x):

#!/bin/sh
/usr/sbin/logwatch --output mail --mailto you@example.com --detail high

Delivery also needs a working mail transfer agent on the droplet; without one the report is generated but never leaves the server.

And you are set.

Final Step

I suggest creating an image snapshot of this droplet so you can create a new droplet from it any time you want. Remember that the snapshot freezes package versions, so run the security updates on any droplet created from an older image before exposing it.

I hope this makes your life easier when you set up a new droplet. Let me know if there are any improvements I can add to this post.
