After my server on DigitalOcean was attacked few times, I thought I should write an article about it. Do hope it is useful to you.

Step One — Root Login

 $ ssh root@your_server_ip

Step Two — Create a New User

 # adduser van

Step Three — Root Privileges

Set root privileges to new user.

 # usermod -aG sudo van

Step Four — Add Public Key Authentication (Recommended)

Generate a Key Pair

You need to generate a key pair on your local machine before putting it on the server.

 $ ssh-keygen
ssh-keygen output
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/localuser/.ssh/id_rsa):

You will be asked a few questions. It is recommended to leave the password field blank.

Copy the Public Key manually

On your local machine, type the command below will show your public key inside terminal.

 $ cat ~/.ssh/

Now copy it to the clipboard. contents
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBGTO0tsVejssuaYR5R3Y/i73SppJAhme1dH7W2c47d4gOqB4izP0+fRLfvbz/tnXFz4iOP/H6eCV05hqUhF+KYRxt9Y8tVMrpDZR2l75o6+xSbUOMu6xN+uVF0T9XzKcxmzTmnV7Na5up3QM3DoSRYX/EP3utr2+zAqpJIfKPLdA74w7g56oYWI9blpnpzxkEd3edVJOivUkpZ4JoenWManvIaSdMTJXMy3MtlQhva+j9CgguyVbUkdzK9KKEuah+pFZvaugtebsU+bllPTB0nlXGIJk98Ie9ZtxuY3nCKneB+KjKiXrAvXUPCI9mWkYS/1rggpFmu3HbXBnWSUdf localuser@machine.local

Next, connect to your server as root user. Then switch to your sudo user.

 # su - van

Create .ssh folder.

 $ mkdir ~/.ssh
 $ chmod 700 ~/.ssh

Create authorized_keys file.

 $ nano ~/.ssh/authorized_keys

When the authorized_keys file opened. Let’s paste your public key here. Then press Ctrl-o to save the file and Ctrl-x to close it.

It’s better to restrict access privileges of this file.

 $ chmod 600 ~/.ssh/authorized_keys

Exit sudo user.

 $ exit

Step Five — Disable Password Authentication (Recommended)

Let’s open sshd_config file.

 $ sudo nano /etc/ssh/sshd_config

To disable password authentication, you need to set no to PasswordAuthentication directive.

PasswordAuthentication no

Then to make sure, you should check these default settings are correct.

PubkeyAuthentication yes
AuthorizedKeyFile  .ssh/authorized_keys
ChallengeResponseAuthentication no

Apply update sshd_config.

 $ sudo systemctl reload sshd

Step Six — Test Log In

It’s time to check if everything is working nicely. Let’s connect to your server with the new sudo user.

 $ ssh van@your_server_ip
 $ sudo command_to_run

Step Seven — Set Up a Basic Firewall

 $ sudo ufw enable
 $ sudo ufw allow OpenSSH
 $ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)

Step Eight — Disable Root Login (Recommended)

To prevent server attack, it’s recommended to disable root login.

 $ sudo nano /etc/ssh/sshd_config

To disable root login, you just need to set no to PermitRootLogin directive.

PermitRootLogin no

What Next

These steps are the foundation of server setup. Now you can install any softwares on your new server.

To keep your server more secure, you could have a look at fail2ban solution or changing your ssh port. At the moment, I have just changed my ssh port. It works for now.

Happy coding!


Categories: Ubuntu