There are bad guys out to get you. Well, maybe they’re not targeting you specifically. Actually, they’re targeting every device with a public IP.
When you first spin up a droplet in DigitalOcean, the default configuration is to log in as root. Furthermore, there is no firewall configured. This default configuration leaves you vulnerable to bots that will scan and attempt to break into your server. With the below video, and the rest of this blog post, I’ll show you some basic steps you can take to secure your server.
Since this guide will be using DigitalOcean, you’ll need to sign up for an account with them. Ask your friends for a referral code and you’ll get some nice credit, or click this link to use my referral. Note: I get a small credit when you use my referral code.
This guide is intended for Ubuntu droplets. I will publish another article for securing CentOS droplets, and will update this post when I have done so.
DigitalOcean has this excellent guide, but I’m going to give you some steps to do it in a more automated fashion, using a user data script.
Spin up a droplet
First things first, let’s go to the DigitalOcean console and create a Droplet. Select the Ubuntu 18.04 LTS distribution. Go ahead and select the appropriate plan, datacenter, and other options.
Once you reach the Authentication section, stop. This is important. Do not use the “One-time password” option. Instead, select “SSH keys”. If you don’t already have an SSH key populated, click “New SSH Key” and paste in your public key. Don’t have one? Follow the instructions in the popup to create one.
Now, before you continue, check the User data checkbox and paste the below userdata script.
Notice at the top of the script two variables, USERNAME and PASSWORD. You’ll need to change both of those. Set USERNAME to the name of the user you’d like to log in with. Change PASSWORD to a salted hash of the password you’ll use to switch to sudo (you will not use this password to log in!).
To generate a password, you can use the openssl application. On Linux, type:
openssl passwd -6
This will generate a SHA-512 hashed password. Unfortunately, on macOS it’s more complicated to generate a SHA-512 hash. For macOS, we can use openssl to generate a less secure MD5 hash. This is okay since we only use it for sudo:
openssl passwd -1
If you’re using Windows, install openssl in your Linux subsystem on Windows.
Once you’re done with all that, go ahead and click the “Create Droplet” button.
Let’s break down the script. We’ve already discussed the USERNAME and PASSWORD variables, so let’s skip past those.
# Allow SSH and enable the firewall
ufw allow OpenSSH
ufw --force enable
This section uses the ufw, aka “Uncomplicated Firewall”, application to enable the firewall and allow OpenSSH connections. In this configuration, nothing else will be allowed through, and you’ll need to use ufw to allow ports for any applications you install.
Create the user
# Create the user, set shell to bash, and give sudo access
useradd -s /bin/bash -m -p $PASSWORD $USERNAME
usermod -aG sudo $USERNAME
In this section, we create our user. The -s option sets the user’s shell to /bin/bash, and the -p option accepts a hashed password for use. usermod is used to add the newly created user to the sudo group, meaning the user can use sudo and gain root privileges.
Authorize SSH key
# Copy the authorized_keys from root to the user, and set ownership
mkdir /home/$USERNAME/.ssh
cp /root/.ssh/authorized_keys /home/$USERNAME/.ssh
chown -R $USERNAME: /home/$USERNAME/.ssh
chmod 0700 /home/$USERNAME/.ssh
This section copies the authorized_keys file from root's home directory to the new user’s home directory. It then sets appropriate permissions. SSH is very strict about the ~/.ssh folder and requires it to be set such that only the user can access it.
Disallow root access
# Disallow root logins via SSH, and restart SSH
sed -i 's/^PermitRootLogin yes$/PermitRootLogin no/' /etc/ssh/sshd_config
systemctl restart ssh
Now that our new user can log in, we ensure that root can no longer log in via SSH.
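An added check, not part of the original user data script: the sed line above only rewrites a line that reads exactly PermitRootLogin yes, so if the directive is commented out or written differently the edit silently does nothing, and the key left in root's authorized_keys still works. The function names and sample configs below are constructed for illustration, and Match blocks and Include files are ignored.

```shell
#!/bin/sh
# Added example: confirm that the sed edit actually disabled root SSH login.
# Assumption: a single flat sshd_config (no Match blocks, no Include files).

# Print the effective PermitRootLogin value from an sshd_config-style file.
# sshd uses the first occurrence of a keyword; keywords are case-insensitive.
effective_root_login() {
    awk '
        /^[ \t]*#/ { next }                            # skip comment lines
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" }  # OpenSSH default when unset
    ' "$1"
}

# Succeed only if root login is fully disabled ("no").
root_login_disabled() {
    [ "$(effective_root_login "$1")" = "no" ]
}

# Apply the same sed edit as the user data script, then report the outcome.
harden_and_check() {
    sed -i 's/^PermitRootLogin yes$/PermitRootLogin no/' "$1"
    if root_login_disabled "$1"; then
        echo "OK"
    else
        echo "STILL-ALLOWED:$(effective_root_login "$1")"
    fi
}

# Constructed sample configs (not taken from a real droplet).
demo() {
    dir=$(mktemp -d)
    printf 'Port 22\nPermitRootLogin yes\n' > "$dir/a"                 # exact match
    printf 'Port 22\n#PermitRootLogin prohibit-password\n' > "$dir/b"  # commented out
    printf 'PermitRootLogin yes \n' > "$dir/c"                         # trailing space
    for f in a b c; do
        echo "$f: $(harden_and_check "$dir/$f")"
    done
    rm -rf "$dir"
}
demo
```

On a live droplet, sudo sshd -T | grep -i permitrootlogin shows the value sshd actually uses, including anything set in Match blocks or included files.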
Log in to the server
After a few minutes, your newly created droplet will be spun up and ready to go. Let’s make sure you can log in!
First, SSH as the user you created:
$ ssh [email protected]
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-66-generic x86_64)
....
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
[email protected]:~$
Now, let’s make sure you can sudo. Type sudo -i to get an interactive prompt, and type the password you hashed above.
Now, log out of the droplet completely, and make sure you cannot SSH in as root.
[email protected]:~# logout
[email protected]:~$ logout
Connection to 220.127.116.11 closed.
$ ssh [email protected]
[email protected]: Permission denied (publickey).
Success! You can sleep better at night knowing that your new droplet is a bit more secure than it was.