Building a Secure DigitalOcean Droplet (Ubuntu)


Keep the bad guys out of your server

There are bad guys out to get you. Well, maybe they’re not targeting you specifically. Actually, they’re targeting every device with a public IP.

When you first spin up a droplet in DigitalOcean, the default configuration is to log in as root. Furthermore, there is no firewall configured. This default configuration leaves you vulnerable to bots that will scan and attempt to break into your server. With the below video, and the rest of this blog post, I’ll show you some basic steps you can take to secure your server.

Since this guide will be using DigitalOcean, you’ll need to sign up for an account with them. Ask your friends for a referral code and you’ll get some nice credit, or click this link to use my referral. Note: I get a small credit when you use my referral code.

This guide is intended for Ubuntu droplets. I will publish another article for securing CentOS droplets, and will update this post when I have done so.

DigitalOcean has this excellent guide, but I’m going to give you some steps to do it in a more automated fashion, using a user data script.

Spin up a droplet

First things first, let’s go to the DigitalOcean console and create a Droplet. Select the Ubuntu 18.04 LTS distribution. Go ahead and select the appropriate plan, datacenter, and other options.

Once you reach the Authentication section, stop. This is important. Do not use the “One-time password” option. Instead, select “SSH keys”. If you don’t already have an SSH key populated, click “New SSH Key” and paste in your public key. Don’t have one? Follow the instructions in the popup to create one.

Now, before you continue, check the User data checkbox and paste the below userdata script.

Notice the two variables at the top of the script, USERNAME and PASSWORD. You’ll need to change both. Set USERNAME to the username you’d like to log in with. Set PASSWORD to a salted hash of the password you’ll use to switch to sudo (you will not use this password to log in!).

To generate the hash, you can use the openssl command. On Linux, type:

openssl passwd -6

This generates a SHA-512 hashed password. Unfortunately, on macOS it’s more complicated to generate a SHA-512 hash, so there we use openssl to generate a less secure MD5 hash instead. This is okay since we only use it for sudo:

openssl passwd -1

If you’re using Windows, install openssl inside the Windows Subsystem for Linux and run the same command there.
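As an added example (not code from the original post), the following bash functions generate the hash the script’s PASSWORD variable expects, check a candidate password against an existing hash by re-hashing it with the salt embedded in the hash, and print the two variable assignments with the single quotes the hash needs. It assumes an openssl that supports passwd -6 (OpenSSL 1.1.1 or newer); the MD5 form from the macOS instructions is handled the same way. The demo password and fixed salt are constructed for the illustration.

```shell
#!/bin/bash
# Added example (not part of the original post): generate the crypt(3)-style
# hash that the script's PASSWORD variable expects, and check a candidate
# password against an existing hash by re-hashing it with the embedded salt.
# Assumes an openssl that supports "passwd -6" (OpenSSL 1.1.1 or newer); the
# MD5 form ("$1$...") from the macOS instructions is handled the same way.

# make_hash PASSWORD [SALT]
# Prints a SHA-512 crypt hash ("$6$<salt>$<digest>"). Without SALT, openssl
# chooses a random salt, which is what you want for a real password. The
# password is fed on stdin so it never appears in the process list.
make_hash() {
    if [ -n "${2:-}" ]; then
        printf '%s\n' "$1" | openssl passwd -6 -salt "$2" -stdin
    else
        printf '%s\n' "$1" | openssl passwd -6 -stdin
    fi
}

# verify_hash PASSWORD HASH
# Returns 0 when PASSWORD hashes to HASH. The hash format is
# $<id>$<salt>$<digest>, where id 6 means SHA-512 and id 1 means MD5.
verify_hash() {
    local password=$1 hash=$2 id salt flag candidate
    id=$(printf '%s' "$hash" | cut -d'$' -f2)
    salt=$(printf '%s' "$hash" | cut -d'$' -f3)
    case $id in
        6) flag=-6 ;;
        1) flag=-1 ;;
        *) echo "unsupported hash id: $id" >&2; return 2 ;;
    esac
    candidate=$(printf '%s\n' "$password" | openssl passwd "$flag" -salt "$salt" -stdin)
    [ "$candidate" = "$hash" ]
}

# userdata_vars USERNAME HASH
# Prints the two assignments for the top of the user data script. The hash is
# single-quoted on purpose: it contains "$", which the shell would otherwise
# try to expand.
userdata_vars() {
    printf "USERNAME='%s'\nPASSWORD='%s'\n" "$1" "$2"
}

# mangled_by_double_quotes HASH
# Shows what goes wrong if the hash is pasted inside double quotes: "$6" is
# read as positional parameter 6 and "$<salt>" as a variable, both empty, so
# the stored hash is silently corrupted and sudo will never accept the password.
mangled_by_double_quotes() {
    eval "printf '%s' \"$1\""
}

# Run "bash hash-demo.sh demo" to see the functions in action (constructed values).
if [ "${1:-}" = demo ]; then
    h=$(make_hash 'constructed-demo-password')
    userdata_vars alice "$h"
    verify_hash 'constructed-demo-password' "$h" && echo "hash verifies"
    echo "double-quoted version would become: $(mangled_by_double_quotes "$h")"
fi
```

Run make_hash once without a salt for the real password, paste the output of userdata_vars into the top of the user data script, and keep verify_hash around for checking that the hash you pasted really corresponds to the password you intend to type at the sudo prompt.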

Once you’re done with all that, go ahead and click the “Create Droplet” button.

The script

Let’s break down the script. We’ve already discussed the USERNAME and PASSWORD variables, so let’s skip past those.

Firewall

# Allow SSH and enable the firewall
ufw allow OpenSSH
ufw --force enable

This section uses ufw, aka “Uncomplicated Firewall”, to enable the firewall and allow OpenSSH connections. With this configuration nothing else is allowed through, so you’ll need to use ufw to open ports for any applications you install.

Create the user

# Create the user, set shell to bash, and give sudo access
useradd -s /bin/bash -m -p "$PASSWORD" "$USERNAME"
usermod -aG sudo "$USERNAME"

In this section, we create our user. The -s option sets the user’s shell to /bin/bash, the -m option creates the user’s home directory, and the -p option accepts the hashed password generated above.

usermod is used to add the newly created user to the sudo group, meaning the user can use sudo and gain root privileges.

Authorize SSH key

# Copy the authorized_keys from root to the user, and set ownership
mkdir "/home/$USERNAME/.ssh"
cp /root/.ssh/authorized_keys "/home/$USERNAME/.ssh"
chown -R "$USERNAME:" "/home/$USERNAME/.ssh"
chmod 0700 "/home/$USERNAME/.ssh"

This section copies the authorized_keys file from root’s home directory to the new user’s home directory, then sets the ownership and permissions. SSH is very strict about the ~/.ssh folder and requires that only the user can access it.

Disallow root access

# Disallow root logins via SSH, and restart SSH
sed -i 's/^PermitRootLogin yes$/PermitRootLogin no/' /etc/ssh/sshd_config
systemctl restart ssh

Now that our new user can log in, we ensure that root can no longer log in via SSH.
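The sed above matches the “PermitRootLogin yes” line that DigitalOcean’s image ships. As an added example (not code from the original post), the following bash functions do the same step in an idempotent way that also copes with a config where the directive is commented out (“#PermitRootLogin prohibit-password”, the stock Ubuntu default) or absent, confirm the effective value afterwards, and check the syntax with sshd -t before restarting the service. They assume GNU sed and a config without Match blocks, which is true of the stock file; the sample config lines in the usage note are constructed.

```shell
#!/bin/bash
# Added example (not part of the original post): an idempotent form of the
# "Disallow root access" step. The post's sed matches the "PermitRootLogin yes"
# line DigitalOcean's image ships; this version also handles a config where the
# directive is commented out ("#PermitRootLogin prohibit-password", the stock
# Ubuntu default) or absent, and verifies the result before restarting sshd.
# Assumes GNU sed and a config without Match blocks (the stock file has none).
set -u

# set_sshd_option FILE KEY VALUE
# Rewrite every active or commented "KEY ..." line as "KEY VALUE"; append the
# directive when no such line exists.
set_sshd_option() {
    local file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*${key}[[:space:]].*/${key} ${value}/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# effective_value FILE KEY
# Print the value sshd would use: the first uncommented occurrence wins, and
# "default" means the directive is not set at all. (sshd matches keywords
# case-insensitively; this helper assumes the canonical spelling.)
effective_value() {
    local file=$1 key=$2
    awk -v k="$key" '$1 == k { print $2; found = 1; exit }
                     END { if (!found) print "default" }' "$file"
}

# disable_root_ssh_login [FILE]
# Set PermitRootLogin no, confirm it took effect, then (only for the live
# config) check the syntax with sshd -t before restarting the service.
disable_root_ssh_login() {
    local file=${1:-/etc/ssh/sshd_config}
    set_sshd_option "$file" PermitRootLogin no
    [ "$(effective_value "$file" PermitRootLogin)" = no ] || return 1
    if [ "$file" = /etc/ssh/sshd_config ] && command -v sshd >/dev/null 2>&1; then
        sshd -t && systemctl restart ssh
    fi
}

# Run "bash harden-sshd.sh apply" as root on the droplet to edit the live config.
if [ "${1:-}" = apply ]; then
    disable_root_ssh_login
fi
```

set_sshd_option is generic, so the same helper serves any other sshd_config directive you decide to pin later. Pointing disable_root_ssh_login at a copy of the file (for instance a constructed two-line file containing “Port 22” and “#PermitRootLogin prohibit-password”) lets you see the rewrite without touching the live config.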

Login to the server

After a few minutes, your newly created droplet will be spun up and ready to go. Let’s make sure you can log in!

First, SSH as the user you created:

$ ssh user@161.35.11.36
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-66-generic x86_64)

....

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

user@161.35.11.36:~$

Now, let’s make sure you can sudo. Type sudo -i to get an interactive prompt, and type the password you hashed above.

user@161.35.11.36:~$ sudo -i
[sudo] password for user:
root@161.35.11.36:~#

Now, log out of the droplet completely, and make sure you cannot SSH in as root.

root@161.35.11.36:~# logout
user@161.35.11.36:~$ logout
Connection to 161.35.11.36 closed.
$ ssh root@161.35.11.36
root@161.35.11.36: Permission denied (publickey).

Success! You can sleep better at night knowing that your new droplet is a bit more secure than it was.
