DigitalOcean Droplet Initial Setup

DigitalOcean is an amazing tool for building cloud infrastructure very quickly. Click a few buttons to select and size your droplet and sixty seconds later you’re logging in to a fresh cloud server ready to start building something. This is especially nice if you just want to try something out. Simply spin up a droplet, do your test, and then throw the whole thing away when you’re done.

I’ve been setting up a number of things on DigitalOcean as of late–some for production and some for testing. While the task of creating a new droplet is trivial, I find myself doing the same initial configuration over and over again. None of this is rocket science, but I wanted to have a list of commands I could easily reference and copy/paste into a new droplet bringing it up to a solid starting point.

Customize this Guide

There are a few portions of this guide that you will probably want to customize. If you modify those values here, you will then be able to copy/run the commands without the need for modification.

Server IP Address:

Non-root Username:

Create the Droplet

Go through the droplet creation wizard to build your server. I’ll use the stock Ubuntu image provided by DigitalOcean and I use SSH keys for authentication. Once the droplet is created, connect with ssh.

ssh root@

Bring the Droplet Up-to-Date

Start off by making sure you have the latest and greatest software.

apt-get update && apt-get -y dist-upgrade

Add Some Swap (optional)

If you will need swap space, these commands will create a 1GB swap file and set it up to be mounted at boot.

fallocate -l 1G /swapfile
chmod 600 /swapfile          # swap must not be readable by other users
mkswap /swapfile
swapon /swapfile             # activate it now; the fstab entry only covers future boots
echo "/swapfile none swap sw 0 0" >> /etc/fstab
echo 10 | tee /proc/sys/vm/swappiness          # prefer RAM, swap only under pressure
echo vm.swappiness = 10 | tee -a /etc/sysctl.conf   # make the setting survive a reboot

Setup a Basic Firewall

Add basic firewall rules to:
– allow established connections
– allow loopback traffic
– allow incoming pings
– allow SSH traffic
– drop everything else
…and make these rules persistent.

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

If you’ll be running a webserver, you’ll probably want to allow ports 80 and 443 as well.

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Whether or not you added the web rules, finish with the catch-all DROP. It has to be the last rule in the INPUT chain: anything appended after it with -A never matches, so any port you open later must be inserted ahead of it with -I.

iptables -A INPUT -j DROP

Review the chain with iptables -L -n --line-numbers, then install iptables-persistent. The package install asks whether to save the current rules (to /etc/iptables/rules.v4 and rules.v6); answer yes so they are reloaded at boot. Everything above is IPv4 only: if the droplet has an IPv6 address, add the equivalent rules with ip6tables, otherwise that address stays wide open.

apt-get install -y iptables-persistent
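The same policy rendered as an iptables-restore file, which is the format iptables-persistent reads from /etc/iptables/rules.v4. This is an added example, not from the original post; it assumes port 22 is always wanted and that extra ports are passed as arguments. Writing the whole ruleset at once keeps the DROP rule last by construction, and the check function refuses a file that would lock you out.

```shell
#!/bin/sh
# Render the post's INPUT policy as an iptables-restore file.
# Usage: gen_rules_v4 [extra_tcp_port ...]   (22 is always included)
gen_rules_v4() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'                                  # loopback
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'       # pings
    for port in 22 "$@"; do                                                   # SSH + extras
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j DROP'                                          # always last
    printf '%s\n' 'COMMIT'
}

# Sanity-check a rules file before loading it: the final INPUT rule must be
# the DROP, and SSH must be accepted, or the next iptables-restore locks you out.
# Returns 0 when safe, 1 when DROP is not last, 2 when port 22 is missing.
check_rules_v4() {
    file=$1
    last=$(grep -- '^-A INPUT' "$file" | tail -n 1)
    [ "$last" = "-A INPUT -j DROP" ] || return 1
    grep -q -- '^-A INPUT -p tcp --dport 22 -j ACCEPT' "$file" || return 2
    return 0
}

# On the droplet, as root (hypothetical usage of the two helpers above):
#   gen_rules_v4 80 443 > /etc/iptables/rules.v4
#   check_rules_v4 /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
```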

Add Miscellaneous Packages

Add any packages you want in your base system. ‘haveged’ helps with random number generation in a cloud server environment.

apt-get install -y haveged

Create a Non-Root User

Now we’ll create a non-root account that will be used with sudo from here on out. Since the SSH key that I’m using for the root account during this initial configuration is the same key I’ll be using for the non-root user, I’ll just copy it over and then remove it from the root account.

adduser --disabled-password --gecos "" 
adduser sudo

mkdir -p /home//.ssh/
cp -a /root/.ssh/authorized_keys /home//.ssh/
chown -R : /home//.ssh/
rm /root/.ssh/authorized_keys

passwd

Tighten Up SSH

Finally, we will make a few changes to SSH and reboot the droplet. Open the config and set the following options; edit the existing lines rather than adding duplicates, because sshd uses the first occurrence of each keyword.

nano /etc/ssh/sshd_config

PermitRootLogin no
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

Before rebooting, validate the file with sshd -t (it prints nothing on success) and, from a second terminal, confirm that you can log in as the non-root user with your key and run sudo. Once root login is disabled and the root key has been removed, a typo here means losing access to the droplet. Two notes: on newer OpenSSH releases ChallengeResponseAuthentication is an alias for KbdInteractiveAuthentication, and Ubuntu’s stock config keeps UsePAM yes for account and session processing, which is also a reasonable choice since password and challenge-response authentication are already off.

reboot

And now we should be able to connect as our non-root user.

ssh @

And that’s it! If you have any suggestions on how to improve this initial setup please comment below.
