How to Setup DigitalOcean Droplet Server

We are going to be setting up a fresh and secure DigitalOcean droplet server, using Ubuntu 20.04.

Prerequisites

  • Access to DigitalOcean for setting up a new project & droplet (~$5/mo)
  • Your own domain name that you can use to link with DigitalOcean

What we will be doing

  • Create a new Project
  • Create new Droplet
  • Link your domain name with DigitalOcean
  • > Update your own domain's nameservers
  • Secure the Server
  • > Login to the server via SSH
  • > Update and Upgrade
  • > Create a new user
  • > Disable root user
  • > Change Default UFW Firewall Port

Create a new Project

Login to digitalocean.com (thank you for using my referral link), and create a New Project from the top right.

Fill in the project information of your choice and hit Create Project.

Skip the second step unless you already use DigitalOcean and have resources you would like to move.

Create a new Droplet

Create: Droplet.

Choose an image: Ubuntu 21.04 x64

Choose a plan: Basic

CPU options: Regular Intel with SSD, $5/mo

Choose a datacenter region: (your choice, closer is better)

Authentication: Choose a temp password (we will change it later)

Finalize and create: 1 Droplet, choose a hostname (or use default)

Choose whether or not you wish to enable backups.

Create Droplet:


Update your own domain's nameservers

From wherever you bought your domain name, you will to setup the nameservers to point it towards DigitalOcean's. For example, on namecheap.com you go to your domain settings, and set the nameserver addresses:

ns1.digitalocean.com
ns2.digitalocean.com
ns3.digitalocean.com

Consult your domain name provider if you need help setting up custom nameservers.


Manage DNS on DigitalOcean: Select it on the bottom of your project page.

If for some reason you cannot find it, find Networking on the left menu and choose Domains

Add a domain: Your own domain name

Select your own domain name.

Create a new record: This is going to point to the default HTTP page we will get when we setup Nginx.

@ indicates we want to use the plain hostname for our default web server.

You can also enter a hostname if you intend to use a subdomain name.
If you enter * you will redirect all sub-domains to the default web-server.

If you open PowerShell or any commandline, and enter ping <yourdomain/ip>, you will hopefully get the IP address to the server. This means the domain name is ready to be used.

Note that it may take a little while before the new record works.
If your domain is completely new, it may take 12-48h.

Secure the Server

Login to the server via SSH

Open PowerShell, or any other command-line tool that has SSH capabilities.

SSH is used to connect to the server terminal so we can start working with it

SSH in to your server:

ssh root@yourdomain

Type "yes" to confirm that you wish to continue, and enter your password.

Your password is not visible while typing

Once you have succeeded logging in, you will be greeted by a warm message:

Update and Upgrade

sudo apt update -y
-y is to accept the update in advance (otherwise you have to manually enter for the updates)
sudo apt upgrade -y

This will ensure most of our software is up to date.

Upgrade Event: Daemons using outdated libraries

If you are getting a popup during the upgrade process asking you which services should be restarted; unless you know what you are doing, you should keep the default and select OK by pressing Enter.

Create a new user

We do not ever want a root account available to the outside world. We can remedy that security risk by creating a new user with sudo permissions, and disabling root.

"sudo permissions" is a fancy-pancy way of saying administrator privileges.

Add new user:

adduser <your-username>

Add the new user to the sudo group:

usermod -aG sudo <your-username>

Before we even think about disabling root, we want to ensure that our new user has the appropriate permissions to access root commands.

Login as the user:

su - <your-username>

Verify that you are in the sudo group:

groups

Verify that you can access a root folder:

sudo ls -al /root

If you did not receive any permission errors, we are good to go.

If you got any errors, share them with us!

Type exit to leave as the user and return as the root user.

exit

Disable root user

Now that we have ensured that we have a new user we can use to replace the "root" user, we want to disable the root user so no evil can be done with it.

Disable root user:

passwd -l root

Disconnect as the root user:

exit

SSH into your server again with your new username and password:

ssh <username>@<server>

Change Default UFW Firewall Port

NB: Make sure you complete this part, as we will be disabling the default SSH port when we activate UFW.
If you quit before re-enabling SSH you will no longer be able to SSH into the server.

We are going to be using the UFW firewall. Check the status, and enable it if it isn't already so.

sudo ufw status
sudo ufw enable

We currently do not have any open ports. We want to make sure we have SSH enabled, but we will do so for a different port. We are going to set the port to  13022, but you can choose any between 1024 and 65535. Remember this, as we will have to change the SSH configuration as well later.

sudo ufw allow 13022/tcp
We want to change the default. Using the default port 22 is a bad idea, as it is a common subject to hack attacks

Update SSH Configuration File

All that remains now is to set the port to 13022 in the SSH config.

Open sshd_config:

sudo nano /etc/ssh/sshd_config

Scroll down until you find #Port 22 and change it to Port 13022

Press CTRL+X to exit, and type Y and press enter to save.

/etc/ssh/sshd_config

Make sure you have the correct port in UFW:

sudo ufw status

If you have the same port 13022/TCP there, you are good to continue.


Restart SSHD, and exit:

sudo service sshd restart
exit

If you try to connect without specifying a port, you will now get timed out:

Let us connect by specifying the port number we changed it to, 13022:

ssh <username>@<domain> -p 13022

You are now done with the fundamental setup of a new DigitalOcean server, happy hacking!