In this tutorial we’ll be creating SSH keys to login to the VPS.
Find your password and IP in your email’s inbox after creating a droplet:
Write down the IP Address, Username, and Password
CREATE SSH KEYS
Skip this part if you just want to use the password provided by digitalocean (highly unrecommended).
Windows users should use Putty for SSH and Puttygen to create your keys. Follow this tutorial
Create the RSA Keys
ssh-keygen -t rsa -b 4096
When you’re prompted to “Enter a file which to save the key,” press Enter. This accepts the default file location.
Also a password is optional but not required.
Copy the Puplic Key
First login to your VPS using the password provided in the email and you’ll be asked to change it. Do that.
Once your password is changed type exit
Run this command to copy your key to the VPS
Disable password authentication for security reasons.
Edit this file
sudo nano /etc/ssh/sshd_config
Make sure this file has these two lines inside
PermitRootLogin without-password PasswordAuthentication no
sudo service ssh restart
CREATE A FIREWALL
We’ll allow port 80 for HTTP requests and port 22 for SSH.
By default there will be no rules set on your firewall but just for good measure run these commands
sudo iptables -P INPUT ACCEPT sudo iptables -P OUTPUT ACCEPT sudo iptables -F sudo iptables -L
You should see this outputed
Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
Now let’s add rules
We put this rule first because we want to make sure the connections already being used are matched, accepted, and pulled out of the chain before reaching any DROP rules.
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT 1 -i lo -j ACCEPT
Lastly block any connections that don’t match
sudo iptables -P INPUT DROP
In order to save these rules even on reboot we need iptables-persistent
sudo apt-get update sudo apt-get install iptables-persistent
You’ll be asked if you want to save the current rules. Yes Enter
fail2ban will ban anyone attempting to brute force the SSH login. Install it:
sudo apt-get install fail2ban -y
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Open jail.local and apply these rules
sudo nano /etc/fail2ban/jail.local
There are lots of bots that will attempt to brute force so increase the ban time
bantime = 3600
Save the file and restart fail2ban
sudo service fail2ban restart
Your VPS is ready to install a web server such as Nginx or Apache. You may stop here or follow the next tutorial that will install Nginx and serve a simple NodeJS web app.