Could you please help us to configure our DigitalOcean Droplet?
This is a recent support request that we received as a part of our Server Management Services.
When we create a Droplet, it is important to configure security and usability in a way that makes scaling and integration with other products simpler in the future.
Let us today discuss how our Support Engineers configure an initial Droplet.
How to configure an initial droplet in DigitalOcean?
DigitalOcean droplets are Linux-based virtual machines (VMs) that run on top of virtualized hardware. Each Droplet is a new server that we can use, either standalone or as part of a larger, cloud-based infrastructure.
The first step in configuring the Droplet is to connect to it, for example with a program like PuTTY. Once connected, the steps to perform are:
1. Create and Upload SSH Keys
2. Create and Configure the Droplet
3. Create a Cloud Firewall
Let us now look at each of these steps in detail.
Create and Upload SSH Keys
Because password-based authentication is less secure, the recommended setup uses SSH keys for authentication when logging in to Droplets.
We can create a key pair using OpenSSH, which is included on Linux, macOS, and Windows Subsystem for Linux:
ssh-keygen
The key pair is saved in the location prompted, which by default is ~/.ssh/ on Linux and /Users/your_username/.ssh on Windows and macOS. We then need to copy the contents of the public key, which is named id_rsa.pub by default.
Then, from the Account section, in the Security tab, find the SSH keys section. Click Add SSH Key to open the New SSH key window. Now paste the public key into the SSH key content field, give it a name, then click Add SSH Key.
Create and Configure the Droplet
To perform this from the control panel, click Create in the top right to open the create menu, then click Droplets to open the Droplet create page. Configure the new Droplet with the following options:
1. Under Choose an image, on the Distributions tab, choose the latest version of Ubuntu.
2. In VPC Network, choose the default VPC.
3. Under Select additional options, check the boxes for IPv6, monitoring, and user data. In the text box that opens, paste the following cloud-config script. Customize the USERNAME line to set the name of the sudo non-root user.
#!/bin/bash
set -euo pipefail
USERNAME=username # TODO: Customize the sudo non-root username here
# Create user and immediately expire password to force a change on login
useradd --create-home --shell "/bin/bash" --groups sudo "${USERNAME}"
passwd --delete "${USERNAME}"
chage --lastday 0 "${USERNAME}"
# Create SSH directory for sudo user and move keys over
home_directory="$(eval echo ~${USERNAME})"
mkdir --parents "${home_directory}/.ssh"
cp /root/.ssh/authorized_keys "${home_directory}/.ssh"
chmod 0700 "${home_directory}/.ssh"
chmod 0600 "${home_directory}/.ssh/authorized_keys"
chown --recursive "${USERNAME}":"${USERNAME}" "${home_directory}/.ssh"
# Disable root SSH login with password
sed --in-place 's/^PermitRootLogin.*/PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config
# Only restart sshd if the edited configuration is still valid
if sshd -t -q; then systemctl restart sshd; fi
4. In Authentication, select SSH keys, and choose one or more keys. These keys will give you access to the root user, and the user data script will add these keys to the sudo non-root user and disable password authentication.
5. For Add tags, create a tag that matches what you are using the Droplet for, like webserver. You will use this tag to apply cloud firewalls in the next step.
6. In Add backups, click Enable backups.
Once you’ve selected all of the options, click Create Droplet.
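Once the Droplet is up, the following added verification script (not DigitalOcean's or the original post's code) checks that the user-data script above left the server in the intended state: root cannot log in with a password, and the sudo user's key files have the right mode and owner. Paths are parameters so the functions can also be exercised against constructed fixture files; the verify_droplet wrapper and its USERNAME argument are assumptions for illustration.

```shell
#!/bin/bash
# Added verification script: checks the state the cloud-config script is meant
# to leave behind. Paths are parameters so the same functions run against a live
# Droplet (defaults) or against constructed fixture files.

# Effective value of an sshd_config directive. sshd uses the first uncommented
# occurrence; if the directive is absent, the caller-supplied default applies.
sshd_effective() {
    local config="$1" directive="$2" default="$3" value
    value=$(awk -v d="$directive" 'tolower($1) == tolower(d) { print $2; exit }' "$config")
    printf '%s\n' "${value:-$default}"
}

# Root must not be able to log in with a password. The sed in the user-data script
# only rewrites an uncommented PermitRootLogin line, so this also covers the case
# where the line is still commented out and OpenSSH's own default (prohibit-password)
# is what is in effect. Returns 0 when hardened.
check_root_login() {
    local config="${1:-/etc/ssh/sshd_config}"
    case "$(sshd_effective "$config" PermitRootLogin prohibit-password)" in
        prohibit-password|without-password|no) return 0 ;;
        *) return 1 ;;
    esac
}

# The user-data script does not touch PasswordAuthentication; this reports whether
# the image's own config already disables it (OpenSSH's built-in default is yes).
check_password_auth() {
    local config="${1:-/etc/ssh/sshd_config}"
    [ "$(sshd_effective "$config" PasswordAuthentication yes)" = "no" ]
}

# The sudo user's ~/.ssh must be 0700 and authorized_keys 0600 and non-empty,
# both owned by that user, as the chmod/chown lines in the script intend.
check_ssh_dir() {
    local sshdir="$1" owner="$2"
    [ "$(stat -c '%a %U' "$sshdir")" = "700 $owner" ] || return 1
    [ "$(stat -c '%a %U' "$sshdir/authorized_keys")" = "600 $owner" ] || return 1
    [ -s "$sshdir/authorized_keys" ]
}

# Run all checks for one user on a live Droplet (assumed wrapper; pass the
# USERNAME value that was set in the user-data script).
verify_droplet() {
    local user="$1" home
    home=$(eval echo "~$user")
    check_root_login && check_password_auth && check_ssh_dir "$home/.ssh" "$user"
}
```

Run it on the Droplet as root, e.g. `verify_droplet username && echo hardened`; a non-zero exit pinpoints which of the three checks failed when you call them individually.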
Create a Cloud Firewall
Firewalls help protect the server from external attacks. A DigitalOcean cloud firewall blocks all traffic that is not expressly permitted by a rule.
You can apply cloud firewalls to individual Droplets by name or to one or more Droplets by tag. When you add a tag to a cloud firewall, any Droplets with that tag are automatically included in the firewall configuration, including new Droplets that you tag during creation.
As a recommended starting point, the rules shown here restrict all inbound traffic except SSH connections to the Droplet on port 22, and allow all outbound traffic to any destination on any port.
In the long term, it is recommended to organize firewalls by role, so you can create custom firewalls for your specific use case.
To create a cloud firewall from the control panel, click Create in the top right to open the create menu, then click Cloud Firewalls to open the firewall create page. Configure the cloud firewall with the following options:
1. For Name, enter inbound-ssh-only.
2. In Inbound Rules, leave the single default rule for SSH.
3. For Outbound Rules, keep the default rules, which permit all traffic to any destination on any port.
4. In Apply to Droplets, add the tag you created with the new Droplet. When you create additional Droplets, adding the same tag to them will automatically add them to this cloud firewall as well, simplifying scaling in the future.
Once you’ve selected all of the options, click Create Firewall.
Configuring additional Droplets
To create additional Droplets with the same setup, the only step is to choose the same configuration options on the Droplet creation page:
1. Enable the same features (VPC, IPv6, monitoring, and backups).
2. Choose SSH key.
3. Paste the cloud-config script in user data.
4. Add the tag for the cloud firewall.
If you use doctl, the DigitalOcean command line interface, you can create a Droplet with all of these options in a single command:
doctl compute droplet create TODO-NAME --tag-names TODO-TAG-NAME \
--image ubuntu-18-04-x64 --region nyc3 --size s-2vcpu-2gb \
--ssh-keys TODO-KEY-FINGERPRINT --user-data-file TODO-PATH-TO-FILE \
--enable-ipv6 --enable-monitoring --enable-private-networking --enable-backups
Conclusion
So far we saw how to configure an initial Droplet in DigitalOcean. In today's write-up we saw how our Support Engineers configure it.