Setting up Ubuntu on Digital Ocean


Digital Ocean* is an internet hosting service that makes it trivial to spin up virtual servers called Droplets. While the base Ubuntu image Droplets are configured for the job, there are a couple of extra steps I take with new Ubuntu Droplets that I’m documenting here as much for my own future reference as to elicit your feedback

SSH Keys

I’ll typically create a new SSH key pair for a each Droplet. Digital Ocean’s community guide is comprehensive if you need a refresher or haven’t done it before.

ssh-keygen -t rsa -b 4096 -C ""

Droplet creation

After logging into Digital Ocean (or signing up - use this link for an extra $10 USD credit), we click Create Droplet and follow the wizard.

Here are the typical base settings I use:

Distributions Ubuntu, latest LTM, x64
Size As per requirements (usually the smallest $5/mo)
Datacenter region Best to pick the one closest to the majority of our expected userbase. That might only be us
Select additional options As per requirements (usually just Monitoring)
Add your SSH Keys Click New SSH Key and paste in the public part of the SSH Key generated earlier
Finalise and create As per requirements

Then we click Create and wait less than a minute while Digital Ocean performs its magic


For convenience we can give our new Droplet a friendly SSH name by adding the following to our local ~/.ssh/config file (I usually make this the same as the Droplet’s name):

# ~/.ssh/config
Host {droplet-name}
    User root
    HostName {droplet-ip-address}
    IdentityFile "~/.ssh/{our-new-ssh-private-key}"

Now we can SSH into our new Ubuntu Droplet with
ssh {droplet-name}

Set the timezone

dpkg-reconfigure tzdata

Ensure all packages are up-to-date

apt-get update; apt-get -y upgrade; apt-get -y clean

Configure automatic security patches (documentation here and here)

apt-get -y install unattended-upgrades; dpkg-reconfigure unattended-upgrades
Follow the prompts and accept the defaults.

Lock SSH to keys-only

Edit sshd_config to prevent root SSH login with a password - change PermitRootLogin from yes to without-password like so:

# /etc/ssh/sshd_config
# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes

And finally, reboot the Droplet to ensure our settings are loaded, current and it comes back to us before we start installing or configuring our application stack of choice..

Is there anything you’d add to this list of initial Ubuntu server setup steps? - Please let us know in the comments!