Making the Digital Ocean One-Click Ghost Install More Secure


Out of the box the one-click Ghost install that Digital Ocean provides saves us from having to do a bunch of grunt work. But in terms of security it could be improved upon.

It does have automatic security updates enabled. So there's that. But there are some steps we can take to make things a bit more secure and stable.

Most all this comes from a couple of guides I came across on Digital Ocean. They're really good and I saw little value in regurgitating them. So I've simply linked them below.

Overview of what the Digital Ocean Guides will Step you Through
  • Create a new User and put them in the sudo group.
  • Disable SSH access for the root user.
  • Enable Ubuntu's firewall, ufw, and set up rules to cover basic needs.
  • Create a swap file (can be the difference between your world imploding and not).
My Additional Recommendations
  • Install spf13-vim for greater happiness.
  • Set up Cloudflare.
    • I mean who doesn't want a CDN, SSL (there are some caveats) and enhanced security for free?
    • If you've used them in the past you already know the reason I don't haven't linked a guide for them. It's because you don't need one. Seriously, their onboarding is that good. Just sign up and give them the info they ask for. It's cake.
Guides to Follow
Bonus Not Bonus

I had plans to formalize all this into a bash script, but I'm a total bash script noob. So I wasn't able to get it working within the timebox I set for myself.

That said maybe someone out there can take it and finish it out.


# Gathering these 3 basic bits of info to use later in script
echo "What user name would you like to use?"  
read username  
echo "What password would you like to use?"  
read password  
echo "Copy in your public key and then hit enter."  
read public_key  
ufw allow ssh # Setting up firewall and rules.  
ufw allow 4444/tcp  
ufw allow 80/tcp  
ufw allow 443/tcp  
ufw allow 25/tcp  
ufw enable  
echo y # Never figured out how to confirm.  
fallocate -l 1G /swapfile # Next 5 lines create swap file.  
chmod 600 /swapfile  
mkswap /swapfile  
swapon /swapfile  
sh -c 'echo "/swapfile none swap sw 0 0" >> /etc/fstab'  
adduser $username # Creating new user.  
expect "Enter new UNIX password: " { send $password "\r" } # These lines don't work. They don't enter the password like I expected them to.  
expect "Retype new UNIX password: " { send $password "\r" }  
echo -ne '\n' '\n' '\n' '\n' '\n' 'y' '\n' # Just hitting enter 5 times to skip username info and confirm at the end but this doesn't seem to work for me either.  
gpasswd -a $username sudo # Adding new user to sudo group  
su - $username # switching to new user  
mkdir .ssh # Making ssh directory  
chmod 700 .ssh  
echo $public_key > ~/.ssh/authorized_keys # Putting public key gathered earlier into authorized keys file  
chmod 600 ~/.ssh/authorized_keys  
exit #Exiting the user.  
sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config # Disallows ssh access to root  
curl -L -o - | sh # install spf13-vim  
service ssh restart