Question

What do you do with your first five minutes on a new server?

What are the things you do every time you log into a new Droplet for the first time? I’m always curious about how other people approach this. If you were to write your own Initial Server Setup guide, what would it include?

  • What do you do to lock down and secure your server?
  • What are the tools and utilities that you can’t live without that aren’t included in the default install?

Have you automated it? Share your user-data script, Ansible playbook, or your own approach.

I run playbooks related to the server’s purpose, especially the “common” one. Usually I use Debian.

  • Install my favorite tools (vim, zsh, htop, glances, sudo, rsync, ufw) + their configuration
  • Install common dependencies required most of the time (git, build-essential)
  • Configure the mail server (postfix)
  • Install most of the debug tools I’ve used in my life, just in case (lsof, gdb, iotop, slurm, strace)
  • Harden SSH login
  • Setup fail2ban
  • Configure logrotate to rotate with dates instead of rolling numbers (easier for archive/backup)
  • Configure time-related stuff (tzdata, ntp, setting the time zone)
  • Setup terminal auto-logout after a few minutes of inactivity
  • Set a random root password (for console login only)

For all other roles, usually they start with ufw configuration, install the matching packages (+ the dbg packages when available, they can prove invaluably useful once every two years) and write the project-independent configuration files.

About a year ago, I had a bash script that I would scp to the new server, run as root to do a few different tasks and create my personal user, then su to that user and finish up. It’s a mess of case statements for CentOS 6, CentOS 7, and Ubuntu, so I needed something better. :)

Over the last three or four months, I’ve been learning Ansible and it’s pretty easy to pick up. I have roles that do each of the following:

  1. Set the timezone to UTC.
  2. Install all updates.
  3. Install NTP.
  4. Set up SSH server: disable password authentication and root login.
  5. Install Fail2ban.
  6. Install vnstat.
  7. Install various other extra packages: dig, git, htop, iftop, iotop, mtr, ncdu, nmap, screen, sysstat, tcpdump, tig, tree, unzip, vim, zsh.
  8. Set up a non-root user: SSH keys, git and other configuration files, sudo access.

A firewall role definitely needs added in there. I’m sure there are roles on Ansible Galaxy for most or all of the things I’m doing, but I learned it a lot better by writing my own and studying others’.

I do a lot, currently have WordPress, Django and a Nodejs running on the same droplet. However, my First 5 moves in early seconds after creating a droplet are these:

  • Create new user with sudo
  • Enable SSH login for user
  • Disable password login for droplet
  • Install and enable ufw (allow out and incoming port 443, 80 and 22).
  • Install and config fail2ban

After the above steps, I can take a break.
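
Several answers above list "disable password authentication and root login" as a step. The script below is an added example, not part of any answer, that checks whether those two settings actually took effect. It relies on the documented sshd_config rule that the first value obtained for a keyword wins; the function names, the sample file names and the sample contents are constructed for illustration, and the first sample assumes the main file has an Include line at the top so the drop-in is read first.

```sh
#!/bin/sh
# Added example (not from any answer above): audit sshd settings after hardening.
# sshd_config(5): for each keyword, the first obtained value is used, so a file
# read earlier can override a later "PasswordAuthentication no".

# Print the effective global value of keyword $1 for config text on stdin.
# Scanning stops at the first Match block; settings below it are conditional.
sshd_effective() {
  awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    { sub(/^[ \t]+/, "")                          # drop indentation
      sub(/[ \t]*=[ \t]*|[ \t]+/, " ")            # accept the "Key=value" form
      key = tolower($1) }
    key == "match" { exit }
    key == want    { print tolower($2); found = 1; exit }
    END { if (!found) print "unset" }'
}

# Audit the two settings the answers name. Reads config text on stdin, prints
# one line per keyword, exits non-zero on any FAIL. The ( ) body keeps the
# variables local without relying on the non-POSIX "local" keyword.
audit_ssh() (
  cfg=$(cat)
  rc=0
  for key in PasswordAuthentication PermitRootLogin; do
    val=$(printf '%s\n' "$cfg" | sshd_effective "$key")
    if [ "$val" = "no" ]; then
      echo "PASS $key=$val"
    else
      echo "FAIL $key=$val"   # "unset" means the compiled-in default applies
      rc=1
    fi
  done
  exit "$rc"
)

# Constructed sample: a drop-in read first, then the hand-edited main file.
SAMPLE_OVERRIDDEN='# /etc/ssh/sshd_config.d/50-example.conf (constructed)
PasswordAuthentication yes
# /etc/ssh/sshd_config (constructed)
PermitRootLogin no
PasswordAuthentication no'

# Constructed sample: hardened globally, with a conditional exception below.
SAMPLE_HARDENED='PermitRootLogin no
passwordauthentication=no
Match User deploy
    PasswordAuthentication yes'

printf '%s\n' "$SAMPLE_OVERRIDDEN" | audit_ssh || true
```

On a live host, pipe the output of `sshd -T` (run as root) into `audit_ssh` instead of the sample text, since that command prints the configuration sshd actually resolved.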