It is easy to get carried away with developing your web applications, but you should not neglect securing your server. Once your server is broken into, sensitive data like your OAuth keys, database access credentials etc. can get stolen. Even worse, imagine your app having no data because your database got wiped after a security breach...
Digital Ocean's Tutorials provide a list of things you can do to add some security to your server, but I will only cover the most basic item on the list: securing login access.
This is covered by Setting up SSH Key Login,
but I highlight some things that are different from the tutorial.
Note: This guide assumes a Unix/Linux environment. For Windows users, some additional Googling is required.
Every server starts out with only the root user. Root is all-powerful, so a wrong move can irrecoverably destroy your system. Thus, it is recommended to log in as a non-root user. Since it's your own server, it is alright to create a user with sudo rights.
- Log in as root using `ssh root@<droplet_ip>`.
- Run `useradd -m -s /bin/bash <username>`.
- Set a password for the new user using `passwd <username>`.
- Run `visudo` and add `<username> ALL=(ALL:ALL) ALL`. Save and exit the editor.
- Log out of the session.
- Do step 3 of the Setting up SSH Key Login guide.
- Log in as the new user you created. You should not be prompted for a password at all.
- Follow step 4 of the Setting up SSH Key Login guide. In addition, make sure RSAAuthentication and PubkeyAuthentication are set to yes and PasswordAuthentication is set to no.
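The steps above, gathered into one script, as an added example that is not part of the original post or of DigitalOcean's guide. The first function is the user-creation part (steps 2 to 4) for running as root; the rest is a checker for the last step, so you can confirm that sshd really has public-key login on and password login off before you close your root session. Assumptions: `NEW_USER` is a placeholder name, `/etc/sudoers` includes `/etc/sudoers.d` (the Ubuntu default, which lets the rule go in a drop-in file instead of being typed into `visudo`), and the config being checked is `/etc/ssh/sshd_config`. The sample config at the bottom is constructed for an offline run. RSAAuthentication is not checked: it is a legacy protocol-1 option that current OpenSSH releases only warn about, so the two settings that matter are PubkeyAuthentication and PasswordAuthentication.

```shell
#!/bin/sh
# Added example, not from the original post or DigitalOcean's guide.
# Assumptions (adjust for your server): NEW_USER is a placeholder name, sudoers
# includes /etc/sudoers.d (the Ubuntu default), and the sshd config to check is
# /etc/ssh/sshd_config.

# Steps 2-4 of the list above as one root-run function. Instead of editing
# /etc/sudoers in visudo interactively, the same rule is written to a drop-in
# file that `visudo -cf` validates before it is installed.
create_sudo_user() {
    new_user="$1"
    useradd -m -s /bin/bash "$new_user" || return 1
    passwd "$new_user" || return 1            # prompts for the new password
    rule_file="/etc/sudoers.d/$new_user"
    printf '%s ALL=(ALL:ALL) ALL\n' "$new_user" > "$rule_file.tmp"
    chmod 0440 "$rule_file.tmp"
    if visudo -cf "$rule_file.tmp"; then
        mv "$rule_file.tmp" "$rule_file"
    else
        rm -f "$rule_file.tmp"
        echo "sudoers rule failed validation; not installed" >&2
        return 1
    fi
}

# Print the value sshd would use for a keyword in a config file (or in the
# output of `sshd -T`). Comments and blank lines are skipped, keyword matching
# is case-insensitive, and the FIRST occurrence wins, which is how sshd
# resolves duplicate keywords.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == key   { print tolower($2); exit }
    ' "$1"
}

# Return 0 only when the settings the last step asks for are explicitly in
# effect: public-key logins on, password logins off. An absent keyword fails
# the check on purpose, because sshd's default for PasswordAuthentication is yes.
check_sshd_config() {
    cfg="$1"
    status=0
    [ "$(sshd_setting "$cfg" PubkeyAuthentication)" = "yes" ] ||
        { echo "PubkeyAuthentication must be yes" >&2; status=1; }
    [ "$(sshd_setting "$cfg" PasswordAuthentication)" = "no" ] ||
        { echo "PasswordAuthentication must be no" >&2; status=1; }
    return $status
}

# Constructed sample config so the checker can be exercised offline.
# A commented-out default precedes the real setting, as in a stock file.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample sshd_config, not a real server's file
Port 22
#PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
EOF

if check_sshd_config "$SAMPLE_CFG"; then
    echo "sample config: key-only login is enforced"
fi
```

On the server itself, run the check against what sshd actually loads rather than against the one file you edited: `sshd -T > /tmp/sshd-effective.conf; check_sshd_config /tmp/sshd-effective.conf` (as root). That matters because newer Ubuntu images put an `Include /etc/ssh/sshd_config.d/*.conf` line at the top of `sshd_config`, and since the first value wins, a drop-in file that still says `PasswordAuthentication yes` silently overrides your edit. Run `sshd -t` before restarting the service, and keep your existing root session open until you have confirmed the key-based login for the new user works, so a typo cannot lock you out.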