How to secure a Droplet on DigitalOcean

Intermediate 8 min read Updated 2026-03-13
Quick Answer

Enable SSH keys only (disable passwords), configure Cloud Firewall, update packages, install Fail2Ban, enable monitoring, and set backups.

Prerequisites

  • DigitalOcean account with Droplet
  • Basic Linux CLI knowledge
  • SSH client and key pair

Step-by-Step Instructions

1. Add SSH Keys to DigitalOcean Account

Log into the DigitalOcean Control Panel, go to Settings > Security, click Add SSH Key, paste your public key, name it, and add it. These SSH keys control root access only; set up named users separately on the OS.
Generate keys with ssh-keygen before adding. Keys cannot be added retroactively if other keys exist.

2. Disable Password Authentication

SSH into the Droplet as root and edit /etc/ssh/sshd_config: set PasswordAuthentication no and PermitRootLogin prohibit-password. Restart SSH:
sudo systemctl restart ssh
Before restarting, test a new SSH connection in another terminal to avoid lockout.

3. Configure Cloud Firewall

In the Control Panel, go to Droplet > Networking > Firewalls. Create a firewall, add inbound rules (SSH: TCP 22 from your IP; HTTP/HTTPS: 80/443), allow all outbound traffic, and apply it to the Droplet. From the CLI, list existing firewalls with doctl compute firewall list.
The policy is default deny; explicitly allow only the ports you need. Use a VPC for private traffic.

4. Update System Packages

On Ubuntu/Debian, apply security patches and refresh packages with:
sudo apt update && sudo apt upgrade -y
Schedule automatic updates or use unattended-upgrades for ongoing protection.

5. Install and Configure Fail2Ban

Install:
sudo apt install fail2ban -y
Edit /etc/fail2ban/jail.local to enable the [sshd] jail. Start:
sudo systemctl enable --now fail2ban
Fail2Ban monitors logs and bans IPs that attempt brute-force logins.
Whitelist your IP in jail.local to avoid banning yourself.

6. Enable DigitalOcean Monitoring

In the Droplet details, enable Monitoring for CPU, memory, and disk metrics. For new Droplets, use the CLI: doctl compute droplet create --enable-monitoring. Check the graphs in the Control Panel.
Set alerts for unusual activity, such as high CPU caused by attacks.

7. Set Up Automated Backups

In the Droplet settings, enable weekly backups (extra cost) or use SnapShooter. For a manual snapshot from the CLI: doctl compute droplet-action snapshot <droplet-id> --snapshot-name <name>.
Test the restore process periodically.

8. Harden Additional SSH Settings

In /etc/ssh/sshd_config, set MaxAuthTries 3, LoginGraceTime 30, and ClientAliveInterval 300. Restart SSH.
Use a non-standard port (e.g., 2222), but update the firewall rule to match.
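
To confirm that the sshd_config values from steps 2 and 8 are actually in place, the following added example (not part of the original guide) audits a config file against them. The function names sshd_value and audit_sshd_config are hypothetical; the script assumes plain "Keyword value" lines and reads only the global section before any Match block.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file against the values this
# guide sets in steps 2 and 8. Assumes plain "Keyword value" lines.

# Print the global value of keyword $2 in file $1 (lowercased).
# sshd uses the FIRST occurrence of a keyword, keywords are case-insensitive,
# and lines after a "Match" line are conditional, so parsing stops there.
sshd_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }     # skip comments and blank lines
        tolower($1) == "match" { exit }     # end of the global section
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Return 0 if every setting from the guide has the expected value;
# otherwise print each mismatch and return 1.
audit_sshd_config() {
    file=$1
    rc=0
    while read -r key want; do
        got=$(sshd_value "$file" "$key")
        # "without-password" is the deprecated alias of prohibit-password
        if [ "$got" = "without-password" ]; then got="prohibit-password"; fi
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: want '$want', got '${got:-<unset>}'"
            rc=1
        fi
    done <<EOF
PasswordAuthentication no
PermitRootLogin prohibit-password
MaxAuthTries 3
LoginGraceTime 30
ClientAliveInterval 300
EOF
    return $rc
}

# When run as a script with a path argument, audit that file.
if [ $# -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

On the Droplet, sshd -T prints the effective configuration in the same keyword/value form, so saving its output to a file and auditing that file also covers settings pulled in from other files. Run the audit before restarting SSH and keep the existing session open until it passes.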

Common Issues & Troubleshooting

Locked out after SSH changes

Use the DigitalOcean Console (web KVM) to revert sshd_config and restart SSH.

Firewall blocks legitimate traffic

Check rules in Control Panel, verify your IP, add exceptions, apply changes.

Fail2Ban bans your IP

Unban with:
fail2ban-client set sshd unbanip YOUR_IP
Then add your IP to the whitelist.

Outdated packages fail to install

Run apt update first, check repos, or switch to an LTS OS.
