Securing a DigitalOcean Droplet — Official Guide

Intermediate 8 min read Updated 2026-04-27
Quick Answer

Use SSH key authentication only (disable passwords), configure a Cloud Firewall, update packages, install Fail2Ban, enable monitoring, and set up backups.

Prerequisites

  • DigitalOcean account with Droplet
  • Basic Linux CLI knowledge
  • SSH client and key pair

Step-by-Step Instructions

1

Add SSH Keys to DigitalOcean Account

Log into the DigitalOcean Control Panel, go to Settings > Security, click Add SSH Key, paste your public key, name it, and add it. SSH keys control root access only; set up named users separately on the OS.
Generate keys with ssh-keygen before adding them. Keys cannot be added retroactively if other keys exist.
2

Disable Password Authentication

SSH into the Droplet as root and edit /etc/ssh/sshd_config: set PasswordAuthentication no and PermitRootLogin prohibit-password. Restart SSH:
sudo systemctl restart ssh
Test a new SSH connection in another terminal before restarting to avoid lockout.
3

Configure Cloud Firewall

In the Control Panel, go to Droplet > Networking > Firewalls. Create a firewall, add inbound rules (SSH: TCP 22 from your IP; HTTP/HTTPS: 80/443), allow all outbound traffic, and apply the firewall to the Droplet. CLI: doctl compute firewall list.
The default policy is deny; explicitly allow only the ports you need. Use a VPC for private traffic.
4

Update System Packages

On Ubuntu/Debian, run:
sudo apt update && sudo apt upgrade -y
This refreshes the package lists and applies security patches.
Schedule automatic updates or use unattended-upgrades for ongoing protection.
5

Install and Configure Fail2Ban

Install:
sudo apt install fail2ban -y
Edit /etc/fail2ban/jail.local to enable the [sshd] jail. Start:
sudo systemctl enable --now fail2ban
Fail2Ban monitors logs and bans IPs that attempt brute-force logins.
Whitelist your IP in jail.local to avoid banning yourself.
6

Enable DigitalOcean Monitoring

In the Droplet details, enable Monitoring for CPU, memory, and disk metrics. CLI: doctl compute droplet create --enable-monitoring for new Droplets. Check the graphs in the Control Panel.
Set alerts for unusual activity, such as high CPU from attacks.
7

Set Up Automated Backups

In the Droplet settings, enable weekly backups (extra cost) or use SnapShooter. Manual: doctl compute droplet-action snapshot <droplet-id> --snapshot-name <name>.
Test the restore process periodically.
8

Harden Additional SSH Settings

In /etc/ssh/sshd_config, set MaxAuthTries 3, LoginGraceTime 30, and ClientAliveInterval 300. Restart SSH.
Use a non-standard port (e.g., 2222), but update the firewall rule to match.
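
A check for the sshd settings from steps 2 and 8, as an added example that is not part of the original guide or DigitalOcean's tooling: it reads one or more config files in order and compares the first value found for each keyword with the value recommended above. The function names effective_value and audit_sshd and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not DigitalOcean's code): audit sshd_config against this guide's values.

# effective_value KEYWORD FILE...
# Prints the global value sshd would take for KEYWORD from the files, read in order.
# sshd keeps the first value it sees for a keyword, and keywords are case-insensitive.
# Simplification: lines from a "Match" line to the end of that file are ignored.
effective_value() {
    key=$1; shift
    awk -v key="$key" '
        FNR == 1               { in_match = 0 }     # each file starts outside Match
        /^[ \t]*#/ || NF == 0  { next }             # comment or blank line
        tolower($1) == "match" { in_match = 1 }
        in_match               { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$@"
}

# audit_sshd FILE...
# Prints one line per setting; the return status is the number of failed settings.
# An unset keyword counts as a failure because the guide sets each one explicitly.
audit_sshd() {
    fails=0
    while read -r key want; do
        got=$(effective_value "$key" "$@")
        if [ "$got" = "$want" ]; then
            status=OK
        else
            status=FAIL; fails=$((fails + 1))
        fi
        printf '%-4s %-24s want=%s got=%s\n' "$status" "$key" "$want" "${got:-unset}"
    done <<'EOF'
PasswordAuthentication no
PermitRootLogin prohibit-password
MaxAuthTries 3
LoginGraceTime 30
ClientAliveInterval 300
EOF
    return "$fails"
}

# Constructed sample: the later "no" does not override the earlier "yes".
sample=$(mktemp)
printf '%s\n' '#PasswordAuthentication no' 'PasswordAuthentication yes' \
    'PermitRootLogin prohibit-password' 'MaxAuthTries 3' \
    'PasswordAuthentication no' > "$sample"
audit_sshd "$sample" || echo "$? setting(s) need attention"
rm -f "$sample"
```

On a Droplet, run audit_sshd /etc/ssh/sshd_config, listing any included drop-in files in the order sshd reads them. sudo sshd -T prints the effective configuration as resolved by the installed sshd binary and is the authoritative cross-check.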

Common Issues & Troubleshooting

Locked out after SSH changes

Use the DigitalOcean Console (web KVM) to revert sshd_config and restart SSH.

Firewall blocks legitimate traffic

Check the rules in the Control Panel, verify your IP, add exceptions, and apply the changes.

Fail2Ban bans your IP

Unban with fail2ban-client set sshd unbanip YOUR_IP, then add your IP to the whitelist.

Outdated packages fail to install

Run apt update first, check the repositories, or switch to an LTS OS release.
