Tools: Provision an Ubuntu VPS and Create a Deploy User

This is part 1 of the Production Linux series. It covers the first steps after creating a new VPS. This post walks you through provisioning a fresh DigitalOcean droplet, from your first root SSH connection to a locked-down baseline with a non-root deploy user, a UFW firewall, and automatic security patches. This covers Ubuntu 24.04 LTS only; the commands assume a clean droplet with no prior configuration.

Prerequisites

- A DigitalOcean account (or any VPS provider running Ubuntu 24.04)
- An SSH key pair on your local machine (~/.ssh/id_ed25519 and ~/.ssh/id_ed25519.pub)

Create the Droplet

The fastest path is doctl, the DigitalOcean CLI:

```bash
# --ssh-keys takes a comma-separated list, so the key IDs are joined with
# paste; without the join, a second key ID would be read as another droplet name.
doctl compute droplet create my-server \
  --image ubuntu-24-04-x64 \
  --size s-1vcpu-1gb \
  --region tor1 \
  --ssh-keys "$(doctl compute ssh-key list --format ID --no-header | paste -sd, -)" \
  --wait
```

This creates a 1 vCPU / 1 GB droplet in Toronto using all SSH keys in your account. Swap tor1 for your nearest region (nyc3, sfo3, ams3, etc.). The --wait flag blocks until provisioning is complete, then prints the droplet's public IP.

If you prefer the web console, create the droplet through the DigitalOcean dashboard and select your SSH key during setup. Either way, note the public IP before continuing.

First SSH Connection

Connect as root using your SSH key:

```bash
ssh root@your-server-ip
```

On first login you will see the Ubuntu welcome banner, MOTD, and a summary of pending updates. Cloud-init has already configured the server with PasswordAuthentication no and your SSH public key in /root/.ssh/authorized_keys, so password login is disabled out of the box.

Create a Deploy User

Running everything as root is a bad habit. Create a dedicated deploy user now:

```bash
adduser deployer
usermod -aG sudo deployer
```

adduser creates the home directory, prompts for a password, and sets up the default shell. usermod -aG sudo deployer adds the user to the sudo group, which grants sudo access; by default sudo prompts for the deployer password.

Copy root's authorized keys to the new user so you can SSH in as deployer:

```bash
rsync --archive --chown=deployer:deployer /root/.ssh /home/deployer/
```

rsync copies the .ssh directory with correct ownership in one step, so no manual chown or chmod is needed.

Before closing your root session, open a second terminal and verify the new user works:

```bash
ssh deployer@your-server-ip
sudo whoami
```

You should see root returned by sudo whoami. Only close the root session after confirming this. Locking yourself out of a new server is a rite of passage you can skip.

Set Up UFW

UFW (Uncomplicated Firewall) is the standard iptables front end on Ubuntu:

```bash
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable
ufw status verbose
```

The first two lines set the baseline policy: block all inbound, allow all outbound. The three allow rules open SSH, HTTP, and HTTPS. Add the 22/tcp rule before enabling the firewall; ufw enable warns that it may disrupt existing SSH connections, and it is safe to answer y because the SSH rule is already in place. Enabling UFW applies the rules immediately, and your existing SSH session stays connected because UFW handles established connections gracefully.

ufw status verbose confirms the active rules. You should see Status: active at the top and the three ALLOW IN entries listed.

Enable Unattended Upgrades

Security patches should apply automatically. Install and configure the package:

```bash
apt update && apt install -y unattended-upgrades
dpkg-reconfigure --priority=low unattended-upgrades
```

When prompted, select Yes to enable automatic updates. This writes the configuration to /etc/apt/apt.conf.d/20auto-upgrades. Verify the file looks correct:

```bash
cat /etc/apt/apt.conf.d/20auto-upgrades
```

```
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
```

Both values set to "1" mean: refresh the package list daily and apply security upgrades daily.

Verify Your Baseline

At this point your server has a working security foundation:

- SSH key-only login as root (password authentication disabled)
- A non-root deploy user with sudo access
- A UFW firewall that denies inbound traffic except SSH, HTTP, and HTTPS
- Automatic security patches via unattended-upgrades

If you want to automate this entire process with Ansible, see Manage DigitalOcean Infrastructure With Ansible.
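As an added example (not part of the original post), the script below turns the baseline above into repeatable checks: each check reads saved command output, so the same logic runs against constructed sample files offline and, with --live as root on the droplet, against sshd -T, getent, ufw status verbose and the 20auto-upgrades file. It assumes the deployer username and the 22/80/443 rules from this post; the sample outputs it writes are constructed, not captured from a real server.

```shell
#!/usr/bin/env bash
# Added baseline checks (not from the original post). Each check_* reads a
# saved text file, so one logic serves constructed samples and live output.

# $1 = saved output of `sshd -T`; password auth must be off
check_sshd_password_auth() { grep -qi '^passwordauthentication no$' "$1"; }
# $1 = saved /etc/group or `getent group sudo`; $2 = user expected in sudo
check_sudo_member() { grep -Eq "^sudo:[^:]*:[0-9]+:([^,]+,)*$2(,[^,]+)*$" "$1"; }
# $1 = saved `ufw status verbose`; active, inbound deny, 22/80/443 allowed in
check_ufw() {
  grep -q '^Status: active' "$1" || return 1
  grep -q '^Default: deny (incoming)' "$1" || return 1
  local port
  for port in 22 80 443; do
    grep -Eq "^${port}/tcp +ALLOW IN" "$1" || return 1
  done
}
# $1 = 20auto-upgrades file; both APT::Periodic directives must be "1"
check_auto_upgrades() {
  grep -q '^APT::Periodic::Update-Package-Lists "1";' "$1" || return 1
  grep -q '^APT::Periodic::Unattended-Upgrade "1";' "$1"
}

# Constructed sample files (not captured from a real server); prints their dir.
write_samples() {
  local d; d=$(mktemp -d)
  printf 'permitrootlogin yes\npasswordauthentication no\n' > "$d/sshd"
  printf 'sudo:x:27:deployer\nusers:x:100:\n' > "$d/group"
  printf 'Status: active\nDefault: deny (incoming), allow (outgoing)\n' > "$d/ufw"
  printf '%s/tcp          ALLOW IN    Anywhere\n' 22 80 443 >> "$d/ufw"
  printf 'Status: inactive\n' > "$d/ufw_bad"
  printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' > "$d/apt"
  echo "$d"
}

# Live mode (run as root on the droplet): capture real output, run every check.
report() { if "$@"; then echo "OK   $1"; else echo "FAIL $1"; rc=1; fi; }
verify_baseline_live() {
  local t; t=$(mktemp -d); rc=0
  sshd -T > "$t/sshd"; getent group sudo > "$t/group"; ufw status verbose > "$t/ufw"
  report check_sshd_password_auth "$t/sshd"
  report check_sudo_member "$t/group" deployer
  report check_ufw "$t/ufw"
  report check_auto_upgrades /etc/apt/apt.conf.d/20auto-upgrades
  return "$rc"
}
if [ "${1:-}" = "--live" ]; then verify_baseline_live; fi
```

Run it as `bash verify_baseline.sh --live` on the droplet; a non-zero exit code means at least one of the four checks failed.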