TemperStack
Beginner | 8 min read | Updated Mar 13, 2026

Securing a DigitalOcean Droplet: Official Guide

Quick Answer

Use SSH keys only (disable passwords), configure a Cloud Firewall, update packages, install Fail2Ban, enable monitoring, and set up backups.

Prerequisites

  1. DigitalOcean account with Droplet
  2. Basic Linux CLI knowledge
  3. SSH client and key pair

Step 1: Add SSH Keys to DigitalOcean Account

Log in to the DigitalOcean Control Panel, go to Settings > Security, click Add SSH Key, paste your public key, name it, and add it. These SSH keys control root access only; set up named users separately on the OS.
Tip
Generate keys with ssh-keygen before adding them. Keys cannot be added retroactively if other keys exist.
Step 2: Disable Password Authentication

SSH into the Droplet as root and edit /etc/ssh/sshd_config: set PasswordAuthentication no and PermitRootLogin prohibit-password. Then restart SSH:
sudo systemctl restart ssh
Tip
Test a new SSH connection in another terminal before restarting to avoid lockout.
Step 3: Configure Cloud Firewall

In the Control Panel, go to Droplet > Networking > Firewalls. Create a firewall, add inbound rules (SSH: TCP 22 from your IP; HTTP/HTTPS: 80/443), allow all outbound traffic, and apply it to the Droplet. CLI: doctl compute firewall list.
Tip
The policy is default deny; explicitly allow only the ports you need. Use a VPC for private traffic.
Step 4: Update System Packages

On Ubuntu/Debian, run the following to apply security patches and refresh packages:
sudo apt update && sudo apt upgrade -y
Tip
Schedule automatic updates or use unattended-upgrades for ongoing protection.
Step 5: Install and Configure Fail2Ban

Install Fail2Ban:
sudo apt install fail2ban -y
Edit /etc/fail2ban/jail.local to enable the [sshd] jail, then start the service:
sudo systemctl enable --now fail2ban
Fail2Ban monitors logs and bans IPs that attempt brute-force logins.
Tip
Whitelist your IP in jail.local to avoid banning yourself.
Step 6: Enable DigitalOcean Monitoring

In the Droplet details, enable Monitoring for CPU, memory, and disk metrics. CLI: doctl compute droplet create --enable-monitoring for new Droplets. Check the graphs in the Control Panel.
Tip
Set alerts for unusual activity, such as high CPU caused by attacks.
Step 7: Set Up Automated Backups

In the Droplet settings, enable weekly backups (extra cost) or use SnapShooter. Manual: doctl compute droplet-action snapshot <droplet-id> --snapshot-name <name>.
Tip
Test the restore process periodically.
Step 8: Harden Additional SSH Settings

In /etc/ssh/sshd_config, set MaxAuthTries 3, LoginGraceTime 30, and ClientAliveInterval 300. Restart SSH.
Tip
Use a non-standard port (e.g., 2222), but update the firewall rule to match.
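
An audit of the sshd_config values from steps 2 and 8, added here as an example and not part of the original guide. It goes slightly beyond the text by applying sshd's rule that the first value read for a keyword wins; the function names, the EXPECTED list, and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): audit an sshd_config against steps 2 and 8.
# sshd keeps the FIRST value it reads for each keyword, so a hardened line
# appended at the bottom does nothing if the keyword already appears above it.

# Values the guide sets, as keyword=value with lowercase keywords.
EXPECTED="passwordauthentication=no permitrootlogin=prohibit-password
maxauthtries=3 logingracetime=30 clientaliveinterval=300"

# effective_value FILE KEYWORD: print the first global value of KEYWORD, if any.
effective_value() {
  awk -v want="$2" '
    { line = $0; sub(/^[ \t]+/, "", line) }
    line == "" || line ~ /^#/ { next }                  # blank lines and comments
    { split(line, f, /[ \t=]+/); key = tolower(f[1]) }  # keywords are case-insensitive
    key == "match" { exit }                             # simplification: ignore Match blocks
    key == want { print f[2]; exit }                    # first occurrence wins
  ' "$1"
}

# audit_sshd_config FILE: print one FAIL line per deviation; return 1 if any.
audit_sshd_config() {
  findings=0
  for pair in $EXPECTED; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(effective_value "$1" "$key")
    if [ "$got" != "$want" ]; then
      echo "FAIL $key: effective='${got:-<unset>}' expected='$want'"
      findings=$((findings + 1))
    fi
  done
  [ "$findings" -eq 0 ]
}

# Constructed sample: an early "yes" shadows the "no" appended later,
# and ClientAliveInterval was never set.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
PasswordAuthentication yes
PermitRootLogin prohibit-password
MaxAuthTries 3
LoginGraceTime 30
PasswordAuthentication no
EOF

audit_sshd_config "$SAMPLE" || echo "hardening incomplete: fix the lines above"
```

The script reads a single file and does not follow Include directives. On a live Droplet, sudo sshd -t checks the syntax before a restart and sudo sshd -T prints the configuration sshd will actually use.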

Troubleshooting

Locked out after SSH changes
Use DigitalOcean Console (web KVM) to revert sshd_config and restart SSH.
Firewall blocks legitimate traffic
Check rules in Control Panel, verify your IP, add exceptions, apply changes.
Fail2Ban bans your IP
Unban with fail2ban-client set sshd unbanip YOUR_IP, then add your IP to the whitelist.
Outdated packages fail to install
Run apt update first, check the repositories, or switch to an LTS OS release.
