Generate SSH keys 🔐
Create a new non-root user 👤
Give it sudo privileges ⚙️
Secure your server (disable root SSH) 🔒
Firewall Setup + Fail2Ban
🧰 What You Need
A DigitalOcean Droplet (Ubuntu 22.04 or 24.04)
Your local computer’s terminal
The Droplet’s IP address
Root password or SSH access to the Droplet
Step 1: Generate SSH Keys (on your local machine)
You’ll use SSH keys instead of passwords to log in — it’s far more secure.
On macOS / Linux / Windows (WSL or PowerShell)
Generating SSH Keys with Empty Passphrase (No Password)
ED25519 Key (Recommended)
Run:
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N ""
Generating SSH Keys WITH Passphrase (More Secure)
ED25519 Key with Passphrase
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_secure
The keys are saved in (the passphrase variant uses the id_ed25519_secure name passed to -f instead):
Private key: ~/.ssh/id_ed25519
Public key: ~/.ssh/id_ed25519.pub
To view (and later copy) your public key:
cat ~/.ssh/id_ed25519.pub
You’ll get a long line starting with ssh-ed25519 — copy this entire line.
🌐 Step 2: Connect to your Droplet as Root
From your terminal:
ssh root@droplet_public_ip
👤 Step 3: Create a New User
adduser demo
You’ll be asked to:
Set a password
Optionally fill in details (you can press Enter to skip)
⚙️ Step 4: Give the User Sudo Privileges
usermod -aG sudo demo
Now the “demo” user can use sudo to run admin commands.
🔐 Step 5: Add Your SSH Public Key for the New User
You’ll now let your new user log in using the key you generated.
Run:
mkdir -p /home/demo/.ssh
vim /home/demo/.ssh/authorized_keys
Paste your public key (the one from id_ed25519.pub) inside the file.
Then save and close.
Set correct permissions:
chown -R demo:demo /home/demo/.ssh
chmod 700 /home/demo/.ssh
chmod 600 /home/demo/.ssh/authorized_keys
🧪 Step 6: Test Logging in as the New User
From your local machine, open a new terminal and test:
ssh demo@droplet_ip
If it connects successfully — you’re good! 🎉
Try:
sudo whoami
It should say:
root
🚫 Step 7: Disable Root SSH Login (Recommended for Security)
After verifying the new user works:
Edit the SSH config:
sudo vim /etc/ssh/sshd_config
Find and change:
PermitRootLogin no
PasswordAuthentication no
Save, then restart SSH:
sudo systemctl restart ssh
⚠️ Important: Make sure your new user login works before doing this step – otherwise you could lock yourself out.
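A check for Step 7, added here as an example and not part of the original guide: it audits the effective settings printed by `sshd -T` rather than the file you edited, since on stock Ubuntu a drop-in under /etc/ssh/sshd_config.d/ is read first and can override the edit. The function name and the sample inputs are constructed for illustration.

```bash
# Added example (not from the original guide): audit the *effective* sshd
# settings. sshd keeps the first value it reads per keyword, so a drop-in in
# /etc/ssh/sshd_config.d/ can override the lines edited in Step 7.
# check_sshd_effective (hypothetical name) reads `sshd -T` output on stdin;
# sshd -T prints keywords in lowercase. Returns 0 only if every check passes.
check_sshd_effective() {
    awk '
        BEGIN {
            want["permitrootlogin"]        = "no"
            want["passwordauthentication"] = "no"
            want["pubkeyauthentication"]   = "yes"
        }
        ($1 in want) {
            seen[$1] = 1
            if ($2 != want[$1]) {
                printf "FAIL %s is \"%s\", expected \"%s\"\n", $1, $2, want[$1]
                bad = 1
            } else {
                printf "ok   %s %s\n", $1, $2
            }
        }
        END {
            for (k in want) if (!(k in seen)) {
                printf "FAIL %s missing from input\n", k
                bad = 1
            }
            exit bad
        }
    '
}

# Constructed sample: a drop-in still enables passwords despite the edit.
SAMPLE_OVERRIDDEN='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes'
# Constructed sample: the result Step 7 is aiming for.
SAMPLE_HARDENED='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'

# On the server, before restarting ssh:
#   sudo sshd -t && sudo sshd -T | check_sshd_effective
# Offline demo on the constructed sample:
if ! printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_sshd_effective; then
    echo "not hardened yet: look for overrides in /etc/ssh/sshd_config.d/"
fi
```

Keep the existing root session open while running the check and the restart, so a failed result can still be corrected.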
🧱 Step 8: Add Basic Security Enhancements
Enable Firewall (UFW)
sudo ufw allow OpenSSH
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
sudo ufw status
Install Fail2Ban
Protects SSH from brute-force attacks:
sudo apt update && sudo apt install fail2ban -y
Enable Automatic Security Updates
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades
🧩 Step 9: Quick Checklist ✅
Generated SSH keys ✅
Created non-root user ✅
Added to sudo group ✅
Copied SSH key ✅
Tested login ✅
Disabled root SSH ✅
Enabled firewall & Fail2Ban ✅