This article will show Windows PC users how to set up a Linux virtual private server (VPS). The VPS in this article is running Ubuntu 16.04 Long-Term Support (LTS). If you choose a VPS running a different distribution of Linux, you will need to adjust the commands in this article accordingly.
Visit DigitalOcean and open and fund your account. If you use my link, they may reward you with an extra credit when you add funds for the first time.
PuTTY is the tool we will use to connect to the Linux VPS from a Windows PC.
Visit the PuTTY developer’s site at http://www.chiark.greenend.org.uk/~sgtatham/putty/.
Go to the latest downloads page on the PuTTY site.
For modern PCs running Windows, you will want the 64-bit Windows installer. For older PCs that are capable of running only 32-bit software, you will want the 32-bit Windows installer.
Click on the appropriate Windows installer file. You will be asked whether you want to save it. Click Save File.
Once the file is downloaded, double-click on it. You will be asked to confirm that you want to run the downloaded Windows installer package. Click Run to run the installer.
The installer will inform you of the folder in which it proposes to install
PuTTY. Make a note of the installation location. It will most likely be either
C:\Program Files\PuTTY or
(x86)\PuTTY. Click Next to accept the default
The PuTTY installer asks you which features you want to install. Accept the defaults, and click Install.
The setup wizard installs PuTTY and displays a progress bar as it proceeds. Once PuTTY is installed, the setup wizard displays a final screen. Click Finish to exit the PuTTY setup wizard.
Now we’re going to run the PuTTYgen utility to generate a secure shell (SSH) key pair.
Open the PuTTY file location, i.e., either
C:\Program Files\PuTTY or
Double-click on puttygen.exe.
A window appears titled PuTTY Key Generator. You can leave
the defaults as they are. The type is
SSH-2 RSA, and the number of
2048. Click the Generate button to begin
the process of generating an SSH key pair.
A progress bar appears. As the instructions on the screen indicate, move your mouse around randomly over the blank area immediately beneath the progress bar.
When the key is generated, it is displayed, along with fields for copying it from for subsequent pasting and for specifying a passphrase. There are also buttons for saving the private key, etc.
Create a folder to hold your public and private keys. For example, you might
create it inside your
Documents folder and name it
In the PuTTY Key Generator (PuTTYgen) dialogue box, you will see a field in
the box Public key for pasting into OpenSSH authorized keys
file. Select all of this field, being careful to make sure you have
the full contents, including any characters that may be hidden from view. This
field will begin with the key type, which is
ssh-rsa, and end with
a generated name such as
Copy the public key to your PC clipboard (Ctrl + C), open the Notepad program, then paste it into Notepad (Ctrl + V).
Save the public key from Notepad in a file within your
folder. Name it, for example,
Now, back in the dialogue box, fill in a Key passphrase, and type in the same passphrase in the Confirm passphrase field. This passphrase is your last line of defense in case someone finds your private key file. Press Save private key.
Save it in the same folder, i.e.
SSH, that you created a moment
ago for the public key. Name it, for example,
You now have two files in your
You can now close the PuTTY Key Generator (PuTTYgen) program.
Again using Notepad, open the file where you saved the public key, named for
rsa-key-20170702-public.txt. Press Ctrl+C
to copy the public key to your PC’s clipbpard.
Go to your browser and log on to your DigitalOcean account. Under Settings, choose Security, and then the Add SSH Key section.
Paste in your public key, give it a name (such as
rsa-key-20170702), and click Create SSH Key.
The new key is added to your DigitalOcean account’s Security area.
“Droplet” is DigitalOcean’s name for a virtual private server (VPS). We will now create a droplet with the public key pre-installed. In your DigitalOcean account, go to the Droplets page, and click Create Droplet.
We will assume in this article that you pick Ubuntu 16.04 as your operating system.
512 MB of random-access memory (RAM) is plenty for small-scale projects.
A region close to you is best, unless you have some other preference.
You must check the box to Add your SSH key to the droplet!!!
You can either leave the hostname as the default, or else enter a hostname and domain name that you own.
Wait about one minute. When the droplet creation process is complete, make a note of the IP address that DigitalOcean has allocated to your VPS.
Double-click on the putty.exe executable or on a desktop shortcut to PuTTY.
Paste in the IP address of your Digital Ocean droplet.
The default of port
22 is fine to begin with.
On PuTTY’s Window > Appearance page, you can change the font size if you wish. The default font of Courier 10-point is rather small, so you can change it to something like Lucida Console 12-point for improved legibility.
On PuTTY’s Connection > SSH >
Auth page, browse for the private key file you created with
PuTTYgen. In the example in this article, it is named
rsa-key-20170702-private.ppk. Select it and click
Your private key file’s location now appear in the private key field at the bottom of the right-hand pane on PuTTY’s SSH > Auth page.
Now we will save these settings for future use.
In the left-hand pane (the Category tree), click on the first page again (Session). Select the Default Settings session so that it is highlighted in blue. Click Save.
Your complete settings — IP address, port, font, and SSH private key location — are now saved.
Now in the main PuTTY window click Open.
The first time you connect to a server that you have not connected to before, a warning message box appears. Click Yes to say that you trust this host.
You are asked what id you want to log in as. Some VPS providers create a
non-root user id automatically. Since DigitalOcean did not create a non-root
id, you need to put
root here for now and create a non-root user in
a few moments.
You will be asked to enter the passphrase for your private key.
When you are successfully logged in, you will see a command prompt. It will
end in a dollar sign
$ when you sign in as a non-root user, and a
# when you sign in as
Before we go any further, you may need to correct the timezone on your
root, issue the command:
Choose the appropriate time zone for your VPS.
Some VPS providers creates a non-root user for you on Ubuntu servers. If
this is the case, you can skip this section. However, DigitalOcean and many
other VPS providers create only the
root user for you. In this
case, you are best advised to created your own non-root user. If you want the
non-root user to be named
derek, for example, you would issue the
commands as root:
The next command adds the new user to the group
derek can issue
root commands without being the
root user by prefixing the command with
usermod -a -G sudo derek
Now copy your private key from the
root account into
Create a directory for
derek’s SSH keys:
derek the owner of the new directory:
chown derek:derek /home/derek/.ssh
Restrict access to the directory to just
chmod 700 /home/derek/.ssh
Copy your SSH authorized keys file from the
root SSH directory
into the equivalent directory for user
cp ~/.ssh/authorized_keys /home/derek/.ssh/
derek the owner of the authorized keys file:
chown derek:derek /home/derek/.ssh/authorized_keys
Restrict access to the authorized keys file to just
chmod 600 /home/derek/.ssh/authorized_keys
Now exit your
root SSH session with your server:
Check that you can now SSH into the server as the non-root user. Open PuTTY
again, and connect to your server. This time, log in as the non-root user,
derek in our example.
We will use the non-root user from this point forward. Therefore commands
that are normally restricted to the
root user will be prefixed with
sudo from now on in this article.
Your SSH configuration file is located at
To edit this file, enter the command:
sudo nano /etc/ssh/sshd_config
You will be taken into the
nano editor. (More experienced Linux
users may prefer to use the
vi editor rather than
The most important special function keys in
nano are indicated
at the bottom of the screen. Ctrl+O writes your file out to
disk, and Ctrl+X exits the editor.
We will prevent
root login and prevent password login by
changing the appropriate lines to read as follows (these lines will not all be
in one place in the file, and you will need to look for their location in the
This means that only non-root users, with an SSH public key on the server, will be able to log in to the server.
Do Ctrl+O to write your file out to disk, and Ctrl+X to exit the editor.
Restart your SSH server to pick up these changes:
sudo service ssh restart
You will improve the security of your server if you always have the most up-to-date versions of all software packages. Update your package lists and your packages themselves by issuing the commands:
sudo apt-get update
sudo apt-get upgrade
(With Linux kernels above version 4.0, you no longer strictly need to reboot after every kernel upgrade.)
You should update your packages frequently from now on, typically weekly, or more frequently if you hear about a fix being issued for a serious security flaw.
We will use the
iptables firewall to restrict input traffic to
the server. All unauthorized packets will be dropped.
Allow input for connections that are already established:
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
(On this web page, long commands may appear to span multiple lines. Enter them as a single command.)
Allow input on the loopback interface. This is input directed from the VPS to localhost:
sudo iptables -A INPUT -i lo -j ACCEPT
Whitelist your own input on port 22. It is vitally important to protect port
22 (the SSH port) against intrusions. In the example given below, your local ISP
allocates IP addresses to you in the range
18.104.22.168. In classless inter-domain routing (CIDR) notation,
sudo iptables -A INPUT -p tcp --dport 22 -s 22.214.171.124/16 -j ACCEPT
If you can guarantee that you will always have a static IP address, you can
substitute it as the source, e.g.
-s 126.96.36.199/32. If you cannot
guarantee your IP address or the range it will come from, you must unfortunately
leave the source unspecified in the above, which leaves port 22 open to the
Allow PING requests to your VPS:
sudo iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
All other packets will be dropped as a policy:
sudo iptables -P INPUT DROP
To make your firewall rules persist across reboots, issue the command:
sudo apt-get install iptables-persistent
iptables-persistent was already installed, then instead of
installing it, reconfigure it with the command:
sudo dpkg-reconfigure iptables-persistent
You can review your
iptables rules with the commands:
sudo iptables -nvL
To exit your SSH session, enter the command:
You will be logged out, and PuTTY will close automatically.