I often find myself spawning random DigitalOcean FreeBSD
droplets for prototyping web services. Just because they are temporary does not
mean that they should not have secure defaults however. Here’s a short script
that sets up sshd as well as initializes the ipfw firewall.
For AWS instances we’re better off using VPC with sane security groups to do our
firewalling for us.
It can be run using
ssh user@host 'sh -s' < script
It disables password authentication and allows only public key based
authentication, disables root login, limits retries. As for ipfw, it only allows
tcp in on port 22 by default.