You just bought a VPS. Now what? A fresh VPS is barebones. You need to set it up before deploying anything.
This guide covers the essential first steps for any new VPS. No prior experience needed.
Step 1: Connect to Your VPS
You'll receive an IP address, username (usually root), and password from your provider. On Mac/Linux, open Terminal. On Windows, use PowerShell or install WSL.
ssh root@your_server_ip
Enter your password when prompted. You should see a welcome message.
Tip: If you see "connection refused," check that your provider has enabled SSH and that your firewall allows port 22.
Step 2: Update Your System
Always update a fresh VPS immediately. Outdated packages have security vulnerabilities.
For Ubuntu/Debian:
sudo apt update
sudo apt upgrade -y
For CentOS/AlmaLinux/Rocky:
sudo dnf update -y
This may take a few minutes. Wait for it to complete.
Step 3: Create a Non-Root User
Running everything as root is dangerous. One mistake can break your system. Create a regular user with sudo privileges.
sudo adduser yourname
sudo usermod -aG sudo yourname
Log out and log back in as your new user. Test that sudo works: sudo whoami should return "root".
Step 4: Set Up SSH Key Authentication
Passwords can be guessed. SSH keys are more secure. On your local machine, generate a key pair (if you don't have one):
ssh-keygen -t ed25519 -C "your_email@example.com"
Copy your public key to the VPS:
ssh-copy-id yourname@your_server_ip
Test logging in without a password. If it works, disable password authentication in /etc/ssh/sshd_config:
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
Restart SSH: sudo systemctl restart sshd
Warning: Keep your current SSH session open while testing the new configuration. If something breaks, you can still fix it.
Step 5: Set Up a Firewall (UFW)
A firewall blocks unwanted connections. Install UFW on Ubuntu/Debian:
sudo apt install ufw -y
Allow essential ports (change 22 to your SSH port if you changed it):
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Enable the firewall:
sudo ufw enable
Check status: sudo ufw status verbose
Step 6: Change the Default SSH Port (Optional but Recommended)
Port 22 is scanned constantly. Moving to a different port reduces automated attacks.
Edit /etc/ssh/sshd_config and change:
Port 2222
Then allow the new port in UFW:
sudo ufw allow 2222/tcp
Restart SSH and test the new port before closing your current session.
Step 7: Install Fail2ban
Fail2ban blocks IPs that repeatedly fail login attempts. Install it:
sudo apt install fail2ban -y
Create a configuration file:
sudo nano /etc/fail2ban/jail.local
Add this basic config:
[sshd]
enabled = true
port = 2222
maxretry = 3
bantime = 3600
Start and enable:
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
Step 8: Set Up Automatic Security Updates
Enable unattended upgrades to keep your VPS secure:
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades
Follow the prompts and select "Yes" for automatic updates.
Step 9: Set Your Timezone
Correct timezone matters for logs and cron jobs:
sudo timedatectl set-timezone Asia/Shanghai
Check with date to confirm.
Step 10: Install Basic Tools
Install useful utilities:
sudo apt install htop git curl wget net-tools -y
htop shows system resources. git is for version control. curl and wget download files. net-tools includes ifconfig.
Next Steps
Your VPS is now secured. You can install a web server (Nginx/Apache), database (MySQL/PostgreSQL), or deploy your application.
Need a VPS to practice on? Check our recommended VPS providers.