You just bought a VPS. Now what? Security often gets ignored until something breaks. This checklist covers 10 essential steps you should complete within your first hour of server setup.
1. Update Your System Immediately
Outdated software has known vulnerabilities. Run these commands on any fresh Ubuntu/Debian VPS:
```bash
sudo apt update
sudo apt upgrade -y
```
Enable automatic security updates to stay protected:
```bash
sudo apt install unattended-upgrades -y
```
2. Create a Non‑Root User
Running everything as root is dangerous: a single mistake can break the whole system. Create a regular user with sudo privileges:
```bash
sudo adduser yourname
sudo usermod -aG sudo yourname
```
Log out and log back in as the new user.
3. Set Up SSH Key Authentication
Passwords can be guessed; SSH keys are far harder to attack. Key authentication is one of the most effective ways to secure access to your VPS: instead of a password, it relies on a cryptographic key pair, which greatly reduces the risk of brute-force attacks.
Generate a key pair and copy the public key to your VPS:
```bash
ssh-keygen -t ed25519 -C "your_email@example.com"
ssh-copy-id yourname@your_server_ip
```
4. Disable Password Authentication
Once key-based login works, disable password login entirely. Edit /etc/ssh/sshd_config and set:
```
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
```
Restart SSH, keeping your current session open until a fresh key-based login succeeds:
```bash
sudo systemctl restart sshd
```
5. Change the Default SSH Port
Port 22 is scanned constantly. Moving to a different port (like 2222) cuts down the noise from automated scanners; it hides nothing from a targeted attacker, so treat it as a complement to steps 3 and 4, not a replacement. Update /etc/ssh/sshd_config:
```
Port 2222
```
Restart SSH and confirm you can connect on the new port before closing your current session.
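As an added example (not part of the checklist), here is a script that checks which values sshd will actually honour for the step 4 and 5 directives, following Include lines in the order sshd does; it audits a constructed config under a temporary directory, so nothing on the real system is read or changed.

```shell
# Added example (not from the checklist): check the step 4/5 sshd directives
# as sshd reads them. sshd keeps the FIRST value it sees for a keyword, and
# Ubuntu's stock sshd_config opens with "Include /etc/ssh/sshd_config.d/*.conf",
# so a cloud-init drop-in saying "PasswordAuthentication yes" silently wins.
# Authoritative live check: sudo sshd -T | grep -i passwordauthentication
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }
# effective_value FILE KEYWORD: first value sshd would use, following absolute
# Include globs in order and stopping at the first Match block. Relative
# Include paths (resolved by sshd under /etc/ssh) are out of scope here.
effective_value() {
  f=$1; key=$(lc "$2")
  [ -r "$f" ] || return 0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line#"${line%%[![:space:]]*}"}             # trim leading blanks
    case "$line" in ''|\#*) continue ;; esac            # blank or comment line
    kw=${line%%[[:space:]]*}
    rest=${line#"$kw"}; rest=${rest#"${rest%%[![:space:]]*}"}
    case "$(lc "$kw")" in
      match) break ;;                                  # later lines are conditional
      include) for inc in $rest; do                    # glob expands here, in sshd order
                 v=$(effective_value "$inc" "$key")
                 [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
               done ;;
      "$key") printf '%s\n' "${rest%%[[:space:]]*}"; return 0 ;;
    esac
  done < "$f"
  return 0
}
# audit_sshd FILE: report each step-4 directive and the port; status 0 only if all three hold.
audit_sshd() {
  rc=0
  for pair in PasswordAuthentication=no ChallengeResponseAuthentication=no PermitRootLogin=no; do
    key=${pair%%=*}; want=${pair#*=}; got=$(effective_value "$1" "$key")
    if [ "$(lc "$got")" = "$want" ]; then printf 'OK   %s %s\n' "$key" "$got"
    else printf 'FAIL %s %s (want %s)\n' "$key" "${got:-<unset>}" "$want"; rc=1; fi
  done
  printf 'INFO Port %s\n' "$(effective_value "$1" Port)"; return $rc
}
# Constructed fixture like an Ubuntu cloud image, in a temp dir (real /etc/ssh untouched).
make_fixture() {
  d=$(mktemp -d); mkdir "$d/sshd_config.d"
  printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-cloud-init.conf"
  printf '%s\n' "Include $d/sshd_config.d/*.conf" 'Port 2222' 'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' 'PermitRootLogin no' > "$d/sshd_config"
  printf '%s\n' "$d"
}
dir=$(make_fixture)
audit_sshd "$dir/sshd_config" || echo "a drop-in overrides step 4; fix it, then: sudo sshd -t && sudo systemctl restart sshd"
rm -rf "$dir"
```

On the constructed config the audit reports FAIL for PasswordAuthentication (the drop-in's "yes" wins) even though the main file says "no", which is exactly what `sshd -T` would show on such a server.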
6. Set Up a Firewall with UFW
A firewall blocks unwanted connections. Allow only the ports you need (2222 here matches the SSH port from step 5; use 22 if you kept the default), then enable the firewall:
```bash
sudo ufw allow 2222/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
```
Check status:
```bash
sudo ufw status verbose
```
7. Install Fail2ban
Fail2ban temporarily bans IPs that repeatedly fail to log in. Install it and create a local override (fail2ban reads jail.local on top of the stock jail.conf, which you should leave untouched):
```bash
sudo apt install fail2ban -y
sudo nano /etc/fail2ban/jail.local
```
Add an [sshd] section. The port must match the one SSH actually listens on (2222 after step 5), otherwise bans are applied to the wrong port:
```ini
[sshd]
enabled = true
port = 2222
maxretry = 3
bantime = 3600
```
8. Set Up a Free SSL Certificate
Encrypt traffic to and from your websites. Let's Encrypt issues free certificates for HTTPS; the commands below assume nginx is your web server (certbot ships an equivalent plugin for Apache):
```bash
sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d yourdomain.com
```
9. Disable Unused Services
Every running service is a potential attack vector. Disable daemons you don't use to reduce your exposure:
```bash
sudo systemctl disable service_name
sudo systemctl stop service_name
```
10. Set Up Regular Backups
Backups won't prevent attacks, but they'll save you when something goes wrong. Use rsync with cron for daily automated backups, store them somewhere other than the VPS itself, and test a restore at least once.
Quick Reference
| Step | Task | Done? |
|---|---|---|
| 1 | Update system + enable auto upgrades | ☐ |
| 2 | Create non‑root user | ☐ |
| 3 | Set up SSH key authentication | ☐ |
| 4 | Disable password authentication | ☐ |
| 5 | Change SSH port | ☐ |
| 6 | Set up UFW firewall | ☐ |
| 7 | Install Fail2ban | ☐ |
| 8 | Set up SSL certificate | ☐ |
| 9 | Disable unused services | ☐ |
| 10 | Set up regular backups | ☐ |