You just deployed your VPS. The system is running, but you're not done yet. A fresh VPS is like an unlocked door – it works, but it's not safe. According to security data, a default‑configured VPS receives hundreds of SSH login attempts within 24 hours of deployment[reference:0].

This guide walks you through the essential security and performance steps you should complete immediately after deploying any Ubuntu VPS.

SSH Security – Securing Your Primary Entry Point

SSH is the most frequently attacked service on any VPS[reference:1]. Here are three must‑do steps.

1. Change the Default SSH Port

Port 22 is the first target for automated scanners. Moving to a high port (1024‑65535) filters out 99% of automated attacks[reference:2].

sudo sed -i 's/#Port 22/Port 2222/' /etc/ssh/sshd_config
sudo systemctl restart sshd

Critical: Test the new port in a separate terminal before closing your current session. If you get locked out, you still have a way back in[reference:3].

2. Disable Root Login

Root has unlimited system access. If compromised, your entire server is at risk. Create a regular user and use it for daily tasks[reference:4]:

sudo adduser yourname
sudo usermod -aG sudo yourname
echo "PermitRootLogin no" | sudo tee -a /etc/ssh/sshd_config
sudo systemctl restart sshd

3. Enable SSH Key Authentication

Password authentication is vulnerable to brute‑force attacks. SSH keys are much more secure[reference:5]:

# On your local machine
ssh-keygen -t ed25519 -C "your_email@example.com"
ssh-copy-id -p 2222 yourname@your_server_ip

Once keys work, disable password authentication entirely[reference:6]:

echo "PasswordAuthentication no" | sudo tee -a /etc/ssh/sshd_config
sudo systemctl restart sshd

Firewall Configuration – Controlling Traffic

UFW (Uncomplicated Firewall) is the simplest way to manage iptables on Ubuntu[reference:7]. Install and configure it[reference:8]:

sudo apt update && sudo apt install ufw -y
sudo ufw allow 2222/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw --force enable
sudo ufw status verbose

Never enable UFW without first allowing your SSH port. You will lock yourself out[reference:9].

Add rate limiting to protect against brute‑force attempts[reference:10]:

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw limit 2222/tcp

Fail2ban – Automatic Malicious IP Blocking

UFW is static. Fail2ban is dynamic – it watches logs and temporarily bans IPs that repeatedly fail login attempts[reference:11]:

sudo apt install fail2ban -y
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit /etc/fail2ban/jail.local and set maxretry = 3, bantime = 3600.

Performance Tuning – System‑Level Optimization

Adjusting a few kernel parameters improves performance under load[reference:12]:

sudo nano /etc/sysctl.conf

Add these lines:

vm.swappiness=10
net.core.somaxconn=4096

Apply changes:

sudo sysctl -p

These three steps – SSH hardening, firewall configuration, and Fail2ban – give your VPS a solid security foundation. Performance tuning ensures your server runs efficiently under load[reference:13].

Need a VPS to practice on? Check our recommended VPS providers.