You just deployed your VPS. The system is running, but you're not done yet. A fresh VPS is like an unlocked door – it works, but it's not safe. According to security data, a default‑configured VPS receives hundreds of SSH login attempts within 24 hours of deployment[reference:0].
This guide walks you through the essential security and performance steps you should complete immediately after deploying any Ubuntu VPS.
SSH Security – Securing Your Primary Entry Point
SSH is the most frequently attacked service on any VPS[reference:1]. Here are three must‑do steps.
1. Change the Default SSH Port
Port 22 is the first target for automated scanners. Moving to a high port (1024‑65535) filters out 99% of automated attacks[reference:2].
sudo sed -i 's/#Port 22/Port 2222/' /etc/ssh/sshd_config
sudo systemctl restart sshd
Critical: Test the new port in a separate terminal before closing your current session. If you get locked out, you still have a way back in[reference:3].
2. Disable Root Login
Root has unlimited system access. If compromised, your entire server is at risk. Create a regular user and use it for daily tasks[reference:4]:
sudo adduser yourname
sudo usermod -aG sudo yourname
echo "PermitRootLogin no" | sudo tee -a /etc/ssh/sshd_config
sudo systemctl restart sshd
3. Enable SSH Key Authentication
Password authentication is vulnerable to brute‑force attacks. SSH keys are much more secure[reference:5]:
# On your local machine
ssh-keygen -t ed25519 -C "your_email@example.com"
ssh-copy-id -p 2222 yourname@your_server_ip
Once keys work, disable password authentication entirely[reference:6]:
echo "PasswordAuthentication no" | sudo tee -a /etc/ssh/sshd_config
sudo systemctl restart sshd
Firewall Configuration – Controlling Traffic
UFW (Uncomplicated Firewall) is the simplest way to manage iptables on Ubuntu[reference:7]. Install and configure it[reference:8]:
sudo apt update && sudo apt install ufw -y
sudo ufw allow 2222/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw --force enable
sudo ufw status verbose
Never enable UFW without first allowing your SSH port. You will lock yourself out[reference:9].
Add rate limiting to protect against brute‑force attempts[reference:10]:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw limit 2222/tcp
Fail2ban – Automatic Malicious IP Blocking
UFW is static. Fail2ban is dynamic – it watches logs and temporarily bans IPs that repeatedly fail login attempts[reference:11]:
sudo apt install fail2ban -y
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit /etc/fail2ban/jail.local and set maxretry = 3, bantime = 3600.
Performance Tuning – System‑Level Optimization
Adjusting a few kernel parameters improves performance under load[reference:12]:
sudo nano /etc/sysctl.conf
Add these lines:
vm.swappiness=10
net.core.somaxconn=4096
Apply changes:
sudo sysctl -p
These three steps – SSH hardening, firewall configuration, and Fail2ban – give your VPS a solid security foundation. Performance tuning ensures your server runs efficiently under load[reference:13].
Need a VPS to practice on? Check our recommended VPS providers.