How to Secure Your Linux VPS After Initial Setup

Why Server Security Matters Immediately

The moment a new VPS is provisioned and connected to the internet, automated bots begin scanning for open ports and vulnerabilities. Within minutes of launch, your server could be receiving brute-force SSH login attempts. Taking the right security steps immediately after setup is not optional — it's essential.

This guide walks through the most important hardening steps for a fresh Linux VPS running Ubuntu or Debian.

Step 1: Update All Packages First

Before anything else, ensure your system is fully up to date. Many vulnerabilities exist in outdated software packages:

apt update && apt upgrade -y

Reboot the server if kernel updates were applied: reboot

Step 2: Create a Non-Root User

Logging in directly as root is a security risk. Create a regular user and grant it sudo privileges:

adduser yourusername
usermod -aG sudo yourusername

From this point on, always log in as this user and use sudo when elevated privileges are needed.

Step 3: Set Up SSH Key Authentication

Password-based SSH logins are vulnerable to brute-force attacks. Switch to SSH key authentication instead:

1. On your local machine, generate a key pair: ssh-keygen -t ed25519
2. Copy the public key to your server: ssh-copy-id yourusername@your_server_ip
3. Test that key-based login works before proceeding to disable passwords.

Once confirmed, edit /etc/ssh/sshd_config and set:

• PasswordAuthentication no
• PermitRootLogin no

Restart SSH: systemctl restart sshd

Step 4: Change the Default SSH Port

Port 22 is the default SSH port and is constantly targeted by automated scanners. Changing it won't stop a determined attacker, but it dramatically reduces automated noise:

In /etc/ssh/sshd_config, change Port 22 to a high, non-standard port (e.g., Port 2222 or a random 5-digit number). Remember to open this port in your firewall first.

Step 5: Configure a Firewall (UFW)

UFW (Uncomplicated Firewall) is the easiest way to manage firewall rules on Ubuntu/Debian:

apt install ufw
ufw default deny incoming
ufw default allow outgoing
ufw allow 2222/tcp        # your custom SSH port
ufw allow 80/tcp          # HTTP
ufw allow 443/tcp         # HTTPS
ufw enable

Only open ports that your services genuinely require. Verify active rules with ufw status verbose.

Step 6: Install Fail2Ban

Fail2Ban monitors log files and automatically bans IP addresses that show signs of malicious activity (such as repeated failed SSH logins):

apt install fail2ban
systemctl enable fail2ban
systemctl start fail2ban

The default configuration protects SSH out of the box. You can extend it to monitor Nginx, Apache, and other services through jail configuration files in /etc/fail2ban/jail.d/.

Step 7: Enable Automatic Security Updates

Configure your server to automatically install security patches:

apt install unattended-upgrades
dpkg-reconfigure --priority=low unattended-upgrades

This ensures critical security patches are applied even if you don't log in to the server regularly.

Step 8: Disable Unused Services

Each running service is a potential attack surface. List enabled services and disable any you don't need:

systemctl list-unit-files --type=service --state=enabled

Disable services with: systemctl disable service-name

Quick Security Checklist

• ✅ System packages updated
• ✅ Non-root sudo user created
• ✅ SSH key authentication enabled
• ✅ Password and root SSH login disabled
• ✅ SSH port changed from default
• ✅ UFW firewall configured
• ✅ Fail2Ban installed and running
• ✅ Automatic security updates enabled
• ✅ Unused services disabled

Security Is an Ongoing Practice

These steps create a strong security baseline, but server security is never "done." Regularly review your logs (/var/log/auth.log, /var/log/syslog), keep software updated, and periodically audit your firewall rules and running services as your server's role evolves.