Beginner ⏱ 20 min

Post-Purchase Checklist

Follow these 10 essential security steps right after provisioning your new VPS to build a secure, stable foundation.

1

Update the System

Immediately update all packages to the latest versions to patch known security vulnerabilities.

    # Ubuntu / Debian
    apt update && apt upgrade -y
    # AlmaLinux / Rocky Linux
    dnf upgrade -y

2

Create a Non-Root User

Avoid using root for daily tasks. Create a regular user with sudo privileges.

    # Create user and add to sudo group
    adduser myuser
    usermod -aG sudo myuser    # Ubuntu/Debian
    # or
    usermod -aG wheel myuser   # AlmaLinux/Rocky

3

Set Up SSH Key Authentication

Generate an SSH key pair locally and upload the public key to your server for passwordless login.

    # Run on your local machine
    ssh-keygen -t ed25519
    ssh-copy-id -i ~/.ssh/id_ed25519.pub myuser@server_ip

4

Disable Root Login & Password Auth

Once key auth works, disable root remote login and password authentication to prevent brute-force attacks.

    # Edit SSH config
    sudo nano /etc/ssh/sshd_config
    # Set these values:
    PermitRootLogin no
    PasswordAuthentication no
    PubkeyAuthentication yes
    # Restart SSH
    sudo systemctl restart sshd

5

Change SSH Port

Move SSH from the default port 22 to a non-standard port (e.g., 2222) to reduce automated scan attacks.

    # In /etc/ssh/sshd_config:
    Port 2222
    # Restart SSH and update firewall
    sudo systemctl restart sshd

6

Configure Firewall

Only open necessary ports and block all other inbound traffic.

    # UFW (Ubuntu/Debian recommended)
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw allow 2222/tcp   # SSH (your custom port)
    sudo ufw allow 80/tcp     # HTTP
    sudo ufw allow 443/tcp    # HTTPS
    sudo ufw enable

    # firewalld (AlmaLinux/Rocky)
    sudo firewall-cmd --permanent --add-port=2222/tcp
    sudo firewall-cmd --permanent --add-service=http
    sudo firewall-cmd --permanent --add-service=https
    sudo firewall-cmd --reload

7

Install Fail2Ban

Automatically ban IP addresses that have too many failed login attempts, preventing SSH brute-force attacks.

    sudo apt install fail2ban -y   # Ubuntu/Debian
    sudo dnf install fail2ban -y   # AlmaLinux/Rocky
    # Enable and start
    sudo systemctl enable --now fail2ban

8

Set Timezone & Time Sync

Correct system time is critical for log analysis, SSL certificates, and scheduled tasks.

    # Set timezone (example: UTC)
    sudo timedatectl set-timezone UTC
    # Verify NTP sync is active
    timedatectl status
    # Should show: System clock synchronized: yes
    # (older systemd versions print: NTP synchronized: yes)

9

Enable Automatic Security Updates

Let the system automatically install security patches to reduce manual maintenance.

    # Ubuntu/Debian
    sudo apt install unattended-upgrades -y
    sudo dpkg-reconfigure -plow unattended-upgrades
    # AlmaLinux/Rocky
    sudo dnf install dnf-automatic -y
    sudo systemctl enable --now dnf-automatic.timer

10

Create an Initial Snapshot

After completing all steps above, create a system snapshot as a "clean baseline" you can restore to if anything goes wrong.

    # Create via your provider's control panel:
    # Vultr: Snapshots → Add Snapshot
    # DigitalOcean: Backups → Create Snapshot
    # Or back up key configs via CLI:
    sudo tar czf /root/config-backup.tar.gz /etc/ssh /etc/ufw

✅ After completing these steps, your VPS has basic security hardening in place. You can now start deploying applications, websites, or other services. Regularly check system logs (/var/log/auth.log) and Fail2Ban status.
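To confirm that steps 4 and 5 took effect, check the configuration sshd actually runs with rather than the file you edited: sshd keeps the first value it reads for each keyword, so an included drop-in file can silently override your changes. The script below is an added example, not part of the original guide; the function name audit_sshd and both sample inputs are constructed for illustration, and it assumes the custom port 2222 used above.

```shell
#!/bin/sh
# Added example: audit the effective sshd settings from steps 4 and 5.
# Reads `sshd -T` output (lowercase "keyword value" lines) on stdin.
# On a server:  sudo sshd -T | audit_sshd 2222

audit_sshd() {
    awk -v want_port="$1" '
        BEGIN {
            want["permitrootlogin"]        = "no"
            want["passwordauthentication"] = "no"
            want["pubkeyauthentication"]   = "yes"
        }
        { key = tolower($1) }
        (key in want) {
            seen[key] = 1
            if (tolower($2) != want[key]) {
                printf "FAIL %s is %s, expected %s\n", key, $2, want[key]
                bad++
            }
        }
        key == "port" {
            if ($2 == want_port) port_ok = 1
            else { printf "FAIL sshd listens on port %s, expected only %s\n", $2, want_port; bad++ }
        }
        END {
            for (k in want) if (!(k in seen)) {
                printf "FAIL %s not present in input\n", k; bad++
            }
            if (!port_ok) { printf "FAIL port %s is not configured\n", want_port; bad++ }
            exit (bad > 0)
        }'
}

# Constructed sample: every checklist value applied.
SAMPLE_GOOD='port 2222
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'

# Constructed sample: an included drop-in file re-enabled passwords.
SAMPLE_BAD='port 2222
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes'

printf '%s\n' "$SAMPLE_GOOD" | audit_sshd 2222 && echo "good sample: hardened"
printf '%s\n' "$SAMPLE_BAD"  | audit_sshd 2222 || echo "bad sample: not hardened"
```

Run the audit from your existing session and only log out once it exits 0 and a second terminal can log in with your key on the new port.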
