What’s your go-to process for securing a freshly provisioned VPS?

Emily Routledge

I’ve just spun up a new Ubuntu VPS and want to lock it down properly before deploying any sites or apps. What steps, tools, and configurations do you always apply (e.g. SSH hardening, firewall rules, intrusion prevention, automatic updates) to ensure a secure baseline?

Concrete examples or scripts are welcome!
 

CharityHost_org

Assuming you are not using a control panel and going headless, then:
1. Create and add an SSH key, so you do not use password login over SSH.
2. Set root login in sshd_config to 'without-password', or create a sudo user and set it to 'no'.
3. Install CSF and tune csf.conf; take your time to read csf.conf carefully so you can set it optimally.
4. Check the auto-update settings; look for automatic updates in the Ubuntu community online docs.
5. Make sure you reboot every so often, once every month to 3 months, to get the latest kernel updates. Or use Ubuntu Pro, which is a paid subscription in general.

Depending on what the use case is for your server, there are other optimizations you can do... Will vary.

If you plan to create and manage many servers, consider using ansible or something like it to manage the server configurations and updates/reboots.
 

Philippe Gaucher

Nice move setting things up before going live, that’s the right way to do it. First thing I always do is disable root SSH login and change the default SSH port to something like 2222 to cut down on brute-force bots. Then I install ufw and set up basic rules, only allow SSH, HTTP, and HTTPS for now. Something like:

Code:
ufw allow 2222/tcp
ufw allow http
ufw allow https
ufw enable
Next, I install fail2ban, default settings work pretty well out of the box, especially for protecting SSH. Then I set up unattended upgrades so security patches install automatically:

Code:
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
Also, create a new sudo user and disable password auth if you're using SSH keys; way more secure. You might also want to install something like rkhunter or lynis for periodic scans. It’s also smart to monitor login attempts with something like logwatch.
 

Kaz Wolfe

> I’ve just spun up a new Ubuntu VPS and want to lock it down properly before deploying any sites or apps. What steps, tools, and configurations do you always apply (e.g. SSH hardening, firewall rules, intrusion prevention, automatic updates) to ensure a secure baseline?

Nice move securing it early! Here’s a solid quick-start:

SSH Hardening: Disable root login, change the default port, use key-based auth only (/etc/ssh/sshd_config).
Firewall: Use ufw to allow only essential ports (e.g., 22, 80, 443).
Fail2Ban: Install it to block brute-force attempts automatically.
Automatic Updates: Enable with unattended-upgrades to patch security issues.
Remove unused packages/services and keep your system lean.
Create a non-root user with sudo access for daily tasks.

Hope it helps!
 

DariaVPS

Get in, change the SSH port, kill password logins, and block root. Use keys only. Done.
Lock it down with UFW — allow your SSH port, HTTP, HTTPS, and shut everything else out.
Throw Fail2ban on there to slap away bots trying to brute-force you.
Set auto-updates so security patches don’t slip through.
Check what’s listening with ss -tulnp — if it shouldn’t be there, stop and remove it.
Make a normal user with sudo — stop running as root already.
That’s the fast track to a safer box.
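
The steps repeated across the replies above (no root login, no password logins, only the intended ports listening) can be checked after the fact. The script below is an added example, not code from any poster in this thread: it audits the effective sshd settings as printed by `sshd -T`, which matters on Ubuntu because drop-in files under /etc/ssh/sshd_config.d can override what was edited in sshd_config, and it lists non-loopback listeners from `ss -H -tuln` that are not on an allow list. The function names `check_sshd` and `exposed_ports`, the allow list, and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Live use (as root):
#   sshd -T | check_sshd;  ss -H -tuln | exposed_ports "2222 80 443"

# check_sshd: read effective settings ("keyword value" lines, the format
# `sshd -T` prints) on stdin. Prints one FAIL line per setting that breaks
# the thread's baseline; exit status is 1 if anything failed.
check_sshd() {
    awk '
        { kw = tolower($1); if (!(kw in v)) v[kw] = tolower($2) }
        END {
            r = v["permitrootlogin"]; p = v["passwordauthentication"]
            if (r != "no" && r != "prohibit-password" && r != "without-password")
                { print "FAIL permitrootlogin=" r; bad = 1 }
            if (p != "no") { print "FAIL passwordauthentication=" p; bad = 1 }
            if (v["pubkeyauthentication"] == "no")
                { print "FAIL pubkeyauthentication=no"; bad = 1 }
            exit bad + 0
        }'
}

# exposed_ports ALLOWED: read `ss -H -tuln` lines on stdin and print every
# non-loopback listener (proto/port) whose port is not in ALLOWED.
exposed_ports() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            port = $5; sub(/.*:/, "", port)            # text after the last colon
            host = substr($5, 1, length($5) - length(port) - 1)
            if (host ~ /^127\./ || host == "[::1]") next   # loopback only
            if (!(port in ok) && !seen[$1 "/" port]++) print $1 "/" port
        }' | sort
}

# Constructed sample input (not captured from a real host).
SAMPLE_SSHD='port 2222
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes'
SAMPLE_SS='udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:2222 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 151 0.0.0.0:3306 0.0.0.0:*
tcp LISTEN 0 128 [::]:2222 [::]:*
tcp LISTEN 0 4096 127.0.0.1:6379 0.0.0.0:*'

printf '%s\n' "$SAMPLE_SSHD" | check_sshd || true           # two FAIL lines
printf '%s\n' "$SAMPLE_SS" | exposed_ports "2222 80 443"    # tcp/3306
```

Run the sshd check from a second session before closing the first, so a misconfiguration does not lock you out.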
 