What’s your go-to process for securing a freshly provisioned VPS?

Emily Routledge

I’ve just spun up a new Ubuntu VPS and want to lock it down properly before deploying any sites or apps. What steps, tools, and configurations do you always apply (e.g. SSH hardening, firewall rules, intrusion prevention, automatic updates) to ensure a secure baseline?

Concrete examples or scripts are welcome!
 

CharityHost_org

Assuming you are not using a control panel and going headless, then:
1. Create and add an SSH key, so you do not use password login over SSH.
2. Set root login in sshd_config to 'without-password', or create a sudo user and set it to 'no'.
3. Install CSF and tune csf.conf; take your time to read csf.conf carefully to set it optimally.
4. Check the auto-update settings; look for automatic updates in the Ubuntu community online docs.
5. Make sure you reboot every so often, once every month to 3 months, to get the latest kernel updates. Or use Ubuntu Pro, which is a paid subscription in general.

Depending on what the use case is for your server, there are other optimizations you can do... Will vary.

If you plan to create and manage many servers, consider using ansible or something like it to manage the server configurations and updates/reboots.
 

Philippe Gaucher

Nice move setting things up before going live, that’s the right way to do it. First thing I always do is disable root SSH login and change the default SSH port to something like 2222 to cut down on brute-force bots. Then I install ufw and set up basic rules, only allow SSH, HTTP, and HTTPS for now. Something like:

Code:
ufw allow 2222/tcp
ufw allow http
ufw allow https
ufw enable
Next, I install fail2ban, default settings work pretty well out of the box, especially for protecting SSH. Then I set up unattended upgrades so security patches install automatically:

Code:
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
Also, create a new sudo user and disable password auth if you're using SSH keys; it's way more secure. You might also want to install something like rkhunter or lynis for periodic scans. It’s also smart to monitor login attempts with something like logwatch.
 

Kaz Wolfe

I’ve just spun up a new Ubuntu VPS and want to lock it down properly before deploying any sites or apps. What steps, tools, and configurations do you always apply (e.g. SSH hardening, firewall rules, intrusion prevention, automatic updates) to ensure a secure baseline?
Nice move securing it early! Here’s a solid quick-start:

SSH Hardening: Disable root login, change the default port, use key-based auth only (/etc/ssh/sshd_config).
Firewall: Use ufw to allow only essential ports (e.g., 22, 80, 443).
Fail2Ban: Install it to block brute-force attempts automatically.
Automatic Updates: Enable with unattended-upgrades to patch security issues.
Remove unused packages/services and keep your system lean.
Create a non-root user with sudo access for daily tasks.

Hope it helps!
 

DariaVPS

Get in, change the SSH port, kill password logins, and block root. Use keys only. Done.
Lock it down with UFW — allow your SSH port, HTTP, HTTPS, and shut everything else out.
Throw Fail2ban on there to slap away bots trying to brute-force you.
Set auto-updates so security patches don’t slip through.
Check what’s listening with ss -tulnp — if it shouldn’t be there, stop and remove it.
Make a normal user with sudo — stop running as root already.
That’s the fast track to a safer box.
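
An added example, not written by any poster in this thread: the `ss` check mentioned above turned into a filter that lists sockets listening on a non-loopback address whose port is not among the ports the firewall is meant to allow. The function name, the allowed-port list and the sample `ss -H -tuln` output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag listeners that are reachable from outside but not
# on the list of ports you intend to expose.
# stdin: output of `ss -H -tuln`    $1: space-separated allowed ports

unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            la = $5                           # "Local Address:Port" column
            port = la; sub(/.*:/, "", port)   # text after the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            sub(/%.*/, "", addr)              # drop scope, e.g. 127.0.0.53%lo
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            if (!(port in ok)) print $1, la
        }'
}

# Constructed sample input (not captured from a real server).
SAMPLE_SS='tcp   LISTEN 0 4096 127.0.0.53%lo:53   0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:2222       0.0.0.0:*
tcp   LISTEN 0 511  0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0 151  0.0.0.0:3306       0.0.0.0:*
tcp   LISTEN 0 128  [::]:2222          [::]:*
tcp   LISTEN 0 511  127.0.0.1:6379     0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:68         0.0.0.0:*'

# On a real host:  ss -H -tuln | unexpected_listeners "2222 80 443"
```

With the sample input and the ports 2222, 80 and 443 allowed, the function reports the database listener on 0.0.0.0:3306 and the UDP socket on port 68; the loopback-only resolver and Redis entries are skipped.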
 

Aaron Lavers

Here’s a concise secure baseline I always apply for a fresh Ubuntu VPS:


Update everything

Code:
apt update && apt upgrade -y

Create a new user (disable root SSH later)
Code:
adduser deploy
usermod -aG sudo deploy

SSH hardening
Edit the config file:
Code:
/etc/ssh/sshd_config
Add or modify these lines:
Code:
Port 2222
PermitRootLogin no
PasswordAuthentication no
Restart SSH:
Code:
# On Ubuntu the OpenSSH service unit is named "ssh"
systemctl restart ssh

UFW firewall
Code:
ufw allow 2222/tcp
ufw allow http
ufw allow https
ufw enable

Fail2ban
Code:
apt install fail2ban -y

Automatic security updates
Code:
apt install unattended-upgrades -y
dpkg-reconfigure --priority=low unattended-upgrades

SSH key authentication only
Generate SSH key on your local machine and add the public key to:
Code:
~/.ssh/authorized_keys
 

zayanhani

Honestly I usually start with the basics and then tweak as I go. First thing I do is update the OS and packages, set up a strong SSH key instead of password login, and change the default SSH port. Then I install a firewall (like UFW or CSF) and Fail2Ban to block repeated login attempts.

After that I look into securing the services I actually need and disable everything else. I am still learning, though. Does anyone here have extra tips for really locking down a VPS without breaking functionality?
 

ITivan80

My Go-To VPS Hardening Process (Step-By-Step)
1. Update Everything Immediately


# Debian/Ubuntu
apt update && apt full-upgrade -y

# RHEL/CentOS/Alma/Rocky
dnf update -y


Why: Patches kernel vulns, SSH bugs, OpenSSL issues, etc.


2. Create a Non-Root User With Sudo


adduser ivan
usermod -aG sudo ivan # Debian/Ubuntu
# or
usermod -aG wheel ivan # RHEL-based


Logging in as root should be avoided.


3. Set Up SSH Key Authentication

Generate a key (on your local machine):



ssh-keygen -t ed25519


Upload it:



mkdir -p ~/.ssh
nano ~/.ssh/authorized_keys # paste key
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys


4. Lock Down SSH

Edit:



nano /etc/ssh/sshd_config


Recommended changes:



PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
# Newer OpenSSH releases call this KbdInteractiveAuthentication (old name still accepted)
ChallengeResponseAuthentication no
# Optional: change to a different port
Port 22


Then reload:



systemctl reload sshd


5. Install a Firewall (UFW or firewalld)
UFW example:


ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp
ufw enable

firewalld example (CentOS/Alma/Rocky):


firewall-cmd --add-service=ssh --permanent
firewall-cmd --reload


6. Install Fail2Ban or SSHGuard

These ban repeated SSH brute-force attempts.

Fail2Ban:


apt install fail2ban -y
# OR
dnf install fail2ban -y
systemctl enable --now fail2ban


7. Configure Automatic Security Updates
Debian/Ubuntu:


apt install unattended-upgrades -y
dpkg-reconfigure unattended-upgrades

RHEL/Alma/Rocky:


dnf install dnf-automatic -y
systemctl enable --now dnf-automatic.timer


8. Set Up Basic Logging & Monitoring

  • Install logwatch
  • Configure systemd journal persistence
  • Optionally: install Netdata, Prometheus node exporter, or cockpit

Example:



apt install logwatch -y


9. Disable Unnecessary Services

Check active services:



systemctl list-units --type=service


Disable what you don’t need:



systemctl disable --now service_name


10. If You're Hosting Public Services: Run Them in Containers

Docker or Podman isolates each app from the system:



apt install docker.io


11. Optional: Kernel Hardening With Sysctl

Edit:



nano /etc/sysctl.d/10-security.conf


Recommended:



kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1


Apply:



sysctl --system


12. Setup Backups + Snapshots

  • Configure off-server backups (Backblaze B2, S3, rsync to another VPS).
  • Enable provider snapshots (OVH, Hetzner, DO, Linode, etc.)

13. Use a WAF if Hosting Websites

Options:


  • Cloudflare (free)
  • Nginx ModSecurity
  • Caddy security plugins

✔ TL;DR Checklist

  • Patch system
  • Create sudo user
  • SSH keys
  • Disable root login
  • Firewall + Fail2ban
  • Auto security updates
  • Disable unnecessary services
  • Monitoring/logging
  • Snapshots + backups
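
An added example, not written by any poster in this thread: a check of the effective sshd settings against the directives recommended in the posts above. It reads `sshd -T` output, which reflects drop-in files under /etc/ssh/sshd_config.d/ as well as the main file, so it catches a drop-in that overrides an edit made to sshd_config. The function and variable names and the sample input are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare effective sshd settings with the thread's baseline.
# stdin: output of `sshd -T` (lowercase "keyword value" lines).

# Baseline directives taken from the posts above. "a|b" lists alternative
# keyword names: newer OpenSSH prints kbdinteractiveauthentication where
# older releases print challengeresponseauthentication.
BASELINE='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
permitemptypasswords no
kbdinteractiveauthentication|challengeresponseauthentication no'

# Prints one line per directive; exit status is the number of failures.
audit_sshd() {
    local effective key want got fails
    fails=0
    effective=$(cat)
    while read -r key want; do
        got=$(printf '%s\n' "$effective" |
              awk -v k="$key" '$1 ~ ("^(" k ")$") { print $2; exit }')
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key is '${got:-unset}', want '$want'"
            fails=$((fails + 1))
        fi
    done <<EOF
$BASELINE
EOF
    return "$fails"
}

# Constructed sample: sshd_config says "PasswordAuthentication no", but a
# drop-in that is read first (hypothetical 50-cloud-init.conf) says "yes".
SAMPLE_OVERRIDDEN='port 2222
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes
permitemptypasswords no
kbdinteractiveauthentication no'

# On a real host, as root:  sshd -T | audit_sshd
```

Run it from a second session before closing the one used to edit the configuration, so a failed check can still be corrected.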
 