After purchasing a VPS, the server is already accessible from the internet, so it is better to secure it before installing websites, control panels, databases, or Docker applications. Basic security configuration helps reduce the risk of brute force attacks, close unnecessary ports, and protect the server from typical automated scans.
1. Update the System
The first thing to do after logging in to the server is to update the packages. This fixes known vulnerabilities and bugs in already installed components.
For Debian/Ubuntu:
sudo apt update
sudo apt upgrade -y
For AlmaLinux/Rocky Linux/CentOS:
sudo dnf update -y
After a major update, a reboot may be required:
sudo reboot
2. Create a Separate User Instead of Using root
You should not work as root all the time. It is better to create a separate user and grant administrator privileges through sudo.
sudo adduser adminuser
sudo usermod -aG sudo adminuser
Check login with the new user:
ssh adminuser@SERVER_IP
Check sudo privileges:
sudo whoami
Expected response:
root
Warning
Before disabling root login, make sure the new user can successfully log in via SSH.
3. Configure SSH Keys and Disable Password Login
A password can be guessed through a brute force attack. SSH keys are much more secure, so it is better to use them.
Create a key on your local computer:
ssh-keygen -t ed25519 -C "admin@example.com"
Copy the key to the server:
ssh-copy-id adminuser@SERVER_IP
After checking that key-based login works, open the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Specify:
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
MaxAuthTries 3
Check the configuration:
sudo sshd -t
Reload SSH:
sudo systemctl reload ssh
or:
sudo systemctl reload sshd
Important
Do not close the current SSH session until you test login in a new terminal tab.
4. Enable the Firewall and Leave Only the Required Ports Open
The firewall should allow only the ports that are actually needed. For a regular web server, the following ports are usually enough:
22/tcp — SSH
80/tcp — HTTP
443/tcp — HTTPS
Install UFW on Debian/Ubuntu:
sudo apt install ufw -y
Allow the required ports:
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Enable the firewall:
sudo ufw enable
Check the status:
sudo ufw status verbose
A safer option is to allow SSH only from your IP:
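sudo ufw allow from YOUR_TRUSTED_IP to any port 22 proto tcp
# Remove the broad "allow 22/tcp" rule if it was added above: UFW applies the first matching rule, so it would still admit every address
sudo ufw delete allow 22/tcp
sudo ufw deny 22/tcp
5. Check Open Ports and Disable Unnecessary Services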
After configuring the firewall, check which services are listening on ports:
sudo ss -tulpn
Pay attention to the addresses:
0.0.0.0:PORT — the service is listening on all interfaces
127.0.0.1:PORT — the service is available only locally
Databases and internal services usually should not be exposed to the outside:
MySQL/MariaDB — 3306
PostgreSQL — 5432
Redis — 6379
MongoDB — 27017
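As an added example (not part of the original guide), the shell function below filters `ss -tulpn` output for the four database ports listed above and reports those bound to a non-loopback address. The function name `exposed_db_listeners` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag database listeners that are bound beyond loopback.
# Input: output of `ss -tulpn` (Netid column present, local address in field 5).

exposed_db_listeners() {
  awk '
    BEGIN {
      # Ports taken from the list above
      svc["3306"] = "MySQL/MariaDB"; svc["5432"]  = "PostgreSQL"
      svc["6379"] = "Redis";         svc["27017"] = "MongoDB"
    }
    $1 == "Netid" { next }                    # skip the header row
    {
      la = $5                                 # e.g. 0.0.0.0:3306 or [::]:5432
      n = split(la, parts, ":")
      port = parts[n]                         # text after the last colon
      addr = substr(la, 1, length(la) - length(port) - 1)
      if (!(port in svc)) next                # not one of the database ports
      if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: fine
      printf "%s\t%s\n", svc[port], la
    }
  '
}

# Constructed sample of `ss -tulpn` output (not taken from a real server).
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*  users:(("systemd-resolve",pid=512,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*  users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      151    0.0.0.0:3306       0.0.0.0:*  users:(("mysqld",pid=1190,fd=21))
tcp   LISTEN 0      511    127.0.0.1:6379     0.0.0.0:*  users:(("redis-server",pid=955,fd=6))
tcp   LISTEN 0      244    [::]:5432          [::]:*     users:(("postgres",pid=1022,fd=5))
tcp   LISTEN 0      4096   127.0.0.1:27017    0.0.0.0:*  users:(("mongod",pid=1301,fd=11))'

# Run against the sample; on a server use: sudo ss -tulpn | exposed_db_listeners
printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_db_listeners
```

An empty result means none of the four ports is bound to a non-loopback address.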
Check running services:
systemctl --type=service --state=running
Stop and disable an unnecessary service:
sudo systemctl disable --now SERVICE_NAME
6. Install Fail2Ban
Fail2Ban protects SSH from mass login attempts. It analyzes logs and temporarily blocks IP addresses that make many failed authentication attempts.
Install it:
sudo apt install fail2ban -y
Create an SSH configuration:
sudo nano /etc/fail2ban/jail.d/sshd.local
Example:
[sshd]
enabled = true
port = ssh
filter = sshd
backend = systemd
maxretry = 5
findtime = 10m
bantime = 1h
Start Fail2Ban:
sudo systemctl enable --now fail2ban
sudo systemctl restart fail2ban
Check the status:
sudo fail2ban-client status sshd
Conclusion
Basic VPS security hardening can be reduced to six main actions:
- update the system;
- create a separate administrator user;
- secure SSH;
- enable the firewall;
- close unnecessary ports and services;
- install Fail2Ban and configure backups.
These steps do not make the server completely invulnerable, but they significantly reduce the risk of common attacks and mistakes after purchasing a VPS.