After purchasing a VPS, the server is already accessible from the internet, so it is better to secure it before installing websites, control panels, databases, or Docker applications. Basic security configuration helps reduce the risk of brute-force attacks, close unnecessary ports, and protect the server from typical automated scans.
1. Update the System
The first thing to do after logging in to the server is to update the packages. This fixes known vulnerabilities and bugs in already installed components.
For Debian/Ubuntu:
sudo apt update
sudo apt upgrade -y
For AlmaLinux/Rocky Linux/CentOS:
sudo dnf update -y
After a major update, a reboot may be required:
sudo reboot
2. Create a Separate User Instead of Using root
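You should not work as root all the time. It is better to create a separate user and grant administrator privileges through sudo. The commands below use the sudo group, which is the administrator group on Debian/Ubuntu; on AlmaLinux/Rocky Linux/CentOS the equivalent group is wheel.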
sudo adduser adminuser
sudo usermod -aG sudo adminuser
Check login with the new user:
ssh adminuser@SERVER_IP
Check sudo privileges:
sudo whoami
Expected response:
root
Warning
Before disabling root login, make sure the new user can successfully log in via SSH.
3. Configure SSH Keys and Disable Password Login
A password can be guessed through a brute force attack. SSH keys are much more secure, so it is better to use them.
Create a key on your local computer:
ssh-keygen -t ed25519 -C "admin@example.com"
Copy the key to the server:
ssh-copy-id adminuser@SERVER_IP
After checking that key-based login works, open the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Specify:
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
MaxAuthTries 3
Check the configuration:
sudo sshd -t
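Reload SSH (the service is named ssh on Debian/Ubuntu):
sudo systemctl reload ssh
or, on AlmaLinux/Rocky Linux/CentOS, where it is named sshd:
sudo systemctl reload sshd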
Important
Do not close the current SSH session until you test login in a new terminal tab.
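The sshd -t check in this step validates syntax only. The script below is an added example, not part of the original guide: it compares the effective settings printed by sshd -T with the values from this step, which catches cases such as a drop-in file under /etc/ssh/sshd_config.d/ that sets a different value. The function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): compare the effective sshd
# settings with the values set in step 3. Function names are illustrative.
# Real use: sudo sshd -T | check_sshd_effective

# Reads `sshd -T` output on stdin, prints one line per problem, and
# returns 1 if a directive differs from the expected value or is absent.
check_sshd_effective() {
    awk '
    BEGIN {
        want["pubkeyauthentication"]         = "yes"
        want["passwordauthentication"]       = "no"
        want["kbdinteractiveauthentication"] = "no"
        want["permitrootlogin"]              = "no"
        want["maxauthtries"]                 = "3"
    }
    # sshd -T prints each keyword in lower case, followed by its value.
    ($1 in want) { got[$1] = $2 }
    END {
        bad = 0
        for (k in want) {
            if (!(k in got)) {
                printf "MISSING %s (expected %s)\n", k, want[k]; bad = 1
            } else if (got[k] != want[k]) {
                printf "MISMATCH %s = %s (expected %s)\n", k, got[k], want[k]; bad = 1
            }
        }
        exit bad
    }'
}

# Constructed sample: the state this step aims for.
sample_hardened() {
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
        'passwordauthentication no' 'kbdinteractiveauthentication no' \
        'permitrootlogin no' 'maxauthtries 3'
}

# Constructed sample: password login still effective, MaxAuthTries not
# applied, and one directive not reported at all.
sample_overridden() {
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
        'passwordauthentication yes' 'permitrootlogin no' 'maxauthtries 6'
}

sample_overridden | check_sshd_effective || true
```

Run it after the reload and before closing the existing session; a non-zero exit status means at least one setting from this step is not in effect.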
4. Enable the Firewall and Leave Only the Required Ports Open
The firewall should allow only the ports that are actually needed. For a regular web server, the following ports are usually enough:
22/tcp — SSH
80/tcp — HTTP
443/tcp — HTTPS
Install UFW on Debian/Ubuntu:
sudo apt install ufw -y
Allow the required ports:
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Enable the firewall:
sudo ufw enable
Check the status:
sudo ufw status verbose
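A safer option is to allow SSH only from your IP. UFW applies the first matching rule, so the general allow rule for port 22 added earlier has to be removed; a deny rule added after it would never be reached:
sudo ufw allow from YOUR_TRUSTED_IP to any port 22 proto tcp
sudo ufw delete allow 22/tcp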
5. Check Open Ports and Disable Unnecessary Services
After configuring the firewall, check which services are listening on ports:
sudo ss -tulpn
Pay attention to the addresses:
0.0.0.0:PORT — the service is listening on all interfaces
127.0.0.1:PORT — the service is available only locally
Databases and internal services usually should not be exposed to the outside:
MySQL/MariaDB — 3306
PostgreSQL — 5432
Redis — 6379
MongoDB — 27017
Check running services:
systemctl --type=service --state=running
Stop and disable an unnecessary service:
sudo systemctl disable --now SERVICE_NAME
6. Install Fail2Ban
Fail2Ban protects SSH from mass login attempts. It analyzes logs and temporarily blocks IP addresses that make many failed authentication attempts.
Install it:
sudo apt install fail2ban -y
Create an SSH configuration:
sudo nano /etc/fail2ban/jail.d/sshd.local
Example:
[sshd]
enabled = true
port = ssh
filter = sshd
backend = systemd
maxretry = 5
findtime = 10m
bantime = 1h
Start Fail2Ban:
sudo systemctl enable --now fail2ban
sudo systemctl restart fail2ban
Check the status:
sudo fail2ban-client status sshd
Conclusion
Basic VPS security hardening can be reduced to six main actions:
- update the system;
- create a separate administrator user;
- secure SSH;
- enable the firewall;
- close unnecessary ports and services;
- install Fail2Ban and configure backups.
These steps do not make the server completely invulnerable, but they significantly reduce the risk of common attacks and mistakes after purchasing a VPS.