{"id":20088,"date":"2026-05-15T15:39:28","date_gmt":"2026-05-15T12:39:28","guid":{"rendered":"https:\/\/unihost.com\/help\/?p=20088"},"modified":"2026-05-15T15:39:28","modified_gmt":"2026-05-15T12:39:28","slug":"linux-vps-security-hardening","status":"publish","type":"post","link":"https:\/\/unihost.com\/help\/linux-vps-security-hardening\/","title":{"rendered":"Basic Linux VPS Security Hardening After Purchase"},"content":{"rendered":"

After purchasing a VPS, the server is already accessible from the internet, so it is better to secure it before installing websites, control panels, databases, or Docker applications. Basic security configuration helps reduce the risk of brute force attacks, close unnecessary ports, and protect the server from typical automated scans<\/span><\/p>\n

1. Update the System<\/b><\/span><\/h2>\n

The first thing to do after logging in to the server is to update the packages. This fixes known vulnerabilities and bugs in already installed components.<\/span><\/p>\n

For Debian\/Ubuntu:<\/span><\/p>\n

sudo apt update\n<\/span>sudo apt upgrade -y<\/span><\/span><\/pre>\n
For AlmaLinux\/Rocky Linux\/CentOS:<\/span><\/p>\n
sudo dnf update -y<\/span><\/pre>\n
After a major update, a reboot may be required:<\/span><\/p>\n
sudo reboot<\/span><\/pre>\n
2. Create a Separate User Instead of Using root<\/b><\/span><\/h2>\n
You should not work as root all the time. It is better to create a separate user and grant administrator privileges through sudo.<\/span><\/p>\n
sudo adduser adminuser<\/span>\nsudo usermod -aG sudo adminuser<\/span><\/span><\/pre>\n
Check login with the new user:<\/span><\/p>\n
ssh adminuser@SERVER_IP<\/span><\/pre>\n
Check sudo privileges:<\/span><\/p>\n
sudo whoami<\/span><\/pre>\n
Expected response:<\/span><\/p>\n
root<\/span><\/pre>\n
Warning<\/strong><\/span>
Before disabling root login, make sure the new user can successfully log in via SSH.<\/span><\/p>\n
3. Configure SSH Keys and Disable Password Login<\/b><\/span><\/h2>\n
A password can be guessed through a brute force attack. SSH keys are much more secure, so it is better to use them.<\/span><\/p>\n
Create a key on your local computer:<\/span><\/p>\n
ssh-keygen -t ed25519 -C \"admin@example.com\"<\/span><\/pre>\n
Copy the key to the server:<\/span><\/p>\n
ssh-copy-id adminuser@SERVER_IP<\/span><\/pre>\n
After checking that key-based login works, open the SSH configuration file:<\/span><\/p>\n
sudo nano \/etc\/ssh\/sshd_config<\/span><\/pre>\n
Specify:<\/span><\/p>\n
PubkeyAuthentication yes<\/span>\nPasswordAuthentication no<\/span>\nKbdInteractiveAuthentication no<\/span>\nPermitRootLogin no<\/span>\nMaxAuthTries 3<\/span><\/span><\/pre>\n
Check the configuration:<\/span><\/p>\n
sudo sshd -t<\/span><\/pre>\n
Reload SSH:<\/span><\/p>\n
sudo systemctl reload ssh<\/span><\/pre>\n
or:<\/span><\/p>\n
sudo systemctl reload sshd<\/span><\/pre>\n
Important<\/strong><\/span>
Do not close the current SSH session until you test login in a new terminal tab.<\/span><\/p>\n
4. Enable the Firewall and Leave Only the Required Ports Open<\/b><\/span><\/h2>\n
The firewall should allow only the ports that are actually needed. For a regular web server, the following ports are usually enough:<\/span><\/p>\n
22\/tcp \u00a0 \u2014 SSH
\n<\/span>80\/tcp \u00a0 \u2014 HTTP
\n<\/span>443\/tcp\u00a0 \u2014 HTTPS<\/span><\/span><\/p>\n
Install UFW on Debian\/Ubuntu:<\/span><\/p>\n
sudo apt install ufw -y<\/span><\/pre>\n
Allow the required ports:<\/span><\/p>\n
sudo ufw allow 22\/tcp<\/span>\nsudo ufw allow 80\/tcp<\/span>\nsudo ufw allow 443\/tcp<\/span><\/span><\/pre>\n
Enable the firewall:<\/span><\/p>\n
sudo ufw enable<\/span><\/pre>\n
Check the status:<\/span><\/p>\n
sudo ufw status verbose<\/span><\/pre>\n
A safer option is to allow SSH only from your IP:<\/span><\/p>\n
sudo ufw allow from YOUR_TRUSTED_IP to any port 22 proto tcp<\/span>\nsudo ufw deny 22\/tcp<\/span><\/span><\/pre>\n
5. Check Open Ports and Disable Unnecessary Services<\/b><\/span><\/h2>\n
After configuring the firewall, check which services are listening on ports:<\/span><\/p>\n
sudo ss -tulpn<\/span><\/pre>\n
Pay attention to the addresses:<\/span><\/p>\n
0.0.0.0:PORT\u00a0 \u00a0 \u00a0 \u2014 the service is listening on all interfaces
\n<\/span>127.0.0.1:PORT\u00a0 \u00a0 \u2014 the service is available only locally<\/span><\/span><\/p>\n
Databases and internal services usually should not be exposed to the outside:<\/span><\/p>\n
MySQL\/MariaDB\u00a0 \u2014 3306
\n<\/span>PostgreSQL \u00a0 \u00a0 \u2014 5432
\n<\/span>Redis\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u2014 6379
\n<\/span>MongoDB\u00a0 \u00a0 \u00a0 \u00a0 \u2014 27017<\/span><\/span><\/p>\n
Check running services:<\/span><\/p>\n
systemctl --type=service --state=running<\/span><\/pre>\n
Stop and disable an unnecessary service:<\/span><\/p>\n
sudo systemctl disable --now SERVICE_NAME<\/span><\/pre>\n
6. Install Fail2Ban<\/b><\/span><\/h2>\n
Fail2Ban protects SSH from mass login attempts. It analyzes logs and temporarily blocks IP addresses that make many failed authentication attempts.<\/span><\/p>\n
Install it:<\/span><\/p>\n
sudo apt install fail2ban -y<\/span><\/pre>\n
Create an SSH configuration:<\/span><\/p>\n
sudo nano \/etc\/fail2ban\/jail.d\/sshd.local<\/span><\/pre>\n
Example:<\/span><\/p>\n
[sshd]<\/span>\nenabled = true<\/span>\nport = ssh<\/span>\nfilter = sshd<\/span>\nbackend = systemd<\/span>\nmaxretry = 5<\/span>\nfindtime = 10m<\/span>\nbantime = 1h<\/span><\/span><\/pre>\n
Start Fail2Ban:<\/span><\/p>\n
sudo systemctl enable --now fail2ban<\/span>\nsudo systemctl restart fail2ban<\/span><\/span><\/pre>\n
Check the status:<\/span><\/p>\n
sudo fail2ban-client status sshd<\/span><\/pre>\n
Conclusion<\/span><\/h2>\n
Basic VPS security hardening can be reduced to six main actions:<\/span><\/p>\n
    \n
  • update the system;<\/span><\/li>\n
  • create a separate administrator user;<\/span><\/li>\n
  • secure SSH;<\/span><\/li>\n
  • enable the firewall;<\/span><\/li>\n
  • close unnecessary ports and services;<\/span><\/li>\n
  • install Fail2Ban and configure backups.<\/span><\/li>\n<\/ul>\n
    These steps do not make the server completely invulnerable, but they significantly reduce the risk of common attacks and mistakes after purchasing a VPS.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"
    After purchasing a VPS, the server is already accessible from the internet, so it is better to secure it before installing websites, control panels, databases, or Docker applications. Basic security configuration helps reduce the risk of brute force attacks, close unnecessary ports, and protect the server from typical automated scans 1. Update the System The […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[679],"class_list":["post-20088","post","type-post","status-publish","format-standard","hentry","tag-linux"],"yoast_head":"\nBasic Linux VPS Security Hardening After Purchase<\/title>\n<meta name=\"description\" content=\"Basic steps to secure a Linux VPS after purchase: system updates, a separate sudo user, SSH keys, firewall setup, open port checks, and Fail2Ban.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/unihost.com\/help\/linux-vps-security-hardening\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Basic Linux VPS Security Hardening After Purchase\" \/>\n<meta property=\"og:description\" content=\"Basic steps to secure a Linux VPS after purchase: system updates, a separate sudo user, SSH keys, firewall setup, open port checks, and Fail2Ban.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/unihost.com\/help\/linux-vps-security-hardening\/\" \/>\n<meta property=\"og:site_name\" content=\"Unihost.FAQ\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/unihost\/\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-15T12:39:28+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/unihost.com\/help\/minio.php?.\/unihost-logo-alt.png\" \/>\n\t<meta property=\"og:image:width\" content=\"250\" \/>\n\t<meta property=\"og:image:height\" content=\"141\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Unihost Support\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@unihost\" \/>\n<meta name=\"twitter:site\" content=\"@unihost\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Unihost Support\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/unihost.com\/help\/linux-vps-security-hardening\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/unihost.com\/help\/linux-vps-security-hardening\/\"},\"author\":{\"name\":\"Unihost Support\",\"@id\":\"https:\/\/unihost.com\/help\/#\/schema\/person\/bb5ae95f38577c920e6a7507888b715a\"},\"headline\":\"Basic Linux VPS Security Hardening After Purchase\",\"datePublished\":\"2026-05-15T12:39:28+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/unihost.com\/help\/linux-vps-security-hardening\/\"},\"wordCount\":465,\"publisher\":{\"@id\":\"https:\/\/unihost.com\/help\/#organization\"},\"keywords\":[\"Linux\"],\"inLanguage\":\"en\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/unihost.com\/help\/linux-vps-security-hardening\/\",\"url\":\"https:\/\/unihost.com\/help\/linux-vps-security-hardening\/\",\"name\":\"Basic Linux VPS Security Hardening After Purchase\",\"isPartOf\":{\"@id\":\"https:\/\/unihost.com\/help\/#website\"},\"datePublished\":\"2026-05-15T12:39:28+00:00\",\"description\":\"Basic steps to secure a Linux VPS after purchase: system updates, a separate sudo user, SSH keys, firewall setup, open port checks, and Fail2Ban.\",\"breadcrumb\":{\"@id\":\"https:\/\/unihost.com\/help\/linux-vps-security-hardening\/#breadcrumb\"},\"inLanguage\":\"en\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/unihost.com\/help\/linux-vps-security-hardening\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/unihost.com\/help\/linux-vps-security-hardening\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Unihost\",\"item\":\"https:\/\/unihost.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Help\",\"item\":\"https:\/\/unihost.com\/help\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Basic Linux VPS Security Hardening After Purchase\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/unihost.com\/help\/#website\",\"url\":\"https:\/\/unihost.com\/help\/\",\"name\":\"Unihost.FAQ\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/unihost.com\/help\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/unihost.com\/help\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/unihost.com\/help\/#organization\",\"name\":\"Unihost\",\"alternateName\":\"Unihost\",\"url\":\"https:\/\/unihost.com\/help\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en\",\"@id\":\"https:\/\/unihost.com\/help\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/unihost.com\/help\/minio.php?2026\/01\/minio.png\",\"contentUrl\":\"https:\/\/unihost.com\/help\/minio.php?2026\/01\/minio.png\",\"width\":300,\"height\":300,\"caption\":\"Unihost\"},\"image\":{\"@id\":\"https:\/\/unihost.com\/help\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/unihost\/\",\"https:\/\/x.com\/unihost\",\"https:\/\/www.instagram.com\/unihost\/?hl=en\",\"https:\/\/www.linkedin.com\/company\/unihost-com\",\"https:\/\/www.youtube.com\/channel\/UCITKsxMDnslQY8brN3advgw\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/unihost.com\/help\/#\/schema\/person\/bb5ae95f38577c920e6a7507888b715a\",\"name\":\"Unihost Support\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en\",\"@id\":\"https:\/\/unihost.com\/help\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/a0c9db17c2a0d93e8a0d5ac123f8c5db750ad4d3d5657369c0c4e480f5af77b8?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/a0c9db17c2a0d93e8a0d5ac123f8c5db750ad4d3d5657369c0c4e480f5af77b8?s=96&d=mm&r=g\",\"caption\":\"Unihost Support\"},\"sameAs\":[\"https:\/\/unihost.com\/\"],\"url\":\"https:\/\/unihost.com\/help\/author\/support\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Basic Linux VPS Security Hardening After Purchase","description":"Basic steps to secure a Linux VPS after purchase: system updates, a separate sudo user, SSH keys, firewall setup, open port checks, and Fail2Ban.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/unihost.com\/help\/linux-vps-security-hardening\/","og_locale":"en_US","og_type":"article","og_title":"Basic Linux VPS Security Hardening After Purchase","og_description":"Basic steps to secure a Linux VPS after purchase: system updates, a separate sudo user, SSH keys, firewall setup, open port checks, and Fail2Ban.","og_url":"https:\/\/unihost.com\/help\/linux-vps-security-hardening\/","og_site_name":"Unihost.FAQ","article_publisher":"https:\/\/www.facebook.com\/unihost\/","article_published_time":"2026-05-15T12:39:28+00:00","og_image":[{"width":250,"height":141,"url":"https:\/\/unihost.com\/help\/minio.php?.\/unihost-logo-alt.png","type":"image\/png"}],"author":"Unihost Support","twitter_card":"summary_large_image","twitter_creator":"@unihost","twitter_site":"@unihost","twitter_misc":{"Written by":"Unihost Support","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/unihost.com\/help\/linux-vps-security-hardening\/#article","isPartOf":{"@id":"https:\/\/unihost.com\/help\/linux-vps-security-hardening\/"},"author":{"name":"Unihost Support","@id":"https:\/\/unihost.com\/help\/#\/schema\/person\/bb5ae95f38577c920e6a7507888b715a"},"headline":"Basic Linux VPS Security Hardening After Purchase","datePublished":"2026-05-15T12:39:28+00:00","mainEntityOfPage":{"@id":"https:\/\/unihost.com\/help\/linux-vps-security-hardening\/"},"wordCount":465,"publisher":{"@id":"https:\/\/unihost.com\/help\/#organization"},"keywords":["Linux"],"inLanguage":"en"},{"@type":"WebPage","@id":"https:\/\/unihost.com\/help\/linux-vps-security-hardening\/","url":"https:\/\/unihost.com\/help\/linux-vps-security-hardening\/","name":"Basic Linux VPS Security Hardening After Purchase","isPartOf":{"@id":"https:\/\/unihost.com\/help\/#website"},"datePublished":"2026-05-15T12:39:28+00:00","description":"Basic steps to secure a Linux VPS after purchase: system updates, a separate sudo user, SSH keys, firewall setup, open port checks, and Fail2Ban.","breadcrumb":{"@id":"https:\/\/unihost.com\/help\/linux-vps-security-hardening\/#breadcrumb"},"inLanguage":"en","potentialAction":[{"@type":"ReadAction","target":["https:\/\/unihost.com\/help\/linux-vps-security-hardening\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/unihost.com\/help\/linux-vps-security-hardening\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Unihost","item":"https:\/\/unihost.com\/"},{"@type":"ListItem","position":2,"name":"Help","item":"https:\/\/unihost.com\/help\/"},{"@type":"ListItem","position":3,"name":"Basic Linux VPS Security Hardening After Purchase"}]},{"@type":"WebSite","@id":"https:\/\/unihost.com\/help\/#website","url":"https:\/\/unihost.com\/help\/","name":"Unihost.FAQ","description":"","publisher":{"@id":"https:\/\/unihost.com\/help\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/unihost.com\/help\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en"},{"@type":"Organization","@id":"https:\/\/unihost.com\/help\/#organization","name":"Unihost","alternateName":"Unihost","url":"https:\/\/unihost.com\/help\/","logo":{"@type":"ImageObject","inLanguage":"en","@id":"https:\/\/unihost.com\/help\/#\/schema\/logo\/image\/","url":"https:\/\/unihost.com\/help\/minio.php?2026\/01\/minio.png","contentUrl":"https:\/\/unihost.com\/help\/minio.php?2026\/01\/minio.png","width":300,"height":300,"caption":"Unihost"},"image":{"@id":"https:\/\/unihost.com\/help\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/unihost\/","https:\/\/x.com\/unihost","https:\/\/www.instagram.com\/unihost\/?hl=en","https:\/\/www.linkedin.com\/company\/unihost-com","https:\/\/www.youtube.com\/channel\/UCITKsxMDnslQY8brN3advgw"]},{"@type":"Person","@id":"https:\/\/unihost.com\/help\/#\/schema\/person\/bb5ae95f38577c920e6a7507888b715a","name":"Unihost Support","image":{"@type":"ImageObject","inLanguage":"en","@id":"https:\/\/unihost.com\/help\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/a0c9db17c2a0d93e8a0d5ac123f8c5db750ad4d3d5657369c0c4e480f5af77b8?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/a0c9db17c2a0d93e8a0d5ac123f8c5db750ad4d3d5657369c0c4e480f5af77b8?s=96&d=mm&r=g","caption":"Unihost Support"},"sameAs":["https:\/\/unihost.com\/"],"url":"https:\/\/unihost.com\/help\/author\/support\/"}]}},"_links":{"self":[{"href":"https:\/\/unihost.com\/help\/wp-json\/wp\/v2\/posts\/20088","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unihost.com\/help\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unihost.com\/help\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unihost.com\/help\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/unihost.com\/help\/wp-json\/wp\/v2\/comments?post=20088"}],"version-history":[{"count":3,"href":"https:\/\/unihost.com\/help\/wp-json\/wp\/v2\/posts\/20088\/revisions"}],"predecessor-version":[{"id":20092,"href":"https:\/\/unihost.com\/help\/wp-json\/wp\/v2\/posts\/20088\/revisions\/20092"}],"wp:attachment":[{"href":"https:\/\/unihost.com\/help\/wp-json\/wp\/v2\/media?parent=20088"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unihost.com\/help\/wp-json\/wp\/v2\/categories?post=20088"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unihost.com\/help\/wp-json\/wp\/v2\/tags?post=20088"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}