Bots scan the internet constantly looking for new servers. Within hours of provisioning a VPS, you'll see brute-force SSH attempts in your logs. Here are 10 essential steps to secure your server.
Step 1: Update Everything
    sudo apt update && sudo apt upgrade -y
    sudo apt install unattended-upgrades
    sudo dpkg-reconfigure -plow unattended-upgrades
Step 2: Create a Non-Root User
Never run services as root:
    adduser yourname
    usermod -aG sudo yourname
Step 3: Disable Root SSH Login
Edit /etc/ssh/sshd_config:
    PermitRootLogin no
Restart: sudo systemctl restart sshd
Step 4: Change Default SSH Port
    Port 2222
This eliminates 99% of automated brute-force attempts.
Step 5: Set Up SSH Key Authentication
    ssh-keygen -t ed25519 -C "your@email.com"
    ssh-copy-id -p 2222 yourname@server_ip
Then disable password auth:
    PasswordAuthentication no
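One way to check that the sshd_config settings from Steps 3 to 5 actually took effect, as an added example that is not part of the original article. sshd keeps the first value it reads for most keywords while Port lines accumulate, so a file read earlier can silently undo your edit; the function names and sample files below are hypothetical, and the files must be passed in the order sshd reads them.

```shell
#!/bin/sh
# Added example (not from the original article): audit the sshd settings
# from Steps 3-5. sshd keeps the FIRST value it reads for most keywords, while
# Port lines accumulate, so a file read earlier can undo a later edit.

# sshd_values MODE KEYWORD FILE...   MODE is "first" or "all".
# Prints global (outside any Match block) values of KEYWORD, lowercased.
# Pass FILEs in the order sshd reads them (Include is not followed here).
sshd_values() {
    mode=$1 want=$2; shift 2
    awk -v mode="$mode" -v want="$want" '
        BEGIN { want = tolower(want) }
        FNR == 1 { in_match = 0 }            # a Match block ends with its file
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            sub(/[ \t]*=[ \t]*/, " ", line)  # accept "Keyword=value"
            split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key == "match") { in_match = 1; next }
            if (in_match || key != want) next
            print tolower(f[2])
            if (mode == "first") exit
        }' "$@"
}

# audit_sshd FILE...   Prints one line per finding; returns 1 if there is any.
audit_sshd() {
    bad=0
    for k in PermitRootLogin PasswordAuthentication; do
        v=$(sshd_values first "$k" "$@")
        [ "$v" = no ] || { echo "FAIL $k=${v:-unset}"; bad=1; }
    done
    ports=$(sshd_values all Port "$@" | tr '\n' ' ')
    case " $ports" in
        " "|*" 22 "*) echo "FAIL Port: still listening on 22"; bad=1 ;;
    esac
    return "$bad"
}

# Constructed sample: a drop-in read before the main file re-enables passwords.
d=$(mktemp -d)
printf 'PasswordAuthentication yes\n' > "$d/10-dropin.conf"
printf 'Port 2222\nPermitRootLogin no\nPasswordAuthentication no\n' > "$d/sshd_config"
audit_sshd "$d/10-dropin.conf" "$d/sshd_config" || echo "fix the findings above"
rm -rf "$d"
```

On a live server, `sudo sshd -T` prints the configuration sshd will actually use, with includes resolved.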
Step 6: Configure UFW Firewall
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw allow 2222/tcp
    sudo ufw allow 80/tcp
    sudo ufw allow 443/tcp
    sudo ufw enable
Step 7: Install Fail2Ban
    sudo apt install fail2ban
    sudo systemctl enable fail2ban
Configure /etc/fail2ban/jail.local with maxretry = 3 and bantime = 3600.
Step 8: Automatic Security Updates
Enable unattended-upgrades for security patches only — don't auto-update everything to avoid breaking applications.
Step 9: Disable Unused Services
    sudo systemctl list-units --type=service --state=running
Disable anything you don't need: cups, avahi-daemon, bluetooth.
Step 10: Set Up Monitoring
- Uptime: UptimeRobot or Hetrix Tools (free tiers available)
- Server metrics: Netdata (lightweight, self-hosted)
- Logs: Check /var/log/auth.log regularly
Bonus: Backups
Enable your VPS provider's snapshot backups and set up a cron job for critical data.