VPS Security Checklist
Harden your GoZen VPS in 30 minutes. SSH keys, firewall, fail2ban, automatic updates, and more.
A fresh VPS is exposed to the internet. Bots start scanning it within minutes. This checklist covers the essential security hardening steps to run through before deploying anything.
On GoZen managed VPS plans, we handle most of this for you. On unmanaged VPS, it’s your responsibility.
1. Update Everything
First thing, always:
sudo apt update && sudo apt upgrade -y
Enable automatic security updates:
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades
# Select "Yes" when prompted
This automatically installs security patches. You still need to reboot occasionally for kernel updates.
2. Create a Non-Root User
Don’t use root for daily operations:
# Create a new user
sudo adduser yourusername
# Grant sudo privileges
sudo usermod -aG sudo yourusername
# Switch to the new user
su - yourusername
3. Set Up SSH Key Authentication
Password brute-forcing is the most common attack against an exposed SSH service; keys remove the guessable secret entirely. Switch to SSH keys:
Generate a Key (on Your Local Machine)
ssh-keygen -t ed25519 -C "your-email@example.com"
# Press Enter for default location
# Set a passphrase (recommended)
Copy the Key to Your VPS
ssh-copy-id yourusername@your-server-ip
Or manually:
# On your local machine
cat ~/.ssh/id_ed25519.pub
# On the VPS
mkdir -p ~/.ssh
nano ~/.ssh/authorized_keys
# Paste the public key and save
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Disable Password Login
Once you’ve confirmed SSH key login works:
sudo nano /etc/ssh/sshd_config
Change these settings (KbdInteractiveAuthentication matters too: with UsePAM, which Ubuntu enables by default, sshd can otherwise still prompt for the account password through PAM even when PasswordAuthentication is off):
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
On Ubuntu 22.04 and later the first line of sshd_config is Include /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for each keyword, so a drop-in file in that directory (cloud images often ship a cloud-init generated 50-cloud-init.conf that sets PasswordAuthentication yes) wins over your edit. Check that directory, validate the syntax with sudo sshd -t, and confirm the effective values with sudo sshd -T before restarting.
Restart SSH (the unit is called ssh on Ubuntu; sshd is an alias for it):
sudo systemctl restart ssh
Test SSH key login in a new terminal before closing your current session. If the key doesn’t work and you disable passwords, you’ll lock yourself out.
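The "Disable Password Login" step as a script that also verifies the result. This is an added example, not code from the GoZen page: it assumes the Ubuntu 22.04+ sshd_config layout (an Include of /etc/ssh/sshd_config.d/*.conf at the top), writes the settings to a drop-in whose name, 00-hardening.conf, is our choice, and goes one step beyond the text by comparing what sshd -T reports against the required values, which is what catches a competing drop-in or a typo that sshd -t alone accepts.

```shell
#!/bin/sh
# harden-sshd.sh: added example, not part of the GoZen page.
# Applies the settings from step 3 as a sshd drop-in and then VERIFIES what
# sshd actually uses, because a drop-in that sorts earlier (or the main file,
# if it has no Include line) can silently win.
# Assumptions (ours): Ubuntu 22.04+ with "Include /etc/ssh/sshd_config.d/*.conf"
# at the top of /etc/ssh/sshd_config; the file name 00-hardening.conf is our
# choice. Run as root:  sh harden-sshd.sh apply   (or "check" to only verify)

DROPIN="/etc/ssh/sshd_config.d/00-hardening.conf"

# Required settings, written the way "sshd -T" prints them (lowercase keys).
# KbdInteractiveAuthentication is our addition to the page's list: with UsePAM
# (Ubuntu default) it can still prompt for a password when PasswordAuthentication
# is off.
required_settings() {
    printf '%s\n' \
        "passwordauthentication no" \
        "kbdinteractiveauthentication no" \
        "permitrootlogin no" \
        "pubkeyauthentication yes"
}

# check_effective: read "sshd -T" output on stdin, print one MISMATCH line per
# required setting whose effective value differs (or is missing); exit 1 if any.
check_effective() {
    awk -v req="$(required_settings)" '
        BEGIN {
            n = split(req, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], kv, " "); want[kv[1]] = kv[2] }
        }
        ($1 in want) { have[$1] = $2 }
        END {
            bad = 0
            for (k in want) {
                v = (k in have) ? have[k] : "unset"
                if (v != want[k]) {
                    printf "MISMATCH %s: effective=%s wanted=%s\n", k, v, want[k]
                    bad = 1
                }
            }
            exit bad
        }'
}

# write_dropin: "00-" sorts before every other drop-in, and sshd keeps the FIRST
# value it reads for a keyword, so these settings take precedence.
write_dropin() {
    cat > "$DROPIN" <<'EOF'
# Written by harden-sshd.sh (added example). Keep this file first in the glob.
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
EOF
}

apply() {
    write_dropin
    # -t validates syntax and keywords; it prints nothing and exits 0 when fine.
    sshd -t || { echo "sshd_config is invalid, not restarting" >&2; return 1; }
    # -T dumps the effective configuration after all Include files are merged.
    sshd -T | check_effective || {
        echo "effective config still differs (an earlier drop-in wins?)" >&2
        return 1
    }
    systemctl restart ssh
    echo "restarted; open a NEW terminal and confirm key login before closing this one"
}

case "${1-}" in
    apply) apply ;;
    check) sshd -T | check_effective ;;
esac
```

Run `sh harden-sshd.sh check` first to see whether the host already matches; `apply` writes the drop-in, refuses to restart if either check fails, and leaves your current session open so you can test a fresh login.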
4. Change the SSH Port (Optional)
Moving SSH off port 22 cuts most of the automated log noise, but it is obscurity rather than a control: a port scan finds the new port in seconds, and the real protection is key-only authentication, the firewall and fail2ban. If you do it, open the new port in the firewall first, then change the port, then restart:
sudo ufw allow 2222/tcp
sudo nano /etc/ssh/sshd_config
Port 2222
sudo systemctl restart ssh
On recent Ubuntu releases (22.10 and later) sshd is socket-activated, so a changed Port only takes effect after sudo systemctl daemon-reload followed by sudo systemctl restart ssh.socket. Update the fail2ban jail (port = 2222 in step 6) and remove the ufw rule for 22/tcp once the new port works.
Connect with: ssh -p 2222 yourusername@your-server-ip
5. Configure the Firewall
UFW (Uncomplicated Firewall) is the standard on Ubuntu:
# Set defaults
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH (use your custom port if changed)
sudo ufw allow 22/tcp
# Allow HTTP and HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Enable the firewall
sudo ufw enable
# Check status
sudo ufw status verbose
Only open ports your services actually need. Anything listening on 0.0.0.0 or [::] without a ufw rule is blocked by the default deny, but it should still be bound to 127.0.0.1 or disabled so a firewall mistake cannot expose it. List listening TCP and UDP sockets with the process behind each one:
sudo ss -tulnp
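A check that ties the two commands above together: which listeners are actually reachable, which are blocked only by the default deny, and which ufw rules allow a port nothing listens on. This is an added example, not from the GoZen page; it assumes the ss -tlnp and ufw status output formats shown in the constructed samples inside it and only looks at TCP.

```shell
#!/bin/sh
# audit-ports.sh: added example, not from the GoZen page. Cross-checks what is
# listening (ss -tlnp) against what ufw allows, so every internet-reachable
# port is a deliberate choice. Assumptions (ours): Ubuntu's ss and ufw output
# formats as in the constructed samples below; TCP only.
#   sh audit-ports.sh demo       -> runs on the constructed samples
#   sudo sh audit-ports.sh live  -> runs on this host

# Constructed sample of "sudo ss -tlnp" (not output from any real server).
sample_ss() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=712,fd=3))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=900,fd=6))
LISTEN  0       80      127.0.0.1:3306      0.0.0.0:*          users:(("mariadbd",pid=1020,fd=21))
LISTEN  0       4096    0.0.0.0:9100        0.0.0.0:*          users:(("node_exporter",pid=1100,fd=3))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=712,fd=4))
EOF
}

# Constructed sample of "sudo ufw status".
sample_ufw() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
EOF
}

# exposed_listeners: stdin = ss -tlnp output; prints "port process" for sockets
# bound to anything other than loopback, one line per port (v4 and v6 merged).
exposed_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4; port = addr; sub(/.*:/, "", port)
        host = addr; sub(/:[0-9]+$/, "", host)
        if (host ~ /^(127\.|\[::1\])/) next          # loopback only: not exposed
        proc = "?"
        if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
        print port, proc
    }' | sort -un
}

# allowed_ports: stdin = ufw status (plain or verbose); prints allowed TCP ports.
allowed_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "ALLOW" { sub(/\/tcp$/, "", $1); print $1 }' | sort -un
}

# audit_ports SS_FILE UFW_FILE: REACHABLE = listening and allowed (justify it),
# HIDDEN = listening on all interfaces but blocked by the default deny (bind it
# to 127.0.0.1 or disable the service), STALE = allowed but nothing listens
# (delete the rule).
audit_ports() {
    exposed=$(exposed_listeners < "$1")
    allowed=$(allowed_ports < "$2")
    printf '%s\n' "$exposed" | while read -r port proc; do
        [ -n "$port" ] || continue
        if printf '%s\n' "$allowed" | grep -qx "$port"; then
            printf 'REACHABLE %s (%s)\n' "$port" "$proc"
        else
            printf 'HIDDEN %s (%s)\n' "$port" "$proc"
        fi
    done
    printf '%s\n' "$allowed" | while read -r port; do
        [ -n "$port" ] || continue
        if ! printf '%s\n' "$exposed" | grep -q "^$port "; then
            printf 'STALE %s\n' "$port"
        fi
    done
}

case "${1-}" in
    demo) d=$(mktemp -d); sample_ss > "$d/ss"; sample_ufw > "$d/ufw"
          audit_ports "$d/ss" "$d/ufw"; rm -rf "$d" ;;
    live) d=$(mktemp -d); ss -tlnp > "$d/ss"; ufw status > "$d/ufw"
          audit_ports "$d/ss" "$d/ufw"; rm -rf "$d" ;;
esac
```

On the sample data the report is two REACHABLE ports (22 and 80), one HIDDEN service (node_exporter on 9100, which should be bound to localhost or put behind the firewall deliberately) and one STALE rule (443, allowed but nothing serves it yet).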
6. Install Fail2Ban
Fail2Ban tails log files (or the systemd journal) and adds temporary firewall bans for IPs that repeatedly fail authentication:
sudo apt install fail2ban -y
Create a local configuration. Do not edit jail.conf (package upgrades overwrite it); jail.local only needs the values you change, everything else is inherited from jail.conf. Times are in seconds:
sudo nano /etc/fail2ban/jail.local
[DEFAULT]
# Never ban yourself: loopback plus the address you administer from
ignoreip = 127.0.0.1/8 ::1 your-admin-ip
bantime = 3600
findtime = 600
maxretry = 5
[sshd]
enabled = true
# Must match the port sshd listens on (2222 if you changed it in step 4)
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400
If /var/log/auth.log does not exist on your system (journald-only logging), replace the logpath line with backend = systemd so fail2ban reads the journal instead.
Start and enable:
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
# Check banned IPs
sudo fail2ban-client status sshd
7. Secure Shared Memory
Mount shared memory with noexec and nosuid so a compromised process cannot drop a binary into it and execute it from there:
sudo nano /etc/fstab
Add this line (on current Ubuntu /run/shm is a symlink to /dev/shm, so /dev/shm is the mount point to use):
tmpfs /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0
It takes effect on the next boot or when you remount /dev/shm; verify with findmnt. Some software expects to execute from shared memory, so test your applications after remounting.
8. Handle Reboots for Kernel Updates
unattended-upgrades installs a new kernel but does not reboot into it, and needrestart only restarts services that are still running outdated libraries. Install it so those restarts happen after upgrades:
sudo apt install needrestart -y
Restart what needs restarting after updates:
sudo needrestart -r a
(-r a restarts every service needrestart considers safe; -r l only lists them. A pending kernel reboot is reported by needrestart -k and by the presence of /var/run/reboot-required.) To have the server reboot on its own, set Unattended-Upgrade::Automatic-Reboot "true"; and Unattended-Upgrade::Automatic-Reboot-Time "02:00"; in /etc/apt/apt.conf.d/50unattended-upgrades, and make sure your services are enabled to come back on boot.
9. Monitor Login Attempts
Check who’s been trying to get in. Once password login is off, most failures are logged as "Invalid user" or "Connection closed by invalid user" rather than "Failed password", so search for both; successful key logins appear as "Accepted publickey" together with the key fingerprint:
# Failed login attempts
sudo grep -E "Failed password|Invalid user" /var/log/auth.log | tail -20
# Successful logins
sudo last -n 20
# Currently logged in users
who
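The log review above as a small report: failed SSH attempts per source IP, successful logins, and the two patterns worth an immediate look (a login that used a password after step 3, or a success from an IP that had been failing). This is an added example, not from the GoZen page; it assumes OpenSSH's usual auth.log line formats, as in the constructed sample embedded in it, and counts one failure per connection so the "Invalid user" and "Failed password" lines of one attempt are not double-counted.

```shell
#!/bin/sh
# auth-report.sh: added example, not from the GoZen page. Summarises an
# auth.log: failed SSH attempts per source IP (one count per connection, so
# the "Invalid user" + "Failed password" pair for one attempt is not counted
# twice), successful logins, and logins that deserve a second look.
# Assumptions (ours): OpenSSH's log line formats as in the constructed sample.
#   sh auth-report.sh demo                    -> constructed sample below
#   sudo sh auth-report.sh /var/log/auth.log  -> this host

# Constructed sample (not from a real server; the fingerprint is a placeholder).
sample_log() {
    cat <<'EOF'
Apr  7 01:12:01 vps sshd[1201]: Invalid user admin from 198.51.100.23 port 51012
Apr  7 01:12:03 vps sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 51012 ssh2
Apr  7 01:12:05 vps sshd[1203]: Invalid user oracle from 198.51.100.23 port 51020
Apr  7 01:12:06 vps sshd[1203]: Connection closed by invalid user oracle 198.51.100.23 port 51020 [preauth]
Apr  7 01:13:10 vps sshd[1210]: Failed password for root from 203.0.113.7 port 40022 ssh2
Apr  7 01:13:12 vps sshd[1210]: Failed password for root from 203.0.113.7 port 40022 ssh2
Apr  7 01:14:00 vps sshd[1215]: Connection closed by authenticating user root 203.0.113.7 port 40030 [preauth]
Apr  7 01:20:00 vps sshd[1230]: Accepted publickey for deploy from 192.0.2.10 port 55000 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Apr  7 01:25:00 vps sshd[1240]: Accepted password for root from 203.0.113.7 port 40100 ssh2
EOF
}

# failed_by_ip: stdin = auth.log; prints "count ip", highest first. Each
# (ip, source port) pair is one connection, however many lines it logged.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: (Failed password for|Invalid user|Connection closed by (authenticating|invalid) user)/ {
            for (i = 1; i < NF; i++) if ($i == "port") seen[$(i-1) " " $(i+1)] = 1
        }
        END {
            for (k in seen) { split(k, a, " "); n[a[1]]++ }
            for (ip in n) print n[ip], ip
        }' | sort -rn
}

# accepted_logins: stdin = auth.log; prints "user ip method" per successful login.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted [^ ]+ for / {
        for (i = 1; i <= NF; i++) if ($i == "Accepted") { print $(i+3), $(i+5), $(i+1); break }
    }'
}

# suspicious_logins FILE: successful logins that used a password (should be
# impossible after step 3) or came from an IP that also has failures
# (a success at the end of a brute-force run).
suspicious_logins() {
    failed=$(failed_by_ip < "$1" | awk '{ print $2 }')
    accepted_logins < "$1" | while read -r user ip method; do
        reason=""
        [ "$method" = "password" ] && reason="password auth used"
        if printf '%s\n' "$failed" | grep -qxF "$ip"; then
            reason="${reason:+$reason; }success after failures"
        fi
        if [ -n "$reason" ]; then
            printf '%s %s %s: %s\n' "$user" "$ip" "$method" "$reason"
        fi
    done
}

report() {
    echo "== failed attempts per IP =="; failed_by_ip < "$1"
    echo "== successful logins =="; accepted_logins < "$1"
    echo "== needs attention =="; suspicious_logins "$1"
}

case "${1-}" in
    demo) f=$(mktemp); sample_log > "$f"; report "$f"; rm -f "$f" ;;
    ?*) report "$1" ;;
esac
```

On the sample, both scanners end up with two connections each, the deploy key login is clean, and the root password login from 203.0.113.7 is flagged for both reasons; on a real host that line means password auth is still on somewhere and the account is already compromised. If your system logs only to the journal, feed it `journalctl -u ssh --no-pager` output through a file instead of /var/log/auth.log.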
10. Network Security Scan
After hardening, verify from the outside. nmap's default covers the 1000 most common TCP ports; -p- scans all 65535 (slower). Only the ports you allowed in ufw should come back open, everything else filtered:
# From another machine, scan your VPS
nmap -sV -p- your-server-ip
Use GoZen Security Scanner to check your server’s security posture from the outside.
Quick Reference Checklist
| Step | Status |
|---|---|
| System updated and auto-updates enabled | ☐ |
| Non-root user created with sudo | ☐ |
| SSH key authentication configured | ☐ |
| Password login disabled | ☐ |
| SSH port changed (optional) | ☐ |
| UFW firewall enabled with minimal rules | ☐ |
| Fail2Ban installed and configured | ☐ |
| Shared memory secured | ☐ |
| Unnecessary services disabled | ☐ |
| External security scan clean | ☐ |
What to Do Next
- Server Hardening Basics - deeper security topics (AppArmor, audit logging)
- First Boot VPS Setup - initial server configuration
- GoZen Security Scanner - audit your server from the outside
Last updated 07 Apr 2026, 00:00 +0200.