A freshly deployed server is exposed to the internet and needs to be hardened before it's production-ready - especially an anonymous VPS you run for privacy. This guide covers the essential steps to harden a Linux server - the security checklist every server owner should follow.
Step 1: Keep the System Updated
Always run updates immediately after provisioning and regularly thereafter:
apt update && apt upgrade -y
Enable automatic security updates:
apt install unattended-upgrades -y
dpkg-reconfigure --priority=low unattended-upgrades
Step 2: Create a Non-Root User
Running everything as root is dangerous. Create a regular user with
sudo privileges:
adduser yourname
usermod -aG sudo yourname
Copy your SSH key to the new user:
rsync --archive --chown=yourname:yourname ~/.ssh /home/yourname
Test logging in as the new user in a new terminal window before closing your root session.
Step 3: Disable Root SSH Login
Edit the SSH configuration:
nano /etc/ssh/sshd_config
Find and update these lines:
PermitRootLogin no
PasswordAuthentication no
Restart SSH:
systemctl restart sshd
⚠️ Make sure you can log in as your new user via SSH key before disabling root login.
Step 4: Set Up a Firewall (UFW)
UFW (Uncomplicated Firewall) is the easiest way to manage firewall rules on Ubuntu.
apt install ufw -y
# Allow SSH (don't skip this or you'll lock yourself out)
ufw allow OpenSSH
# Allow web traffic if hosting a website
ufw allow 'Nginx Full'
# Enable the firewall
ufw enable
# Check status
ufw status verbose
Only allow ports that your server actually needs. Common ports:
| Port | Service |
|---|---|
| 22 | SSH |
| 80 | HTTP |
| 443 | HTTPS |
| 3306 | MySQL (only if needed externally) |
| 25565 | Minecraft |
Step 5: Install Fail2Ban
Fail2Ban automatically bans IP addresses that make too many failed login attempts.
apt install fail2ban -y
systemctl start fail2ban
systemctl enable fail2ban
Create a local config:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local
Ensure the SSH jail is enabled:
[sshd]
enabled = true
maxretry = 5
bantime = 3600
Restart Fail2Ban:
systemctl restart fail2ban
Check banned IPs:
fail2ban-client status sshd
Step 6: Use SSH Keys (Not Passwords)
If you haven't already, disable password authentication for SSH (done in Step 3) and use only SSH keys. This eliminates brute-force password attacks entirely.
Step 7: Change the Default SSH Port (Optional)
Changing the SSH port from 22 to a non-standard port reduces automated scanning:
nano /etc/ssh/sshd_config
Change:
Port 2222
Update your firewall:
ufw allow 2222/tcp
ufw delete allow OpenSSH
Restart SSH:
systemctl restart sshd
Connect with: ssh -p 2222 yourname@YOUR_SERVER_IP
Step 8: Enable Automatic Security Patches
Already covered in Step 1, but worth emphasising - unattended-upgrades
ensures critical patches are applied without manual intervention.
Security Checklist
- ✅ System is up to date
- ✅ Non-root user created with sudo access
- ✅ Root SSH login disabled
- ✅ Password authentication disabled - SSH keys only
- ✅ UFW firewall enabled, only necessary ports open
- ✅ Fail2Ban installed and running
- ✅ Automatic security updates enabled
With your VPS hardened, set up monitoring for suspicious activity and automated backups so you can detect and recover from incidents.
Questions? Email us at [email protected] - we reply in under 2 hours, 7 days a week.