How to Secure a Brand-New VPS (First 10 Minutes)
The handful of steps that block almost every automated attack against a fresh VPS, and why each one matters.
The moment your VPS gets a public IP, bots start knocking. Not "maybe," not "eventually." Within minutes there will be automated scripts trying to log in as root with common passwords. This is normal background noise on the internet, and the good news is that stopping it takes about ten minutes.
You do not need to be a security expert. You just need to close the obvious doors. Here is the short list, in the order I would do it.
1. Update everything first
Before anything else, pull the latest packages. A fresh image is rarely fully patched.
On Ubuntu or Debian:
apt update && apt upgrade -y
On AlmaLinux or Rocky:
dnf update -y
Two minutes, and you have closed any holes that were fixed since the image was built.
2. Make a real user account
Logging in as root all the time is asking for trouble. One typo in the wrong command and there is nothing standing between you and a wiped system. Create a normal user and give it sudo rights instead.
adduser james
usermod -aG sudo james
Swap james for whatever name you like. On the Red Hat family the group is wheel rather than sudo.
3. Switch to SSH keys and turn off password login
This is the single biggest thing you can do, so do not skip it. Passwords can be guessed. An SSH key cannot be, not in any realistic amount of time. Once your key works, you turn password login off entirely and the bots trying to brute force their way in simply have nothing to attack.
Generate a key on your own computer if you do not have one:
ssh-keygen -t ed25519
Copy it up to the server:
ssh-copy-id james@your-server-ip
Now log in with the key to confirm it works. Do not skip that test. Once you are sure, edit the SSH config:
sudo nano /etc/ssh/sshd_config
Set these two lines:
PasswordAuthentication no
PermitRootLogin no
Restart SSH:
sudo systemctl restart ssh
Keep your existing session open while you open a second one to test, just in case you locked yourself out. Everyone does it once.
4. Turn on a firewall
Block every port except the ones you actually use. On Ubuntu and Debian, ufw makes this painless:
sudo ufw allow OpenSSH
sudo ufw enable
If you are running a web server, add ports 80 and 443. If you are running a game server, open whatever port it needs. The principle is simple: if nothing is supposed to be listening there, do not leave it open.
5. Install Fail2ban
Even with password login off, Fail2ban is worth the thirty seconds. It watches your logs and temporarily bans any IP that misbehaves, which cuts down the noise and adds a second layer under your SSH keys.
sudo apt install fail2ban -y
It works sensibly out of the box. You can tune it later if you want.
That is the core of it
Update, make a user, use keys, close the ports, add Fail2ban. Do those five and you have shut out the overwhelming majority of automated attacks, which is what almost all attacks against a small server actually are.
A quick note worth making: none of this protects you from a DDoS attack, which is a completely different problem. That is about someone flooding your connection with traffic, not breaking into your box, and it gets handled at the network level rather than on your server. Every VPS we run sits behind Path.net DDoS filtering for exactly that reason, so the flood gets absorbed before it ever reaches you. Your job is the five steps above. The volumetric stuff is on us.