A fresh Linux VPS is exposed to automated attacks within minutes of going online. The good news: a handful of straightforward steps will block the overwhelming majority of them. Work through this checklist right after you provision a new server — it takes an afternoon and puts you far ahead of the threats that target everyone.
1. Update everything first
Before anything else, install the latest security patches. On Ubuntu/Debian run sudo apt update && sudo apt upgrade; on AlmaLinux/Rocky use sudo dnf upgrade. Outdated packages are the most common entry point for attackers.
2. Create a non-root user
Never use the root account for day-to-day work. Create a new user, give it sudo privileges, and use that instead. If that account is ever compromised, the attacker still doesn't have direct root access — an important extra layer.
3. Use SSH keys instead of passwords
Password logins can be brute-forced; SSH keys effectively can't. Generate a key pair with ssh-keygen, copy the public key to your server, then disable password authentication entirely in /etc/ssh/sshd_config by setting PasswordAuthentication no and restarting SSH. Confirm that key login works in a second session before you turn passwords off, so a mistake doesn't lock you out.
4. Disable root SSH login
In the same sshd_config file, set PermitRootLogin no. Combined with key-only auth, this shuts down the two most common automated attack vectors at once.
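The script below is an added example, not part of the original checklist: it audits a config file for the two settings from steps 3 and 4 and shows why a quick grep can mislead (commented-out lines, duplicate keywords, Match blocks). The function names effective_value, audit_sshd and sample_config are hypothetical, the sample config is constructed, and the fallback values assume upstream OpenSSH defaults.

```shell
#!/bin/sh
# Added example (not from the original article): audit the sshd_config
# settings from steps 3 and 4. Parsing rules: keywords are case-insensitive,
# '#' lines are comments, and sshd keeps the FIRST value it reads per keyword.

# effective_value FILE KEYWORD DEFAULT: print the global value, lowercased.
effective_value() {
    awk -v key="$2" -v dflt="$3" '
        BEGIN { key = tolower(key); val = dflt }
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }  # trim; accept Key=value
        /^#/ || /^$/ { next }                    # comments and blank lines
        tolower($1) == "match" { exit }          # Match blocks are conditional
        tolower($1) == key { val = tolower($2); exit }  # first occurrence wins
        END { print val }
    ' "$1"
}

# audit_sshd FILE: print PASS/FAIL per check; exit status = failed checks.
# Defaults are upstream OpenSSH's (assumption: your distro has not changed them).
audit_sshd() {
    fails=0
    for check in "PasswordAuthentication yes" "PermitRootLogin prohibit-password"; do
        kw=${check% *}; dflt=${check#* }
        got=$(effective_value "$1" "$kw" "$dflt")
        if [ "$got" = "no" ]; then echo "PASS $kw $got"
        else echo "FAIL $kw $got (want no)"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# Constructed sample showing the common pitfalls (not a real server's config).
sample_config() {
    cat <<'EOF'
#PasswordAuthentication no
PasswordAuthentication yes
permitrootlogin no
PasswordAuthentication no
Match User deploy
    PasswordAuthentication yes
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
audit_sshd "$tmp" || echo "$? check(s) failed"
rm -f "$tmp"
```

This sketch reads one file and does not follow Include directives; on a live server, sudo sshd -T prints the effective configuration that sshd will actually use.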
5. Change the default SSH port (optional)
Moving SSH off port 22 won't stop a determined attacker, but it dramatically cuts the noise from bots scanning the default port. Pick a high port, update your firewall to match, and confirm it's reachable with our port checker.
6. Set up a firewall
Only expose the ports you actually use. On Ubuntu, ufw makes this simple: allow SSH and your web ports (80/443), then run sudo ufw enable. Everything else stays closed. Verify what's reachable from outside with our port checker.
7. Install fail2ban
fail2ban watches your logs and automatically bans IP addresses that show malicious behavior, such as repeated failed logins. It takes a few minutes to install and stops brute-force attempts cold.
8. Use strong, unique passwords
Where passwords are unavoidable (databases, control panels, application logins), make them long and random. Generate them with our password generator and store them in a password manager — never reuse credentials across services.
9. Enable automatic security updates
On Debian/Ubuntu, unattended-upgrades applies security patches automatically so you're never weeks behind. It's one of the highest-impact, lowest-effort protections you can enable.
10. Lock down your services
Bind databases like MySQL/PostgreSQL to localhost unless you genuinely need remote access. A database exposed to the internet is a frequent cause of breaches. The same applies to caches like Redis and Memcached — never leave them open to the world.
11. Set up monitoring and backups
You can't respond to what you can't see. Monitor resource usage and login attempts, and — critically — keep off-server backups. If the worst happens, a recent backup turns a disaster into an inconvenience. Test your restores periodically; an untested backup isn't a backup.
12. Keep your TLS certificates valid
If you serve traffic over HTTPS, make sure certificates auto-renew (Let's Encrypt + certbot handles this well) and never silently expire. Verify a certificate's status anytime with our SSL checker.
A quick security checklist
- Patched and updated, with automatic updates on
- Non-root sudo user, root SSH login disabled
- SSH keys only, password auth disabled
- Firewall enabled, only needed ports open
- fail2ban installed
- Databases bound to localhost
- Off-server backups, tested
- Valid auto-renewing TLS certificates
The bottom line
Security is layers, not a single switch. None of these steps is difficult on its own, and together they put your server far ahead of the automated threats that target everyone. Every Volt Serv Linux VPS includes free DDoS protection and a 99.99% uptime guarantee — and our team is available 24/7 if you'd like a hand hardening your server. New to servers? Start with What Is a VPS?