Follow this practical checklist to harden a fresh Linux VPS and protect it from attacks right out of the box
Before We Start: What You'll Walk Away With
By the end of this guide you’ll be able to lock down a fresh Linux VPS in minutes, just like you’d lock the front door before leaving the house.
First, you’ll know exactly which services to turn off, how to shape a firewall, and which SSH settings stop brute‑force attacks.
Second, you’ll walk away with a copy‑and‑paste checklist you can run on every new server without thinking.
Third, you’ll understand the why behind each tweak, so the same process works on Ubuntu, Debian, CentOS or any other distro you encounter.
Service audit – Spot and disable anything you don’t need, like telnet or ftp, the way you’d skip dessert if you’re watching your carbs.
Firewall rules – Open only the ports you actually use, similar to only unlocking the specific car doors you need for a short trip.
SSH hardening – Switch to key‑based login, change the default port, and limit users, just as you’d change a PIN after a lost card.
Checklist snippet –
systemctl disable telnet
ufw allow 22/tcp
sed -i -E 's/^#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' /etc/ssh/sshd_config
Why it matters – Each open service is a potential backdoor; a tight firewall is your perimeter fence; hardened SSH stops the most common automated attacks.
Adaptability – Replace ufw with firewalld or iptables based on your distro, just like swapping a familiar spice for a local one when cooking abroad.
Now you’re ready to move on and start the first concrete step toward a truly secure Linux VPS.
What Linux VPS Hardening Actually Is (No Jargon)
Hardening a Linux VPS means tightening every setting you can control so that only the services you truly need stay reachable, while everything else is locked down. It’s not a one‑time script; it’s a checklist of small tweaks that together shrink the attack surface dramatically.
Imagine you just bought a house. Before you unpack the boxes you’d slam a deadbolt on the front door, mount a security camera, and set up a motion sensor on the back porch. Those three steps don’t make the house indestructible, but they stop most burglars in their tracks. Securing a Linux VPS works the same way—you put a deadbolt on SSH, a camera on login attempts, and a sensor on network ports, then you move in and start using the server.
The 5 Mistakes Everyone Makes With Linux VPS Security
Here are the five blunders that keep most newcomers from a truly secure Linux VPS:
Leaving the default root password unchanged. It’s like ordering a pizza and never changing the default delivery address: anyone who knows the address can walk right in. Change it immediately with passwd.
Opening all ports with “allow all” firewall rules. Think of it as leaving all doors and windows wide open while you’re on vacation. Use ufw default deny incoming and only allow the services you truly need.
Running unnecessary services like FTP or Telnet. It’s like packing a suitcase full of gadgets you’ll never use, just to make the weight limit harder to hit. Disable them with systemctl disable vsftpd or uninstall them entirely.
Ignoring regular updates and patches. Skipping updates is like refusing to check Google Maps for road closures: your route will soon hit a dead end. Set up automatic security upgrades or run apt-get update && apt-get upgrade -y daily.
Using password‑only SSH without key‑based authentication. Imagine trusting a lock that only needs a single generic key that anyone could copy. Maria, a freelance developer, switched to SSH keys by generating a key pair with ssh-keygen on her laptop and adding the public key to ~/.ssh/authorized_keys. She locked out password attacks instantly.
Stop these habits now, and the rest of your hardening steps will be much easier.
How to Secure Your Linux VPS: Step‑by‑Step
Update the OS and enable automatic security patches. Think of it like applying the latest safety recall to a car. Run
apt update && apt upgrade -y
then enable unattended upgrades with
dpkg-reconfigure -plow unattended-upgrades
Create a non‑root admin user and grant sudo privileges. It’s like giving a trusted friend a spare key instead of the master key. Add the user:
adduser alice
then add to sudoers:
usermod -aG sudo alice
Disable password authentication and set up SSH key login. Similar to switching from a lock‑picking combo to a fingerprint scanner. Edit /etc/ssh/sshd_config to set PasswordAuthentication no, then copy your public key with
ssh-copy-id alice@your.vps.ip
Change the default SSH port and limit login attempts. Moving the entrance door to a less obvious spot reduces wandering eyes. Change Port 22 to something like Port 4242 in sshd_config, then install pam_faildelay or use MaxAuthTries 3 to throttle attempts.
Install and configure UFW (or nftables) with a minimal allow list. Imagine packing a suitcase with only what you’ll actually wear. For UFW:
Enable:
ufw enable
Allow SSH:
ufw allow 4242/tcp
Allow web traffic if needed:
ufw allow 80,443/tcp
Persona example: Maria, a freelance designer, runs a simple static site. She only opens ports 80 and 443, keeping the rest locked down.
Disable or uninstall unused services. Like removing appliances you never use to lower fire risk. Check active services with
systemctl list-unit-files --state=enabled
and purge anything unnecessary, e.g.,
apt purge vsftpd telnetd
Set up Fail2Ban to block brute‑force attacks. It works like a security guard who bans repeat offenders. Install with
apt install fail2ban
and enable the ssh jail.
Harden sysctl settings and enable kernel hardening modules. Think of it as reinforcing the walls of a house. Add to /etc/sysctl.conf:
net.ipv4.ip_forward = 0
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
then run sysctl -p.
Install a rootkit/virus scanner for periodic checks. It’s like scheduling a home inspection.
apt install lynis
then run
lynis audit system
weekly.
Schedule regular backups and test restoration procedures. Just as you’d keep a spare key in a safe place, automate snapshots with cron or a service like rclone, and run a restore test every month.
A Real Example: Securing an Ubuntu 22.04 VPS for a SaaS Startup
Maya just finished provisioning her Ubuntu 22.04 VPS and now she’s ready to lock it down.
First she brings the system up to date, just like checking a grocery list before cooking.
apt update && apt upgrade -y
Next she creates a dedicated account, adds it to sudo, and disables root SSH.
adduser mayaadmin
usermod -aG sudo mayaadmin
sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
Key‑based login replaces passwords the way a hotel keycard replaces a lock‑pick.
ssh-keygen -t ed25519 -C "maya@laptop"
ssh-copy-id -i ~/.ssh/id_ed25519.pub mayaadmin@your-vps-ip
sed -i -E 's/^#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' /etc/ssh/sshd_config
She moves SSH to a non‑standard port, then tells the firewall to expect traffic there—think of rerouting a delivery to a side door.
sed -i 's/#Port 22/Port 2222/' /etc/ssh/sshd_config
ufw allow 2222/tcp
ufw enable
Finally, she checks fail2ban to make sure brute‑force attempts are blocked.
fail2ban-client status sshd
Unneeded services are shut down, like removing extra toppings you never eat.
systemctl disable --now vsftpd
systemctl disable --now telnet
For a quick health check, Maya runs Lynis, which hands her a to‑do list the way a mechanic gives a car inspection report.
lynis audit system
She sets up a daily snapshot to a remote bucket, ensuring she can roll back if anything goes wrong—like packing a spare set of clothes for a trip.
rsync -a --delete /var/www/ user@backup-bucket:/backups/$(date +%F)
Tip: After each change, reload SSH with systemctl reload sshd.
Cheat sheet: sudo ufw status, fail2ban-client status, lynis show report.
With these steps Maya’s VPS is now a solid foundation for her SaaS prototype.
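The sshd_config edits in this walkthrough only help if the directive ends up active rather than commented out. The following added example (not part of the original article) sets a keyword whether or not the stock line is commented and reads back the value sshd would use; the function names sshd_set and sshd_effective and the sample file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. The sample config is constructed.

# Value sshd would use for KEY from FILE's global section: the first active
# (uncommented) occurrence wins, otherwise DEFAULT. Include'd drop-in files
# and Match blocks are not evaluated here.
sshd_effective() {
    awk -v k="$2" -v d="$3" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print $2; found = 1; exit }
        END { if (!found) print d }' "$1"
}

# Write "KEY VALUE" as the first line of FILE (first value wins, and line 1
# precedes any Include), dropping later active global lines for KEY.
sshd_set() {
    local file="$1" key="$2" value="$3" tmp
    tmp=$(mktemp) || return 1
    {
        printf '%s %s\n' "$key" "$value"
        awk -v k="$key" 'tolower($1) == "match" { m = 1 }
                         m || tolower($1) != tolower(k)' "$file"
    } > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Constructed stock-style file: both keywords exist only as commented defaults.
demo() {
    local f
    f=$(mktemp) || return 1
    printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' \
        '#PermitRootLogin prohibit-password' \
        '#PasswordAuthentication yes' > "$f"
    # A plain "yes -> no" substitution edits the comment and leaves it a comment.
    sed 's/PasswordAuthentication yes/PasswordAuthentication no/' "$f" > "$f.new"
    mv "$f.new" "$f"
    echo "plain sed: PasswordAuthentication $(sshd_effective "$f" PasswordAuthentication yes)"
    sshd_set "$f" PasswordAuthentication no
    sshd_set "$f" PermitRootLogin no
    echo "sshd_set:  PasswordAuthentication $(sshd_effective "$f" PasswordAuthentication yes)," \
         "PermitRootLogin $(sshd_effective "$f" PermitRootLogin prohibit-password)"
    rm -f "$f"
}

demo
```

On the server itself, run sshd -t before reloading and confirm the result with sshd -T | grep -i passwordauthentication, which also accounts for files under /etc/ssh/sshd_config.d/.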
The Tools That Make This Easier
Here’s a quick toolbox that turns hardening a fresh VPS into something as painless as ordering a pizza.
UFW (Uncomplicated Firewall) – Think of it as the bouncer at the club door. You tell it who’s allowed in and it blocks everyone else. Install with apt install ufw, then enable with ufw enable and allow needed ports, e.g., ufw allow 22/tcp.
Fail2Ban – Like a security guard that watches the CCTV and kicks out troublemakers after a few bad moves. It scans /var/log/auth.log for repeated failed SSH attempts and adds a temporary iptables rule. Set it up with apt install fail2ban and tweak /etc/fail2ban/jail.local.
Lynis – Your personal health check‑up for the server. Run lynis audit system and it will hand you a report of weak points plus concrete hardening tips, much like a mechanic’s checklist before a road trip.
Certbot – The automatic chef that serves up free TLS certificates from Let’s Encrypt. One command, certbot --nginx -d example.com, fetches and installs a certificate, then renews it silently every 90 days.
Rclone – The suitcase that packs your backups and ships them to the cloud. Configure a remote with rclone config, then push snapshots with rclone sync /var/backups remote:myvps. Works with Google Drive, S3, Backblaze, and many others.
These five utilities give you a solid baseline for a secure Linux VPS without writing custom scripts.
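Fail2Ban's SSH protection is driven by the failed-login lines in /var/log/auth.log. This added example (not from the original article) counts failed password logins per source address, which is useful when checking that bans match the log; the function names and the log lines are constructed, and the time window Fail2Ban applies is not modelled.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. The log lines are constructed.

# Print "COUNT ADDRESS" for every source with at least MAXRETRY failed SSH
# password logins in FILE ("-" reads stdin), highest count first.
# The address is taken from the fixed tail "from ADDR port N ssh2" because
# the user name earlier in the line is text supplied by the client.
failed_ssh_sources() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for / &&
        $NF == "ssh2" && $(NF-2) == "port" && $(NF-4) == "from" {
            hits[$(NF-3)]++
        }
        END { for (ip in hits) if (hits[ip] >= max) print hits[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed auth.log excerpt (documentation address ranges only).
sample_auth_log() {
    cat <<'EOF'
Jan 10 03:14:01 vps sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan 10 03:14:03 vps sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan 10 03:14:06 vps sshd[814]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Jan 10 03:15:10 vps sshd[820]: Failed password for invalid user from from 198.51.100.23 port 51000 ssh2
Jan 10 03:16:44 vps sshd[825]: Accepted publickey for alice from 192.0.2.10 port 50522 ssh2: ED25519 SHA256:constructed
Jan 10 03:17:02 vps sshd[830]: Failed password for alice from 192.0.2.10 port 50530 ssh2
EOF
}

# With a threshold of 3, only the repeat offender is listed.
sample_auth_log | failed_ssh_sources - 3
```

Compare the addresses it lists with the banned list shown by fail2ban-client status sshd.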
Quick Reference: Linux VPS Hardening Cheat Sheet
Here’s the cheat sheet you’ll paste into a note and pull up whenever you spin a new server.
Update & enable unattended‑upgrades – Think of it like getting automatic grocery deliveries; you stay stocked without remembering to shop.
apt update && apt full-upgrade -y
apt install unattended-upgrades
dpkg-reconfigure --priority=low unattended-upgrades
Create a non‑root sudo user – Like giving a friend a spare key instead of the master key; they can get in, but you keep the vault locked.
adduser alice
usermod -aG sudo alice
Set up SSH keys, disable password auth – It’s the difference between a badge scanner and a handwritten password on a door.
ssh-keygen -t ed25519 -C "alice@vps"
ssh-copy-id alice@your.vps.ip
sed -i -E 's/^#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' /etc/ssh/sshd_config
systemctl reload sshd
Change SSH port & limit users – Moving the entrance to a side street and only letting trusted neighbors knock.
sed -i 's/^#Port 22/Port 2222/' /etc/ssh/sshd_config
echo "AllowUsers alice" >> /etc/ssh/sshd_config
systemctl reload sshd
Enable UFW: allow only required ports – Imagine a security guard who checks IDs before anyone enters the building.
Bob the Blogger only needs web and SSH:
ufw default deny incoming
ufw allow 2222/tcp # SSH
ufw allow 80/tcp # HTTP
ufw allow 443/tcp # HTTPS
ufw enable
Disable unused services – Like unplugging appliances you never use to avoid accidental fires.
systemctl list-unit-files --type=service | grep enabled
systemctl disable telnet.service
systemctl stop avahi-daemon.service
Install Fail2Ban – A bouncer that kicks out repeated troublemakers after a few bad attempts.
apt install fail2ban
systemctl enable fail2ban
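# The sshd jail guards the standard SSH port by default; name the custom port so bans apply to it.
printf '[sshd]\nenabled = true\nport = 2222\n' > /etc/fail2ban/jail.local
systemctl restart fail2ban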
Apply sysctl kernel hardening – Tightening the bolts on a car’s chassis to stop it from wobbling.
printf '%s\n' 'net.ipv4.ip_forward = 0' 'kernel.randomize_va_space = 2' 'fs.suid_dumpable = 0' > /etc/sysctl.d/99-hardening.conf
sysctl --system
Run Lynis audit monthly – Like scheduling a yearly health check‑up for your server.
apt install lynis
lynis audit system
Schedule automated backups with Rclone – Packing your valuables into a safe deposit box every night.
apt install rclone
rclone config # set up remote “drive”
crontab -e
0 2 * * * /usr/bin/rclone sync /var/www drive:backup/vps-$(date +\%F)
Follow this list and your Linux VPS will have the core defenses most attacks never get past.
What to Do Next
Grab a coffee and run through the list – it’s the fastest way to feel confident about your secure Linux VPS.
Run the checklist on your current VPS tonight. It’s like a quick health check before bed; open a terminal, copy the checklist script, and let it finish in under 15 minutes.
Add Fail2Ban and tighten UFW rules for any new services you plan to deploy. Think of it as setting up a bouncer at the door for each new app you install.
Set up nightly backups and do a test restore on a separate droplet. Treat it like packing a spare set of keys – you hope you never need them, but you’ll be glad they exist.
Checklist command:
curl -sSL https://example.com/vps-checklist.sh | bash
Fail2Ban install:
apt-get install fail2ban && systemctl enable fail2ban
UFW rule example:
ufw allow from 203.0.113.0/24 to any port 22
Backup script snippet:
rsync -a /var/www/ backup@backup-server:/backups/$(date +%F)
Once those three steps are done, you’ll have a solid baseline and a safety net for future changes.
Got a specific hardening challenge? Drop a comment and let’s troubleshoot together!
About the Author
Abdullah Sheikh is the Founder & CEO at Exteed, where he leads a team of skilled developers specializing in Web2 and Web3 applications, Custom Smart Contracts, and Blockchain solutions.
With 6+ years of experience, Abdullah has built CRMs, Crypto Wallets, DeFi Exchanges, E-Commerce Stores, HIPAA Compliant EMR Systems, and AI-powered systems that drive business efficiency and innovation.
His expertise spans Blockchain, Crypto & Tokenomics, Artificial Intelligence, and Web Applications; building reliable and smooth web apps that fit the client’s goals and requirements.
📧 info@abdullah-sheikh.com · 🔗 LinkedIn · 🌐 abdullah-sheikh.com