InterData

How to Set Up a VPS for the First Time: A Clean Guide

You just bought a shiny new VPS. You got an IP address, a root username, and a random password emailed to you. Logging in as root and dumping your code immediately is the fastest way to get your server hijacked by botnets within 2 hours. Let’s do it the right way instead.

Here is a step-by-step walkthrough to get your virtual server up, running, and hardened against common security threats.


Why your default VPS configuration is an accident waiting to happen

Setting up a VPS for the first time requires securing root access, configuring an isolated user, and restricting network ports. Default VPS deployments often expose SSH on port 22 with password logins enabled, making them easy targets for automated brute-force attacks.

The moment a public IP address goes live, automated botnets begin scanning it. They look specifically for open port 22 (the default SSH port) and attempt to brute-force the root account with thousands of common passwords. If you leave your default settings active, it is rarely a matter of if your server gets compromised, but when.

Learning how to manage and secure a server yourself is a massive superpower. Once you understand basic system hygiene, you can host your own databases, web applications, and development sandboxes with peace of mind.


Step 1: Accessing your VPS via SSH for the first time

To begin, open your computer's terminal (or Command Prompt/PowerShell if you are on Windows) and run the following command to connect as the administrative root user:

ssh root@your_server_ip

Handling the Host Authenticity Warning

Because this is your first time connecting, you will likely see a warning message like this:

The authenticity of host '123.456.78.90 (123.456.78.90)' can't be established.
ED25519 key fingerprint is SHA256:...
Are you sure you want to continue connecting (yes/no/[fingerprint])?

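Do not worry; this is normal. It simply means your local computer has never seen this server before and is asking you to confirm its identity. If your hosting provider shows the server's host key fingerprint (for example in its control panel), compare it with the one displayed. Type yes and hit Enter. Your system saves the host key to its known_hosts file and will warn you if the server presents a different key on a later connection, which is how it helps detect man-in-the-middle attacks.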

Once connected, enter the temporary root password provided by your hosting provider.

Update Packages Instantly

Before installing anything else, you should update the system's package index and upgrade existing software to patch any known security vulnerabilities. For Debian- or Ubuntu-based systems, run:

sudo apt update && sudo apt upgrade -y

Pro-Tip: Skipping this step on day one is a recipe for dependency hell later on. New software installations often fail or conflict if your system's package repositories are outdated. Always pull the latest package lists first.


Step 2: Creating a sudo user (And why root access is a trap)

Running command-line operations as the root user leaves your server vulnerable to catastrophic typos and malicious exploits. Creating a dedicated non-root user with sudo privileges ensures that any administrative system changes require explicit confirmation and logging.

1. Create a new user

Let’s create a new, restricted system user. Replace devuser with whatever username you prefer:

adduser devuser

You will be prompted to enter and confirm a strong password. You can press Enter to skip the additional details like "Full Name" and "Room Number."

2. Grant admin privileges

To allow this new user to execute administrative tasks, add them to the sudo group:

usermod -aG sudo devuser

3. Test your new user session

Before you log out of your root terminal, open a new, separate terminal window on your local machine and try logging in as your new user:

ssh devuser@your_server_ip

Once logged in, verify you have administrative capabilities by running:

sudo apt update

If it prompts you for your user password and then runs without errors, you have configured a safe administrative account. Keep both terminal windows open for now.


Step 3: Hardening SSH access with Public Key Authentication

Password logins are highly vulnerable to brute-force attacks. SSH key authentication uses a pair of cryptographic keys (a public key on the server and a private key on your local machine) to verify your identity, and is virtually impossible to brute-force.

1. Generate SSH keys locally

On your local computer's terminal (not the VPS), generate an ED25519 key pair (which is faster and more secure than older RSA keys):

ssh-keygen -t ed25519

Press Enter to save it to the default location. For added security, you can enter a passphrase to protect your private key.

2. Copy the public key to your VPS

Still on your local computer, copy your newly generated public key to your new server user:

ssh-copy-id devuser@your_server_ip

Log back into your VPS as your new user. You should now be logged in without being prompted for your account password (if you set a passphrase on the key, you will be asked for that instead).

3. Edit the SSH port configuration

Now, we need to tell the SSH service to stop accepting password logins and to stop listening on the standard port 22. Open the SSH daemon configuration file using the nano text editor:

sudo nano /etc/ssh/sshd_config

Scroll through the file and modify the following lines:

  1. Change the port: Find #Port 22 (or Port 22), uncomment it by removing the #, and change the number to a custom value between 1024 and 65535 (for example, 2288). This simple change avoids 99% of automated port scanners.
  2. Disable root login: Find PermitRootLogin and change its value to no.
  3. Disable password authentication: Find PasswordAuthentication and set it to no.

Save the changes (press Ctrl + O, then Enter) and exit nano (Ctrl + X).

4. Restart the SSH service

Apply the new settings by restarting the SSH daemon:

sudo systemctl restart ssh

(Note: On some Linux distributions, the service might be named sshd instead of ssh.)

Do not close your current terminal window yet. Open a new terminal window to test your new configuration:

ssh -p 2288 devuser@your_server_ip

If you can log in successfully, your SSH hardening is complete.
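A successful login on the new port does not prove that password and root logins are really off: on Debian and Ubuntu, sshd_config includes drop-in files from /etc/ssh/sshd_config.d/ near the top, and the first value sshd reads for a keyword wins. The script below is an added example, not part of the original guide; it checks the effective settings printed by `sshd -T`, and the function name and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the settings sshd actually applies, not just what was typed.
# Usage on the VPS:  sudo sshd -t && sudo sshd -T | check_sshd_effective 2288
# `sshd -t` validates syntax; `sshd -T` prints the effective configuration as
# lowercase "keyword value" lines after all Include files have been merged.

check_sshd_effective() {
    # $1 = the custom port chosen in step 3 (2288 in this guide)
    awk -v want="$1" '
        { val[$1] = $2 }
        $1 == "port" { ports[$2] = 1 }        # Port can be listed more than once
        END {
            w = want ""                       # force string comparison
            bad = 0
            if (!(w in ports)) {
                print "FAIL port: not listening on " w; bad = 1
            }
            if (w != "22" && ("22" in ports)) {
                print "FAIL port: still listening on 22"; bad = 1
            }
            if (val["permitrootlogin"] != "no") {
                print "FAIL permitrootlogin: " val["permitrootlogin"]; bad = 1
            }
            if (val["passwordauthentication"] != "no") {
                print "FAIL passwordauthentication: " val["passwordauthentication"]; bad = 1
            }
            if (val["pubkeyauthentication"] != "yes") {
                print "FAIL pubkeyauthentication: " val["pubkeyauthentication"]; bad = 1
            }
            if (!bad) print "OK: effective sshd settings match the guide"
            exit bad
        }'
}

# Constructed sample: what `sshd -T` reports once step 3 has taken effect.
SAMPLE_HARDENED='port 2288
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'

# Constructed sample: sshd_config was edited, but a drop-in file re-enables passwords.
SAMPLE_OVERRIDDEN='port 2288
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes'

# Demo on the constructed samples (|| true keeps the script going after a FAIL).
printf '%s\n' "$SAMPLE_HARDENED"   | check_sshd_effective 2288 || true
printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_sshd_effective 2288 || true
```

If the check reports a FAIL that you did not expect, look for the keyword in the files under /etc/ssh/sshd_config.d/ before editing sshd_config again.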


Step 4: Building a wall with the UFW firewall

A firewall acts as a barrier, controlling which traffic is allowed into your server. The Uncomplicated Firewall (UFW) is a user-friendly frontend for managing iptables rules on Ubuntu and Debian.

Before enabling the firewall, you must explicitly allow connections to your new custom SSH port. If you enable the firewall without opening your custom port first, you will lock yourself out of your server.

Run the following commands to configure your firewall:

# Allow your custom SSH port (Replace 2288 with your chosen port)
sudo ufw allow 2288/tcp

# Allow standard web traffic if you plan to host a website
sudo ufw allow http
sudo ufw allow https

# Enable the firewall
sudo ufw enable

You will see a warning stating that the command may disrupt existing SSH connections. Type y and press Enter.

To check the active rules on your firewall, run:

sudo ufw status verbose

Your VPS is now configured, updated, and protected from public threats.
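The lockout described in this step (enabling UFW before the custom SSH port is allowed) can be guarded against in a script. This is an added example, not part of the original guide: the function names are hypothetical and the rule listings are constructed to mimic the output of `sudo ufw show added`.

```shell
#!/bin/sh
# Added example: refuse to enable UFW unless the SSH port is already allowed.
# `ufw show added` lists configured rules even while the firewall is inactive,
# one per line in command form, e.g. "ufw allow 2288/tcp".

ssh_port_allowed() {
    # $1 = SSH port; stdin = output of `sudo ufw show added`
    awk -v port="$1" '
        BEGIN { p = port "" }                  # compare as a string
        $1 == "ufw" && NF == 3 && ($2 == "allow" || $2 == "limit") {
            # "2288" covers tcp and udp, "2288/tcp" covers tcp; "2288/udp" is no use to SSH
            if ($3 == p || $3 == (p "/tcp")) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

enable_ufw_safely() {
    # Run on the VPS: enable_ufw_safely 2288
    port=$1
    if sudo ufw show added | ssh_port_allowed "$port"; then
        sudo ufw enable
    else
        echo "Refusing to enable UFW: no allow rule for ${port}/tcp" >&2
        echo "Run first: sudo ufw allow ${port}/tcp" >&2
        return 1
    fi
}

# Constructed sample: rules after following this step with port 2288.
SAMPLE_RULES_READY="Added user rules (see 'ufw status' for running firewall):
ufw allow 2288/tcp
ufw allow 80/tcp
ufw allow 443/tcp"

# Constructed sample: only the old default port was allowed.
SAMPLE_RULES_LOCKOUT="Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 80/tcp"

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_RULES_READY" | ssh_port_allowed 2288 \
    && echo "2288/tcp allowed: safe to enable"
printf '%s\n' "$SAMPLE_RULES_LOCKOUT" | ssh_port_allowed 2288 \
    || echo "2288/tcp missing: enabling now would lock you out"
```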


FAQ: Quick troubleshooting for first-time VPS admins

Q: Why can't I connect to my VPS via SSH?

Answer: The most common reasons you cannot connect to your VPS via SSH are a misconfigured firewall blocking your SSH port, an incorrect username (e.g., logging in as root after disabling root access), or incorrect file permissions on your local SSH private key.

Q: What are the first things to do on a new VPS?

Answer: The first five steps to take on a new VPS are:

  1. Update system repository packages.
  2. Create a restricted, non-root user with sudo permissions.
  3. Set up SSH key pair authentication.
  4. Disable root logins and password-based authentication.
  5. Enable and configure a basic firewall (such as UFW).

Q: How do I choose the best VPS location?

Answer: Choose a server location closest to your target audience to reduce latency and improve load times. For users and traffic centered in Southeast Asia, selecting a hosting provider with physical data centers in Vietnam, such as InterData, ensures low ping rates, local compliance, and high throughput compared to US-based servers.


Need a reliable sandbox?

If you are looking for a high-performance sandbox to deploy your applications, check out InterData VPS Hosting. We offer pure NVMe enterprise storage, 10Gbps network connectivity, and localized customer support that actually speaks dev-language when things go sideways.
