After successfully SSH-ing into your new server (for example 178.18.23.12), here's your step-by-step checklist to properly set it up for production use:
1. Verify Basic System Info
# Check OS version
cat /etc/os-release
# Check disk space
df -h
# Check memory
free -h
# Check CPU
lscpu
Why? Confirm you have the expected resources and OS version.
2. Change Default Passwords IMMEDIATELY
# Change root password (even if using SSH keys)
passwd
# If you created a sudo user:
passwd yourusername
Pro Tip: Use a 20+ character random password stored in a password manager.
3. Create a New Sudo User (Never Use Root Daily)
# Create user
adduser yourusername
# Grant sudo (Debian/Ubuntu)
usermod -aG sudo yourusername
# Grant sudo (CentOS/RHEL)
usermod -aG wheel yourusername
Now log out of root and use this user instead:
exit
ssh yourusername@178.18.243.142
4. Set Up SSH Key Authentication
On your local machine (not the server):
ssh-keygen -t ed25519 -a 100 # Creates ~/.ssh/id_ed25519.pub
ssh-copy-id yourusername@178.18.243.142
Then disable password logins:
sudo nano /etc/ssh/sshd_config
Set:
PasswordAuthentication no
PermitRootLogin no
Restart SSH:
sudo systemctl restart sshd
5. Enable Automatic Security Updates
Debian/Ubuntu
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
CentOS/RHEL
sudo yum install yum-cron
sudo systemctl enable --now yum-cron
6. Configure a Firewall
UFW (Debian/Ubuntu)
sudo ufw allow 22/tcp # SSH
sudo ufw allow 80/tcp # HTTP (if needed)
sudo ufw enable
firewalld (CentOS/RHEL)
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload
7. Install Essential Tools
# For Debian/Ubuntu
sudo apt install -y htop nano git curl fail2ban
# For CentOS/RHEL
sudo yum install -y htop nano git curl epel-release
sudo yum install -y fail2ban
8. Set Up Basic Monitoring
Install and Configure Fail2Ban
sudo systemctl enable --now fail2ban
Check Logs Regularly
# Failed SSH attempts
sudo grep "Failed" /var/log/auth.log # Debian/Ubuntu
sudo grep "Failed" /var/log/secure # CentOS/RHEL
# Active connections
ss -tulnp
9. Secure Critical Files
# Make sensitive files immutable
sudo chattr +i /etc/passwd /etc/shadow /etc/group /etc/sudoers
# Restrict cron access
sudo rm /etc/cron.deny # Delete if exists
echo "yourusername" | sudo tee /etc/cron.allow
10. What Next? Depends on Your Use Case
For Web Servers:
sudo apt install nginx # or apache2
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
For Database Servers:
sudo apt install mysql-server
sudo mysql_secure_installation
For Development:
# Install Docker
curl -fsSL https://get.docker.com | sudo sh
sudo usermod -aG docker yourusername
Bonus: First Night Checklist
✅ All default passwords changed
✅ Root SSH login disabled
✅ SSH keys configured (password auth disabled)
✅ Firewall active with minimal ports open
✅ Automatic updates enabled
✅ Basic monitoring (Fail2Ban) running
✅ Critical files secured
After this: Proceed with your specific application setup (WordPress, Node.js, game server, etc.).
Emergency Reminder
Always keep a backup SSH session open when making critical changes! If you lock yourself out:
- Use your hosting provider's VNC console access
- For cloud servers (AWS/Azure/GCP), use their rescue mode
Top comments (0)