How to Harden a Linux VPS in 30 Minutes (Production Checklist)
You just spun up a new VPS. Before you deploy anything, run through this checklist.
These are the baseline hardening steps that prevent 90% of common attacks.
1. Update the System
sudo apt update && sudo apt upgrade -y
sudo apt autoremove -y
Run this first. Always.
2. Create a Non-Root User
# Add user
adduser deploy
# Give sudo access
usermod -aG sudo deploy
# Switch to new user
su - deploy
Never run your app as root.
3. Set Up SSH Key Authentication
# On your LOCAL machine, generate a key if you don't have one
ssh-keygen -t ed25519 -C "your-email@example.com"
# Copy your public key to the server
ssh-copy-id deploy@your-server-ip
# Or manually:
# cat ~/.ssh/id_ed25519.pub | ssh deploy@your-server-ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Then disable password authentication:
sudo nano /etc/ssh/sshd_config
Change these lines:
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
Then restart the SSH service:
sudo systemctl restart sshd
Test your SSH key login in a NEW terminal before closing your current session.
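An added example, not part of the original post: sshd uses the first value it reads for each keyword, and Debian and Ubuntu include /etc/ssh/sshd_config.d/*.conf at the top of sshd_config, so a drop-in file there can silently override the three lines you just edited. The script below checks the effective settings printed by `sudo sshd -T`; the function name audit_sshd, the REQUIRED list and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit the effective sshd settings.
# Input is the output of `sudo sshd -T`, which prints lowercase "keyword value" lines.

# The three values step 3 sets, as keyword=value pairs.
REQUIRED="passwordauthentication=no permitrootlogin=no pubkeyauthentication=yes"

# audit_sshd: read `sshd -T` output on stdin, print one line per deviation,
# return 0 if every required setting matches and 1 otherwise.
audit_sshd() {
  awk -v req="$REQUIRED" '
    BEGIN {
      n = split(req, pairs, " ")
      for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] }
    }
    { key = tolower($1) }
    (key in want) && !(key in got) { got[key] = tolower($2) }
    END {
      bad = 0
      for (k in want) {
        if (!(k in got)) { printf "MISSING %s (want %s)\n", k, want[k]; bad = 1 }
        else if (got[k] != want[k]) { printf "FAIL %s is %s (want %s)\n", k, got[k], want[k]; bad = 1 }
      }
      exit bad
    }'
}

# Constructed sample: sshd_config was edited, but a config file that is read
# first still sets PasswordAuthentication yes, so the edit has no effect.
SAMPLE_OVERRIDDEN="port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes"

# Constructed sample: all three settings are effective.
SAMPLE_HARDENED="port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no"

# Demo on the constructed samples. On a server: sudo sshd -T | audit_sshd
printf '%s\n' "$SAMPLE_OVERRIDDEN" | audit_sshd || echo "not hardened yet"
printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd && echo "sshd settings OK"
```

Running `sudo sshd -t` before the restart also catches syntax errors in the file, which matters when SSH is your only way into the server.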
4. Configure the Firewall
sudo apt install ufw -y
# Deny everything by default
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH (critical - don't forget this!)
sudo ufw allow ssh
# Allow HTTP and HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Enable
sudo ufw enable
sudo ufw status verbose
5. Fail2ban (Block Brute Force)
sudo apt install fail2ban -y
sudo nano /etc/fail2ban/jail.local
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
# Check status
sudo fail2ban-client status sshd
6. Disable Unused Services
# See what's running
sudo systemctl list-units --type=service --state=running
# Disable what you don't need (--now also stops the running service immediately)
sudo systemctl disable --now bluetooth
sudo systemctl disable --now avahi-daemon
sudo systemctl disable --now cups # printing service
7. Set Up Automatic Security Updates
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades
Choose "yes" to enable automatic security updates.
8. Check for Open Ports
# See all open ports
sudo ss -tlnp
# Compare against what you expect
# Standard: 22 (SSH), 80 (HTTP), 443 (HTTPS)
# Anything else should be intentional
The Complete 30-Minute Checklist
# 1. Update
sudo apt update && sudo apt upgrade -y
# 2. Create non-root user
adduser deploy && usermod -aG sudo deploy
# 3. Set up SSH keys (from local machine)
ssh-copy-id deploy@your-server
# 4. Disable password auth (the pattern also matches the commented-out default line)
sudo sed -i -E 's/^#?[[:space:]]*PasswordAuthentication[[:space:]]+(yes|no).*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo systemctl restart sshd
# 5. Firewall
sudo ufw default deny incoming && sudo ufw allow ssh && sudo ufw allow 80/tcp && sudo ufw allow 443/tcp && sudo ufw enable
# 6. Fail2ban
sudo apt install fail2ban -y && sudo systemctl enable fail2ban
# 7. Auto updates
sudo apt install unattended-upgrades -y
# 8. Verify open ports
sudo ss -tlnp
I built ARIA to solve exactly this.
Try it free at step2dev.com — no credit card needed.