How to Secure Ubuntu VPS Servers: Standard Checklist
Step-by-step instructions to harden your Linux cloud VPS. Secure SSH keys, configure firewalls, and install Fail2ban filters.
1. Overview
When you boot up a new Linux VPS (Ubuntu or Debian) on DigitalOcean, AWS, or Vultr, the default configuration is not secure. Within minutes of being online, botnets will start scanning your public IP address, trying to guess your login passwords. Closing unused ports and enforcing SSH key authentication is essential to prevent unauthorized access.
2. Signs & Symptoms
If your VPS is insecure, you will notice:
- Your authentication log file (`/var/log/auth.log`) registering thousands of failed SSH login attempts.
- High memory usage and CPU load spikes caused by network scans.
- Unknown terminal processes executing background tasks on your server.
3. Technical Explanation
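By default, servers listen for SSH connections on port 22, and root logins are enabled. Hackers use automated dictionary scripts that scan port 22 of public IPs, trying millions of common passwords. Disabling root logins, requiring cryptographic SSH keys instead of passwords, and relocating the port shuts these attacks down: key-only authentication leaves no password to guess, and moving the port takes the service out of the path of scripts that only probe port 22.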
4. Step-by-Step Fixes
Follow this checklist to secure your Ubuntu VPS:
- Create a Non-Root Admin:
  ```
  # Add a new user:
  adduser username
  # Add user to sudo group:
  usermod -aG sudo username
  ```
- Enforce SSH Key Login: Generate a key pair on your local computer, copy the public key to the server's `~/.ssh/authorized_keys`, and modify the SSH config:
  ```
  # Edit configuration file:
  sudo nano /etc/ssh/sshd_config
  # Change settings:
  PasswordAuthentication no
  PubkeyAuthentication yes
  PermitRootLogin no
  ```
- Change the Default SSH Port: Inside the same `sshd_config` file, edit the port line:
  ```
  Port 2288
  ```
  Save the file and restart the SSH service:
  ```
  sudo systemctl restart sshd
  ```
- Enable UFW Firewall: Deny all incoming traffic except web ports and your custom SSH port:
  ```
  sudo ufw default deny incoming
  sudo ufw default allow outgoing
  sudo ufw allow 80/tcp
  sudo ufw allow 443/tcp
  sudo ufw allow 2288/tcp
  sudo ufw enable
  ```
- Install Fail2ban: Protect services from brute force:
  ```
  sudo apt update && sudo apt install fail2ban -y
  ```
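The SSH settings in the steps above only take effect if nothing read earlier sets the same keyword: sshd keeps the first value it reads for each keyword (for example from a drop-in file included at the top of `sshd_config`), and every `Port` line adds a listener. The audit below is an added example, not part of the original checklist; the names `audit_sshd`, `sample_overridden` and `sample_hardened` and both sample configurations are constructed for illustration.

```sh
# audit_sshd PORT < config-text
# Reads sshd configuration on stdin (config files in load order, or the output
# of `sshd -T`) and checks the four checklist settings. Exit status 0 = pass.
audit_sshd() {
    awk -v want_port="$1" '
        BEGIN {
            want["passwordauthentication"] = "no"
            want["pubkeyauthentication"]   = "yes"
            want["permitrootlogin"]        = "no"
        }
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        tolower($1) == "match" { exit }      # global settings end at first Match block
        {
            key = tolower($1)                # keywords are case-insensitive
            if (key == "port") {             # every Port line opens a listener
                nport++
                if ($2 != want_port) extra = extra " " $2
            } else if ((key in want) && !(key in seen)) {
                seen[key] = $2               # sshd keeps the first value it reads
            }
        }
        END {
            bad = 0
            for (key in want) {
                got = (key in seen) ? seen[key] : "(unset)"
                if (got != want[key]) {
                    printf "FAIL %s: got %s, want %s\n", key, got, want[key]
                    bad = 1
                }
            }
            if (nport == 0) { print "FAIL port: no Port line, want " want_port; bad = 1 }
            if (extra != "") { print "FAIL port: unexpected value(s):" extra; bad = 1 }
            exit bad
        }'
}

# Constructed sample: an included drop-in re-enables passwords before the edit.
sample_overridden() {
    printf '%s\n' '# included drop-in file (constructed)' 'PasswordAuthentication yes' \
        '# main sshd_config (constructed)' 'Port 2288' 'PasswordAuthentication no' \
        'PubkeyAuthentication yes' 'PermitRootLogin no'
}

# Constructed sample: the checklist settings with nothing overriding them.
sample_hardened() {
    printf '%s\n' 'Port 2288' 'PasswordAuthentication no' \
        'PubkeyAuthentication yes' 'PermitRootLogin no'
}
```

On the server, define the function in your shell and check the effective configuration with `sudo sshd -T | audit_sshd 2288`.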
5. Summary Checklist
To maintain a secure server:
- Never use password authentication for SSH connections.
- Keep the UFW firewall active, leaving only essential ports open.
- Relocate the default SSH port to keep the service out of routine port-22 scans.
- Enable Fail2ban to block persistent brute-force IPs automatically.