How to Secure Your VPS: A Practical First-Day Checklist

Step 1: Stop logging in with passwords

Password logins are the single biggest risk on a new server, because bots guess them all day long. Generate an SSH key pair on your own computer, copy the public key to the server, then disable password authentication entirely. From then on only someone holding your private key can log in.

Step 2: Do not use root for daily work

Create a normal user with sudo rights and use that for everyday tasks. Running everything as root means a single mistake, or a single compromised process, has total control. A regular account with sudo gives you the same power when you need it, with a safety margin when you do not.

Step 3: Turn on a firewall

By default many ports are open to the world. A firewall lets you allow only what you actually use and block the rest. On most Linux systems UFW makes this a two-minute job.

• Allow SSH (your chosen port), HTTP (80) and HTTPS (443).
• Deny everything else inbound by default.
• Open extra ports only when a service genuinely needs them.

Step 4: Update everything, then keep it updated

The first command on any new server should update the package list and install security patches. Out-of-date software is how most servers get breached. Enable automatic security updates so you are not relying on memory.

Step 5: Add fail2ban for brute-force protection

fail2ban watches your logs and temporarily bans IP addresses that fail to log in too many times. It is a small install that quietly absorbs the constant background noise of automated attacks.

Step 6: Set up backups before you need them

Security is not only about keeping attackers out, it is about recovering fast if something goes wrong. Take snapshots, and keep at least one backup copy off the server itself. A backup you have never tested is just a hope, so restore one once to be sure it works.

SSH keys, a firewall, updates and backups. Four steps on day one stop almost every attack a small server will ever face.