logzly. VPS Insight

Secure Your First VPS: A Practical Checklist for Developers

Read this article in clean Markdown format for LLMs and AI context.

You just got your first virtual private server and the excitement is real—until you remember that a fresh VPS is also a fresh target for attackers. A few minutes of hardening now can save you hours of firefighting later, and it doesn’t have to be a scary, endless list of commands. Before you dive in, you might also want to read our guide on how to choose the right VPS for your SaaS startup.

Why security matters from day one

When I first spun up a VPS for a side project, I skipped the basics and went straight to installing my app. Within a day I saw strange traffic spikes, a few failed SSH logins, and a warning from my email provider about a compromised IP. The lesson was simple: a server is a public computer the moment it’s reachable on the internet. Treat it like a door—lock it before you walk through.

The checklist

Below is a step‑by‑step checklist that any developer can run through in under an hour. I’ve tried to keep the commands short and the explanations plain. Feel free to copy‑paste, tweak, and make it part of your deployment script.

1. Update the operating system

Out‑of‑the‑box images often ship with old packages that contain known bugs. Run the package manager’s update command right after login.

# Debian / Ubuntu
sudo apt update && sudo apt upgrade -y

# CentOS / RHEL
sudo yum update -y

A quick reboot (sudo reboot) ensures the new kernel and services start clean.

2. Create a non‑root user

Never run your app or daily work as root. Create a dedicated user and give it sudo rights only when needed.

sudo adduser devuser
sudo usermod -aG sudo devuser

Log out, then log back in as devuser. This small step limits the damage if the account is ever compromised.

3. Harden SSH access

SSH is the most common entry point. Here’s what I always do:

  • Disable password login – use key pairs instead.
  • Change the default port – moving from 22 to something like 2222 adds a tiny hurdle for bots.
  • Allow only your user – edit /etc/ssh/sshd_config.
# Edit the config file
sudo nano /etc/ssh/sshd_config

Set these lines (replace 2222 with any port you like):

Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers devuser

After saving, restart SSH:

sudo systemctl restart sshd

For a deeper dive into hardening a Linux VPS against ransomware, check out our dedicated guide.

4. Set up a firewall

A firewall blocks everything you don’t explicitly allow. On Ubuntu/Debian, ufw (Uncomplicated Firewall) does the job nicely.

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp   # SSH port you chose
sudo ufw allow 80/tcp     # HTTP if you serve web
sudo ufw allow 443/tcp    # HTTPS
sudo ufw enable

If you’re using a cloud provider’s security groups, double‑check they match your ufw rules.

5. Install fail2ban

Fail2ban watches log files for repeated failed login attempts and temporarily bans the offending IP. It’s a lightweight, set‑and‑forget tool.

sudo apt install fail2ban -y   # Debian/Ubuntu
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

The default configuration already protects SSH. If you later run other services (e.g., FTP), you can add extra “jails” later.

6. Turn on automatic security updates

You don’t have to remember to patch every month. Enable unattended upgrades so critical fixes are applied automatically.

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades

On CentOS, you can use yum-cron:

sudo yum install yum-cron -y
sudo systemctl enable yum-cron
sudo systemctl start yum-cron

7. Install and configure a host‑based IDS

A host‑based intrusion detection system (IDS) like rkhunter or chkrootkit can alert you to hidden backdoors. I prefer rkhunter for its simplicity.

sudo apt install rkhunter -y
sudo rkhunter --update
sudo rkhunter --propupd   # initialize baseline

Schedule a daily scan with cron:

echo "0 3 * * * root /usr/bin/rkhunter --check --quiet" | sudo tee -a /etc/crontab

8. Secure your application stack

Your VPS is only as strong as the software you run on it.

  • Use strong, unique passwords for any databases or admin panels.
  • Bind services to localhost when they don’t need external access (e.g., a Redis cache).
  • Enable TLS for any web traffic. Let’s Encrypt offers free certificates and a one‑liner install script (certbot).
sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d yourdomain.com

9. Regular backups

Even the best security can’t protect against accidental deletion. Set up a simple backup routine to another server or cloud bucket.

# Example using rsync to a remote backup server
rsync -a --delete /var/www/ [email protected]:/backups/vps1/

Schedule it with cron to run nightly.

10. Monitor and log

Keep an eye on what’s happening. Tools like htop, journalctl, and netstat give you a quick view. For longer‑term tracking, consider a lightweight log shipper like filebeat that pushes logs to a central place (Logzly, for instance).

sudo apt install htop -y
htop   # press q to quit

A quick sanity check

Before you call the day done, run through this quick list:

  1. Can you SSH in with a key on the new port?
  2. Does ufw status show only the ports you need?
  3. Is fail2ban-client status sshd reporting no bans (or a few recent ones)?
  4. Did rkhunter --check finish without warnings?
  5. Are your backups scheduled and successful?

If you can answer “yes” to all, you’ve built a solid foundation. From here you can start tweaking performance, adding CI/CD pipelines, or scaling out with load balancers—without the nagging fear that a simple misconfiguration will expose your code to the world.

Closing thoughts

Securing a VPS isn’t a one‑time checklist you file away; it’s a habit you keep alive. The steps above are the basics I use on every new server at VPS Insight, and they’ve saved me countless headaches. Treat each item as a small habit, and soon the process will feel as natural as running git pull.

Happy hosting, and may your logs stay clean!

Reactions
Do you have any feedback or ideas on how we can improve this page?