
Checklist: Bought a VPS — What’s Next?

Published on September 22, 2025



Getting a new VPS is just the beginning. By default, the server is insecure and not ready for production use. This checklist walks you step by step through preparing your VPS: closing security holes, enabling updates, and configuring the basic infrastructure.


1. First login and changing the root password

Connect to the server via SSH:

ssh root@YOUR_IP_ADDRESS

Change the temporary password to your own unique and complex one:

passwd

2. Create a new user with sudo

Working as root all the time is dangerous. Let’s create a regular user:

adduser username
usermod -aG sudo username

3. Setting up SSH keys

Passwords can be brute-forced; keys almost never can. Generate a key pair on your local machine:

ssh-keygen -t ed25519

Copy the public key to the server:

ssh-copy-id username@YOUR_IP_ADDRESS

Test that key-based login works. Then set the correct permissions on the server:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

4. SSH hardening: disable unnecessary options

Open the config:

sudo nano /etc/ssh/sshd_config

Change or add the following lines:

PermitRootLogin no
PasswordAuthentication no
Port 2222

⚠️ Don’t forget to allow the new port in the firewall, otherwise you’ll lose access. Keep your current session open until a login on the new port works. Restart SSH:

sudo systemctl restart ssh

5. Update the system

For Debian/Ubuntu:

sudo apt update && sudo apt upgrade -y
sudo apt autoremove -y

For CentOS/RHEL:

sudo dnf update -y

On Debian/Ubuntu, it’s recommended to enable automatic security updates:

sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

6. Basic firewall

UFW lets you block all incoming traffic except what you explicitly allow (2222 here is the SSH port set in step 4):

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
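
An added example (not part of the original article) that ties step 4 to this step: a pre-check to run before restarting SSH or enabling UFW. The function names and sample data are constructed for illustration; it assumes the config text is supplied in the order sshd reads it and the firewall text is `ufw status` output.

```bash
# Added example: lockout pre-check for steps 4 and 6 (constructed, illustrative).

# Value sshd would use for keyword $1, config text on stdin. Per sshd_config(5)
# the FIRST value seen wins and keywords are case-insensitive. Global scope
# only: parsing stops at the first Match block.
sshd_value() {
  awk -v key="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    /^[ \t]*(#|$)/         { next }
    tolower($1) == "match" { exit }
    tolower($1) == key     { print $2; exit }'
}

# Port is the exception: every Port line adds a listener; the default is 22.
sshd_ports() {
  awk '/^[ \t]*(#|$)/         { next }
       tolower($1) == "match" { exit }
       tolower($1) == "port"  { print $2; n++ }
       END                    { if (!n) print 22 }'
}

# $1 = sshd config text, $2 = `ufw status` text. Returns 0 only if root login
# and password auth are off and every SSH port has an ALLOW rule; 2 = lockout risk.
check_lockout() {
  local cfg="$1" ufw="$2" rc=0 p
  [ "$(printf '%s\n' "$cfg" | sshd_value PermitRootLogin)" = no ] ||
    { echo "WARN: PermitRootLogin is not 'no'"; rc=1; }
  [ "$(printf '%s\n' "$cfg" | sshd_value PasswordAuthentication)" = no ] ||
    { echo "WARN: PasswordAuthentication is not 'no'"; rc=1; }
  for p in $(printf '%s\n' "$cfg" | sshd_ports); do
    printf '%s\n' "$ufw" |
      awk -v p="$p" '$2 == "ALLOW" && ($1 == p "/tcp" || $1 == p) { ok = 1 }
                     END { exit !ok }' ||
      { echo "FAIL: no ufw ALLOW rule for SSH port $p"; rc=2; }
  done
  return "$rc"
}

# Constructed sample: an earlier line (e.g. from a drop-in included at the top
# of sshd_config) still says "yes", so the later "no" from step 4 never applies.
SAMPLE_CFG='PasswordAuthentication yes
# --- main sshd_config below ---
PermitRootLogin no
PasswordAuthentication no
Port 2222'
# Constructed `ufw status` text: rules added before the port was changed.
SAMPLE_UFW='22/tcp    ALLOW   Anywhere
80/tcp    ALLOW   Anywhere'
check_lockout "$SAMPLE_CFG" "$SAMPLE_UFW" || echo "exit code $?: fix before restarting ssh"
```

On a real server, `sudo sshd -T` prints the effective configuration in the same keyword-value form, so its output can be passed as the first argument together with the output of `sudo ufw status`.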

7. Fail2Ban against brute-force

Install and enable:

sudo apt install fail2ban -y
sudo systemctl enable --now fail2ban

Make a copy of the config:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

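In jail.local you can configure bantime and maxretry. Because SSH now listens on port 2222 (step 4), make sure the port setting of the sshd jail matches, otherwise bans may be applied to the wrong port.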


8. Timezone and NTP

Correct time = correct logs and cron jobs.

timedatectl list-timezones
sudo timedatectl set-timezone Europe/Moscow
timedatectl status

9. Clean up unnecessary stuff

Check which ports the server is listening on:

ss -tuln

See enabled services:

sudo systemctl list-unit-files --state=enabled

Remove everything that’s not needed.


10. Backups

Backups are more important than any configuration. Minimum option:

rsync -a /important/data user@backup:/backups/server-name/

More reliable tools: BorgBackup, Restic, Duplicity. Best practice — store backups on another server or in the cloud. Periodically check that recovery actually works.


Conclusion

Now your VPS is protected against basic attacks, runs with up-to-date packages, and is ready for application deployment. Next steps — set up monitoring, containerization (Docker, Podman), and CI/CD, but the basic foundation is already in place.

