Checklist: Bought a VPS — What’s Next?

Published on 2025-09-22


Getting a new VPS is just the beginning. By default, the server is insecure and not ready for production use. This checklist walks you step by step through preparing your VPS: closing security holes, enabling updates, and configuring the basic infrastructure.


1. First login and changing the root password

Connect to the server via SSH:

ssh root@YOUR_IP_ADDRESS

Change the temporary password to your own unique and complex one:

passwd

2. Create a new user with sudo

Working as root all the time is dangerous. Let’s create a regular user and add it to the sudo group (on CentOS/RHEL the equivalent group is wheel):

adduser username
usermod -aG sudo username

3. Setting up SSH keys

Passwords can be brute-forced; keys almost never can. Generate keys on your local machine:

ssh-keygen -t ed25519

Copy the public key to the server:

ssh-copy-id username@YOUR_IP_ADDRESS

Test the login with the key. Then, on the server, set the correct permissions:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

4. SSH hardening: disable unnecessary options

Open the config:

sudo nano /etc/ssh/sshd_config

Change or add the following lines:

PermitRootLogin no
PasswordAuthentication no
Port 2222

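⚠️ Don’t forget to allow the new port in the firewall, otherwise you’ll lose access. Keep your current session open until a new connection on the new port works. Restart SSH (on CentOS/RHEL the unit is named sshd):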

sudo systemctl restart ssh
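
sshd uses the first value it finds for each keyword, so a PasswordAuthentication or Port line set earlier, for example in a drop-in file pulled in by an Include directive, silently wins over the lines added above. As an added example (not from the original post), the function below checks the effective settings printed by `sshd -T`; the helper name audit_sshd_effective and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Usage on the server: sudo sshd -T | audit_sshd_effective 2222
# audit_sshd_effective is a hypothetical helper name, not part of OpenSSH.
audit_sshd_effective() {
    awk -v want_port="$1" '
        BEGIN {
            # Values required by step 4 of the checklist.
            expect["permitrootlogin"] = "no"
            expect["passwordauthentication"] = "no"
        }
        # sshd -T prints lowercase keywords, one "port N" line per listening port.
        $1 == "port" { ports[$2] = 1; next }
        ($1 in expect) { seen[$1] = $2 }
        END {
            bad = 0
            for (k in expect) {
                if (!(k in seen)) {
                    print "MISSING " k; bad = 1
                } else if (seen[k] != expect[k]) {
                    print "FAIL " k " is " seen[k] ", expected " expect[k]; bad = 1
                }
            }
            if (!(want_port in ports)) { print "FAIL not listening on port " want_port; bad = 1 }
            # Any other port is one the checklist meant to close.
            for (p in ports) if (p != want_port) { print "FAIL extra port " p; bad = 1 }
            exit bad
        }'
}

# Constructed sample: an earlier setting still enables passwords, so the
# PasswordAuthentication no line from step 4 never took effect.
sample_overridden() {
    printf '%s\n' 'port 2222' 'permitrootlogin no' \
        'passwordauthentication yes' 'pubkeyauthentication yes'
}

# Constructed sample: all three step 4 settings are in force.
sample_hardened() {
    printf '%s\n' 'port 2222' 'permitrootlogin no' \
        'passwordauthentication no' 'pubkeyauthentication yes'
}
```

The function exits non-zero and prints one line per mismatch, so it can gate the restart or run from a periodic check.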

5. Update the system

For Debian/Ubuntu:

sudo apt update && sudo apt upgrade -y
sudo apt autoremove -y

For CentOS/RHEL:

sudo dnf update -y

On Debian/Ubuntu, it’s recommended to enable automatic security updates:

sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

6. Basic firewall

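UFW lets you block everything unnecessary. The rules below deny incoming traffic by default and allow only the SSH port from step 4 plus HTTP and HTTPS: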

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp
sudo ufw allow http
sudo ufw allow https
sudo ufw enable

7. Fail2Ban against brute-force

Install and enable:

sudo apt install fail2ban -y
sudo systemctl enable --now fail2ban

Make a copy of the config:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

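In jail.local you can configure bantime and maxretry. Because SSH was moved to port 2222 in step 4, also set the port option of the sshd jail to match, so bans apply to the port SSH actually listens on.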


8. Timezone and NTP

Correct time = correct logs and cron jobs. The status output also shows whether the system clock is synchronized.

timedatectl list-timezones
sudo timedatectl set-timezone Europe/Moscow
timedatectl status

9. Clean up unnecessary stuff

Check which ports the server is listening on:

ss -tuln

See enabled services:

sudo systemctl list-unit-files --state=enabled

Remove everything that’s not needed.


10. Backups

Backups are more important than any configuration. Minimum option:

rsync -a /important/data user@backup:/backups/server-name/

More reliable tools: BorgBackup, Restic, Duplicity. Best practice — store backups on another server or in the cloud. Periodically check that recovery actually works.


Conclusion

Now your VPS is protected against basic attacks, runs with up-to-date packages, and is ready for application deployment. Next steps — set up monitoring, containerization (Docker, Podman), and CI/CD, but the basic foundation is already in place.

