🔐 VPS Initial Security Setup (First 30 Minutes)

⚠️ The Situation

Fresh VPS = immediate bot scans + SSH brute force
Default configs = weak
If you delay → you will get hit

✅ Step 1: Create Non-Root User (With Sudo)

Command

adduser youruser
usermod -aG sudo youruser

What it does

Creates a normal user and gives admin privileges.

⚠️ Caution

Never continue using root for daily work

✅ Step 2: Setup SSH Key Authentication

🔹 Generate Key (Local Machine)

ssh-keygen-t ed25519-C"your-email@example.com"

🔹 Copy Key to Server

ssh-copy-id youruser@your-server-ip

ssh youruser@your-server-ip

⚠️ Caution

DO NOT disable password login before this works

🔹 Manual Key Setup (If ssh-copy-id not available)

sudo mkdir -p /home/youruser/.ssh
sudo nano /home/youruser/.ssh/authorized_keys

Paste public key, then:

sudo chown -R youruser:youruser /home/youruser/.ssh
sudo chmod 700 /home/youruser/.ssh
sudo chmod 600 /home/youruser/.ssh/authorized_keys
sudo chmod 755 /home/youruser

sudo nano /etc/ssh/sshd_config.d/60-hardening.conf

Add:

PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
# random port number, pick your own (good practice but optional)
Port 6203

Restart SSH:

sudo systemctl reloadssh

⚠️ Caution

Wrong config = you lock yourself out
Keep another session open while testing
Changing port is optional, not real security

✅ Step 3: Enable Firewall (UFW)

Allow SSH (IMPORTANT FIRST)

sudo ufw limit6203/tcp

Allow Web Traffic

sudo ufw allow80/tcp
sudo ufw allow443/tcp

Enable Firewall

sudo ufw--force enable
sudo ufw status

⚠️ Caution

If you enable UFW without allowing SSH → you lose access

✅ Step 4: Install Fail2ban (Brute Force Protection)

Install

sudo apt update
sudo apt install fail2ban-y

Configure Jail

sudo nano /etc/fail2ban/jail.d/sshd.conf

Add:

[sshd]
enabled=true
port=6203
filter= sshd
logpath= /var/log/auth.log
maxretry=3
findtime= 10m
bantime= 10m

Start Service

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

⚠️ Caution

Port must match your SSH port
Wrong config = Fail2ban useless

✅ Step 5: System Updates & Auto Patching

Update System

sudo apt update &&sudo apt upgrade-y

Install Auto Updates

sudo apt install unattended-upgrades-y
sudo dpkg-reconfigure-plow unattended-upgrades

⚠️ Caution

Skipping this = known vulnerabilities stay open

✅ Step 6: Verification (Don’t Skip)

Check SSH Config

sudo sshd-T |grep-E"(port|passwordauthentication|permitrootlogin)"

ssh -p 6203 youruser@your-server-ip

Firewall Status

sudo ufw status

Fail2ban Status

sudo fail2ban-client status sshd

Pending Updates

apt list--upgradable

sudo tail /var/log/auth.log

⚠️ Critical Mistakes to Avoid

Disabling password auth before testing key
Enabling firewall without allowing SSH
Changing SSH port but forgetting to update UFW / Fail2ban
Using root account regularly
Thinking “non-default port = secure” (it’s not)

⚠️ The Situation

✅ Step 1: Create Non-Root User (With Sudo)

Command

✅ Step 2: Setup SSH Key Authentication

🔹 Generate Key (Local Machine)

🔹 Copy Key to Server

🔹 Test Login

🔹 Manual Key Setup (If ssh-copy-id not available)

🔹 Disable Password Login + Harden SSH

✅ Step 3: Enable Firewall (UFW)

Allow SSH (IMPORTANT FIRST)

Allow Web Traffic

Enable Firewall

✅ Step 4: Install Fail2ban (Brute Force Protection)

Install

Configure Jail

Start Service

✅ Step 5: System Updates & Auto Patching

Update System

Install Auto Updates

✅ Step 6: Verification (Don’t Skip)

Check SSH Config

Test SSH Login

Firewall Status

Fail2ban Status

Pending Updates

Check Login Attempts

⚠️ Critical Mistakes to Avoid