A fresh VPS left on defaults with password login will be hit by internet-wide scanners within hours. The basic hardening below blocks 99% of automated attacks.

1. Create a non-root user

adduser deploy
usermod -aG sudo deploy

2. Set up SSH keys and disable password login

Generate a key locally and upload it:

ssh-keygen -t ed25519
ssh-copy-id deploy@your-server-ip

After confirming key login works, edit /etc/ssh/sshd_config:

PasswordAuthentication no
PermitRootLogin no

Reload: sudo systemctl reload sshd. Always confirm key login works before disabling passwords, or you may lock yourself out.

3. Configure the ufw firewall

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
sudo ufw allow 80,443/tcp
sudo ufw enable
sudo ufw status

4. Install fail2ban to stop brute force

sudo apt install fail2ban -y
sudo systemctl enable --now fail2ban

5. Keep the system updated

sudo apt update && sudo apt upgrade -y

Enable automatic security updates (unattended-upgrades) too. With these five steps your VPS is already far safer than most servers online. For deeper hardening, contact sales @aliyun370.