A fresh VPS left on defaults with password login will be hit by internet-wide scanners within hours. The basic hardening below blocks 99% of automated attacks.
1. Create a non-root user
adduser deploy
usermod -aG sudo deploy
2. Set up SSH keys and disable password login
Generate a key locally and upload it:
ssh-keygen -t ed25519
ssh-copy-id deploy@your-server-ip
After confirming key login works, edit /etc/ssh/sshd_config:
PasswordAuthentication no
PermitRootLogin no
Reload: sudo systemctl reload sshd. Always confirm key login works before disabling passwords, or you may lock yourself out.
3. Configure the ufw firewall
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
sudo ufw allow 80,443/tcp
sudo ufw enable
sudo ufw status
4. Install fail2ban to stop brute force
sudo apt install fail2ban -y
sudo systemctl enable --now fail2ban
5. Keep the system updated
sudo apt update && sudo apt upgrade -y
Enable automatic security updates (unattended-upgrades) too. With these five steps your VPS is already far safer than most servers online. For deeper hardening, contact sales @aliyun370.