Learn the critical first steps to secure and configure your new VPS properly. Ensure your server is safe and ready for deployment.

Congratulations on purchasing your first VPS! A Virtual Private Server gives you dedicated resources and full control over your hosting environment. But with great power comes great responsibility—and a checklist of essential tasks to complete before deploying anything.

In this guide, I'll walk you through the critical first steps to secure and configure your new VPS properly.

1. Connect to Your Server via SSH

The first step is establishing a secure connection to your server. SSH (Secure Shell) is the standard protocol for remote server management.

On macOS/Linux:

Bash
ssh root@your-server-ip

On Windows: Use PuTTY or Windows Terminal with the same command. You'll find your server's IP address and root password in the welcome email from your hosting provider.

2. Update Your System Packages

Before doing anything else, update your server to patch any security vulnerabilities.

For Ubuntu/Debian:

Bash
sudo apt update && sudo apt upgrade -y

For CentOS/RHEL/AlmaLinux:

Bash
sudo dnf update -y

This ensures you're running the latest security patches and software versions.

3. Create a Non-Root User with Sudo Privileges

Running everything as root is dangerous. Create a dedicated user account:

Bash
# Create new user
adduser yourusername

# Add to sudo group (the equivalent group on CentOS/RHEL/AlmaLinux is wheel)
usermod -aG sudo yourusername

From now on, use this account for daily operations and only elevate to root when necessary.

4. Set Up SSH Key Authentication

Password-based authentication is vulnerable to brute-force attacks. SSH keys are far more secure.

On your local machine:

Bash
# Generate SSH key pair
ssh-keygen -t ed25519 -C "your_email@example.com"

# Copy public key to server
ssh-copy-id yourusername@your-server-ip

Once you have verified that key-based login works, disable password authentication and root login in /etc/ssh/sshd_config:

Bash
PasswordAuthentication no
PermitRootLogin no

Restart SSH: sudo systemctl restart sshd

5. Change the Default SSH Port

Port 22 is constantly scanned by bots. Changing it reduces noise:

Bash
sudo nano /etc/ssh/sshd_config

Change Port 22 to something like Port 2222 (choose a port between 1024 and 65535).

Important: Update your firewall rules before restarting SSH, or you'll lock yourself out!

6. Configure Your Firewall

A firewall is your first line of defense. UFW (Uncomplicated Firewall) makes this easy:

Bash
# Install UFW
sudo apt install ufw

# Allow SSH (use your custom port)
sudo ufw allow 2222/tcp

# Allow HTTP and HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Enable firewall
sudo ufw enable

Only open ports you actually need.

7. Install Fail2Ban

Fail2Ban monitors log files and bans IPs showing malicious behavior:

Bash
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

It works out of the box but can be customized in /etc/fail2ban/jail.local.
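
Steps 4 to 7 depend on each other: the port sshd listens on must be allowed by UFW and, with Fail2Ban's default port-specific ban action, named in the sshd jail. The check below is an added example, not part of the original guide; it reads `sshd -T` output because that is the effective configuration, including any drop-in file that overrides sshd_config. The function names, capture file names and sample data are constructed for illustration, and it assumes the jail override lives in jail.local.

```shell
#!/usr/bin/env bash
# Added example: audit text captures from the server before restarting sshd.
#   $1 = output of `sudo sshd -T` (effective settings, lowercase keywords)
#   $2 = output of `sudo ufw status`
#   $3 = copy of /etc/fail2ban/jail.local (assumed to hold the [sshd] override)

sshd_value() {  # sshd_value <sshd -T capture> <keyword>: first value wins
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

audit_vps() {   # prints one FAIL line per problem, returns the problem count
  local sshd_t="$1" ufw="$2" jail="$3" problems=0 port
  port=$(sshd_value "$sshd_t" port)

  [ "$(sshd_value "$sshd_t" passwordauthentication)" = "no" ] ||
    { echo "FAIL: PasswordAuthentication is not 'no'"; problems=$((problems + 1)); }
  [ "$(sshd_value "$sshd_t" permitrootlogin)" = "no" ] ||
    { echo "FAIL: PermitRootLogin is not 'no'"; problems=$((problems + 1)); }

  # Step 5 lockout check: an active firewall must already allow the SSH port.
  if grep -q '^Status: active' "$ufw" &&
     ! grep -Eq "^${port}(/tcp)?[[:space:]]+(ALLOW|LIMIT)" "$ufw"; then
    echo "FAIL: UFW is active but has no rule for ${port}/tcp"
    problems=$((problems + 1))
  fi

  # The default ban action blocks only the jail's ports, so [sshd] must name the new one.
  awk -v p="$port" '
    /^\[/ { in_sshd = ($0 == "[sshd]") }
    in_sshd && /^port[ \t]*=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v); if (v == p) ok = 1 }
    END { exit !ok }' "$jail" ||
    { echo "FAIL: [sshd] in jail.local does not set port = ${port}"; problems=$((problems + 1)); }

  return "$problems"
}

# Constructed sample captures (not from a real server): SSH moved to 2222 and
# UFW updated, but jail.local was never told about the new port.
write_samples() {  # write_samples <dir>
  printf 'port 2222\npasswordauthentication no\npermitrootlogin no\n' > "$1/sshd_T.txt"
  printf 'Status: active\n\n2222/tcp    ALLOW    Anywhere\n80/tcp    ALLOW    Anywhere\n' > "$1/ufw.txt"
  printf '[sshd]\nenabled = true\nmaxretry = 5\n' > "$1/jail.local"
}

demo_dir=$(mktemp -d) && write_samples "$demo_dir"
audit_vps "$demo_dir/sshd_T.txt" "$demo_dir/ufw.txt" "$demo_dir/jail.local" ||
  echo "problems found: $?"
```

On a real server, produce the captures with `sudo sshd -T > sshd_T.txt` and `sudo ufw status > ufw.txt`, and run the audit from a second terminal while the original SSH session stays open.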

8. Set Up Automatic Security Updates

Enable unattended upgrades to automatically install security patches:

Bash
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

This keeps your server protected even when you're not actively monitoring it.

9. Install Your Web Stack

Now you're ready to install the software for your use case.

For web hosting (with Caddy):

Bash
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

For containerized apps:

Bash
curl -fsSL https://get.docker.com | sh
# Note: membership in the docker group is root-equivalent on this host
sudo usermod -aG docker yourusername

For Node.js applications:

Bash
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
sudo apt install nodejs -y

10. Point Your Domain (SSL is Automatic!)

Update your domain's DNS A record to point to your VPS IP address. With Caddy, SSL certificates are automatically provisioned and renewed - no extra steps needed!

Bash
# Edit your Caddyfile
sudo nano /etc/caddy/Caddyfile

# Example configuration (contents of the Caddyfile, not shell commands):
yourdomain.com {
    root * /var/www/html
    file_server
}

# Reload Caddy
sudo systemctl reload caddy

Caddy automatically obtains and renews SSL certificates from Let's Encrypt. No certbot needed!

Bonus: Consider a Management Panel

If you prefer a GUI, tools like Coolify or Dokploy provide a clean interface for deploying applications without memorizing commands.

The Golden Rule

Security first, performance second, applications last. Reversing this order guarantees midnight emergencies.

Take your time with these initial steps. A well-configured VPS will serve you reliably for years. A hastily set up one will keep you awake at night.
