Securing newly created VPS instance

Last update: March 30, 2025 - by Saulius
blog vps security devops
How to secure a new VPS server instance

Summary

In this tutorial we cover the initial steps to configure initial security for a newly provisioned VPS instances. SSH config, firewall, fail2ban for invalid login attempts, non root user setup etc.

Newly provisioned VPS

With multiple providers offering cloud servers, spinning up a new VPS instance is automatic task.

After a new VPS gets provisioned, you will usually be provided with an external IP address and the root user account access to the instance.

As a next steps, you should ideally run the setup of initial security and protect your virtual server which is now available to all Internet.

SSH setup

First, check the SSH setup.

Some hosting companies will allow public key uploads during the instance provisioning, others don't.

Public key auth allows you to disable password based SSH logins and replace them with auth based on the key saved on your machine.

If your hosting provider didn't offer to upload SSH public key to VPS during the setup, you will have to do it manually.

See the following post on how to generate keys and upload them to VPS.

There are couple of additional configs for SSH service you should change.

# open /etc/ssh/sshd_config with you text editor
sudo vi /etc/ssh/sshd_config

# the below options will disable
# root access; remove X11 forwarding; mandate the usage v2 of protocol
# paste all below at the bottom of config file
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
KbdInteractiveAuthentication no
X11Forwarding no

# make sure you have public key uploaded (see below in tutorial)
# before you restart ssh service

# save file and restart ssh service
sudo systemctl restart ssh

Firewall setup

Next, we will install and use UFW package to setup simple firewall for outgoing ports.

sudo apt install ufw
# deny all incoming ports
sudo ufw default deny incoming
# allow all outgoing connections
sudo ufw default allow outgoing
# allow port 22 for ssh (and any other ports like 80,443)
sudo ufw allow 22
# enable firewall
sudo ufw enable
# check the current firewall status
sudo ufw status verbose
# check the UFW logs
sudo ufw logging on
sudo ls /var/log/ufw*

Your VPS is now only accessible on the ports specified by UFW status command.

Fail2Ban

Next, ban the rogue SSH login attempts. Fail2Ban is a popular utility which auto scans access logs and bans IP addresses for multiple failed login attempts. Its a simple, yet very effective tool.

# install
sudo apt install fail2ban rsyslog -y
# create the fail2ban configuration file
sudo vi /etc/fail2ban/jail.local
# add the following settings. change
# any of them if needed.  
[DEFAULT]
bantime = 1d
findtime = 15m
maxretry = 3
backend = auto

[sshd]
port = 22

# restart the fail2ban service
sudo systemctl restart fail2ban.service
# see the fail2ban logs
sudo vi /var/log/fail2ban.log

Next is an optional step, which shows you how to setup / configure non-root Linux system user.

Its advised if the VPS is long lived, as opposed to temp / workflow related.

Setup new user

Having non root user on your Linux server with rights to do sudo for its tasks - is considered a good security practice.

See the comments below:

# create a new user. choose password during creation
adduser appuser
# add newly created user to sudo groups
usermod --append -groups sudo appuser
# assume the new user role
su appuser
# create the authorized_keys file within users home
# directory and paste the public SSH key for the
# newly created user. so he can SSH without password
# as we will disable password login later.
# generate / reuse existing public / private key pair
# on your local machine.
mkdir ~/.ssh
touch ~.ss/authorized_keys # and paste the public key in it
# go back to root
exit
# last step - disable the password challenge when new user
# is using sudo commands. decide if this is required for your
# setup - it will be more flexible but less secure.
# we would recommend to leave password on for production
# environments. visudo utility has to be used. it will open 
# the /etc/sudoers config file.
# repeat: you must use visudo as root
visudo
# add below as a last line in the file
# hit the "write out" to save  
appuser ALL=(ALL) NOPASSWD: ALL
# now you can test SSH login from a different terminal shell
# with a newly created user and it should work without password
# if you uploaded public keys correctly in previous step.
ssh appuser@vps_ip_address
# test if the sudo also works without password
sudo -n

You now have a new user setup on your VPS.

Disable a root user

It is good practice to lockout a root user on your VPS. Only run this step if you have already created the new user with the steps above.

sudo usermod root --shell /sbin/nologin
sudo passwd --lock root
# if required in the future you can use the following
# command to get into root shell
# sudo -s

Conclusion

All above steps will help harden and secure your new VPS servers. Some of the steps were influenced by this great walkthrough.

As additional steps, you can combine the steps to a shell script and automate as part of your VPS provisioning flow.

You can also use one of the open source Linux system scan scripts which will validate the security setup - and will give advice.

If you have comments, suggestions or want to share your setup - use the comments section below.

Similar posts:

Back to top