Setting Up and Securing VPS

13 May 2026

Author: Jan Kynčl


In my high school years I wasn't really taught how to properly set up my own server, especially a VPS where I could host my apps. So I had to learn by myself, and I couldn't find one specific guide with everything that is essential for the setup. So this post is more like a guide, or just my 🤓 moment, on how to change some configuration stuff and make it reasonably secure.

This setup is preferably for Ubuntu servers, but it will probably be the same in most cases. Why Ubuntu? Well, to be honest, for me it's the simplest way, and it worked flawlessly for me. If you run some really hardcore app, you would probably need something different, but that is not my case and probably not even yours.

DISCLAIMER: I'm not a security expert, so this guide may leave out really important parts that I don't know about. If so, let me know; I would be really happy to learn a thing or two ;).

First thing to do

When you get your hands on your very own VPS, update it. Trust me, it's worth the time. You will probably have an up-to-date system already, but it's better to be safe than sorry.

Update with:

sudo apt update
sudo apt upgrade

Connecting to domain

This part may and will differ for every domain registrar and hosting provider. But most likely you'll need to go to the Domains section and, under DNS/Nameservers, add or change the A record to:

Type: A
Name: @
Points to: <IP address of your VPS>

and add the record. It takes some time for the change to propagate to DNS servers worldwide (it can take hours, at most about 2 days).

Security

Security is one of the most important things you need to consider as you set up your VPS. There are so many bots trying to get into your VPS and start mining bitcoin or some other crypto. But of course, if you don't have a problem with reinstalling your server every month, I guess you can skip this chapter.

SSH hardening

The main (and probably only) way we will connect to the VPS is through SSH. Through it we can change anything on our server, which is of course something we cannot allow an attacker to do.

Adding user

It's not necessarily a bad thing to use the root user if you know what you are doing. The main issue is that you run everything as an administrator. I think it's a much better idea to separate commands with sudo. This way, if a random script tries to do something dangerous, it will be blocked unless you explicitly type sudo. That extra step gives you a moment to pause and realize something is fishy.

adduser <NameOfUser>

After entering some info like full name, room number, etc. (not really that important), we need to make this user a sudo user.

usermod -aG sudo <NameOfUser>

Using ssh key instead of password

Generally you don't want to authenticate with a password, because that makes a brute-force attack a viable option. Instead, we use your private key to authenticate.

On your local device, run:

ssh-copy-id <NameOfUser>@<addressOfYourVPS>

This creates .ssh/authorized_keys in the user's home directory on the server, where your public key is stored for key authentication. Now we need to disable password authentication.

sudo nvim /etc/ssh/sshd_config

Now find the PasswordAuthentication property and set it to no. If you use Hostinger, there is also /etc/ssh/sshd_config.d/50-cloud-init.conf, which sets PasswordAuthentication again; set it to no there too.

Removing root access

Bots that try to get inside your VPS will most likely target the root user. This is pretty much optional, but it should help with things like DDoS attacks (all login attempts as root will be automatically rejected), and why shouldn't we make it more hardcore? Inside /etc/ssh/sshd_config set PermitRootLogin to no.

Changing port of ssh

Inside /etc/ssh/sshd_config.d/50-cloud-init.conf there is a Port property; change it to another number. This change can help against things like brute-force/DDoS attacks, where an attacker is trying to get inside the VPS, but we will use a tool for that later. Also, some people may say it's useless because of port-scanning apps. That's true, but at the same time it's fast to change and it makes the attacker need another tool for the job. If you are lazy and don't see a purpose here, it's fine and totally justified (kind of).

Reload SSH

Before you restart SSH or enable UFW, keep your current terminal open! Open a second terminal to test if you can log in. If you messed up the config, your first terminal will still be connected and you can fix it without being locked out.

To reload SSH:

sudo systemctl reload ssh
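
A check for this step, added here as an example and not part of the original post: sudo sshd -t validates the syntax, and sudo sshd -T prints the effective settings after sshd_config and the sshd_config.d drop-ins are merged, which is where a leftover PasswordAuthentication yes shows up. The function name audit_sshd, its port argument, the port 2222 and both sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example: check the *effective* sshd settings before reloading.
# On the server:  sudo sshd -T | audit_sshd <Your_New_SSH_Port>
# sshd -T prints lower-case "keyword value" lines for the merged config.

audit_sshd() {
    # $1 = port sshd is expected to listen on (the same number later used
    # for UFW and Fail2Ban). Prints one FAIL line per problem and returns
    # 0 only when every check passes.
    awk -v want="$1" '
        $1 == "passwordauthentication" { pw = $2 }
        $1 == "permitrootlogin"        { root = $2 }
        $1 == "pubkeyauthentication"   { pk = $2 }
        $1 == "port"                   { ports = (ports == "" ? $2 : ports "," $2) }
        END {
            bad = 0
            if (pw != "no")    { print "FAIL passwordauthentication is " pw; bad = 1 }
            if (root != "no")  { print "FAIL permitrootlogin is " root; bad = 1 }
            if (pk != "yes")   { print "FAIL pubkeyauthentication is " pk; bad = 1 }
            if (ports != want) { print "FAIL sshd listens on " ports ", expected " want; bad = 1 }
            exit bad
        }'
}

# Constructed sample: a provider drop-in still enables passwords, port unchanged.
SAMPLE_WEAK='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes'

# Constructed sample: the state this guide aims for (2222 is an example port).
SAMPLE_HARDENED='port 2222
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'

printf '%s\n' "$SAMPLE_WEAK" | audit_sshd 2222 || echo "fix the config before reloading ssh"
printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd 2222 && echo "effective config matches the guide"
```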

Firewall

We can make our VPS even more secure by ignoring requests to other ports. We will use UFW for this.

# install
sudo apt install ufw
# allow only HTTP/HTTPS and (rate-limited) SSH
sudo ufw limit <Your_New_SSH_Port>/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# deny everything else coming in, allow everything going out
sudo ufw default deny incoming
sudo ufw default allow outgoing
# activate it
sudo ufw enable

DDoS/Brute-force attacks

Thanks to the Fail2Ban package, we can ban specific IPs that are doing something weird.

# install
sudo apt install fail2ban

Create a config for this package in /etc/fail2ban/jail.local, for example with sudo nvim /etc/fail2ban/jail.local.

Config:

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
port = <Your_New_SSH_Port>

To enable Fail2Ban run:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban
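
To see what the numbers in jail.local mean, here is an added example (not from the original post and not Fail2Ban's own code) that approximates the counting: an IP is banned once maxretry failures fall inside the last findtime seconds. The function name would_ban, the log lines and the addresses are constructed; it matches only the Failed password message and assumes all timestamps are on the same day.

```sh
#!/bin/sh
# Added example: approximate how the [sshd] jail counts failures.
# maxretry = failures needed for a ban, findtime = look-back window (seconds).

would_ban() {
    # $1 = maxretry, $2 = findtime; reads sshd log lines on stdin and prints
    # each IP once, at the point it would be banned.
    # Simplifications: only "Failed password" lines, all on the same day.
    awk -v maxretry="$1" -v findtime="$2" '
        /sshd.*Failed password/ {
            split($3, t, ":")
            now = t[1] * 3600 + t[2] * 60 + t[3]
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++
            seen[ip, n[ip]] = now
            hits = 0
            for (k = 1; k <= n[ip]; k++)
                if (now - seen[ip, k] <= findtime) hits++
            if (hits >= maxretry && !(ip in banned)) {
                banned[ip] = 1
                print ip
            }
        }'
}

# Constructed log in classic syslog format; addresses are documentation ranges.
SAMPLE_AUTH_LOG='May 13 08:00:00 vps sshd[901]: Failed password for deploy from 198.51.100.20 port 50100 ssh2
May 13 10:00:01 vps sshd[950]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
May 13 10:00:05 vps sshd[951]: Failed password for deploy from 198.51.100.20 port 50110 ssh2
May 13 10:00:09 vps sshd[952]: Failed password for invalid user admin from 203.0.113.7 port 40030 ssh2
May 13 10:00:17 vps sshd[953]: Failed password for invalid user test from 203.0.113.7 port 40038 ssh2
May 13 10:00:20 vps sshd[954]: Failed password for deploy from 198.51.100.20 port 50120 ssh2
May 13 10:00:25 vps sshd[955]: Failed password for root from 203.0.113.7 port 40046 ssh2
May 13 10:00:33 vps sshd[956]: Failed password for root from 203.0.113.7 port 40054 ssh2
May 13 10:00:40 vps sshd[957]: Failed password for deploy from 198.51.100.20 port 50130 ssh2
May 13 10:01:00 vps sshd[958]: Failed password for deploy from 198.51.100.20 port 50140 ssh2'

# maxretry and findtime as in jail.local above; prints 203.0.113.7
printf '%s\n' "$SAMPLE_AUTH_LOG" | would_ban 5 600
```

The second address has five failures in total, but only four of them fall inside the 600-second window, so it stays below maxretry.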

Setting up auto update cron

sudo apt install unattended-upgrades

In /etc/apt/apt.conf.d/20auto-upgrades, make sure these lines are present:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

Useful tools

Docker

If you are following this guide to actually set up a VPS for your side projects, you should use Docker. Without it you'll need to install all dependencies, and if an attacker somehow gets into your VPS, you will most likely need to scrap the whole server and start over. You will still need to set up the VPS, but with Docker you're going to run just docker compose up and the app will be running again (I know, banger). Docker has really good documentation for this. Just follow it. I'm sure you can handle it :).

Tmux

A lot of people like Tmux. For me it's not really that great, but you may enjoy it. It's especially great because you can keep a Tmux session running in the background, or use it if you just need multiple terminals open on your server.

sudo apt install tmux

Neovim

For editing your files you can use vim, vi, emacs or nano, but I love and use Neovim.

sudo apt install neovim

Some day I will probably write a post about Neovim or at least on vim motions :D.

That’s it for my basic setup! Like I said, I'm still learning, so if you have any better ways to do this, let me know.

Big inspiration and sources for this were: