How to secure a VPS server in production

This guide explains how to secure a production VPS server using industry-standard practices. It covers system updates, automatic security upgrades, non-root user setup, SSH key-based authentication, SSH hardening, firewall configuration using UFW, brute-force protection with Fail2Ban, and optional two-factor authentication. The steps are designed to reduce attack surface and improve server security without complex tooling.

Dec 5, 2025

By Viral Mistry


This guide covers basic but essential production-level VPS security for Ubuntu/Debian servers. Follow the steps in order to avoid accidental lockout.


Update system packages

Always update package lists before installing anything.

shell
apt update

Enable automatic security updates

Automatically installs critical security patches.

shell
apt install unattended-upgrades

shell
dpkg-reconfigure --priority=low unattended-upgrades

Create a non-root user

Never use the root user for daily operations.

shell
adduser <username>

Grant sudo access.

shell
usermod -aG sudo <username>

Log out from root.

shell
logout

Log in as the new user.

shell
ssh <username>@ip

Authentication key pair (SSH keys)

SSH keys are more secure than passwords.

Create SSH directory on server.

shell
mkdir ~/.ssh && chmod 700 ~/.ssh

Generate SSH key on your local machine.

shell
ssh-keygen -t ed25519 -C "your_email@example.com"

Add a passphrase if you want extra protection.

Go to the .ssh directory on your local machine.

shell
cd ~/.ssh

Copy public key to server (Windows).

powershell
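# ssh-keygen -t ed25519 writes id_ed25519.pub; this overwrites any existing authorized_keys on the server
scp $env:USERPROFILE/.ssh/id_ed25519.pub <username>@ip:~/.ssh/authorized_keys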

Copy public key to server (Linux / macOS).

bash
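# ssh-keygen -t ed25519 writes id_ed25519.pub; this overwrites any existing authorized_keys on the server
scp ~/.ssh/id_ed25519.pub <username>@ip:~/.ssh/authorized_keys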

SSH hardening (server-side)

Edit /etc/ssh/sshd_config and apply the following changes:

  1. Change SSH port (example: 717)
  2. Force IPv4
  3. Disable root login
  4. Disable password authentication

text
Port 717
AddressFamily inet
PermitRootLogin no
PasswordAuthentication no

Restart SSH service.

shell
# On Ubuntu/Debian the unit is named ssh (sshd is an alias that is not always present)
sudo systemctl restart ssh

Log in using the new port.

shell
ssh <username>@ip -p <portnumber>
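
A check to run after editing /etc/ssh/sshd_config and before restarting SSH, added here as an example that is not part of the original guide: `sshd -T` prints the effective configuration, which can differ from the edited file because the default sshd_config on current Ubuntu/Debian releases includes /etc/ssh/sshd_config.d/*.conf near the top and the first value found wins. The function name `check_sshd_hardening` and both sample inputs are constructed for this example; keep the existing session open until a second login on the new port succeeds.

```shell
#!/bin/sh
# Added example (not from the original guide): check sshd's *effective*
# settings against the hardening values used above before restarting SSH.
# Reads `sshd -T` output ("keyword value" lines, keywords lowercase) on stdin.
# On the server:  sudo sshd -T | check_sshd_hardening 717

# check_sshd_hardening PORT   (function name is this example's own)
# Prints one OK/FAIL line per setting; exit status is 0 only if all match.
check_sshd_hardening() (
    input=$(cat)
    failures=0
    while read -r key want; do
        # A keyword can appear more than once (e.g. two Port lines);
        # join all values so an extra "port 22" shows up as a mismatch.
        got=$(printf '%s\n' "$input" |
              awk -v k="$key" 'tolower($1) == k { printf "%s%s", sep, $2; sep = "," }')
        if [ "$got" = "$want" ]; then
            echo "OK    $key = $got"
        else
            echo "FAIL  $key = ${got:-<unset>} (expected $want)"
            failures=$((failures + 1))
        fi
    done <<EOF
port $1
addressfamily inet
permitrootlogin no
passwordauthentication no
EOF
    [ "$failures" -eq 0 ]
)

# Constructed sample: sshd_config was edited as in this guide, but a drop-in
# under /etc/ssh/sshd_config.d/ still sets "PasswordAuthentication yes".
SAMPLE_DRIFTED='port 717
addressfamily inet
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes'

# Constructed sample: all four settings took effect.
SAMPLE_HARDENED='port 717
addressfamily inet
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'

printf '%s\n' "$SAMPLE_DRIFTED" | check_sshd_hardening 717 || echo "-> do not restart SSH yet"
```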

Firewall (UFW)

Check open ports.

shell
sudo ss -tupln

Install UFW.

shell
sudo apt install ufw

Check firewall status.

shell
sudo ufw status

Allow custom SSH port.

shell
sudo ufw allow 717

Enable firewall.

shell
sudo ufw enable

Edit UFW rules for ICMP.

shell
sudo nano /etc/ufw/before.rules

Block ping requests (optional).

text
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

Reboot server.

shell
sudo reboot

Configure Fail2Ban

Protects against brute-force SSH attacks.

shell
sudo apt install fail2ban -y

Create local config.

shell
sudo nano /etc/fail2ban/jail.local

Basic SSH jail configuration.

text
[sshd]
enabled = true
port = <your-port>
maxretry = 3
bantime = 15m

Restart Fail2Ban.

shell
sudo systemctl restart fail2ban

Check status.

shell
sudo systemctl status fail2ban

View active jails.

shell
sudo fail2ban-client status

Optional: Google Authenticator (2FA)

Adds two-factor authentication for SSH.

shell
sudo apt install libpam-google-authenticator
# Run the setup as the user who will log in; it generates that user's TOTP secret
google-authenticator

Disable password authentication for a specific user.

text
Match User divya
    PasswordAuthentication no