How to Secure Your VPS (SSH Keys, New User, Firewall)

A freshly provisioned VPS with root login enabled and a password is one of the most targeted things on the internet. Within minutes of going live, bots will start attempting brute-force logins. This guide walks through every step to properly lock down your VeerHost VPS on Ubuntu 22.04, Ubuntu 24.04, or Debian.

Step 1: Create a New Sudo User

Running everything as root is dangerous. One mistake can destroy your server. Create a regular user with sudo privileges:

adduser deploy

Follow the prompts to set a password. Then add the user to the sudo group:

usermod -aG sudo deploy

Test that sudo works by switching to the new user:

su - deploy
sudo whoami

You should see root as the output. Keep this terminal open — do not log out until SSH key login is confirmed.

Step 2: Generate an SSH Key Pair (on Your Local Machine)

SSH keys are far stronger than passwords. Run this on your own computer (not the server):

ssh-keygen -t ed25519 -C "YOUR_EMAIL"

Press Enter to accept the default file location (~/.ssh/id_ed25519). Optionally add a passphrase for extra security. This creates two files:

  • ~/.ssh/id_ed25519 — your private key (never share this)
  • ~/.ssh/id_ed25519.pub — your public key (this goes on the server)

Step 3: Copy Your Public Key to the Server

From your local machine:

ssh-copy-id deploy@YOUR_VPS_IP

If ssh-copy-id isn’t available (e.g., on Windows), copy the public key manually. On the server, logged in as deploy (not as root, or the key ends up in root’s home directory instead), run:

mkdir -p ~/.ssh
chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys

Paste the contents of your id_ed25519.pub file, save and exit (Ctrl+X, then Y, then Enter). Then set permissions:

chmod 600 ~/.ssh/authorized_keys

Test SSH key login in a new terminal (do not close the current one yet):

ssh deploy@YOUR_VPS_IP

If you can log in without being asked for the account password (a prompt for the key passphrase you chose in Step 2 is fine), SSH keys are working correctly. If you are still asked for the account password, check that /home/deploy/.ssh is owned by deploy with mode 700 and that authorized_keys is mode 600 before going further.

Step 4: Disable Root SSH Login and Password Authentication

Now harden the SSH daemon config. On the server, edit the SSH config file:

nano /etc/ssh/sshd_config

Find and change (or add) these lines:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Save the file. Before reloading, check the syntax and the values sshd will actually use (a drop-in under /etc/ssh/sshd_config.d/ can override your edits, because the first value sshd reads for an option wins):

sshd -t
sshd -T | grep -iE 'permitrootlogin|passwordauthentication'

Both lines must show no. Then reload SSH (do not restart — reload keeps your current session alive):

systemctl reload sshd

If that unit name is not found on your system, use systemctl reload ssh instead.

Test that root login is blocked by opening a new terminal and trying:

ssh root@YOUR_VPS_IP

It should say Permission denied (publickey). If it does, root login over SSH is blocked and the server no longer accepts passwords.
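sshd applies the first value it reads for each directive, and Ubuntu’s sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, so a drop-in in that directory (cloud images typically ship 50-cloud-init.conf with PasswordAuthentication yes) silently overrides the lines edited above. The following script is an added example, not part of the original guide: it models that first-match rule with Include expansion offline on a constructed config tree (relative Include paths stand in for /etc/ssh); on the server itself, sshd -T | grep -i passwordauthentication gives the same answer.

```shell
# Offline model of how sshd resolves a directive: files are read in order,
# Include globs are expanded in place, and the FIRST occurrence wins. Globs
# resolve relative to CONFIG_DIR (stands in for /etc/ssh). Simplifications:
# "Key=value" syntax is not parsed and scanning stops at a Match line.
# On a live host, `sshd -T` is the authoritative check.

# effective_sshd_option CONFIG_DIR OPTION -> prints value, or "default"
effective_sshd_option() {
    _scan_file "$1" "$1/sshd_config" "$(printf %s "$2" | tr 'A-Z' 'a-z')" \
        || printf 'default\n'
}

# _scan_file CONFIG_DIR FILE OPTION_LOWER -> prints value, returns 0 on first hit
_scan_file() {
    dir=$1 file=$2 opt=$3
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # drop comments
        set -f; set -- $line; set +f     # tokenise without pathname expansion
        [ $# -ge 1 ] || continue
        case "$(printf %s "$1" | tr 'A-Z' 'a-z')" in
            match) return 1 ;;
            include) shift
                for pattern in "$@"; do
                    case "$pattern" in /*) ;; *) pattern="$dir/$pattern" ;; esac
                    for inc in $pattern; do   # glob expands here, sorted like sshd's
                        _scan_file "$dir" "$inc" "$opt" && return 0
                    done
                done ;;
            "$opt") printf '%s\n' "$2"; return 0 ;;
        esac
    done < "$file"
    return 1
}

# Constructed sample mirroring the layout Ubuntu cloud images ship: the main
# file says "no", but an included drop-in is read first and says "yes".
make_fixture() {
    d=$(mktemp -d) && mkdir "$d/sshd_config.d"
    printf 'Include sshd_config.d/*.conf\nPermitRootLogin no\nPasswordAuthentication no\n' \
        > "$d/sshd_config"
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-cloud-init.conf"
    printf '%s\n' "$d"
}

cfg=$(make_fixture)
effective_sshd_option "$cfg" PasswordAuthentication   # yes: the drop-in wins
rm "$cfg/sshd_config.d/50-cloud-init.conf"
effective_sshd_option "$cfg" PasswordAuthentication   # no
rm -r "$cfg"
```

The fix on a real host is to edit or remove the offending drop-in (or add your own, e.g. 99-hardening.conf, sorted after it with the values you want) and re-run sshd -T.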

Step 5: Change the Default SSH Port (Optional but Recommended)

Port 22 is constantly scanned by bots. Changing to a custom port (e.g., 2299) greatly reduces log noise:

nano /etc/ssh/sshd_config

Find #Port 22 and change it to:

Port 2299

After saving, allow the new port in the firewall first (see Step 6) and keep your existing session open, then reload SSH:

systemctl reload sshd

On Ubuntu 24.04, sshd is socket-activated and the listening port is taken from ssh.socket (generated from sshd_config), so after changing Port also run systemctl daemon-reload followed by systemctl restart ssh.socket, otherwise the new port is never opened. Confirm the new port works from a second terminal before closing the old session.

To connect with a custom port: ssh -p 2299 deploy@YOUR_VPS_IP

Step 6: Set Up UFW Firewall

UFW (Uncomplicated Firewall) is the easiest firewall tool on Ubuntu/Debian. Install and configure it:

apt install -y ufw

Set default rules (deny all incoming, allow all outgoing):

ufw default deny incoming
ufw default allow outgoing

Allow SSH (use port 22 or your custom port):

# If keeping default port 22:
ufw allow 22/tcp

# If you changed SSH to port 2299 (keep 22 allowed as well until the new port is confirmed working, then remove it with: ufw delete allow 22/tcp):
ufw allow 2299/tcp

Allow HTTP and HTTPS for websites:

ufw allow 80/tcp
ufw allow 443/tcp

Enable the firewall (ufw warns that this may disrupt existing SSH connections; answer y, since your SSH rule is already in place):

ufw enable

Check the status:

ufw status verbose

Step 7: Install Fail2Ban (Brute-Force Protection)

Fail2Ban automatically bans IPs that repeatedly fail SSH login attempts:

apt install -y fail2ban

Create a local config (never edit the default jail.conf directly; jail.local overrides it and survives package upgrades):

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
systemctl enable fail2ban
systemctl start fail2ban

Check that the SSH jail is active:

fail2ban-client status sshd

If fail2ban fails to start because it cannot find a log file for the sshd jail (Debian 12 no longer installs rsyslog by default, so /var/log/auth.log does not exist), add backend = systemd under the [sshd] section of jail.local so it reads the journal instead, then restart fail2ban. If you moved SSH to port 2299 in Step 5, also set port = 2299 in that section, because the default ban action only blocks the port listed there.

Security Checklist

  • ✅ New sudo user created (not using root for daily tasks)
  • ✅ SSH key authentication enabled
  • ✅ Root SSH login disabled
  • ✅ Password authentication disabled
  • ✅ UFW firewall enabled with minimal open ports
  • ✅ Fail2Ban running