If you want to set up a production ready VPS, there are a few steps you should take.
This document goes through the list of steps that I personally take.
# Log in as root
ssh root@your-server-ip
# Create a new user
adduser newuser
# Add the user to the sudo group
usermod -aG sudo newuser
# Test the new user
su - newuser
sudo apt update
# On your local machine, generate an SSH key pair if you don’t already have one
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_vps -C "your_email@example.com"
# Copy the SSH key to the new user on the server
ssh-copy-id -i ~/.ssh/id_ed25519_vps.pub newuser@your-server-ip
# Test key-based login
ssh newuser@your-server-ip
# Open SSH configuration file
sudo nano /etc/ssh/sshd_config
# Modify the following in the file:
# PermitRootLogin no # Disable root login
# PasswordAuthentication no # Disable key based auth
# Restart SSH service
sudo systemctl restart ssh
# Test SSH with new settings before logging out
ssh newuser@your-server-ip
# Install UFW if not already installed
sudo apt install ufw
# Allow necessary ports
sudo ufw allow OpenSSH # SSH
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
# Enable UFW
sudo ufw enable
# Check UFW status
sudo ufw status
# Install Fail2Ban
sudo apt install fail2ban
# Create a local configuration file
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# Edit Fail2Ban configuration for SSH
sudo nano /etc/fail2ban/jail.local
# Ensure the following lines are set:
# [sshd]
# enabled = true
# port = 22 # Change this if you've modified your SSH port.
# maxretry = 5
# bantime = 3600
# Restart Fail2Ban service
sudo systemctl restart fail2ban
# Check Fail2Ban status
sudo fail2ban-client status
sudo fail2ban-client status sshd