A freshly provisioned VPS or dedicated server is a blank slate — which also means it's wide open. Here's a practical checklist for the first 30 minutes.
1. Create a Non-Root User
Set up a separate user with sudo privileges for daily use, and reserve direct root login for emergencies only.
2. Set Up SSH Key Authentication
Generate an SSH key pair and copy the public key to your server before disabling password authentication entirely.
3. Disable Root SSH Login
Once your sudo user is confirmed working, set PermitRootLogin no in your SSH daemon config to remove the most common brute-force target.
4. Change the Default SSH Port (Optional but Helpful)
Moving off port 22 won't stop a targeted attacker, but it dramatically cuts down noise from automated scanning bots hitting your logs.
5. Set Up a Firewall
Use ufw, firewalld, or your distribution's default firewall tool to allow only the ports you actually need — typically SSH, HTTP and HTTPS to start.
6. Install fail2ban
fail2ban automatically bans IPs after repeated failed login attempts, adding a meaningful layer of protection against brute-force attacks with minimal setup.
7. Apply System Updates
Run your package manager's update command immediately — a freshly imaged server can already be behind on security patches by the time it's provisioned.
8. Set Up Automatic Security Updates
Configure unattended upgrades (or your distro's equivalent) for security patches specifically, while keeping major version upgrades manual.
9. Configure Monitoring
Even basic uptime and resource monitoring will tell you about problems before your users do. Our Basic Monitoring add-on covers this if you don't want to self-host a monitoring stack.
10. Set Up Backups
None of the above matters if a bad deploy or disk failure wipes your data with no way back. Add off-server backup before you put anything important on the box — see our Cloud Backup plans.
None of these steps take long individually, but skipping them is how a server that was fine for six months suddenly isn't.