A freshly provisioned VPS or dedicated server is a blank slate — which also means it's wide open. Here's a practical checklist for the first 30 minutes.

1. Create a Non-Root User

Set up a separate user with sudo privileges for daily use, and reserve direct root login for emergencies only.

2. Set Up SSH Key Authentication

Generate an SSH key pair and copy the public key to your server before disabling password authentication entirely.

3. Disable Root SSH Login

Once your sudo user is confirmed working, set PermitRootLogin no in your SSH daemon config to remove the most common brute-force target.

4. Change the Default SSH Port (Optional but Helpful)

Moving off port 22 won't stop a targeted attacker, but it dramatically cuts down noise from automated scanning bots hitting your logs.

5. Set Up a Firewall

Use ufw, firewalld, or your distribution's default firewall tool to allow only the ports you actually need — typically SSH, HTTP and HTTPS to start.

6. Install fail2ban

fail2ban automatically bans IPs after repeated failed login attempts, adding a meaningful layer of protection against brute-force attacks with minimal setup.

Server Management add-on: If this list sounds like more than you want to manage yourself, our Standard and Fully Managed plans handle hardening, patching and firewall configuration for you.

7. Apply System Updates

Run your package manager's update command immediately — a freshly imaged server can already be behind on security patches by the time it's provisioned.

8. Set Up Automatic Security Updates

Configure unattended upgrades (or your distro's equivalent) for security patches specifically, while keeping major version upgrades manual.

9. Configure Monitoring

Even basic uptime and resource monitoring will tell you about problems before your users do. Our Basic Monitoring add-on covers this if you don't want to self-host a monitoring stack.

10. Set Up Backups

None of the above matters if a bad deploy or disk failure wipes your data with no way back. Add off-server backup before you put anything important on the box — see our Cloud Backup plans.

None of these steps take long individually, but skipping them is how a server that was fine for six months suddenly isn't.
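
To check that steps 2 to 4 actually took effect, here is an added example (not part of the original checklist): a POSIX shell audit of an sshd_config-style file. The function names, the sample file and the `PasswordAuthentication` check are assumptions of this example, and the fallback values are upstream OpenSSH defaults. `Include` files and `Match` blocks are not evaluated.

```sh
#!/bin/sh
# Added example: audit the global section of an sshd_config-style file.

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the FIRST value it reads for a keyword, so a line appended at the
# bottom does not override an earlier one. Keywords are case-insensitive.
# Parsing stops at the first Match block: settings below it are conditional.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        tolower($1) == "match" { exit }     # end of the global section
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }       # keyword absent: built-in default
    ' "$1"
}

# audit_sshd FILE: print one line per check, return the number of WARN lines.
audit_sshd() {
    warns=0
    # Fallbacks are upstream OpenSSH defaults (assumption: distro keeps them).
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    pass=$(effective_value "$1" PasswordAuthentication yes)
    port=$(effective_value "$1" Port 22)
    if [ "$root" = "no" ]; then echo "PASS PermitRootLogin no"
    else echo "WARN PermitRootLogin is '$root' (step 3 wants 'no')"; warns=$((warns + 1)); fi
    if [ "$pass" = "no" ]; then echo "PASS PasswordAuthentication no"
    else echo "WARN PasswordAuthentication is '$pass' (step 2 wants 'no')"; warns=$((warns + 1)); fi
    if [ "$port" != "22" ]; then echo "PASS Port $port"
    else echo "INFO Port 22 (step 4 is optional)"; fi
    return "$warns"
}

# Constructed sample: the "PermitRootLogin no" appended at the bottom is
# ignored because an earlier line already set the value to "yes".
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample sshd_config
Port 2222
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
EOF
audit_sshd "$sample" || echo "$? setting(s) need attention"
```

On a live server, `sshd -T` prints the effective configuration, including `Include` files, and is the authoritative check.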