Basic security hardening for a Linux VPS (SSH keys, firewall, updates)

When you deploy a new Linux VPS, it is important to harden it before running production websites or applications. Below is a practical baseline that works well for most GARMTECH VPS customers.

Important: Always keep an active SSH session open while changing SSH settings. Test a new login in a second terminal before closing the first one.

1) Update the operating system

Install security updates right away:

# Ubuntu/Debian
sudo apt update && sudo apt -y upgrade

# AlmaLinux/Rocky/CentOS
sudo dnf -y update

2) Create a non-root user with sudo

Do not use root for daily work.

adduser youruser
usermod -aG sudo youruser   # Ubuntu/Debian

# RHEL-based:
usermod -aG wheel youruser

3) Use SSH keys (recommended)

• Create an SSH key on your computer (for example: ssh-keygen).
• Copy the public key to the server (for example: ssh-copy-id youruser@SERVER_IP).
• Test login with the key before changing any SSH settings.

4) Harden SSH configuration

Edit /etc/ssh/sshd_config carefully and apply conservative changes:

• PermitRootLogin no (or prohibit-password if you still need root via keys)
• PasswordAuthentication no (only after you confirmed key login works)

Restart SSH service:

sudo systemctl restart sshd

5) Enable a firewall and open only necessary ports

Example with UFW (Ubuntu):

sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
sudo ufw status

Only open ports you actually use (mail, database, admin panels, etc.).

6) Enable automatic security updates (optional but recommended)

On Ubuntu you can enable unattended security upgrades:

sudo apt -y install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

7) Add brute-force protection

For SSH protection, many users install Fail2ban to automatically ban repeated failed login attempts.

8) Backups

Security hardening is not a replacement for backups. Make sure you have a backup plan (snapshots, remote backups, or scheduled backups).