Getting started with a Linux VPS: the first 10 things to do after you log in
14 min read · 08-Dec-2025
villagehosting.in team
A fresh VPS is a blank slate. It is also completely unsecured. These are the first 10 things to do — in order — before you deploy anything.
Your VPS is being scanned within minutes of provisioning
Shodan and similar services continuously scan the internet for open ports. A new VPS IP appears in their databases within 2–5 minutes. Automated bots will attempt SSH brute force logins within the hour. Complete at least steps 1–4 of this guide before doing anything else with your server.
Before you start
You should have:
- Your VPS IP address from your hosting provider
- The root password (emailed to you, or set during signup)
- An SSH client (Terminal on Mac/Linux, PuTTY or Windows Terminal on Windows)
Connect to your server:
ssh root@your.server.ip.address
Enter the root password when prompted.
1. Change the root password
The emailed root password is potentially logged in multiple places. Change it immediately:
passwd
Use a strong password: 16+ characters, mixed case, numbers, symbols. Store it in a password manager.
2. Update the system
Before doing anything else, bring the system up to date. On Ubuntu/Debian:
apt update && apt upgrade -y
For CentOS/AlmaLinux:
dnf update -y
This patches known vulnerabilities and ensures you are building on a current base.
3. Create a non-root user
Running as root for day-to-day operations is dangerous. Create a regular user:
adduser yourname
Add them to the sudo group so they can run administrative commands:
usermod -aG sudo yourname
On Ubuntu, the group is sudo. On CentOS/AlmaLinux, it is wheel:
usermod -aG wheel yourname
4. Set up SSH key authentication
Password authentication is vulnerable to brute-force attacks. SSH keys are not.
On your local machine (not the server), generate a key pair if you do not already have one:
ssh-keygen -t ed25519 -C "your-email@example.com"
Press Enter to accept the default file location. Optionally add a passphrase.
Copy your public key to the server:
ssh-copy-id yourname@your.server.ip.address
Test that key login works before disabling password auth:
ssh yourname@your.server.ip.address
If that succeeds, disable password authentication:
sudo nano /etc/ssh/sshd_config
Change or add these lines:
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
Restart SSH (on Ubuntu/Debian the service unit is named ssh, so use that name if sshd is not found):
sudo systemctl restart sshd
Do not close your current session until you have tested a new login in a second terminal window.
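A check for the sshd_config edit above, as an added example that is not part of the original guide: sshd keeps the first value it reads for each keyword, so a drop-in under /etc/ssh/sshd_config.d/ that is included at the top of sshd_config can silently override the lines you just changed. The function names, the whitespace-separated keyword/value parsing, the handling of Match blocks and the sample file contents are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original guide). sshd uses the FIRST value it
# reads for each keyword, so pass files in read order: drop-ins pulled in by
# an Include line at the top of sshd_config come before the main file.

# effective_value KEYWORD FILE...  -> first global value set for KEYWORD
effective_value() {
    kw=$1; shift
    awk -v kw="$kw" '
        BEGIN { kw = tolower(kw) }
        FNR == 1 { in_match = 0 }                # simplification: Match scope ends with the file
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        tolower($1) == "match" { in_match = 1 }  # conditional block, not a global setting
        in_match { next }
        tolower($1) == kw { print tolower($2); exit }
    ' "$@"
}

# audit_sshd FILE...  -> one line per step-4 setting that is not in effect;
# returns 0 only when all three are set as the guide recommends.
audit_sshd() {
    rc=0
    for want in passwordauthentication=no permitrootlogin=no pubkeyauthentication=yes; do
        key=${want%%=*}; val=${want#*=}
        got=$(effective_value "$key" "$@")
        if [ "$got" != "$val" ]; then
            echo "NOT HARDENED: $key is '${got:-unset}', expected '$val'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a provider drop-in that overrides the edit from step 4
demo() {
    d=$(mktemp -d)
    printf 'PasswordAuthentication yes\n' > "$d/50-cloud-init.conf"
    printf '%s\n' 'Include sshd_config.d/*.conf' 'PasswordAuthentication no' \
        'PermitRootLogin no' 'PubkeyAuthentication yes' > "$d/sshd_config"
    audit_sshd "$d/50-cloud-init.conf" "$d/sshd_config"; rc=$?
    rm -rf "$d"
    return $rc
}
```

On the server, run it as root with the drop-ins listed first: audit_sshd /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config. The authoritative answer comes from sshd itself: sudo sshd -t validates the syntax before you restart, and sudo sshd -T prints the effective settings.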
5. Configure UFW firewall
UFW (Uncomplicated Firewall) is the simplest way to manage firewall rules on Ubuntu/Debian:
sudo apt install ufw -y
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
Check the status:
sudo ufw status
If you changed your SSH port (optional but reduces noise in logs), allow that port instead of ssh, and do so before running ufw enable so that you do not lock yourself out.
6. Install Fail2ban
Fail2ban watches your SSH log and automatically bans IPs that make too many failed login attempts:
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
The default configuration bans IPs for 10 minutes after 5 failed attempts. For most VPS deployments, the defaults are fine.
Check it is working:
sudo fail2ban-client status sshd
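To see what that threshold means on real log data, here is an added example (not fail2ban's own code and not from the original guide) that approximates the rule over SSH log lines: an IP is reported once it reaches 5 failed logins inside a 600-second window. The window length is fail2ban's default findtime, which the guide does not mention; the function names and the sample log are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not fail2ban's own code. Approximates the sshd jail's rule:
# MAXRETRY failed logins from one IP within FINDTIME seconds triggers a ban.
# Assumes classic syslog lines ("Mon DD HH:MM:SS host sshd[pid]: ...") that
# all fall on the same day.

# would_ban [MAXRETRY] [FINDTIME_SECONDS] < auth.log  -> one IP per line
would_ban() {
    awk -v max="${1:-5}" -v win="${2:-600}" '
        /sshd\[[0-9]+\]: Failed password for / {
            split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
            # The source IP follows the last "from" (a user name may contain the word)
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++; ts[ip, n[ip]] = now
            # Count this IP failures that are still inside the window
            hits = 0
            for (j = n[ip]; j >= 1 && now - ts[ip, j] <= win; j--) hits++
            if (hits >= max && !(ip in banned)) { banned[ip] = 1; print ip }
        }'
}

# Constructed sample log (documentation-range IPs, not real traffic)
sample_log() {
    cat <<'EOF'
Dec  8 10:00:01 vps sshd[811]: Failed password for root from 203.0.113.5 port 40112 ssh2
Dec  8 10:00:09 vps sshd[811]: Failed password for root from 203.0.113.5 port 40112 ssh2
Dec  8 10:00:20 vps sshd[815]: Failed password for invalid user admin from 203.0.113.5 port 40160 ssh2
Dec  8 10:01:02 vps sshd[820]: Failed password for invalid user from from 203.0.113.5 port 40188 ssh2
Dec  8 10:01:30 vps sshd[822]: Failed password for root from 203.0.113.5 port 40201 ssh2
Dec  8 10:02:00 vps sshd[830]: Accepted publickey for yourname from 198.51.100.7 port 52211 ssh2
Dec  8 10:05:00 vps sshd[840]: Failed password for root from 192.0.2.9 port 33001 ssh2
Dec  8 10:20:00 vps sshd[851]: Failed password for root from 192.0.2.9 port 33040 ssh2
Dec  8 10:35:00 vps sshd[862]: Failed password for root from 192.0.2.9 port 33077 ssh2
Dec  8 10:50:00 vps sshd[873]: Failed password for root from 192.0.2.9 port 33102 ssh2
Dec  8 11:05:00 vps sshd[884]: Failed password for root from 192.0.2.9 port 33150 ssh2
EOF
}
```

With the defaults, only 203.0.113.5 is reported: 192.0.2.9 also fails five times, but spread over an hour, so it never reaches five failures inside one window. On a server that writes /var/log/auth.log, feed that file to would_ban and compare the result with the banned list from fail2ban-client status sshd.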
7. Add a swap file
Many budget VPS plans have limited RAM. A swap file provides overflow:
sudo fallocate -l 1G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
Adjust the size based on your RAM: 1G swap for 1G RAM, 2G for 2G RAM.
8. Set the correct time zone
Many server logs and scheduled tasks depend on the correct time zone:
sudo timedatectl set-timezone Asia/Kolkata
timedatectl
This sets IST (UTC+5:30). Verify the output shows your time zone correctly.
9. Configure automatic security updates
Keep security patches applied automatically:
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades
Choose "Yes" to enable automatic updates. This handles security updates only — major version upgrades still require your review.
10. Install your web server
For most web applications, choose between:
NGINX (recommended for most use cases):
sudo apt install nginx -y
sudo systemctl enable nginx
sudo systemctl start nginx
Visit your server IP in a browser — you should see the NGINX welcome page.
Apache:
sudo apt install apache2 -y
sudo systemctl enable apache2
sudo systemctl start apache2
OpenLiteSpeed (best for WordPress performance): OpenLiteSpeed requires more setup. See our dedicated guide.
What to do next
With these 10 steps done, your server is reasonably secure for the next phase of setup:
- Install PHP (for WordPress or Laravel)
- Install MySQL or MariaDB
- Configure your web server for virtual hosts
- Install Certbot for free SSL certificates
- Set up your application
If you would rather not do this yourself
Managed VPS hosting handles server setup, security patching, and software stack configuration for you. You get root access if you need it, but you do not have to use it. This is what our managed VPS plans include — the server is secured, cPanel/Plesk is installed, and WordPress (or your stack) is ready before you log in.