Now That You've Purchased Your VPS, Let's Make It More Secure...

Now That You've Purchased Your VPS, Let's Make It More Secure...

1 3 12
calendar_todayschedule7 min read

Introduction

Having purchased our VPS, we're well on our way to setup Coolify. I'm getting excited and I hope you're excited about that, but before we actually get to that installation there is another step we must take. We must secure our VPS. My Linux OS is Ubuntu.

In this post we're going to look at 4 easy steps we can take to make our VPS a harder target to hit. There, will be other measures we can take in the future but these will get us prepped, to start setting up Coolify. The four basic steps we will look at are:

* Create Sudo User/ Disable Root Login
* Enable UFW Firewall
* Change the default SSH Port Number
* Install Fail2Ban

Let's get Started.

Create a Sudo User and Disable Root Login

The Root Username is Public Knowledge : Every single Linux server in the world has an account named root. Because hackers already know this username, they only have to guess your password or exploit one single vulnerability to take total control of your server. Creating a custom username forces hackers to guess both a unique username and a password, which is significantly harder to break.

Guardrails Against Accidental Destruction : The root user operates without any safety nets. If you run a destructive command by accident while logged in as root, the server will execute it instantly without asking questions.

Example: Running rm -rf / as root will delete your entire operating system instantly. A normal user requires you to type sudo before administrative tasks. This extra step acts as a warning prompt, forcing you to type your password and think twice before executing dangerous commands.

Protection Against Automated Bots : The moment your VPS goes online, malicious automated bots will start scanning its IP address. These bots constantly bombard the root user with thousands of automated password guesses per minute (known as a brute-force attack). By disabling root login entirely, you immediately render all of those automated attacks completely useless.

Better Accountability and Logs : If multiple people ever need access to your server, sharing the root account makes it impossible to know who did what. When everyone uses their own unique standard account and uses sudo for admin tasks, Ubuntu keeps a clean history log /var/log/auth.log). This log shows exactly which specific user executed which command, giving you a clear audit trail.

Commands

Creating a Sudo (Superuser Do) User

Create the new user
your-command-prompt:~$ adduser your_user_name_goes_here

Add the user to the sudo group
your-command-prompt:~$ usermod -aG sudo your_user_name_goes_here

Note : Log out of the root user and log in with the sudo user then disable the root account

Lock the Root Password (optional)
your-command-prompt:~$ sudo passwd -l root

Verify Root Account is locked
your-command-prompt:~$ sudo passwd -S root

Note : Your output will look like this - root L 05/12/2026 0 99999 7 -1 or this - root LK 2026-05-12 0 99999 7 -1

Disable Root Login via sshd_config file
your-command-prompt:~$ sudo nano /etc/ssh/sshd_config

In your sshd_config file look for the line that says PermitRootLogin yes. Its most likely at the bottom of the file. Change yes to no, then press ctrl O to apply the change, then press enter to confirm, ctrl X to exit.

Restart the sshd Daemon
your-command-prompt:~$ sudo systemctl restart sshd

Note: a and G are what you call flags in a linux operating system. Flags are used to modify the behaviour of a command.
-G: The uppercase -G stands for Groups. This flag tells the system that you want to add the user to the group name that follows it (in this case, the sudo group).
-a: If you use -G by itself (without the -a), it will overwrite your user's existing groups. The system will remove the user from every other group they belong to, leaving them only in the new group you specified. Instead of wiping out your user's existing groups and replacing them, it tells the system to simply add (append) the new group to the user's current list.
-aG: By combining them into -aG, you are telling Ubuntu: "Add this user to the sudo group, but keep all of their existing group memberships exactly as they are."

Test your new User
your-command-prompt:~$ groups your_user_name_goes_here

The UFW (Uncomplicated Firewall) Firewall

Blocks Brute-Force Attacks : Automations constantly guess passwords on exposed ports; a firewall shuts down unneeded entry points.

Restricts Open Ports : Database engines (like MySQL) or internal tools stay hidden from the public internet.

Limits Protocol Access : You can restrict sensitive services like SSH to only accept connections from your specific home or office IP address.

Mitigates Malicious Traffic : It helps drop unexpected incoming traffic, reducing the impact of basic denial-of-service attempts.

Prevents Exploitation : If an application you run has a hidden security flaw, a firewall can stop hackers from connecting to it.

Commands

Allow SSH connections so you don't lock yourself out
your-command-prompt:~$ sudo ufw allow OpenSSH or sudo ufw allow 22/tcp

Allow web traffic if you plan to host a website
your-command-prompt:~$ sudo ufw allow http or sudo ufw allow 80/tcp
your-command-prompt:~$ sudo ufw allow https or sudo ufw allow 443/tcp

Enable the Firewall
your-command-prompt:~$ sudo ufw enable

Check the Firewall Status
your-command-prompt:~$ sudo ufw status verbose

Change the default SSH port from 22 to something obscure

The reality is that the moment a VPS gets a public IP, automated bots start hammering port 22 within minutes. They're not targeted attacks — just scripts scanning the entire internet looking for default SSH ports to brute-force. Moving to port 54322 (or any non-standard port) makes you invisible to those dumb scanners.

The security community calls this, security through obscurity and generally considers it a weak standalone measure. But combined with the real hardening (SSH keys, no password auth, Fail2ban) it's a cheap quality-of-life improvement that keeps your logs clean.
The honest framing: it's not on the list because it makes you safer — it's on the list because it stops your logs from being flooded with bot noise, which makes it easier to spot actual suspicious activity.

Commands

Change the Port on the Server
your-command-prompt:~$ sudo nano /etc/ssh/sshd_config

In your sshd_config file look for the line that says #Port 22. Delete the hash and change the number to the port you want, then press ctrl O to apply the change, then press enter to confirm, ctrl X to exit.

Add your new SSH Port Number
your-command-prompt:~$ ufw allow 54322/tcp
your-command-prompt:~$ sudo ufw reload
your-command-prompt:~$ sudo systemctl restart sshd

Protect your Ubuntu server from automated brute-force password guesses: Fail2Ban

What is Fail2Ban

Fail2ban is a tool that scans log files for suspicious activity, like excessive failed login attempts, and blocks potentially harmful IP addresses. This free service protects Linux systems from brute force attacks by temporarily rejecting IPs exhibiting suspicious behavior, thereby reducing the risk of unauthorized access.

Why Consider Fail2Ban

Easy Setup & Free : Fail2ban is easy to install and configure, requiring minimal expertise. As a free, open-source tool, it provides an accessible and cost-effective way to enhance server security without added software costs.

Customizable Configuration : he tool provides extensive customization options. You can tailor it to monitor specific services, set the ban duration, or even whitelist trusted IPs, allowing you to adapt it to your unique security needs.

Brute Force Protection : It’s particularly effective at preventing brute force attacks by automatically banning IP addresses that show malicious behavior, such as repeated login failures.

Efficient Resource Usage : Fail2ban bans attackers at the firewall level, which helps reduce the load on your server by preventing malicious traffic from consuming resources.

Alerts and Notifications : Integration with notification services means you can get real-time alerts when suspicious activity is detected, helping you stay informed and responsive.

Limitations of Fail2Ban

Reactive Nature : It only blocks an IP after the attacker has already made a set number of failed attempts. It does not prevent the initial probe. 

False Positives : Legitimate users can be temporarily locked out if they mistype a password a few times in quick succession. 

Ineffective Against Distributed Attacks (DDoS) : Because it operates on IP addresses, it is easily bypassed by botnets that rotate through thousands of different IPs, making it a poor tool for stopping distributed traffic floods.

IP Spoofing : Attackers can spoof IP addresses, potentially tricking Fail2Ban into blocking innocent third-party IPs. 

Docker Conflicts : When run on a Docker host, Fail2Ban's default iptables rules frequently conflict with Docker's internal networking, causing bans to fail entirely or impact the wrong containers

There is a work around for the Docker Conflicts but I just thought I should mention it so you would be aware.

Commands

Update your Package List
your-command-prompt:~$ sudo apt update

Install Fail2Ban
your-command-prompt:~$ sudo apt install fail2ban -y

Note : Why the -y flag? It tells the package manager to automatically answer "yes" to all prompts and confirmations during the installation process, allowing the command to run completely unattended.
Warning!!! Only use the -y flag when you are 100% sure about the package you are installing.

Start and Enable the Service to Run on Boot
your-command-prompt:~$ sudo systemctl start fail2ban
your-command-prompt:~$ sudo systemctl enable fail2ban

Conclusion

That's it for now. There is always more that can be done but we have started with the basics. What is most important is not just implementing security measures but that we must have an attitude that defaults to a secure development environment.

Many security breaches starts in the mind, because we do things with out considering the consequences. This has got to stop. We can even translate this into how we live, where we go and what we do.

Always look for ways to make you VPS more secure and still allow it to perform efficiently.

Keep up the good Work!

4 Comments

1 vote
1
1 vote
2
🔥 Join developers growing publicly
Share your knowledge, build in public, and grow your developer presence with a global community.

More Posts

Your Backup Data Knows More Than You Think. HYCU aiR Is Finally Asking It the Right Questions.

Tom Smithverified - May 14

Your AI Doesn't Just Write Tests. It Runs Them Too.

Kevin Martinez - May 12

How I Built a React Portfolio in 7 Days That Landed ₹1.2L in Freelance Work

Dharanidharan - Feb 9

Your Tech Stack Isn’t Your Ceiling. Your Story Is

Karol Modelskiverified - Apr 9

5 Web Dev Pitfalls That Are Silently Killing Your Projects (With Real Fixes)

Dharanidharan - Mar 3
chevron_left
865 Points16 Badges
Trinidad & Tobagonorthernrangedigital.com
5Posts
4Comments
2Connections
I'm a self taught developer by industry standards, but I believe that a man is both spiritual and ph... Show more

Related Jobs

View all jobs →

Commenters (This Week)

1 comment
1 comment
1 comment

Contribute meaningful comments to climb the leaderboard and earn badges!