A fresh VPS is exposed to automated scans within minutes. Do these steps first, before installing your app.

The 10-minute checklist

  1. Update packages: sudo apt update && sudo apt upgrade -y
  2. Create a sudo user and stop using root.
  3. Add your SSH key to the new user.
  4. Disable password and root SSH login in /etc/ssh/sshd_config.
  5. Enable a firewall: sudo ufw allow OpenSSH && sudo ufw enable
  6. Install fail2ban: sudo apt install fail2ban -y
  7. Turn on automatic security updates.
  8. Set hostname and timezone.

Why order matters

Locking down SSH and enabling the firewall first means that even while you install everything else, your server is already protected against the most common brute-force attacks.

Ten minutes of hardening prevents the overwhelming majority of automated compromises. On a OneHost VPS with full root access you control every one of these layers.

Hardening is ongoing — revisit patches, backups and logs regularly.