A new Linux VPS is exposed to automated attacks within minutes of going online. This security checklist covers the essentials that stop the vast majority of them.

The checklist

  1. Update everything immediately and enable automatic security updates.
  2. Create a non-root user with sudo and stop logging in as root.
  3. Use SSH keys and disable password authentication.
  4. Disable root SSH login (PermitRootLogin no).
  5. Change or firewall the SSH port to cut down on noise (optional but helpful).
  6. Enable a firewall (UFW or nftables) and allow only the ports you need.
  7. Install fail2ban to auto-ban IPs that brute-force SSH or your app.
  8. Remove unused services to reduce the attack surface.
  9. Set up HTTPS with Let's Encrypt for any web service.
  10. Configure automatic backups and test that you can restore them.
  11. Monitor logs (/var/log/auth.log, your app logs) or use a monitoring tool.
  12. Keep secrets out of code — use environment variables, never commit credentials.

Two commands to start with

# firewall
sudo ufw allow OpenSSH && sudo ufw enable
# fail2ban
sudo apt install fail2ban -y && sudo systemctl enable --now fail2ban

Work through the list once and your server will be dramatically harder to compromise. On a OneHost VPS with full root access you control every layer of this stack.

Security is ongoing — revisit patches, backups and logs regularly rather than treating hardening as a one-time task.