A new Linux VPS is exposed to automated attacks within minutes of going online. This security checklist covers the essentials that stop the vast majority of them.
The checklist
- Update everything immediately and enable automatic security updates.
- Create a non-root user with sudo and stop logging in as root.
- Use SSH keys and disable password authentication.
- Disable root SSH login (
PermitRootLogin no). - Change or firewall the SSH port to cut down on noise (optional but helpful).
- Enable a firewall (UFW or nftables) and allow only the ports you need.
- Install fail2ban to auto-ban IPs that brute-force SSH or your app.
- Remove unused services to reduce the attack surface.
- Set up HTTPS with Let's Encrypt for any web service.
- Configure automatic backups and test that you can restore them.
- Monitor logs (
/var/log/auth.log, your app logs) or use a monitoring tool. - Keep secrets out of code — use environment variables, never commit credentials.
Two commands to start with
# firewall
sudo ufw allow OpenSSH && sudo ufw enable
# fail2ban
sudo apt install fail2ban -y && sudo systemctl enable --now fail2ban
Work through the list once and your server will be dramatically harder to compromise. On a OneHost VPS with full root access you control every layer of this stack.
Security is ongoing — revisit patches, backups and logs regularly rather than treating hardening as a one-time task.