← FastZire Blog

Ubuntu VPS Setup: A Security Checklist for the First 30 Minutes

By FastZire Editorial Team · · 5 min read

A new Ubuntu VPS should not go straight into production with default settings and an untested backup plan. The first setup session is the right time to update the system, reduce exposed services, protect administrator access, and document recovery.

Commands and package behavior can vary by Ubuntu version and provider image. Keep a recovery console available, confirm every firewall and SSH change before closing your working session, and adapt this checklist to the application.

1. Record the service details

Document the VPS identifier, IP addresses, Ubuntu release, location, plan resources, support contact, renewal date, and recovery-console path. Store this information in an approved password manager or operations system, not a public document.

Confirm that the installed release is supported. Plan upgrades before end of standard support.

2. Update installed packages

Refresh package metadata and install current updates:

sudo apt update
sudo apt upgrade

Review the proposed changes, especially on an existing application server. If a reboot is required, schedule it and verify that the server, SSH, firewall, and applications return correctly.

Ubuntu recommends regular updates and documents automatic security updates through unattended-upgrades. See the official Ubuntu automatic updates guide.

3. Create a named administrator

Avoid using the root account for every daily task. Create a named user, grant only the required administrative group membership, and test sudo access in a separate session before changing root login behavior.

Named accounts improve accountability. Give each administrator an individual account rather than sharing one password or private key.

4. Configure SSH keys

Use a modern SSH key generated on a trusted local device. Add the public key to the new user's authorized_keys file, verify ownership and permissions, and test login in a second terminal.

Do not disable password or root login until key-based access and the provider recovery console have been tested. A typo in sshd configuration can lock you out.

Protect private keys with appropriate local permissions and, where practical, a strong passphrase. Never upload the private key to the server it unlocks.

5. Harden SSH carefully

After testing key access, consider disabling direct root login and password authentication according to your recovery design. Limit which users can connect, use modern algorithms supported by the release, and add MFA for higher-risk administrative environments.

Changing the SSH port may reduce low-effort scanning noise but is not a substitute for keys, firewall restrictions, updates, and monitoring.

Ubuntu maintains current configuration guidance in its official OpenSSH server documentation.

6. Enable a host firewall

List the services the VPS genuinely needs. Allow SSH from a trusted source first, add only the required web or application ports, then enable the firewall. Verify access before ending the existing session.

Ubuntu's default firewall frontend is UFW. The official UFW guide explains status checks, allow and deny rules, source restrictions, and dry-run behavior.

A typical web server may need SSH for administration and HTTP/HTTPS for users. A private database normally should not be reachable from the entire internet.

7. Configure automatic security updates

Confirm whether unattended-upgrades is installed and enabled. Decide how reboots are handled, which repositories are trusted, what packages require manual testing, and where logs or alerts will be reviewed.

Automatic security updates reduce exposure time, but critical applications still need maintenance planning and recovery testing.

8. Set time, hostname, and DNS correctly

Accurate time is essential for logs, TLS certificates, authentication, scheduled tasks, and incident investigation. Check the timezone and time synchronization. Set a meaningful hostname and confirm forward and reverse DNS where the application requires them.

9. Install only what the workload needs

Every extra package, control panel, agent, and network service adds maintenance. Use official repositories or carefully evaluated sources, pin or document critical versions, and remove software that is not required.

Do not run unreviewed one-line installation scripts as root. Read the script, verify the publisher and checksum where provided, and understand the changes first.

10. Protect application secrets

Keep database passwords, API keys, encryption keys, and tokens out of source control and shell history. Use environment files with strict permissions or a dedicated secret-management system. Rotate temporary credentials after deployment.

Separate development, staging, and production secrets. A test integration should not have production privileges.

11. Configure logs and monitoring

Monitor disk space, memory, CPU, load, service health, login activity, firewall events, package updates, certificate expiry, and backup results. Send important alerts somewhere that remains available if the VPS fails.

Set log rotation so a noisy application cannot fill the disk. Establish a normal baseline before traffic grows.

12. Create and test backups

Back up application data, databases, configuration, certificates, and any irreplaceable uploaded files. Keep at least one copy outside the VPS and outside its administrator credentials.

Perform a restoration test. Document the order of operations, expected recovery time, DNS changes, and the person responsible.

13. Run a final exposure check

From an authorized external system, confirm which ports are reachable and compare them with the approved list. Verify SSH restrictions, web TLS, application authentication, update state, monitoring, and backups.

Do not scan systems you do not own or lack permission to test.

Frequently asked questions

Should I disable root login immediately?

Only after a named sudo user, SSH key access, and recovery method are tested. Security changes that lock out legitimate administrators can create a serious outage.

Is UFW enough for VPS security?

It is one useful layer. You also need secure authentication, updates, application hardening, monitoring, backups, and provider-level controls.

Do I need antivirus on Ubuntu?

Security is broader than one product. Assess the workload, uploaded content, compliance requirements, endpoint design, and threat model. Patching, least privilege, restricted services, and monitoring remain essential.

Choose a supported image and appropriate resources from FastZire Cloud VPS plans, then complete this checklist before placing the server into production.

Ready for a fast, secure Windows RDP?

Order secure remote infrastructure with verified activation, global locations, and expert support.

View FastZire Plans →