When buying a new VPS, many people’s first step is “installing applications,” but the correct sequence should be “harden first, then go live.” This article provides you with a security baseline that I’ve used long-term, suitable for personal blogs, small API services, and HomeLab public entrances.
1. Accounts and Permissions
- Create a new regular ops user, disable direct
rootconnections. - Give the ops user minimal
sudoprivileges. - Delete unnecessary system accounts and close unused login shells.
adduser leviusermod -aG sudo levipasswd -l root2. Minimal SSH Exposure
Edit /etc/ssh/sshd_config:
PermitRootLogin noPasswordAuthentication noPubkeyAuthentication yesChallengeResponseAuthentication noMaxAuthTries 3LoginGraceTime 20Before restarting, be sure to open a new terminal to test and confirm you can log in with keys, then execute:
sudo systemctl restart sshd3. Firewall Whitelisting
Deny incoming by default, only allow necessary ports (e.g., 22/80/443).
sudo ufw default deny incomingsudo ufw default allow outgoingsudo ufw allow 22/tcpsudo ufw allow 80/tcpsudo ufw allow 443/tcpsudo ufw enable4. Automatic Security Updates
- Debian/Ubuntu: Enable
unattended-upgrades. - RHEL-based: Enable
dnf-automaticupdate policy.
The core goal is to reduce the “known vulnerability window.”
5. Login Failure Protection
Install Fail2ban to block brute-force source IPs.
sudo apt install fail2ban -ysudo systemctl enable --now fail2banIt is recommended to at least enable the sshd jail and set a reasonable ban duration.
6. Service Minimization
Execute a service inventory check once:
sudo ss -tulpensudo systemctl list-unit-files --type=serviceAny public listening port that you “don’t know why it exists” should be disabled first, then verified.
7. Logs and Auditing
Ensure at least:
- SSH login logs are traceable.
- Sudo operations are traceable.
- System logs are rotated periodically.
It is recommended to retain the last 30-90 days of security logs for tracing anomalies.
8. Backup and Recovery Drills
Security isn’t just about “preventing intrusions”; it also includes “recoverability.”
- Configure daily snapshots or off-site backups.
- Do a recovery drill at least once a month.
- Backup content must include the site, database, certificates, and critical configurations.
Common Mistakes
- Turning off password login first, configuring keys later, resulting in locking yourself out.
- Changing too many firewall rules at once, accidentally blocking port 22.
- Only doing backups but never doing recovery verification.
Summary
Completing the baseline before deploying your business will elevate your server’s risk resistance by an order of magnitude. For personal sites, these 12 items already cover the vast majority of common attack surfaces.
If this article helped you, please share it with others!
Some information may be outdated





