VPS Setup & Hardening

This guide summarizes the initial setup and security hardening steps for a new Ubuntu VPS. The process is automated in an idempotent, interactive script.

Script Overview

The setup script performs the following:

  • Creates users and adds them to sudo.
  • Installs and configures SSH keys.
  • Disables password auth and root login.
  • Optionally changes the SSH port.
  • Installs and enables UFW, Fail2Ban, and unattended upgrades.
  • Logs output to /var/log/vps-setup.log.

Usage

sudo bash vps-setup.sh

Key Steps (Manual Reference)

System Updates

sudo apt update && sudo apt upgrade -y

SSH Hardening

  • PasswordAuthentication no
  • PermitRootLogin no
  • PubkeyAuthentication yes

Config file: /etc/ssh/sshd_config
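
One way to apply the three directives above idempotently, as an added example (not the project's vps-setup.sh; the function names are assumptions). Each setting is written at the top of the file because sshd uses the first value it reads for a keyword, so it also takes precedence over files pulled in by a later Include; the result is then checked with sshd -t and sshd -T.

```bash
#!/bin/sh
# Added example, not the project's vps-setup.sh. Function names are illustrative.

# set_sshd_option FILE KEY VALUE
# Writes one "KEY VALUE" line at the top of FILE and drops older global
# settings of KEY. sshd keeps the first value it reads for a keyword, so the
# top line also wins over files pulled in by a later Include directive.
# Settings inside Match blocks are left untouched.
set_sshd_option() (
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || exit 1
    awk -v key="$key" -v value="$value" '
        BEGIN { print key " " value; lk = tolower(key) }
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == lk { next }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    exit "$rc"
)

# check_effective: reads `sshd -T` output (lowercase "keyword value" lines) on
# stdin and fails if any of the three settings is missing or differs.
check_effective() {
    awk '
        BEGIN { want["passwordauthentication"] = "no"
                want["permitrootlogin"] = "no"
                want["pubkeyauthentication"] = "yes" }
        ($1 in want) { seen[$1] = 1
                       if ($2 != want[$1]) { print "FAIL " $0; bad = 1 } }
        END { for (k in want) if (!(k in seen)) { print "MISSING " k; bad = 1 }
              exit bad + 0 }
    '
}

# apply_hardening [FILE]: back up, set the directives, restore the backup if
# `sshd -t` rejects the result, then report the effective values.
apply_hardening() (
    cfg=${1:-/etc/ssh/sshd_config}
    cp -p "$cfg" "$cfg.bak" || exit 1
    set_sshd_option "$cfg" PasswordAuthentication no &&
    set_sshd_option "$cfg" PermitRootLogin no &&
    set_sshd_option "$cfg" PubkeyAuthentication yes &&
    sshd -t -f "$cfg" || { cp -p "$cfg.bak" "$cfg"; exit 1; }
    sshd -T -f "$cfg" | check_effective
)

# As root: apply_hardening /etc/ssh/sshd_config && systemctl reload ssh
```

Keep the current SSH session open and confirm that a new key-based login works before closing it.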

Firewall

sudo apt install ufw -y
sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw --force enable

Fail2Ban

sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Automatic Updates

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -f noninteractive unattended-upgrades

Logging

All script output is written to /var/log/vps-setup.log with restricted permissions.

Troubleshooting

  • If SSH access breaks after changing ports, revert the port via console access.
  • Confirm SSH service is running: sudo systemctl status ssh.