Initial Server Setup: How to Secure and Harden an Ubuntu 24.04 LTS VPS
When provisioning a brand new cloud virtual private server (VPS), deployment speed can cause engineers to overlook critical structural baselines. By default, standard base operating system builds are open to global scanning engines within minutes of going online. This guide covers the essential security workflow designed to safely lock down Linux instances running Ubuntu 24.04 LTS.
Security Warning: Running infrastructure environments natively under root privilege access opens the runtime surface to destructive operational risks or injection compromises. Always transition processes into isolated environments.
1. System Index Updates & Patch Packages
Before modifying authentication states, immediately pull down package repository manifests and apply active security upgrades across foundational target dependencies.
sudo apt update && sudo apt upgrade -y2. Establish a Non-Root System Administrator
Operating exclusively under the default root account exposes your file systems to irreversible mistakes. Create an isolated, dedicated system user account explicitly mapped to the administrative sudo command elevation wheel group instead.
# Create user group asset
sudo adduser techadmin
# Map new profile inside the elevation permissions wheels
sudo usermod -aG sudo techadmin3. Modernize SSH Daemon Port Bindings
Automated crawler networks systematically target default port mapping assignments. Moving your SSH endpoint to a non-standard alternative listening lane dramatically cleans up system logging registers and blocks baseline automated scanning attempts.
Open the primary configuration map file using your preferred terminal text editor:
sudo nano /etc/ssh/sshd_configLocate the parameters within the file layout block and adjust variables precisely as displayed here:
Port 2222
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3Save changes, exit the file layout matrix, and safely reset the active background processing daemon to load your edits:
sudo systemctl restart sshd4. Configure Netfilter Rules via UFW
Uncomplicated Firewall (UFW) acts as a high-level command layer interface wrapping raw netfilter parameters. Lock down the incoming traffic paths to reject all standard connection patterns except for your freshly assigned secure SSH operational lines.
# Block incoming routes by default
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow custom SSH path configuration
sudo ufw allow 2222/tcp
# Open web runtime paths for applications
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Enable firewall engine rule settings
sudo ufw enable5. Automated Brute-Force Bans via Fail2ban
Fail2ban monitors active tracking authentication logs across active container environments. It blocks source IP addresses that exhibit continuous brute-force behaviors.
sudo apt install fail2ban -yYour base configuration environment is now completely hardened against standard attacks. Continue monitoring live system health dashboards regularly to evaluate security metrics over time.