How I configure my New VPS
Enabled SSH key login
Here’s the standard, secure way to enable SSH key–based login to your Ubuntu VPS so you can connect from your Mac terminal without a password.
1️⃣ Generate an SSH key on your Mac (if you don’t already have one)
On your Mac:
ssh-keygen -t ed25519 -C "your_email@example.com"
Press Enter to accept defaults.
(Optional but recommended) set a passphrase.
This creates:
- Private key: ~/.ssh/id_ed25519 (keep secret)
- Public key: ~/.ssh/id_ed25519.pub
2️⃣ Copy your public key to the Ubuntu VPS
Option A (easiest): ssh-copy-id
ssh-copy-id username@VPS_IP
Enter your VPS password one last time.
Disabled SSH password login
Update this file
sudo nano /etc/ssh/sshd_config
Update the ‘sshd_config’ file with the following contents:
Port 22
Protocol 2
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
After the update, restart SSH
sudo systemctl restart ssh
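A check worth running after editing, as an added example that is not part of the original post: sshd keeps the first value it reads for each keyword, so if the stock `Include /etc/ssh/sshd_config.d/*.conf` line is still at the top of sshd_config, a drop-in file there (some VPS images ship one) can leave password login enabled despite `PasswordAuthentication no` in the main file. The function names and the demo files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. sshd keeps the FIRST value it
# reads for a keyword, so a drop-in included at the top of sshd_config wins.
# Assumptions: files are passed in the order sshd reads them, lines use the
# "Keyword value" form, and Match blocks are skipped (global scope only).

sshd_first_value() {   # usage: sshd_first_value KEYWORD FILE...
    local keyword="$1"; shift
    awk -v kw="$keyword" '
        FNR == 1                   { in_match = 0 }  # new file: global scope again
        /^[ \t]*(#|$)/             { next }          # comments and blank lines
        tolower($1) == "match"     { in_match = 1 }  # conditional block begins
        in_match                   { next }
        tolower($1) == tolower(kw) { print $2, FILENAME; found = 1; exit }
        END { exit !found }
    ' "$@"
}

audit_sshd() {   # usage: audit_sshd FILE...  (checks the values this guide sets)
    local rc=0 want kw got
    for want in "PasswordAuthentication=no" "PermitRootLogin=prohibit-password"; do
        kw="${want%%=*}"
        # An unset keyword is reported too, since the guide sets both explicitly.
        got="$(sshd_first_value "$kw" "$@")" || got="unset nowhere"
        if [ "${got%% *}" = "${want#*=}" ]; then
            echo "OK    $kw ${got%% *}"
        else
            echo "FAIL  $kw is ${got%% *} (${got#* }), wanted ${want#*=}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed demo files: the guide's settings plus a drop-in that re-enables passwords.
demo="$(mktemp -d)"
printf '%s\n' 'PermitRootLogin prohibit-password' 'PasswordAuthentication no' > "$demo/sshd_config"
printf '%s\n' 'PasswordAuthentication yes' > "$demo/50-example.conf"
audit_sshd "$demo/50-example.conf" "$demo/sshd_config" || echo "a drop-in overrides sshd_config"
rm -rf "$demo"
```

On the server itself, `sudo sshd -t` checks the configuration for syntax errors and `sudo sshd -T | grep -i passwordauthentication` prints the value sshd will actually use. Keep the current SSH session open and confirm key login from a second terminal before closing it.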
GIT enabled SSH login (without password)
Keep Your System Updated
Most hacks happen because of old software.
sudo apt update && sudo apt upgrade -y
sudo apt autoremove -y
To enable automatic security updates:
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
Enable Firewall (UFW)
Allow only required ports (SSH, HTTP, HTTPS):
sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable
sudo ufw status
If you changed the SSH port, allow that port instead.
Install Fail2ban (Protection from brute-force bots)
Fail2Ban automatically blocks attackers.
sudo apt install fail2ban -y
Copy default config:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Make sure SSH protection is ON in jail.local.
Restart:
sudo systemctl restart fail2ban
Check status:
sudo fail2ban-client status
Change SSH Port (Optional but effective)
Most bots scan port 22. Changing the port reduces automated attacks.
Edit:
sudo nano /etc/ssh/sshd_config
Change:
Port 22 → Port 2222 (or any unused port)
Then allow the new port:
sudo ufw allow 2222/tcp
Restart SSH:
sudo systemctl restart ssh
Install anti-malware scanner (ClamAV)
It detects common malware, rootkits, and miners.
sudo apt install clamav clamav-daemon -y
sudo systemctl enable clamav-freshclam
Update definitions:
sudo freshclam
Scan full server:
sudo clamscan -r /
Install rootkit detector (chkrootkit or rkhunter)
sudo apt install chkrootkit -y
sudo chkrootkit
or:
sudo apt install rkhunter -y
sudo rkhunter --update
sudo rkhunter --check
Use a swap file (prevents crashes)
If your VPS has low RAM:
sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
Make it permanent:
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
Remove unused services
Disable anything you don’t use:
sudo systemctl disable --now apache2