How I configure my New VPS
Enabled SSH key login
Here’s the standard, secure way to enable SSH key–based login to your Ubuntu VPS so you can connect from your Mac terminal without a password.
1️⃣ Generate an SSH key on your Mac (if you don’t already have one)
On your Mac:
ssh-keygen -t ed25519 -C "your_email@example.com"
Press Enter to accept defaults.
(Optional but recommended) set a passphrase.
This creates:
- Private key: ~/.ssh/id_ed25519 (keep secret)
- Public key: ~/.ssh/id_ed25519.pub
🔍 Check existing SSH keys
ls -al ~/.ssh
You may see files like:
- id_ed25519 (private key)
- id_ed25519.pub (public key)
- or older ones like: id_rsa, id_rsa.pub
2️⃣ Copy your public key to the Ubuntu VPS
Option A (Run this from your Mac): ssh-copy-id
ssh-copy-id username@VPS_IP
Enter your VPS password one last time.
Disabled SSH password login
Update this file
sudo nano /etc/ssh/sshd_config
Find these lines and set:
PasswordAuthentication no
PermitRootLogin prohibit-password
Also ensure:
PubkeyAuthentication yes
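After the update, restart SSH. Keep your current session open until you have confirmed from a second terminal that key login works, so a mistake cannot lock you out: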
sudo systemctl restart ssh
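On Ubuntu, /etc/ssh/sshd_config normally starts by including /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for each keyword, so a drop-in file there can silently override the edits above. The check below is an added example, not part of the original post: it audits the effective settings that sshd -T prints; the function name and the sample inputs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post).
# Audits the *effective* sshd settings against the three values this guide sets.
# Input: `sshd -T` output on stdin (lowercase "keyword value" lines).
# check_sshd_effective is a hypothetical helper name.
check_sshd_effective() {
  local key val rc=0 pw="" root="" pub=""
  while read -r key val; do
    case "$key" in
      passwordauthentication) pw=$val ;;
      permitrootlogin)        root=$val ;;
      pubkeyauthentication)   pub=$val ;;
    esac
  done

  if [ "$pw" != "no" ]; then
    echo "FAIL passwordauthentication=${pw:-missing} (want no)"; rc=1
  fi
  case "$root" in
    # "without-password" is the older alias of prohibit-password and may be
    # what the dump prints; "no" is stricter and also acceptable.
    no|prohibit-password|without-password) ;;
    *) echo "FAIL permitrootlogin=${root:-missing} (want prohibit-password)"; rc=1 ;;
  esac
  if [ "$pub" != "yes" ]; then
    echo "FAIL pubkeyauthentication=${pub:-missing} (want yes)"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK effective sshd settings match"
  return "$rc"
}

# Constructed sample: a drop-in file re-enabled passwords despite the edit.
SAMPLE_OVERRIDDEN='port 22
passwordauthentication yes
permitrootlogin without-password
pubkeyauthentication yes'

# Constructed sample: the edits took effect.
SAMPLE_HARDENED='port 22
passwordauthentication no
permitrootlogin without-password
pubkeyauthentication yes'

# On the VPS itself: sudo sshd -T | check_sshd_effective
printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_sshd_effective || true
printf '%s\n' "$SAMPLE_HARDENED" | check_sshd_effective
```

If the check reports passwordauthentication=yes after your edit, look for an overriding file with ls /etc/ssh/sshd_config.d/.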
GIT enabled SSH login (without password)
Keep Your System Updated
Most hacks happen because of old software.
sudo apt update && sudo apt upgrade -y
sudo apt autoremove -y
To enable automatic security updates:
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
Enable Firewall (UFW)
Allow only required ports (SSH, HTTP, HTTPS):
sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable
sudo ufw status
If you changed the SSH port, allow that port instead.
Install Fail2ban (Protection from brute-force bots)
Fail2Ban automatically blocks attackers.
sudo apt install fail2ban -y
Copy default config:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Make sure SSH protection is on in jail.local (the [sshd] jail, with enabled = true).
Restart:
sudo systemctl restart fail2ban
Check status:
sudo fail2ban-client status
Change SSH Port (Optional but effective)
Most bots scan port 22. Changing the port reduces automated attacks.
Edit:
sudo nano /etc/ssh/sshd_config
Change:
Port 22 → Port 2222 (or any unused port)
Then allow the new port:
sudo ufw allow 2222/tcp
Restart SSH:
sudo systemctl restart ssh
From now on, use this command to log in from the terminal:
ssh -p 2222 root@YOUR.IP.ADDRESS
Install anti-malware scanner (ClamAV)
It detects common malware, rootkits, and miners.
sudo apt install clamav clamav-daemon -y
sudo systemctl enable clamav-freshclam
Update definitions:
sudo freshclam
Scan full server:
sudo clamscan -r /
Install rootkit detector (chkrootkit or rkhunter)
sudo apt install chkrootkit -y
sudo chkrootkit
or:
sudo apt install rkhunter -y
sudo rkhunter --update
sudo rkhunter --check
Use a swap file (prevents crashes)
If your VPS has low RAM:
sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
Make it permanent:
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
Remove unused services
Disable anything you don’t use:
sudo systemctl disable --now apache2
Install Nginx
sudo apt update
sudo apt install nginx
Check Nginx status
sudo systemctl status nginx
Add firewall rules
sudo ufw allow 'Nginx HTTP'
# Check status
sudo ufw status
Install PHP
Install MySQL
Install it
sudo apt install mysql-server
After installation, run the security script to remove insecure defaults and lock down database access:
sudo mysql_secure_installation