How to secure your VPS: first steps
Published on 28.4.2026
Content
1 Change a default ssh port
IMPORTANT NOTE: if you just deployed the VPS, you should keep an eye on updates of ssh, since they can change your default configuration which was set up during the VPS's deploying. Usually, a programme, which updates the ssh package, will inform you on those changes.
If you use a GNU/Linux distro and you have ssh, go to (usually) /etc/ssh/sshd_config (i.e. open this file, e.g. by vim). There, find a line with #Port 22 (probably, you will have exactly this line, if you have created the VPS recently). Replace that line with Port , that is remove a symbol of commentary (#) and change a number of port like 15674. As advice, select the port which is greater than 1024, but less than 65536, the last one is the maximum number that's pre-determined by a standard of TCP (see https://datatracker.ietf.org/doc/html/rfc9293#name-header-format). Save and close the file.
Now, restart sshd service (daemon):
systemctl restart sshdOne of the security threats has been eliminated!
2 Replace root user with another
Add a new user like:
adduser user1and create a password for him (don't forget it!).
The next is to use sudo, if don't have this utility, install it by:
apt install sudo
After that, add user1 into sudo group:
usermod -aG sudo user1
Note: to use the command above, after -aG (i.e. add user into a group) you put the group, then username, not vice versa!
To check result, run:
id user1
user1's groups will be like groups=1001(user1),27(sudo),100(users).
The next is to go to /etc/ssh/sshd_config again. There, find PermitRootLogin yes and change yes to no.
Now, restart sshd service (daemon):
systemctl restart sshdThe second threat has been killed.
3 Add RSA-based authentication instead of password
Run a command in your computer!, not in the VPS:
ssh-keygen -t rsa -b 4096Then run:
ssh-copy-id username@server_ip
to copy a generated public key to your VPS, replace username and server_ip with respective data (REMEMBER: the root login is disabled and you have to log-in via the added user and his password, because we have not disabled this variant yet).
This pubkey will be saved into /home/addedUsername/.ssh/authorized_keys. You need to ensure the file permissions are correct:
-
600forauthorized_keys -
700for.sshdirectory
To see it, use the ls -la command: at first, in .ssh dir. You will see like:
drwx------ 2 addedUserName addedUserName 4096 Jan 11 04:23 .
-rw------- 1 addedUserName addedUserName 560 Jan 11 04:23 authorized_keys
The first line is .ssh dir, the second is the file with the pub. keys. If for the first line you see drwx------ it means 700 for dir, and if -rw-------, it means 600 for a file, which is not dir.
Now, go to the server and disable Password Authentication in /etc/ssh/sshd_config as:
-
Find
PasswordAuthenticationand set it tono -
Find
PubkeyAuthenticationand set it toyes
Note: don't forget to uncomment those lines.
Now, restart sshd service (daemon):
systemctl restart sshdThe last threat has been defeated!
And the last step is to check our tuning, run:
ssh -p @ Output will be like:
Linux server-haczau 6.1.0-43-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.162-1 (2026-02-08) x86_64
The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
user1@server-haczau:~$ _