Buying a Linux VPS is easy. Setting it up properly is where many people make mistakes.
A fresh VPS is a blank server connected directly to the internet. Within minutes, automated scanners can find it, test SSH, look for weak passwords, probe common web ports, and try old vulnerabilities. That does not mean running a VPS is unsafe. It means the first setup steps matter.
This guide gives you a practical Linux VPS setup checklist for the first 30 minutes after deployment.
It is written for Ubuntu and Debian, but most of the ideas apply to any Linux server. By the end, you will have:
- A patched server.
- A non-root sudo user.
- SSH key login.
- A basic firewall.
- Automatic security updates.
- Fail2ban protection.
- Swap configured if needed.
- Docker ready for apps.
- Nginx ready as a reverse proxy.
- A cleaner foundation for websites, bots, APIs, game panels, dashboards, monitoring tools, and self-hosted services.
If you are using a HYEHOST VPS or VDS, you can deploy the server from the panel, install your OS, open the console if SSH is not ready yet, monitor bandwidth, add storage, and manage networking from one place.
Who This Guide Is For
This guide is useful if you are searching for:
- What to do after buying a VPS.
- How to secure a new Linux server.
- Ubuntu VPS setup steps.
- Debian VPS hardening checklist.
- How to host a website on a VPS.
- How to set up Docker on a VPS.
- How to prepare a VPS for production.
It is not a full enterprise hardening standard. It is a sensible baseline that stops the common mistakes.
1. Log In and Update the Server
Start by logging in with the details from your provider.
ssh root@your_server_ip
Then update the system packages.
For Ubuntu or Debian:
apt update
apt upgrade -y
If a reboot is required, do it early before you start installing applications.
reboot
After the reboot, reconnect:
ssh root@your_server_ip
Keeping packages updated is one of the simplest and most important server security habits. Many real compromises happen because old services are left running for months without patches.
2. Create a Non-Root User
You should not use the root account for daily work.
Create a new user:
adduser deploy
Add it to the sudo group:
usermod -aG sudo deploy
Now copy your SSH key to the new user.
From your local machine:
ssh-copy-id deploy@your_server_ip
If ssh-copy-id is not available, you can manually create the key file:
mkdir -p /home/deploy/.ssh
nano /home/deploy/.ssh/authorized_keys
chown -R deploy:deploy /home/deploy/.ssh
chmod 700 /home/deploy/.ssh
chmod 600 /home/deploy/.ssh/authorized_keys
Test the new login before changing SSH settings:
ssh deploy@your_server_ip
3. Harden SSH
SSH is usually the first service attackers try.
Open the SSH server configuration:
sudo nano /etc/ssh/sshd_config
Recommended baseline:
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Before restarting SSH, keep your current session open. Then test the config:
sudo sshd -t
Restart SSH:
sudo systemctl restart ssh
Open a second terminal and confirm you can still log in:
ssh deploy@your_server_ip
Do not close your original root session until the new login works.
Should You Change the SSH Port?
Changing the SSH port can reduce noisy login attempts in logs, but it is not a replacement for key-only login and a firewall.
The important protections are:
- Disable root login.
- Disable password login.
- Use strong SSH keys.
- Keep OpenSSH updated.
- Limit access where practical.
4. Configure a Firewall
For most new VPS setups, UFW is simple and effective.
Install it:
sudo apt install ufw -y
Allow SSH before enabling the firewall:
sudo ufw allow OpenSSH
If you plan to run a website, allow HTTP and HTTPS:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Enable the firewall:
sudo ufw enable
Check status:
sudo ufw status verbose
For a basic web server, your allowed ports may be only:
- SSH.
- HTTP.
- HTTPS.
Everything else should stay closed unless you know why it needs to be open.
5. Install Fail2ban
Fail2ban watches logs and blocks repeated failed login attempts.
Install it:
sudo apt install fail2ban -y
Create a local jail config:
sudo nano /etc/fail2ban/jail.local
Add:
[sshd]
enabled = true
maxretry = 5
findtime = 10m
bantime = 1h
Restart Fail2ban:
sudo systemctl restart fail2ban
Check status:
sudo fail2ban-client status sshd
Fail2ban is not magic, but it is a useful extra layer for public SSH.
6. Enable Automatic Security Updates
You do not want critical security patches waiting forever because you forgot to run apt upgrade.
Install unattended upgrades:
sudo apt install unattended-upgrades apt-listchanges -y
Enable it:
sudo dpkg-reconfigure unattended-upgrades
Check the config:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
For most VPS users, automatic security updates are worth enabling. You should still log in regularly and run normal maintenance, but security updates reduce the risk of forgotten patching.
7. Set the Timezone and Hostname
Set your timezone:
sudo timedatectl set-timezone Europe/London
Check:
timedatectl
Set a useful hostname:
sudo hostnamectl set-hostname app01
Update /etc/hosts if needed:
sudo nano /etc/hosts
A clear hostname helps when you later manage multiple servers.
8. Add Swap on Small VPS Plans
If your VPS has 1 GB or 2 GB RAM, swap can prevent small memory spikes from killing processes.
Create a 2 GB swap file:
sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
Make it permanent:
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
Check:
free -h
Swap is not a replacement for enough RAM. If your application constantly uses swap, upgrade the server. But for small VPS plans, a modest swap file is sensible.
9. Install Basic Tools
Install common packages:
sudo apt install -y curl wget git unzip htop ncdu ca-certificates gnupg lsb-release
Useful commands:
htop
df -h
free -h
ss -tulpn
journalctl -xe
These tools make troubleshooting easier.
10. Install Docker
Docker is one of the most common ways to run apps on a VPS.
Install Docker using the official repository:
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
For Debian:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
For Ubuntu, use:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
Install Docker:
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
Allow your user to run Docker:
sudo usermod -aG docker deploy
Log out and back in, then test:
docker run hello-world
11. Run a Test App with Docker Compose
Create a directory:
mkdir -p ~/apps/hello
cd ~/apps/hello
Create compose.yml:
services:
web:
image: nginx:stable-alpine
restart: unless-stopped
ports:
- "8080:80"
Start it:
docker compose up -d
Check:
docker ps
curl http://127.0.0.1:8080
At this point, the app is only directly available on port 8080 if the firewall allows it. For production websites, it is better to place Nginx or another reverse proxy in front.
12. Install Nginx as a Reverse Proxy
Install Nginx:
sudo apt install nginx -y
Create a site config:
sudo nano /etc/nginx/sites-available/example.com
Example:
server {
listen 80;
server_name example.com www.example.com;
location / { proxy_pass http://127.0.0.1:8080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } ```
Enable it:
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
Point your domain DNS A record to your VPS IPv4 address, and your AAAA record to your VPS IPv6 address if you have one.
13. Add Free SSL with Certbot
Install Certbot:
sudo apt install certbot python3-certbot-nginx -y
Issue a certificate:
sudo certbot --nginx -d example.com -d www.example.com
Test renewal:
sudo certbot renew --dry-run
SSL is no longer optional. Modern browsers, APIs, payment systems, webhooks, and login flows expect HTTPS.
14. Add Basic Monitoring
At minimum, monitor:
- CPU usage.
- RAM usage.
- Disk usage.
- Network usage.
- Service uptime.
- Failed logins.
- Application logs.
On the server, useful commands include:
htop
df -h
free -h
journalctl -u nginx --since "1 hour ago"
docker stats
docker logs container_name --tail=100
If you use HYEHOST, the panel also shows VPS status, bandwidth usage, network graphs, billing, reinstall progress, console access, private networking, additional storage, and other service controls.
15. Set Up Backups Before You Need Them
Backups are easy to ignore until the first mistake.
Decide what needs backing up:
- Website files.
- Application uploads.
- Databases.
- Docker volumes.
- Config files.
- Environment files.
For a simple app, you might back up:
/home/deploy/apps
/etc/nginx/sites-available
/var/lib/docker/volumes
For databases, use proper database dumps rather than only copying raw files.
Example PostgreSQL dump:
pg_dump -U appuser appdb > appdb.sql
Example MySQL/MariaDB dump:
mysqldump -u appuser -p appdb > appdb.sql
Store backups away from the VPS. A backup on the same server is useful for quick restores, but it does not protect you from disk failure, account compromise, or accidental server deletion.
16. Avoid Common VPS Mistakes
Here are common problems that cause real issues:
Leaving Password SSH Enabled
Password login attracts brute force attempts. Use SSH keys.
Running Everything as Root
Use a normal user and sudo.
Opening Too Many Ports
Only expose what users need. Keep databases, admin panels and internal services private.
Ignoring IPv6
If your VPS has IPv6, secure it too. Firewall rules must cover IPv4 and IPv6.
Not Monitoring Disk Usage
Logs, Docker images and backups can fill disks quickly.
Useful cleanup commands:
docker system df
docker image prune
journalctl --disk-usage
No Recovery Plan
Know how to access console, reinstall, restore backups, reset networking, and recover from a firewall mistake.
HYEHOST provides panel console access, reinstall options, power controls, traffic graphs and ticket support, which helps when SSH or networking is misconfigured.
17. A Simple Production Layout
For many small apps, a clean VPS layout looks like this:
Internet
|
| 80/443
v
Nginx reverse proxy
|
| localhost or Docker network
v
Docker apps
|
v
Database / volumes / uploads
Firewall:
Allow SSH
Allow HTTP
Allow HTTPS
Deny everything else
This works well for:
- Personal websites.
- SaaS prototypes.
- Discord bot dashboards.
- API backends.
- Game control panels.
- Status pages.
- Monitoring dashboards.
- Small business websites.
- Development environments.
18. When to Use Shared Hosting Instead of a VPS
A VPS gives control, but it also gives responsibility.
Use shared hosting or budget web hosting if you want:
- A website without server administration.
- Email accounts and domains managed through a panel.
- Lower maintenance.
- Simpler WordPress or PHP hosting.
- No need for root access.
Use a VPS if you want:
- Root access.
- Docker.
- Custom services.
- Node.js, Python, Go, Rust or custom stacks.
- Private networking.
- BGP or advanced routing.
- Full control over Nginx, firewall and system packages.
HYEHOST offers both options, so users can choose simple web hosting for normal sites or VPS/VDS hosting for full control.
HYEHOST Services for Linux VPS Setup
The checklist works on any sensible Debian or Ubuntu server, but it maps especially well to how HYEHOST customers actually build. You can start with a small VPS, add storage in 100 GB blocks when the project grows, use resource pools for multiple servers, and keep private services off the public internet with private networking.
- Cloud VPS for websites, APIs, Docker stacks and production applications.
- VDS hosting when you want stronger isolation and more predictable resources.
- VPS resource pools when you want to split CPU, RAM, disk and IPs across multiple virtual servers.
- Bot hosting for Discord bots, automation workers and long-running scripts.
- The HYEHOST panel for reinstalls, console access, bandwidth graphs, private networking and upgrade controls.
19. How HYEHOST Fits Into This Setup
HYEHOST is useful for users who want more than a basic VPS order form.
From the HYEHOST panel, depending on the service, you can manage:
- VPS and VDS services.
- OS reinstall and rebuild progress.
- Serial and VNC console access.
- Bandwidth usage and traffic graphs.
- Additional storage.
- Additional bandwidth.
- IPv4 and IPv6 address options.
- Private networking between VMs.
- BGP sessions for VPS/VDS users.
- V4 via tunnel services.
- IPv6 leasing.
- IP transit over tunnel.
- Bot hosting.
- Shared, reseller and budget web hosting.
- Dedicated servers and colocation.
- Support tickets, billing and service controls.
For a Linux VPS setup, the most useful panel features are:
- Console access if SSH breaks.
- Reinstall if you want to start fresh.
- Traffic graphs to understand usage.
- Upgrade options as your app grows.
- Private networking for internal services.
- Additional storage for backups or large data.
- Support if routing, firewall or service setup gets confusing.
20. Final Linux VPS Checklist
Use this quick checklist after deploying a new server:
- Update packages.
- Reboot if required.
- Create a non-root sudo user.
- Add SSH keys.
- Disable root SSH login.
- Disable password SSH login.
- Enable UFW.
- Allow only required ports.
- Install Fail2ban.
- Enable unattended security updates.
- Set hostname and timezone.
- Add swap on small servers.
- Install basic tools.
- Install Docker if needed.
- Put Nginx or another reverse proxy in front of apps.
- Add SSL certificates.
- Set up backups.
- Monitor CPU, RAM, disk and bandwidth.
- Document what is running.
This baseline will not make every server perfect, but it puts you ahead of most poorly configured VPS deployments.
Frequently Asked Questions
What should I do first after buying a VPS?
Update the system, create a non-root user, add SSH keys, disable password login, enable a firewall, and install automatic security updates. Do this before hosting public applications.
Is Ubuntu or Debian better for a VPS?
Both are good choices. Ubuntu is popular for newer users because tutorials often target it. Debian is stable, lightweight and widely used for servers. HYEHOST supports common Linux distributions, so choose the one you are most comfortable maintaining.
Do I need Docker on a VPS?
No, but Docker makes it easier to run and isolate applications. It is especially useful for self-hosted apps, APIs, dashboards, bots and development environments.
Should I use Nginx or Caddy?
Nginx is widely documented and flexible. Caddy is simpler for automatic HTTPS. Either can work well. The important part is to use a reverse proxy and avoid exposing every app port directly.
Is a VPS secure by default?
A fresh VPS is not automatically production-ready. It needs updates, SSH hardening, firewall rules, monitoring and backups.
Can I host multiple websites on one VPS?
Yes. You can use Nginx virtual hosts or a reverse proxy to serve multiple domains from one VPS. Make sure the server has enough RAM, CPU and disk for the sites you run.
Can I run a Discord bot or automation bot on a VPS?
Yes. A VPS is a good fit for bots that need full control, custom dependencies or persistent processes. HYEHOST also offers Bot Hosting if you want a more managed bot-focused environment.
What VPS size should I start with?
For a small website or bot, 1-2 vCPU and 1-4 GB RAM is often enough. For Docker stacks, databases, game panels or heavier apps, start larger or choose a plan you can upgrade.
Related HYEHOST Guides and Services
- Debian vs Ubuntu for a VPS
- Nginx reverse proxy on a VPS
- VPS backup strategy for small projects
- HYEHOST Cloud VPS plans
- VPS resource pools and per-resource upgrades
- Self-hosting VPS
Start With a Clean VPS Foundation
A Linux VPS gives you control, but the first 30 minutes decide whether that control is useful or risky.
Patch the system. Lock down SSH. Use a firewall. Add monitoring. Plan backups. Then deploy your application.
If you want a VPS provider with a custom panel, console access, traffic visibility, upgrade options, private networking, IPv6 support and room to grow into more advanced services like BGP, IPv6 leasing or transit, HYEHOST gives you a practical place to start.
