5/27/2025
Today, I’m going to walk through a practical way of configuring a Linux VPS server and the basic steps we should take when we get a fresh, raw VPS. In future articles, I’ll show you how to set up Nginx and use it as a reverse proxy, and how to deploy Next.js, Angular, and React apps on your VPS using pm2 and Docker for managing web applications and Cloudflare as a DNS resolver. But for today, let's just stick to configuring the server.
You need some basic knowledge about bash commands. Things like navigating directories (cd, ls), copying files (cp), and understanding how to run commands will be super helpful. That’s it!
When you choose a VPS server plan, they'll ask you what kind of OS you want to install. That's totally up to you and your experience. I just use Ubuntu because it's the only Linux distribution that I'm happy with, but generally, the process is the same since we're mostly using bash commands in this article. Ubuntu is often a top recommendation for web servers, and for good reason! After your machine is ready, they'll give you a username, password, and an IP address to connect to your VPS. The initial user is typically root, which can basically do anything on your machine. So, if you don't want to struggle with your host provider's support tickets, better be careful! So far, you have an IP, a username (likely root), and a password.
To connect to your machine, you'll need a command-line terminal. If you're on Windows, you can use PowerShell or Command Prompt. If you're already on Linux or macOS, you can use your standard terminal (bash, zsh, etc.). Either way you choose, you can connect to the server using the ssh command:
ssh <username>@<your_vps_ip>
When you run this command, you'll be prompted to enter your password. After that, you'll likely see a welcome message. From here, there are a series of actions you should take for a solid start to configure and secure your server:
Once you've done these actions, you'll have a good starting point. You can always improve it by reading and searching more!
The first action you need to do when you're connected to your server is to create an admin user. It's neither safe nor professional to use the root user for everyday tasks. On the bash command line, you can use:
adduser <username>
After running this command, you'll need to set a password for the new user and answer some optional questions. At the end, you can type Y and hit Enter to confirm user creation. Your next move is to add this user to the sudo group. This group allows your user to run commands with superuser privileges (like root) by prefixing them with sudo. This way, you only use root power when explicitly needed, which is much safer. Simply run this command:
usermod -aG sudo <username>
With these two simple commands, you have an admin user. However, it hasn't yet taken the place of the root user for your main connection.
The root user is powerful and a common target for attackers, so we need to disable direct login via SSH for it. You could remove the password from it, but I don't feel good about that way. I prefer updating the SSH configuration to disable root login. For disabling root login and a bunch of other configurations, you need to open a specific file with a text editor. I'm using nano here (Always add sudo for editing system config files.):
sudo nano /etc/ssh/sshd_config
To disable root login via SSH, look for the line PermitRootLogin yes and change it to:
PermitRootLogin no
Now you've disabled root login via SSH, but there's more to do with this file. Next, you should (it's a very good idea!) change the default SSH login port. The default is 22, which is well-known to attackers. Look for a line that simply says Port 22 and change 22 to whatever port number you prefer (e.g., 2222, but choose something unique and above 1023):
# Example: choose your own port
Port 2222
After you're happy with your changes, save the file by pressing Ctrl + X, then Y to confirm saving, and then Enter.
Please note: Before you log out for the last time with the root user, test if you can log in with the new user you've created.
Open a new terminal window on your local machine and try to connect using your new user:
ssh <your_new_username>@<your_vps_ip>
Enter the password for your new user. If you log in successfully, you are safe to close your root SSH connection. If not, troubleshoot from the root session you still have open!
Once you've confirmed you can log in with your new user, you'll need to restart the SSH service on your VPS for the changes to take effect:
sudo systemctl restart sshd
Using passwords every time you want to connect to one of your servers isn't ideal, especially if you have different passwords to remember. Instead, we can set up SSH key-based authentication between your local machine and your server. This is generally more secure and much more convenient! For this purpose, you need to walk through these steps:
On your local machine (whatever OS it is: macOS, Windows, or Linux), run this command:
ssh-keygen -t rsa -b 4096 -C "<your_email>"
After running the command, it'll ask a couple of questions. The first one is where it should store the key; it shows the default path in parentheses. Note that if you change the path to a custom path, you might then need to introduce that path to the ssh-agent. I'll show you how because personally, I love to change defaults to whatever I want. The next question is "Enter passphrase," where you can add a passphrase for more security.
After you repeat your passphrase (or leave it blank), you'll see your key's randomart image, and it means your key has been generated.
Next, you need to place the public key on your VPS so you can log in without a password. For this purpose, navigate to the path where your key was generated in the previous step and open the file with the .pub extension (that's your public key) in a text editor and copy its content.
Connect to your VPS using SSH and your password (with your new admin user). Once you're logged in, you need to find the .ssh directory under your user's home directory. For this, you can run:
ls -lah # or ls -lah ~
You should see the .ssh directory listed among other directories. Now, you need to create a file named authorized_keys inside the .ssh directory. If it doesn't exist, create it. If it does, you'll append your new key.
nano ~/.ssh/authorized_keys
Then, paste the public key you copied from your local machine and save it (Ctrl + X, then Y, then Enter).
Next, you need to change the permissions of this file for security. It should only be readable and writable by the owner:
chmod 600 ~/.ssh/authorized_keys
You also need to ensure the .ssh directory itself has the correct permissions:
chmod 700 ~/.ssh
After this, restart the SSH service on your VPS (as shown before):
sudo systemctl restart sshd
Now it's time to test what we've done so far. For this, close your current connection to the VPS by:
exit
Then, try to connect to the server using the ssh command. This time, you shouldn't be prompted to enter your password and should automatically be logged in to the server (or prompted for your passphrase if you set one for your key).
Before going to the next step of removing password login: If you changed the default path during key generation and are having trouble logging in to the server (and still need to type your password), you might need to introduce the new path to ssh-agent! (Mostly Windows users might face this issue, but it's good practice for any OS.)
To address this issue, you need to make sure ssh-agent is currently running. Run this command on Windows PowerShell (which should be run with Administrator permission):
Get-Service -Name ssh-agent
You should see a table with "Status" as "Running" or "Stopped." If the result is an error, you might need to ask an AI how to install ssh-agent (I'm not going to step into that here!). If you see the result and the status is "Stopped," then you need to run these commands:
Set-Service -Name ssh-agent -StartupType Manual
Start-Service ssh-agent
ssh-add "C:\path\to\your\custom_private_key"
You should, of course, replace "C:\path\to\your\custom_private_key" with your actual custom path to your private key. If everything goes as expected, you'll see a message like:
Identity added: C:/path/to/your/key (<your_email>).
And you are now good to go and log in without a password (or by only entering your passphrase).
Before you disable password login, make absolutely sure your key-based login works perfectly and that you have a backup of your SSH private key! If you have other users who can log in to the VPS, it's safer in case you lose your SSH key.
Now, log in to your VPS server again (using your key!) and open the SSH config file:
sudo nano /etc/ssh/sshd_config
Make sure these lines are set as follows:
PasswordAuthentication no
PubkeyAuthentication yes
Save the file and reload the SSH service:
sudo systemctl reload sshd
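A check worth running after the reload, added here as an example (not code from the original article): sshd uses the first value it reads for each keyword, and Ubuntu's stock sshd_config pulls in /etc/ssh/sshd_config.d/*.conf before its own settings, so a drop-in file can override the edits above. The function name audit_sshd and the sample data are assumptions of this example; it audits the effective configuration as printed by sshd -T.

```shell
#!/bin/sh
# Added example. Input format assumed: `sshd -T` output, one lowercase
# "keyword value" pair per line. The two samples below are constructed.

# Reads effective settings on stdin, prints one line per finding and exits
# with the number of FAIL findings (0 = matches the article's settings).
audit_sshd() (
  findings=0 root= pass= pubkey= ports=
  while read -r key val || [ -n "$key" ]; do
    case "$key" in
      permitrootlogin)        root=$val ;;
      passwordauthentication) pass=$val ;;
      pubkeyauthentication)   pubkey=$val ;;
      port)                   ports="${ports:+$ports }$val" ;;
    esac
  done
  check() {  # check <keyword> <actual> <wanted>
    [ "$2" = "$3" ] && return 0
    echo "FAIL $1=${2:-unset} (want $3)"
    findings=$((findings + 1))
  }
  check permitrootlogin "$root" no
  check passwordauthentication "$pass" no
  check pubkeyauthentication "$pubkey" yes
  case " $ports " in
    *" 22 "*) echo "WARN still listening on port 22" ;;
  esac
  exit "$findings"
)

SAMPLE_BEFORE='port 22
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes'
SAMPLE_AFTER='port 2222
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'

# On a real server: sudo sshd -T | audit_sshd
for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
  printf '%s\n' "$sample" | audit_sshd && echo "OK: hardened" || echo "-> $? FAIL finding(s)"
done
```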
By default, most VPS providers ship servers with no firewall rules, meaning all ports may be open. This exposes you to port scanning, brute-force login attempts, and exploits targeting unused or misconfigured services.
You can use UFW (Uncomplicated Firewall) to mitigate these threats. First, you need to install it if it's not already on your VPS (common for Ubuntu):
sudo apt update
sudo apt install ufw
After this, it's a good practice to block all incoming requests by default, then only accept those you specifically need and are aware of.
sudo ufw default deny incoming
And allow outgoing requests (this is generally safe and needed for your server to function):
sudo ufw default allow outgoing
Right now, you're in a risky situation because you've blocked all incoming requests. So, before you enable UFW, make sure you open the SSH port you are using (default 22, but I advised you to change it, remember?).
If you are using the default SSH port (22), run:
sudo ufw allow ssh
If you changed the default port (e.g., to 2222), run:
sudo ufw allow 2222/tcp # Example: replace 2222 with your chosen port
Now, if you're going to use this VPS as a web server for your applications, you'll also need to allow web traffic (HTTP and HTTPS):
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
Now it's time to enable the UFW service:
sudo ufw enable
You'll be prompted to confirm; type y and press Enter. And then check the status with:
sudo ufw status verbose
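The lockout risk described above can be checked before running ufw enable. This added example (not part of the original article) reads the rule list printed by sudo ufw show added and refuses unless the SSH port is covered; the function names, the sample rule sets and the assumed one-rule-per-line output format are this example's own.

```shell
#!/bin/sh
# Added example. Input assumed: `sudo ufw show added` output, i.e. one
# `ufw <action> <target>` line per rule. Sample rule sets are constructed.

# ssh_port_allowed <port>: reads rules on stdin; exits 0 if a simple
# allow/limit rule admits TCP on <port>, else 1. Port ranges and
# `from ... to ...` rules are not parsed and count as "not allowed".
ssh_port_allowed() (
  port=$1
  while read -r cmd action target rest || [ -n "$cmd" ]; do
    [ "$cmd" = ufw ] || continue
    case "$action" in allow|limit) ;; *) continue ;; esac
    case "$target" in
      ssh|OpenSSH) if [ "$port" = 22 ]; then exit 0; fi; continue ;;
      */udp) continue ;;            # a UDP-only rule does not admit SSH
    esac
    list=${target%%/*}              # "80,443/tcp" -> "80,443"
    case ",$list," in *",$port,"*) exit 0 ;; esac
  done
  exit 1
)

# guard_enable <port>: prints the decision; returns 0 only when it is safe.
guard_enable() {
  if ssh_port_allowed "$1"; then
    echo "ok: port $1/tcp is allowed, safe to run: sudo ufw enable"
  else
    echo "refusing: no allow rule for $1/tcp, run first: sudo ufw allow $1/tcp"
    return 1
  fi
}

RULES_WEB_ONLY="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw allow 443/tcp"
RULES_UDP_TYPO="$RULES_WEB_ONLY
ufw allow 2222/udp"
RULES_WITH_SSH="$RULES_WEB_ONLY
ufw allow 2222/tcp"

# On a real server: sudo ufw show added | guard_enable 2222 && sudo ufw enable
for rules in "$RULES_WEB_ONLY" "$RULES_UDP_TYPO" "$RULES_WITH_SSH"; do
  printf '%s\n' "$rules" | guard_enable 2222 || true
done
```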
You can use this summary cheat sheet for using UFW:
Command | Description |
---|---|
ufw default deny incoming | Block all incoming traffic |
ufw allow ssh | Allow SSH access (22/tcp) |
ufw allow 80,443/tcp | Allow HTTP and HTTPS |
ufw enable | Enable UFW firewall |
ufw status verbose | View active rules |
ufw delete allow 22 | Remove a rule (example) |
ufw reset | Reset all UFW rules |
In this article, I showed you how to perform basic configuration on your VPS server. From here, you need to dig deeper and learn more to make your VPS even more secure and customized to your needs. I'm going to use this exact configuration in my next articles to show you how to set up Nginx as a reverse proxy and deploy JavaScript frameworks like Angular and Next.js using pm2 and Docker for application management, along with Cloudflare as a DNS resolver.