← Back to Blog

How to Secure a Linux VPS in 2026 — The Essentials

Published May 2, 2026  ·  10 min read  ·  Dakota Hopson, Galaxy Cloud Solutions

When I check the logs on our servers, I see hundreds of SSH brute force attempts every day — bots constantly probing for weak passwords and default configurations. Most people set up a VPS and jump straight into installing their application without thinking about security first. This guide covers the basics I do on every new server before anything else.

None of this is advanced stuff. But skipping it is how servers get compromised.

⚡ Need a VPS? Start from $5/mo — Use code LAUNCH2026 for 50% off

1. Update Everything First

Always start here:

apt update && apt upgrade -y

Running outdated packages is one of the most common ways servers get compromised. Do this before anything else.

2. Create a Non-Root User

Running everything as root is asking for trouble. Create a regular user and give it sudo access:

adduser yourname
usermod -aG sudo yourname

From now on, log in as this user instead of root.

3. Set Up SSH Key Authentication

Password authentication for SSH is weak. SSH keys are much stronger. On your local machine (not the server), generate a key pair if you don't have one:

ssh-keygen -t ed25519 -C "[email protected]"

Copy your public key to the server:

ssh-copy-id yourname@your_server_ip

Test that key login works before disabling password auth. Log in with your key first:

ssh yourname@your_server_ip

4. Disable Password Authentication and Root Login

Only do this after confirming your SSH key works:

nano /etc/ssh/sshd_config

Find and change these lines:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

Restart SSH:

systemctl restart sshd
Don't lock yourself out: Keep your current SSH session open while testing in a new window. If something goes wrong you can fix it in the existing session.

5. Configure the Firewall

UFW (Uncomplicated Firewall) is built into Ubuntu and easy to use:

ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw enable

Then add rules for whatever your server actually needs:

ufw allow 80/tcp    # HTTP
ufw allow 443/tcp   # HTTPS
ufw status          # Check what's open

Only open ports you actually need. Every open port is a potential attack surface.

6. Install Fail2Ban

Fail2Ban watches your logs and automatically bans IPs that are brute-forcing your SSH:

apt install fail2ban -y
systemctl enable fail2ban
systemctl start fail2ban

The default config protects SSH. Check what's been banned:

fail2ban-client status sshd

7. Change the SSH Port (Optional but Helpful)

This won't stop a determined attacker but it eliminates a huge amount of automated noise:

nano /etc/ssh/sshd_config

Change Port 22 to something like Port 2222. Then update your firewall:

ufw allow 2222/tcp
ufw delete allow ssh
systemctl restart sshd

8. Keep It Updated Automatically

Set up unattended security updates so you're not manually patching every week:

apt install unattended-upgrades -y
dpkg-reconfigure --priority=low unattended-upgrades

This automatically applies security patches. You'll still want to handle major upgrades manually.

9. Check What's Listening

Know what ports are open on your server:

ss -tlnp

If you see something listening that you don't recognize, investigate it before moving on.

On Galaxy Cloud Solutions VPS: We already run fail2ban on the network level and have Cloudflare DDoS protection in front of everything. But you should still follow these steps on your VM — defense in depth is the right approach.

Related Articles

How to Set Up Fail2ban on a VPS How to Set Up SSH Keys on a VPS How to Set Up an Ubuntu VPS for the First Time How to Back Up a VPS

Start with a clean, secure VPS from $5/mo

All Galaxy Cloud Solutions VPS come with Ubuntu 24.04, full root access, and Cloudflare DDoS protection already in place. The security setup above takes about 15 minutes on top of that. Use code LAUNCH2026 for 50% off your first month.

Get Started