First boot — Ubuntu hardening checklist
The things to do in the first ten minutes of a new Ubuntu VPS.
A new Ubuntu VPS is reasonably secure out of the box, but there's a short checklist worth running through before exposing real workloads.
Update everything: `sudo apt update && sudo apt full-upgrade -y` followed by `sudo apt autoremove`. Reboot if a kernel update was applied.
Create a non-root user: `adduser deploy`; add it to the sudo group with `usermod -aG sudo deploy`. Copy your SSH key in: `mkdir -p /home/deploy/.ssh && cp /root/.ssh/authorized_keys /home/deploy/.ssh/ && chown -R deploy: /home/deploy/.ssh && chmod 700 /home/deploy/.ssh && chmod 600 /home/deploy/.ssh/authorized_keys`. Verify the new account can log in before locking root.
Lock down SSH: in `/etc/ssh/sshd_config.d/60-hardening.conf` set `PermitRootLogin no`, `PasswordAuthentication no`, and `AllowUsers deploy`. Reload with `systemctl reload ssh`. Verify from a second terminal before logging out of the first.
Enable unattended security updates: `sudo apt install unattended-upgrades && sudo dpkg-reconfigure --priority=low unattended-upgrades`. Pick the security-only origin to avoid surprise major-version moves.
Set up fail2ban: `sudo apt install fail2ban && sudo systemctl enable --now fail2ban`. The defaults are fine to start with. Re-tune the jails for your specific services (the sshd jail is always on by default).
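A check for the SSH step, added here as an example and not part of the original checklist: sshd uses the first value it obtains for each keyword and reads drop-ins in lexical order, so a file that sorts before `60-hardening.conf` can silently win. The function name `check_sshd_effective` and the sample dump are constructed for illustration; the expected values are the three settings from the checklist.

```shell
#!/bin/sh
# Added example (not from the original page): audit the *effective* sshd
# settings after the SSH step. Feed it the output of `sshd -T`.

# check_sshd_effective: reads an `sshd -T` dump on stdin, prints OK/FAIL per
# keyword, and returns 0 only when every value matches the checklist.
check_sshd_effective() {
    dump=$(cat)
    rc=0
    while read -r key want; do
        # sshd -T prints lower-case "keyword value" lines; a keyword given
        # several values (e.g. allowusers) appears once per value, so join them.
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '
            tolower($1) == k { $1 = ""; v = v $0 }
            END { sub(/^ /, "", v); print v }')
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key: want '$want', got '${got:-<unset>}'"
            rc=1
        fi
    done <<EOF
permitrootlogin no
passwordauthentication no
allowusers deploy
EOF
    return "$rc"
}

# Constructed sample dump: password logins are still on, as happens when an
# earlier-sorting drop-in sets PasswordAuthentication yes before 60-hardening.conf.
SAMPLE_DUMP='port 22
permitrootlogin no
passwordauthentication yes
allowusers deploy'

printf '%s\n' "$SAMPLE_DUMP" | check_sshd_effective || true
```

On the server, define the function and run `sudo sshd -T | check_sshd_effective`; a FAIL line means another config file is overriding the drop-in.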
That's it. Your VPS is now in roughly the same place an ops team would put it before deploying anything real. Bigger hardening — auditd, SELinux/AppArmor profiles, kernel-level lockdown — depends on workload.