Goal of this article:
You’ve just installed a Linux server for the first time (on a VPS or physical machine) and don’t know where to start to secure it? This guide is for you. I’ll walk you through 5 essential steps to protect your server right after installation.


🛑 1. Create a non-root user with sudo

On Linux, the root user has full control over the system. But logging in directly as root is dangerous: a single typo can break your system, and the root account is also a top target for attackers.

➤ Steps:

✅ On Debian / Ubuntu:

adduser admin
usermod -aG sudo admin

✅ On CentOS / Fedora / RHEL:

adduser admin
passwd admin
usermod -aG wheel admin

Then log in with the new user:

ssh admin@YOUR_SERVER_IP

πŸ” 2. Secure SSH (and disable root login)

Most attacks on the internet target the SSH service. It’s crucial to:

  • disable root login
  • disable password authentication
  • enforce SSH key login

➤ Steps:

  1. Edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
  2. Add or modify the following lines:
PermitRootLogin no
PasswordAuthentication no
  3. Generate an SSH key pair on your local machine:
ssh-keygen -t ed25519
  4. Copy your public key to the server:
ssh-copy-id admin@YOUR_SERVER_IP
  5. Restart the SSH service:

Debian / Ubuntu:

sudo systemctl restart ssh

CentOS / Fedora / RHEL:

sudo systemctl restart sshd
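
To confirm that the settings from this step are really in effect after the restart, the check below parses the output of `sshd -T`, which prints the effective configuration. It is an added example, not part of the original article; the function name and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the effective sshd settings against this step's goals.
# Input: the output of `sshd -T` on stdin (lowercase "keyword value" lines).

# check_sshd_effective (hypothetical helper name): prints one line per
# setting and returns the number of settings that differ (0 = as intended).
check_sshd_effective() {
    dump=$(cat)
    failures=0
    for pair in permitrootlogin=no passwordauthentication=no pubkeyauthentication=yes; do
        key=${pair%%=*}
        want=${pair#*=}
        # Take the value reported for this keyword, if any.
        got=$(printf '%s\n' "$dump" |
            awk -v k="$key" 'tolower($1) == k { print tolower($2); exit }')
        if [ "$got" = "$want" ]; then
            echo "OK    $key $got"
        else
            echo "FAIL  $key is '${got:-unset}', expected '$want'"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed sample: what `sshd -T` can report when a drop-in file under
# /etc/ssh/sshd_config.d/ sets PasswordAuthentication yes and is read before
# your own line (sshd uses the first value it obtains for each keyword).
SAMPLE_OVERRIDDEN='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes'

# Constructed sample: the result this step aims for.
SAMPLE_HARDENED='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'

# Demo on the constructed sample. On the server itself, run as root:
#   sshd -T | check_sshd_effective
printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_sshd_effective ||
    echo "=> $? setting(s) differ from the intended configuration"
```

Run it while your current session is still open, so a FAIL can be corrected before you log out.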

🔥 3. Enable a firewall

A firewall protects your server by blocking unwanted connections. By default, all incoming connections are blocked; you only allow what’s necessary (like SSH).

➤ Debian / Ubuntu (UFW):

sudo apt update
sudo apt install ufw
sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status

➤ CentOS / Fedora / RHEL (firewalld):

sudo dnf install firewalld   # or 'yum install'
sudo systemctl enable firewalld --now
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload
sudo firewall-cmd --list-all

πŸ” 4. Enable automatic updates

Security patches are released regularly. To avoid missing them, you should automate updates.

➀ Debian / Ubuntu:

sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

➤ CentOS / RHEL / Fedora:

sudo dnf install dnf-automatic
sudo systemctl enable --now dnf-automatic.timer

πŸ›‘οΈ 5. Enable SSH brute-force protection (Fail2ban)

Fail2ban monitors SSH login attempts and blocks IPs that fail too many times. It’s simple, lightweight, and effective.

➀ Debian / Ubuntu:

sudo apt install fail2ban

➤ CentOS / Fedora / RHEL:

sudo dnf install fail2ban
sudo systemctl enable --now fail2ban

Then configure a basic jail file:

sudo nano /etc/fail2ban/jail.local

Add this:

[sshd]
enabled = true
port = ssh
filter = sshd
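# Debian / Ubuntu path; use /var/log/secure on CentOS/RHEL.
# (Fail2ban does not treat '#' after a value as a comment, so keep comments on their own line.)
logpath = /var/log/auth.log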
maxretry = 5

Restart Fail2ban:

sudo systemctl restart fail2ban

✅ Conclusion

Congratulations! By following these 5 steps, you’ve already secured your server against the most common threats:

  • 🔒 No more direct root login
  • SSH key authentication only
  • 🧱 Active firewall
  • 📦 Automatic updates
  • 🚫 SSH brute-force protection enabled

If you have questions or suggestions, feel free to comment or reach out via the contact page of the blog.