You just spun up a new VPS or game server, and right now it's about as safe as a house with the front door propped open. The good news is that the stuff that actually keeps attackers out is not complicated. It's a short list of small jobs you do once, on day one, before you forget. Here's what we run through on every fresh box.
Why day one matters
A fresh server starts getting poked within minutes of coming online. Automated bots scan the whole internet looking for open SSH ports, default logins and old software. They are not targeting you specifically. They just try millions of addresses and see what sticks. If your server has a weak root password and password login turned on, you are part of the lottery whether you like it or not.
So the goal today is simple. Close the easy doors. None of this takes long, and you only have to do it once.
Sort out passwords first
If your provider emailed you a default password, change it now. Same goes for any control panel login, database password or app password that came pre-set. Default credentials are the first thing a bot tries.
When you set new ones, make them long and make them different from each other. A password you reuse on three services is one breach away from being useless on all three. Honestly, the easiest fix here is a password manager. Let it generate a 20-character random string for each thing and you never have to remember any of them. If you are typing passwords by hand, length beats clever symbols. A long passphrase of a few unrelated words is both stronger and easier to live with than P@ss1!.
Stop using root for everything
Logging in as root all day is a habit worth dropping. Root can do anything, including wipe the whole system with one mistyped command, and if an attacker gets a root session they own the box outright. The fix is a normal user account that can become root only when it needs to.
On most Linux servers it looks like this:
adduser dominic
usermod -aG sudo dominic
That creates a user called dominic and adds them to the sudo group, which means you can run admin commands by typing sudo in front of them. From now on you log in as that user and only reach for root powers when a task actually needs them. It's a small change that catches a lot of accidents.
Switch SSH to keys instead of passwords
This is the single biggest win on the list. A password can be guessed. An SSH key effectively cannot, because the private half is a long random secret that lives on your own machine and never travels across the network.
On your own computer, generate a key pair:
ssh-keygen -t ed25519 -C "your-email"
Then copy the public half up to the server:
ssh-copy-id dominic@your-server-ip
Test that you can log in with the key before you change anything else. Open a brand new terminal and connect. If it lets you in without asking for your account password, the key is working. Only then turn off password login, by editing /etc/ssh/sshd_config and setting:
PasswordAuthentication no
Then restart SSH with sudo systemctl restart ssh. A quick warning here, and we mean it. Keep that first session open while you test the change in a second window. If you disable passwords and something is misconfigured, the open session is what saves you from locking yourself out. We have all done it once. You only do it once.
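Checking the result of the edit above, as an added example (not part of the original article): sshd keeps the first value it reads for each keyword, and recent Debian and Ubuntu images include /etc/ssh/sshd_config.d/*.conf at the top of sshd_config, so a drop-in file can win over the line you changed. The function name audit_sshd and both sample dumps are made up for the illustration; the input is the output of sshd -T.

```sh
#!/bin/sh
# Added example. Real use (needs root):  sudo sshd -T | audit_sshd
# `sshd -T` prints the settings sshd will actually apply, one
# "keyword value" pair per line with the keyword in lower case.

audit_sshd() {
    awk '
        { opt[$1] = $2 }
        END {
            bad = 0
            if (opt["passwordauthentication"] != "no") {
                print "FAIL passwordauthentication=" opt["passwordauthentication"]
                bad = 1
            }
            if (opt["pubkeyauthentication"] != "yes") {
                print "FAIL pubkeyauthentication=" opt["pubkeyauthentication"]
                bad = 1
            }
            # Keyboard-interactive auth can still ask for the account password
            # through PAM; older OpenSSH calls it challengeresponseauthentication.
            if (opt["kbdinteractiveauthentication"] == "yes" ||
                opt["challengeresponseauthentication"] == "yes") {
                print "FAIL keyboard-interactive authentication is still on"
                bad = 1
            }
            if (!bad) print "OK key-only login is in effect"
            exit bad
        }'
}

# Constructed samples (trimmed to the relevant lines), not captured output.
# BEFORE: sshd_config was edited, but a drop-in still sets the option to yes.
SSHD_BEFORE='port 22
passwordauthentication yes
pubkeyauthentication yes
kbdinteractiveauthentication no'
SSHD_AFTER='port 22
passwordauthentication no
pubkeyauthentication yes
kbdinteractiveauthentication no'

printf '%s\n' "$SSHD_BEFORE" | audit_sshd || true
printf '%s\n' "$SSHD_AFTER" | audit_sshd
```

The function exits non-zero when any check fails, so it can gate the step where you close your safety session.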
Put up a firewall
By default your server may be listening on more ports than you realise. A firewall flips the logic around so that everything is closed except the handful of things you actually use. On Ubuntu and Debian, ufw makes this painless.
sudo ufw allow OpenSSH
sudo ufw enable
That allows SSH and blocks the rest. From there you open only what you need. Running a website? Allow ports 80 and 443. Running a Minecraft server? Allow 25565. The idea is to keep the allow list short. If you are not using a service, its port should not be open to the internet.
sudo ufw allow 80
sudo ufw allow 443
sudo ufw allow 25565
sudo ufw status
That last command shows you exactly what is open, which is handy to glance at every so often.
Update everything
A fresh image is often weeks or months behind on patches. Plenty of attacks rely on bugs that were fixed ages ago and just never installed. Run the updates before you put anything important on the box:
sudo apt update
sudo apt upgrade
And don't treat this as a one-time thing. Set yourself a reminder to come back and run it every week or two. On a server you mostly leave alone, unattended security updates are worth turning on so the critical patches land on their own. The whole point is that you stop being an easy target the moment a new flaw goes public.
Add fail2ban for brute force attempts
Even with key-only SSH, you will see endless login attempts in your logs. They are bots, hammering away. fail2ban watches those logs and temporarily bans any address that fails too many times in a row.
sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
The defaults are sensible out of the box, so you can install it and move on. It quietly trims the noise and shuts down the more persistent guessers. In our experience it's one of those tools you set up once and never think about again, which is exactly what you want.
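The counting that this kind of tool does, as an added example rather than fail2ban's own code or filter rules: flag an address once it reaches a set number of failed logins inside a time window. The function name, the two log line shapes it matches, the 5-failures-in-600-seconds values and the sample log are all assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example. Real use:  journalctl -u ssh -o short-unix | ban_candidates 5 600
# Prints each IPv4 address once, at the moment it reaches MAXRETRY failed
# attempts inside a sliding window of FINDTIME seconds.

ban_candidates() {   # usage: ban_candidates MAXRETRY FINDTIME < log
    awk -v maxretry="$1" -v findtime="$2" '
        /Failed password for / ||
        /Connection closed by (authenticating|invalid) user .* \[preauth\]/ {
            if (!match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) next
            ip = substr($0, RSTART, RLENGTH)
            now = $1 + 0                       # epoch seconds from short-unix
            t[ip, ++n[ip]] = now
            if (!(ip in first)) first[ip] = 1
            # Drop failures that have aged out of the window.
            while (t[ip, first[ip]] < now - findtime) first[ip]++
            if (n[ip] - first[ip] + 1 >= maxretry && !(ip in banned)) {
                banned[ip] = 1
                print ip
            }
        }'
}

# Constructed log in `journalctl -o short-unix` shape; the addresses are
# documentation ranges, not real hosts.
AUTH_SAMPLE='1700000000.1 vps sshd[2001]: Connection closed by authenticating user root 203.0.113.50 port 40100 [preauth]
1700000001.2 vps sshd[2002]: Connection closed by invalid user test 198.51.100.23 port 51000 [preauth]
1700000010.0 vps sshd[2003]: Connection closed by invalid user admin 203.0.113.50 port 40102 [preauth]
1700000015.4 vps sshd[2004]: Accepted publickey for dominic from 192.0.2.10 port 52200 ssh2
1700000020.3 vps sshd[2005]: Connection closed by invalid user oracle 203.0.113.50 port 40104 [preauth]
1700000030.8 vps sshd[2006]: Connection closed by authenticating user root 203.0.113.50 port 40106 [preauth]
1700000040.5 vps sshd[2007]: Connection closed by invalid user pi 203.0.113.50 port 40108 [preauth]
1700001801.0 vps sshd[2101]: Connection closed by invalid user test 198.51.100.23 port 51002 [preauth]
1700003601.0 vps sshd[2102]: Connection closed by invalid user test 198.51.100.23 port 51004 [preauth]
1700005401.0 vps sshd[2103]: Connection closed by invalid user test 198.51.100.23 port 51006 [preauth]
1700007201.0 vps sshd[2104]: Connection closed by invalid user test 198.51.100.23 port 51008 [preauth]'

printf '%s\n' "$AUTH_SAMPLE" | ban_candidates 5 600
```

The second address also fails five times, but spread over two hours, so it only shows up if you widen the window.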
Turn off services you are not using
Every running service is another possible way in. Some images ship with extra stuff enabled that you will never touch. To see what is listening for connections:
sudo ss -tulpn
If you spot something you don't recognise or don't need, stop it and disable it:
sudo systemctl disable --now servicename
The fewer things running, the fewer things that can break or be attacked. A mail server you never set up, an old database engine, a sample web app left over from the image, all of it is just risk sitting there doing nothing for you.
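A way to read that ss output against your firewall allow list, as an added example that is not from the original article: it skips services bound only to loopback and lists everything else whose port you did not mean to expose. The function name exposed_listeners and the sample ss output are constructed for the illustration.

```sh
#!/bin/sh
# Added example. Real use:  sudo ss -tulpn | exposed_listeners "22 25565"
# Prints "proto port process" for every listener that is bound to a
# non-loopback address and whose port is not in the allow list.

exposed_listeners() {   # $1 = space-separated ports you opened in ufw
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "tcp" && $1 != "udp" { next }          # header and other rows
        {
            port = $5; sub(/.*:/, "", port)           # text after the last colon
            addr = $5; sub(/:[^:]*$/, "", addr)       # text before it
            if (addr ~ /^127\./ || addr == "[::1]") next   # local-only service
            if (port in ok) next
            proc = "unknown"                          # no -p, or not run as root
            if (match($0, /\(\("[^"]+"/)) { proc = substr($0, RSTART + 3, RLENGTH - 4) }
            key = $1 " " port " " proc
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Constructed `ss -tulpn` output, not captured from a real machine.
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22      0.0.0.0:*  users:(("sshd",pid=811,fd=3))
tcp   LISTEN 0      128             [::]:22         [::]:*  users:(("sshd",pid=811,fd=4))
tcp   LISTEN 0      4096   127.0.0.53%lo:53      0.0.0.0:*  users:(("systemd-resolve",pid=640,fd=14))
tcp   LISTEN 0      151        127.0.0.1:3306    0.0.0.0:*  users:(("mysqld",pid=902,fd=23))
tcp   LISTEN 0      100          0.0.0.0:25      0.0.0.0:*  users:(("master",pid=1210,fd=13))
tcp   LISTEN 0      50                 *:25565         *:*  users:(("java",pid=1502,fd=45))
udp   UNCONN 0      0            0.0.0.0:111     0.0.0.0:*  users:(("rpcbind",pid=590,fd=5))'

printf '%s\n' "$SS_SAMPLE" | exposed_listeners "22 25565"
```

On the sample it reports the mail and rpcbind listeners, while the database bound to 127.0.0.1 is left alone because nothing outside the server can reach it.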
Enable 2FA on your control panel
Your hosting panel is the keys to everything. If someone gets into it they can reset passwords, reinstall the OS or pull your backups, no SSH required. So protect that login as hard as you protect the server itself.
Turn on two-factor authentication wherever it's offered. On our panel at panel.bytte.cloud you can enable it from your account settings, and it takes about a minute. Use an authenticator app rather than text messages if you have the choice, since SMS codes can be intercepted. This one step alone stops the most common way small hosting accounts get taken over, which is a leaked or reused password.
Set up backups before you need them
Security has two halves. One is keeping people out. The other is being able to recover when something goes wrong, whether that's an attack, a bad update or your own slip of the keyboard. A server with no backups is one mistake away from gone.
Decide what actually matters. For a game server that's the world files, the configs and any plugin or mod data. For a website it's the files and the database. Then automate a copy on a schedule that fits how active things are, and keep at least one copy somewhere other than the same server. A backup that lives only on the machine it's protecting is not really a backup.
And here's the part everyone skips. Test a restore. A backup you have never restored is just a guess. Pull one back at least once so you know the process works and the files are good. Far better to find out today than during a real emergency.
A short recap before you move on
If you only have ten minutes today, do these in order: change default passwords, make a non-root user, switch SSH to keys, turn on the firewall, run updates, install fail2ban, kill services you don't use, enable 2FA on your panel, and set up a backup. That covers the overwhelming majority of how small servers get compromised.
None of it is fancy, and that's the point. The boring basics are what keep you off the easy target list, and they buy you the room to get on with the actual reason you got the server in the first place. Set them up once, and you can stop worrying about the front door.



