The First 10 Things to Do After You Get a New VPS

You just got the root password and IP in your dashboard. Do these before you deploy anything — most take under a minute.

1. Update everything

apt update && apt upgrade -y    # Debian/Ubuntu
dnf upgrade -y                  # AlmaLinux/Rocky

2. Create a non-root user

adduser deploy
usermod -aG sudo deploy   # 'wheel' on RHEL-family

3. Set up SSH keys and disable password login

On your laptop: ssh-copy-id deploy@your-ip. Then in /etc/ssh/sshd_config set PasswordAuthentication no and PermitRootLogin no, and systemctl restart sshd. Test a new session before closing the old one.

4. Turn on a firewall

ufw allow OpenSSH
ufw enable

Open only the ports you actually need (80, 443, etc.) as you go.

5. Enable automatic security updates

unattended-upgrades on Debian/Ubuntu, dnf-automatic on RHEL-family. This single step closes most of the window attackers rely on.

6. Install fail2ban

Bans IPs that hammer SSH with bad logins. apt install fail2ban and you are done.

7. Add swap if you have little RAM

A 1–2 GB swapfile keeps a small server from being OOM-killed during spikes:

fallocate -l 2G /swapfile && chmod 600 /swapfile
mkswap /swapfile && swapon /swapfile
echo '/swapfile none swap sw 0 0' >> /etc/fstab

8. Set the timezone and enable NTP

timedatectl set-timezone UTC (UTC on servers saves you headaches) and make sure systemd-timesyncd is active.

9. Set a hostname and a record

hostnamectl set-hostname app01 and point a DNS record at the IP so logs and TLS certs make sense.

10. Decide your backup story now

The worst time to think about backups is after you need one. At minimum: a nightly pg_dump/mysqldump to object storage, plus snapshots of anything you cannot regenerate. VPSoto can take Postgres and volume snapshots — and if you ever need a hand, open a ticket.

Bookmark this and run it on every new box.