Initial Server Setup Checklist After Buying a VPS (Ubuntu/CentOS)

Initial Server Setup Checklist After Buying a VPS (Ubuntu/CentOS)

A freshly provisioned VPS is a blank, exposed Linux box on the public internet — bots start probing it within minutes. This checklist takes about 30 minutes and covers the essentials for both Ubuntu/Debian and CentOS/AlmaLinux/Rocky.

1. Update Everything

# Ubuntu/Debian
apt update && apt upgrade -y

# CentOS/Alma/Rocky
dnf upgrade -y

Reboot if a new kernel was installed.

2. Create a Non-Root User With sudo

adduser deploy
usermod -aG sudo deploy # Ubuntu
usermod -aG wheel deploy # CentOS

Day-to-day work as root is one typo away from disaster; use sudo instead.

3. Set Up SSH Keys and Harden SSH

On your local machine, generate a key if you don't have one:

ssh-keygen -t ed25519
ssh-copy-id deploy@your-server-ip

Then in /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

Restart SSH — but keep your current session open and test the new login in a second terminal before closing it.

4. Enable a Firewall

# Ubuntu (UFW)
ufw allow OpenSSH
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable

# CentOS (firewalld)
firewall-cmd --permanent --add-service={ssh,http,https}
firewall-cmd --reload

Default-deny everything else. Open ports only when a service actually needs them.

5. Install fail2ban

apt install fail2ban # or: dnf install fail2ban

The default SSH jail bans IPs after repeated failed logins — it removes the vast majority of brute-force noise from your logs.

6. Set the Timezone and Time Sync

timedatectl set-timezone UTC
timedatectl set-ntp true

Accurate clocks matter for TLS, logs, and cron.

7. Add Swap (Small Servers)

On a 1–2 GB VPS, a modest swap file prevents the kernel's OOM killer from taking down MySQL during brief memory spikes:

fallocate -l 2G /swapfile
chmod 600 /swapfile
mkswap /swapfile && swapon /swapfile
echo '/swapfile none swap sw 0 0' >> /etc/fstab

8. Enable Automatic Security Updates

# Ubuntu
apt install unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades

# CentOS
dnf install dnf-automatic
systemctl enable --now dnf-automatic.timer

9. Set the Hostname and Check Backups

hostnamectl set-hostname web1.example.com

Finally, confirm your backup situation: does your provider snapshot the VPS, and have you tested restoring? A backup you've never restored is a hope, not a plan.

Done — Now Install Your Stack

With the foundation secured, you're ready to install Nginx, PHP, Node.js, or Docker. For deeper protection, read our follow-up guide on VPS security hardening with firewalls, SSH tuning, and fail2ban.

Deploy your server ← Back to blog