The initial server setup hardening for an Ubuntu 24.04 VPS is a critical first step to protect against unauthorized access and common cyber threats. This checklist details essential security practices, including securing SSH access, configuring a robust firewall with UFW, deploying intrusion detection with Fail2Ban, and ensuring timely system updates. Implementing these measures immediately after provisioning your server, as of April 2026, establishes a strong security posture for any self-hosted application or service, whether you're hosting Plausible Analytics or running a custom workflow with n8n.

Foundational Security: User Management and SSH Access

Securing the primary access vector, SSH, is paramount for any remote server. Ubuntu 24.04, codenamed "Noble Numbat," ships with OpenSSH server by default, providing a secure shell for administrative tasks. The goal here is to minimize attack surfaces and implement strong authentication mechanisms.

Creating a New Sudo User

Operating as the root user directly is risky because a single mistake can have catastrophic system-wide consequences. Instead, create a dedicated non-root user with sudo privileges. This user can perform administrative tasks by prefixing commands with sudo, requiring password authentication for each privileged action. This separation of duties significantly reduces the potential damage from accidental commands or compromised credentials.

sudo adduser nelsaadmin
sudo usermod -aG sudo nelsaadmin

The first command creates the user nelsaadmin and prompts for a password. The second command adds nelsaadmin to the sudo group, granting administrative capabilities.

Disabling Root Login

Direct SSH access for the root user is a common target for brute-force attacks. After creating your sudo user and verifying its functionality, disable root login entirely. This forces attackers to guess both a username and password, rather than just a password for the known root user.

Edit the sshd_config file located at /etc/ssh/sshd_config. Find the line PermitRootLogin and change its value to no.

sudo nano /etc/ssh/sshd/sshd_config

Change:
#PermitRootLogin prohibit-password or PermitRootLogin yes
To:
PermitRootLogin no

After saving the change, restart the SSH service for it to take effect. This ensures that any direct attempts to log in as root via SSH will be rejected.

sudo systemctl restart sshd

SSH Key-Based Authentication

Password-based authentication, while convenient, is susceptible to dictionary attacks and brute-force attempts, especially if the password is weak. SSH key pairs offer a much stronger and more secure alternative. A key pair consists of a private key (kept secret on your local machine) and a public key (placed on the server). Only a client possessing the correct private key can authenticate.

Here are the steps to set up SSH key-based authentication:

  1. Generate an SSH key pair on your local machine if you haven't already. Use a strong passphrase for your private key.
    ssh-keygen -t ed25519 -C "nelsaadmin@your_vps_name"
    This command creates a new key pair using the secure Ed25519 algorithm, saving id_ed25519 (private) and id_ed25519.pub (public) in your ~/.ssh/ directory.
  2. Copy your public key to the Ubuntu VPS. Replace nelsaadmin and your_vps_ip with your actual username and server IP.
    ssh-copy-id nelsaadmin@your_vps_ip
    Alternatively, if ssh-copy-id isn't available or fails, manually copy the public key:
    cat ~/.ssh/id_ed25519.pub | ssh nelsaadmin@your_vps_ip "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
    The authorized_keys file must have strict permissions (600) to be honored by the SSH daemon, as detailed in the OpenSSH documentation.
  3. Test your SSH login using the key.
    ssh nelsaadmin@your_vps_ip
    You should be prompted for your private key's passphrase (if you set one), not your user's password.
  4. Disable password authentication for SSH. This is a crucial step to prevent any fallback to less secure methods. Edit /etc/ssh/sshd_config again.
    sudo nano /etc/ssh/sshd_config
    Set:
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    Then restart the SSH service:
    sudo systemctl restart sshd

Hardening SSH Daemon Configuration

Beyond key-based authentication, a few other sshd_config parameters can further enhance security. Changing the default SSH port (22) to a non-standard, high-numbered port (e.g., 2222 or 49152-65535 range) can reduce log noise from automated port scanners, though it doesn't add significant security against a determined attacker.

sudo nano /etc/ssh/sshd_config

Add or modify the following lines:
Port 2222
ClientAliveInterval 300
ClientAliveCountMax 2
MaxAuthAttempts 3
AllowUsers nelsaadmin
LoginGraceTime 30
TCPKeepAlive no
X11Forwarding no
PermitEmptyPasswords no
PermitUserEnvironment no
AllowTcpForwarding no
Banner /etc/issue.net (create this file with a custom warning message)

Remember to restart sshd after any changes. The AllowUsers directive is particularly effective, ensuring only specified users can log in via SSH.

"The Secure Shell (SSH) Protocol is a protocol for secure remote login and other secure network services over an insecure network. The goal of the protocol is to provide a secure channel over an insecure network." — IETF RFC 4251, The Secure Shell (SSH) Protocol Architecture.

Firewall Configuration with UFW

A firewall acts as the first line of defense, controlling network traffic to and from your VPS. Ubuntu 24.04 includes UFW (Uncomplicated Firewall), a user-friendly frontend for iptables. UFW simplifies firewall management, allowing you to define rules quickly and effectively. It's crucial to configure UFW before deploying any services, ensuring only necessary ports are open to the internet.

Enabling UFW and Default Policies

Start by setting default policies to deny all incoming connections and allow all outgoing connections. This "deny by default" approach is a fundamental security principle. Then, explicitly allow SSH on the port you configured (e.g., 2222).

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp comment 'Allow SSH on custom port'
sudo ufw enable
sudo ufw status verbose

The ufw enable command will prompt you to confirm, as it may disrupt existing SSH connections if you haven't allowed your current port. Always ensure SSH access is allowed before enabling UFW.

Allowing Essential Services

Depending on your VPS's purpose, you'll need to open additional ports. Common services include web servers (HTTP/HTTPS), email (SMTP, IMAP, POP3), and databases. For example, to allow web traffic:

sudo ufw allow http comment 'Allow HTTP traffic'
sudo ufw allow https comment 'Allow HTTPS traffic'

These commands automatically translate to ports 80 and 443 respectively. If you're running a specific application that uses a non-standard port, you'll need to specify it directly, such as sudo ufw allow 8080/tcp. Regularly review sudo ufw status to ensure only intended ports are open. Ubuntu's official documentation provides detailed guides on UFW usage.

Intrusion Prevention with Fail2Ban

Even with strong SSH keys and a configured firewall, brute-force attacks remain a persistent threat. Fail2Ban is a powerful intrusion prevention framework that scans log files (e.g., SSH, web server logs) for malicious patterns like repeated failed login attempts. Upon detection, it automatically creates iptables rules to temporarily or permanently ban the offending IP address. This significantly reduces the burden on your server and protects against relentless probing.

Installing and Configuring Fail2Ban

Installation is straightforward on Ubuntu 24.04. After installation, copy the default configuration file to jail.local to prevent your changes from being overwritten during updates.

sudo apt update
sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now, edit jail.local to customize its behavior. At a minimum, ensure bantime (how long an IP is banned), findtime (time window for failures), and maxretry (number of failures before ban) are set appropriately. You might also want to set destemail to receive notifications.

sudo nano /etc/fail2ban/jail.local

Example jail.local modifications:
[DEFAULT] bantime = 1h findtime = 10m maxretry = 5 banaction = ufw destemail = [email protected] sendername = Fail2Ban [sshd] enabled = true port = 2222 # Your custom SSH port
The banaction = ufw line ensures Fail2Ban integrates with your Uncomplicated Firewall. After making changes, restart Fail2Ban.

sudo systemctl restart fail2ban
sudo systemctl enable fail2ban
sudo fail2ban-client status sshd

The fail2ban-client status sshd command shows currently banned IPs and statistics for the SSH jail. Fail2Ban's official wiki offers extensive documentation for advanced configurations, including jails for web servers (nginx, Apache), email services, and more.

Keeping Your System Updated

Software vulnerabilities are regularly discovered and patched. Running an outdated system is like leaving your front door unlocked. Regular updates are critical for maintaining a secure environment on your Ubuntu 24.04 VPS.

Automatic Security Updates

While manual updates are important, automating security-critical patches ensures your system remains protected even if you forget. Ubuntu provides the unattended-upgrades package for this purpose.

sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

During reconfiguration, you'll be asked if you want to enable automatic updates; select "Yes." You can further customize which types of updates are applied automatically by editing /etc/apt/apt.conf.d/50unattended-upgrades. Ensure at least the Ubuntu:noble-security origin is uncommented.

To verify that automatic upgrades are active and configured correctly, check the log file:

tail -f /var/log/unattended-upgrades/unattended-upgrades.log

This log will show when the system checked for and applied updates. As of 2026-04, unattended-upgrades is the recommended method for hands-off security patching on Ubuntu servers.

Advanced Security Measures

Beyond the essentials, several advanced configurations can further harden your Ubuntu 24.04 VPS against specific attack vectors and enhance overall system integrity.

Securing Shared Memory

Shared memory segments, particularly /dev/shm, can sometimes be exploited by malicious local applications to escalate privileges. Mounting /dev/shm with noexec and nosuid options prevents execution of binaries and ignores SUID/SGID bits, respectively.

Edit /etc/fstab to add these options:

sudo nano /etc/fstab

Find the line for /dev/shm (it might look like tmpfs /run/shm tmpfs defaults 0 0) and modify it:
tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0
Then, remount tmpfs to apply the changes without rebooting:

sudo mount -o remount /dev/shm

Verify the settings with mount | grep /dev/shm.

Disabling Unnecessary Services

Every running service consumes resources and potentially introduces a vulnerability. Review all active services and disable any that are not essential for your server's function. This reduces the attack surface.

List all active services:

sudo systemctl list-units --type=service --state=running

For instance, if your VPS isn't running a desktop environment, you can disable display managers. If you don't need a specific database or web server, disable it.
To disable a service:

sudo systemctl disable service_name
sudo systemctl stop service_name

Always research a service before disabling it to avoid breaking critical system functions.

Implementing a Basic Auditing System

For critical production servers, an auditing system like auditd provides detailed logs of system calls, file access, and other security-relevant events. While configuring auditd extensively can be complex, a basic setup offers valuable insights for incident response.

sudo apt install auditd audispd-plugins
sudo systemctl enable auditd
sudo systemctl start auditd

You can then add rules to /etc/audit/rules.d/ to monitor specific files or directories, for example, configuration files in /etc/. Audit logs are typically found in /var/log/audit/audit.log.

Regular Backups and Monitoring

Even the most hardened server can experience data loss due to hardware failure, accidental misconfiguration, or unforeseen attacks. Implementing a robust backup strategy and continuous monitoring are indispensable for business continuity and rapid recovery.

Setting Up Automated Backups

Automated, off-site backups are non-negotiable. Tools like rsync can synchronize files to another server, while restic provides encrypted, deduplicated backups to various cloud storage providers. Schedule these with cron for daily or hourly execution.

Example cron entry for a simple rsync backup (run crontab -e):

0 2 * * * rsync -avzh --delete /var/www/html/ nelsaadmin@backup_server_ip:/path/to/backup/ >/dev/null 2>&1

This example uses rsync to back up web content nightly at 2 AM. For more comprehensive solutions, consider a managed VPS provider like Valebyte, which often includes automated snapshot and backup features as part of their service, simplifying this crucial task.

Basic System Monitoring

Monitoring helps identify issues before they become critical. Tools like htop or glances provide real-time resource usage, while Prometheus and Grafana offer advanced metrics collection and visualization. At a minimum, regularly check your system's health.

free -h # Check memory usage
df -h # Check disk space
uptime # Check load average and uptime

For external monitoring, services like UptimeRobot or Healthchecks.io can ping your server to ensure it's responsive.