What to Do First After Purchasing a VPS
This article summarises my experience strengthening the security of a server after purchasing a VPS.
The VPS used in this article is from wap.ac
    
    
    Login to the Server
First, open your system’s terminal and connect to the server via SSH using the following command. The username is usually root, and the server IP is typically sent to your email.
ssh [username]@[server IP]
If you purchased an IPv6 server but your local machine lacks IPv6 support, you won’t be able to connect. Before purchasing, check your IPv6 connectivity using test IPv6.
The default port is usually 22. If the server uses a different port, specify it in the command.
ssh -p [port] [username]@[server IP]
Nothing is displayed while you type the password. If no password was set beforehand, check the earlier email for details.
    
    
    Basic Setup
The guide uses Debian/Ubuntu as an example.
Update the system packages. Run the following commands and press y to accept the update.
sudo apt update
sudo apt upgrade
Disable the default ufw service.
sudo systemctl stop ufw
sudo systemctl disable ufw
sudo ufw --force reset
Install firewalld (the package that provides firewall-cmd), start the service, and enable it at boot.
sudo apt install firewalld
sudo systemctl start firewalld
sudo systemctl enable firewalld
Verify the firewalld service is running.
sudo systemctl status firewalld
Here are some commonly used firewalld and firewall-cmd commands.
# Restart the service
sudo systemctl restart firewalld
# Disable the service when booting
sudo systemctl disable firewalld
# Reload after making changes
sudo firewall-cmd --reload
# List current rules
sudo firewall-cmd --list-all
# Check the active zone
sudo firewall-cmd --get-active-zones
# List ports for a specific zone (e.g., public)
sudo firewall-cmd --zone=public --list-ports
    
    
    Restrict Login
Use this website to check your IP address and restrict SSH access to your VPS for trusted IPs using firewall-cmd.
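sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="[your IP]" service name="ssh" accept'
# The default zone normally allows the ssh service from any address; remove it so only the rule above applies
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --reload
If the SSH port is not the default 22, modify the command to match the port.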
Using the root account to log in will increase the risk of brute-force attacks. It is recommended to create a new user, disable root login, and only use public keys for login.
Create a new user.
sudo adduser [new username]
You will be required to set a password. It is recommended to use a random password generator to create a password of at least 15 characters that includes symbols. Copy the generated password into the terminal and store it securely.
You can skip setting additional details by pressing Enter.
Switch to the new user.
su [new username]
Create a .ssh folder to store the public key.
mkdir -p ~/.ssh
chmod 700 ~/.ssh
Store your trusted public key in this folder.
If you don’t have a public key, you can use the following steps to create one.
On Windows, open the terminal and use ssh-keygen to generate an RSA key.
ssh-keygen -t rsa -b 2048
Save the key in the default location (C:\Users\[your username]\.ssh\). The private key will be named id_rsa and the public key id_rsa.pub.
Store the public key on the server.
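echo "[your public key]" > ~/.ssh/authorized_keys
Allow the new user to use the sudo command. The new user has no sudo rights yet, so run this from the original session (type exit to leave the new user's shell).
sudo usermod -aG sudo [new username]
Switch to root.
sudo su root
Modify the SSH configuration file to disable root login and only allow public keys for login.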
vim /etc/ssh/sshd_config
- Set PermitRootLogin to no
- Set PubkeyAuthentication to yes
- Set PasswordAuthentication to no
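Before restarting, it helps to confirm what sshd will actually apply: sshd keeps the first value it reads for each keyword, and the stock Debian/Ubuntu sshd_config includes /etc/ssh/sshd_config.d/*.conf near the top, so a drop-in file can override the edit. The check below is an added example, not part of the original article; the function name check_sshd_hardening and the sample input are constructed for illustration, and it reads the output of sshd -T.

```shell
#!/bin/sh
# Added example (not from the article): audit the three settings edited above.
# Reads the output of `sshd -T` on stdin: one lowercase "keyword value" pair
# per line, already resolved across Include files and first-value-wins order.
# Prints one line per setting and returns 0 only if all three match.
check_sshd_hardening() {
    awk '
        BEGIN {
            want["permitrootlogin"] = "no"
            want["pubkeyauthentication"] = "yes"
            want["passwordauthentication"] = "no"
        }
        ($1 in want) && !($1 in got) { got[$1] = $2 }
        END {
            bad = 0
            for (k in want) {
                if (!(k in got)) {
                    printf "MISSING %s (want %s)\n", k, want[k]; bad = 1
                } else if (got[k] != want[k]) {
                    printf "FAIL %s is %s (want %s)\n", k, got[k], want[k]; bad = 1
                } else {
                    printf "OK %s %s\n", k, got[k]
                }
            }
            exit bad
        }'
}

# Constructed sample: what `sshd -T` could report when a drop-in file sets
# "PasswordAuthentication yes" before the line edited in sshd_config is read.
SAMPLE_OVERRIDDEN='permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes'

printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_sshd_hardening ||
    echo "sshd would still accept passwords: look for an earlier setting"

# On the server (assumes sshd is on root's PATH):
#   sudo sshd -t && sudo sshd -T | check_sshd_hardening
```

Keep the current SSH session open until a second login with the key succeeds, so a mistake in sshd_config cannot lock you out.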
Restart the SSH service after changing.
systemctl restart sshd
Using Termius to save your SSH settings and public keys is recommended, as it can synchronise across devices.