Linux VPS · 7 min read · March 20, 2026

Ubuntu Server Setup Guide: Securing and Optimizing Your VPS From Scratch

Step by step guide to setting up Ubuntu Server on a VPS. Covers SSH hardening, firewall configuration, performance tuning, backups, and monitoring for production use.

Thomas van Herk

Infrastructure Engineer

Ubuntu is the most popular Linux distribution for VPS hosting and it is not even close. Roughly 40 percent of all Linux servers on the internet run some version of Ubuntu, and there are good reasons for that. The package manager is straightforward, the community support is massive, and nearly every tutorial or guide you find online assumes you are running Ubuntu.

But choosing Ubuntu is just the first step. Setting it up properly on a VPS determines whether you end up with a fast, secure server or a vulnerable mess that gets compromised within weeks. This guide walks through the entire process from the moment you provision your VPS to having a production ready Ubuntu server.

Ubuntu Server vs Ubuntu Desktop on a VPS

This is the first decision most people get wrong. Ubuntu Desktop includes a full graphical interface that wastes 500MB to 1GB of RAM. On a VPS where every megabyte costs money, running a desktop environment is like paying rent on rooms you never enter.

Ubuntu Server ships without a graphical interface. Everything happens through the command line. It boots faster, uses less RAM, and has a smaller attack surface. For a VPS, Ubuntu Server is almost always the right choice. If you need GUI applications, install a lightweight desktop like XFCE on top of Ubuntu Server rather than using the full Desktop edition.

Choosing the Right Ubuntu Version

Ubuntu releases a new version every six months, but the ones that matter for servers are the LTS (Long Term Support) releases. LTS versions come out every two years and receive security updates for five years.

The current LTS release is Ubuntu 24.04, codenamed Noble Numbat. This is what you should install on a production VPS. Non-LTS releases like 24.10 or 25.04 get security updates for only nine months. Unless you have a specific reason to run a non-LTS version, stick with 24.04 LTS.

Initial Server Setup After Provisioning

The moment your VPS is provisioned, you receive an IP address and root credentials. The first 15 minutes of setup are the most important because your server is at its most vulnerable right now. Automated bots scan the internet constantly for new servers with default configurations, and they will find yours within hours.

Log In and Update Everything

Connect to your server using SSH:

ssh root@YOUR_SERVER_IP

On Windows, use PowerShell's built-in OpenSSH client or PuTTY. The first command you run should update everything:

apt update && apt upgrade -y

If the kernel was updated, reboot the server:

reboot

Create a Non-Root User

Running everything as root is dangerous. One wrong command and you can destroy your entire system. Create a regular user with sudo privileges:

adduser yourusername
usermod -aG sudo yourusername

Set a strong password when prompted. Log out and log back in as your new user to verify:

ssh yourusername@YOUR_SERVER_IP
sudo whoami  # should output: root

Set Up SSH Key Authentication

Password authentication is the weakest link in server security. Bots try thousands of password combinations per hour. Key-based authentication eliminates this attack vector entirely.

On your local machine, generate an SSH key pair:

ssh-keygen -t ed25519 -C "your_email@example.com"

Copy the public key to your server:

ssh-copy-id yourusername@YOUR_SERVER_IP

Test logging in without a password. If it works, disable password authentication:

sudo nano /etc/ssh/sshd_config

Find and change these settings:

PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes

Restart SSH to apply (on Ubuntu the service unit is named ssh):

sudo systemctl restart ssh

Important: keep your current SSH session open while testing a new connection in a separate terminal. If something is misconfigured, you will not be locked out of your existing session.
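To confirm the three settings above are actually in effect, this added example (not part of the original guide) checks `sshd -T`-style output against them. It reads the effective configuration rather than the file you edited, because a drop-in under /etc/ssh/sshd_config.d/ can take precedence; the function name and sample text are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare effective sshd settings with the values from this guide.
# Input: `sshd -T`-style text on stdin (one "keyword value" pair per line).
# Exit status: 0 if all three settings match, 1 otherwise.
audit_sshd() {
    awk '
        BEGIN {
            n = split("passwordauthentication=no permitrootlogin=no pubkeyauthentication=yes", pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                key[i] = kv[1]; want[kv[1]] = kv[2]
            }
        }
        { k = tolower($1); if (k in want) got[k] = tolower($2) }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = key[i]
                if (!(k in got))            { printf "MISSING %s (expected %s)\n", k, want[k]; bad++ }
                else if (got[k] != want[k]) { printf "FAIL %s = %s (expected %s)\n", k, got[k], want[k]; bad++ }
                else                        { printf "OK %s = %s\n", k, got[k] }
            }
            exit (bad > 0)
        }
    '
}

# Constructed sample: main file hardened, but a drop-in re-enabled passwords.
SAMPLE_OVERRIDDEN='port 22
passwordauthentication yes
permitrootlogin no
pubkeyauthentication yes'

# Constructed sample: all three settings as the guide intends.
SAMPLE_HARDENED='port 22
passwordauthentication no
permitrootlogin no
pubkeyauthentication yes'

printf '%s\n' "$SAMPLE_OVERRIDDEN" | audit_sshd || echo "=> effective config differs from the guide"
# On the server, audit the live daemon instead:
#   sudo sshd -T | audit_sshd
```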

Configure the Firewall

Ubuntu comes with UFW (Uncomplicated Firewall). By default it is disabled, meaning all ports are open. Fix that immediately:

sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status

Only allow the ports you actually need. For a web server:

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

The fewer open ports, the smaller your attack surface. Do not open database ports (3306, 5432) to the internet unless you have a specific reason.

Change the Default SSH Port (Optional)

Moving SSH from port 22 to a random high port eliminates 99 percent of automated brute force attempts:

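sudo nano /etc/ssh/sshd_config
# Change: Port 22 to Port 49152 (or any high port)

sudo ufw allow 49152/tcp
# A default Ubuntu 24.04 install starts SSH through ssh.socket,
# so reload the units and restart the socket as well as the service
sudo systemctl daemon-reload
sudo systemctl restart ssh.socket
sudo systemctl restart ssh

# Test the new port before removing the old rule:
ssh -p 49152 yourusername@YOUR_SERVER_IP

# If it works, remove the old port:
sudo ufw delete allow OpenSSH

Essential Software for an Ubuntu VPS

Web Server: Nginx or Apache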

For most new projects, Nginx is the better choice. It handles static files faster, uses less memory, and works as a reverse proxy:

sudo apt install -y nginx
sudo systemctl enable nginx
sudo systemctl start nginx

Verify it is running by visiting your server's IP in a browser. You should see the Nginx welcome page. Configuration files live in /etc/nginx/:

# Create a new site configuration
sudo nano /etc/nginx/sites-available/mysite

# Example server block:
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    root /var/www/mysite;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

# Enable the site
sudo ln -s /etc/nginx/sites-available/mysite /etc/nginx/sites-enabled/
sudo nginx -t  # test configuration
sudo systemctl reload nginx

Database: MySQL or PostgreSQL

Install your database and run the security hardening script:

# For MySQL/MariaDB:
sudo apt install -y mariadb-server
sudo mysql_secure_installation

# For PostgreSQL:
sudo apt install -y postgresql postgresql-contrib
sudo -u postgres createuser --interactive

Create a dedicated database user for your application instead of using root:

sudo mysql -u root
CREATE DATABASE myapp;
CREATE USER 'myappuser'@'localhost' IDENTIFIED BY 'StrongPassword123!';
GRANT ALL PRIVILEGES ON myapp.* TO 'myappuser'@'localhost';
FLUSH PRIVILEGES;
EXIT;

SSL Certificates with Certbot

Every website needs HTTPS. Certbot obtains free certificates from Let's Encrypt and automates the entire process:

sudo apt install -y certbot python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Certbot automatically configures Nginx, obtains the certificate, and sets up auto-renewal. Verify auto-renewal works:

sudo certbot renew --dry-run

Performance Tuning for Ubuntu VPS

Swap Space

If your VPS has limited RAM, swap space prevents crashes when memory runs out:

# Create a 2GB swap file
sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile

# Make it permanent
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab

# Set swappiness to 10 (only use swap when RAM is nearly full)
echo 'vm.swappiness=10' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

File Descriptor Limits

The default limit of 1024 open files is too low for busy servers:

# Add to /etc/security/limits.conf:
sudo bash -c 'cat >> /etc/security/limits.conf << EOF
* soft nofile 65535
* hard nofile 65535
root soft nofile 65535
root hard nofile 65535
EOF'

Kernel Network Parameters

Tune the network stack for better performance under load:

sudo nano /etc/sysctl.conf

# Add these lines:
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 15
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

# Apply immediately:
sudo sysctl -p

Automated Backups

Set up your own backup system that copies critical data to an external location:

#!/bin/bash
# save as /root/backup.sh
# Stop on errors, including a failed mysqldump inside the pipeline
set -euo pipefail
# Backups contain database dumps: create them readable by root only
umask 077

DATE=$(date +%Y%m%d)
BACKUP_DIR="/root/backups"
mkdir -p "$BACKUP_DIR"

# Database backup
mysqldump -u root --all-databases | gzip > "$BACKUP_DIR/db-$DATE.sql.gz"

# Files backup
tar czf "$BACKUP_DIR/www-$DATE.tar.gz" /var/www/
tar czf "$BACKUP_DIR/nginx-$DATE.tar.gz" /etc/nginx/

# Sync to remote storage (optional)
# rsync -avz "$BACKUP_DIR/" user@backup-server:/backups/

# Delete backups older than 14 days
find "$BACKUP_DIR" -name "*.gz" -mtime +14 -delete

echo "Backup completed: $DATE"

# Make the script executable (run this in your shell, not inside the script)
sudo chmod +x /root/backup.sh

# Run daily at 3 AM: open root's crontab and add the line below
sudo crontab -e
0 3 * * * /root/backup.sh >> /var/log/backup.log 2>&1

Monitoring Your Ubuntu VPS

A server without monitoring is a server waiting to surprise you. Install basic monitoring tools:

# htop for real-time system monitoring
sudo apt install -y htop

# Check disk usage
df -h

# Check memory usage
free -h

# Check running processes by resource usage
top -o %MEM

For ongoing monitoring, install Netdata for a web dashboard with zero configuration:

curl https://get.netdata.cloud/kickstart.sh > /tmp/netdata-kickstart.sh
sh /tmp/netdata-kickstart.sh --stable-channel

Netdata runs on port 19999 and provides real-time graphs of CPU, RAM, disk, network, and hundreds of other metrics. Restrict access to your IP only:

sudo ufw allow from YOUR_IP to any port 19999

Automatic Security Updates

Configure unattended upgrades to automatically install security patches:

sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

Verify the configuration:

cat /etc/apt/apt.conf.d/20auto-upgrades

# Should show:
# APT::Periodic::Update-Package-Lists "1";
# APT::Periodic::Unattended-Upgrade "1";

This ensures your server receives critical security patches automatically without manual intervention. The system only installs security updates, not feature updates, so it will not break your applications.

Install Fail2Ban

Protect against brute force attacks on SSH and other services:

sudo apt install -y fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Configure the SSH jail:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600

Then enable and start the service:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# Check banned IPs:
sudo fail2ban-client status sshd
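
How the thresholds in the jail above interact, as an added example that is neither part of the original guide nor Fail2Ban's own code: it replays constructed log lines and reports which address would reach maxretry failures inside findtime. The sample lines, the single "Failed password" pattern and the function name are assumptions for illustration; Fail2Ban's real sshd filter matches more message types.

```sh
#!/bin/sh
# Added example: a simplified model of the [sshd] jail thresholds, not Fail2Ban itself.
MAXRETRY=3      # maxretry from the jail above
FINDTIME=600    # findtime from the jail above, in seconds

# Constructed sample (documentation-range addresses), all on one day so that
# comparing HH:MM:SS is enough for this illustration.
SAMPLE_LOG='Mar 20 03:00:01 vps sshd[811]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 20 03:00:09 vps sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Mar 20 03:01:00 vps sshd[812]: Failed password for root from 198.51.100.4 port 40001 ssh2
Mar 20 03:02:15 vps sshd[813]: Accepted publickey for yourusername from 192.0.2.10 port 51515 ssh2
Mar 20 03:04:30 vps sshd[814]: Failed password for invalid user test from 203.0.113.7 port 50130 ssh2
Mar 20 03:09:00 vps sshd[815]: Failed password for root from 198.51.100.4 port 40002 ssh2
Mar 20 03:12:00 vps sshd[816]: Failed password for root from 198.51.100.4 port 40003 ssh2'

# Prints "IP TIME" for each address at the moment it would be banned.
would_ban() {
    awk -v maxretry="$MAXRETRY" -v findtime="$FINDTIME" '
        /sshd\[[0-9]+\]: Failed password/ {
            split($3, hms, ":")
            now = hms[1] * 3600 + hms[2] * 60 + hms[3]
            ip = ""
            # Take the token after the last "from" so a username of "from" cannot confuse it
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "" || (ip in banned)) next
            count[ip]++
            seen[ip, count[ip]] = now
            # Count only the failures that still fall inside the findtime window
            hits = 0
            for (j = 1; j <= count[ip]; j++)
                if (now - seen[ip, j] <= findtime) hits++
            if (hits >= maxretry) { banned[ip] = 1; print ip, $3 }
        }
    '
}

printf '%s\n' "$SAMPLE_LOG" | would_ban
```

The second address also fails three times, but its first attempt is 660 seconds before the third, so it never has three failures inside one findtime window.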

Quick Reference: Essential Commands

Commands you will use regularly when managing your Ubuntu VPS:

# System updates
sudo apt update && sudo apt upgrade -y

# Check disk space
df -h

# Check memory
free -h

# View running services
systemctl list-units --type=service --state=running

# View logs
journalctl -u nginx --since today
sudo tail -f /var/log/syslog

# Restart a service
sudo systemctl restart nginx

# Check open ports
sudo ss -tlnp

# Check firewall rules
sudo ufw status verbose

# Find large files
sudo find / -type f -size +100M 2>/dev/null

BlastVPS offers Ubuntu VPS hosting with NVMe storage, full root access, and one-click Ubuntu deployment. Get your server running in minutes with the performance and reliability your projects need.

Written by Thomas van Herk

Infrastructure Engineer

9+ years in server infrastructure, virtualization, and network architecture.
