From Fresh Install to Production-Ready Ubuntu VPS

Spinning up an Ubuntu VPS is only the first step. A production server needs a non-root admin user, a firewall, SSH hardening, automated updates, and a monitoring baseline before it runs anything public-facing. This guide walks through a reproducible setup for Ubuntu 22.04 LTS or Ubuntu 24.04 LTS, suitable for hosting web apps, APIs, and databases.

Step 1: Initial Login and System Update

After provisioning, log in as root using SSH:

ssh root@your-server-ip

Immediately update the package index and apply security patches:

apt update && apt upgrade -y
apt install -y curl wget vim htop ufw fail2ban unattended-upgrades

The unattended-upgrades package ensures future security updates apply automatically. Enable it with:

dpkg-reconfigure --priority=low unattended-upgrades

Step 2: Create a Non-Root Sudo User

Running everything as root is an invitation for disaster. Create a dedicated admin user:

adduser deploy
usermod -aG sudo deploy

Copy your SSH keys so the new user can log in:

rsync --archive --chown=deploy:deploy ~/.ssh /home/deploy

Test the new user in a separate terminal before you disconnect as root. If sudo -v works, proceed.

Step 3: Harden SSH

Edit /etc/ssh/sshd_config and set these values:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Port 2222

Changing the default port from 22 to something non-standard reduces automated brute-force traffic. Reload SSH and verify from a new session:

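systemctl reload ssh
# On Ubuntu 24.04 sshd is socket-activated; apply the new port with this instead:
#   systemctl daemon-reload && systemctl restart ssh.socket
ssh -p 2222 deploy@your-server-ip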
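
To confirm the Step 3 values actually took effect, the following added example (not part of the original guide) checks the effective configuration that sshd -T prints, since a drop-in file under /etc/ssh/sshd_config.d/ can override what you set in sshd_config. The function name, output messages and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare sshd's *effective* settings with the Step 3 values.
# Input on stdin is the text printed by `sshd -T` ("keyword value", lowercase).

# check_sshd_effective EXPECTED_PORT < effective-config
# Prints one line per finding; returns 0 only when every setting matches.
check_sshd_effective() {
    awk -v port="$1" '
        BEGIN {
            bad = 0
            want["permitrootlogin"]        = "no"
            want["passwordauthentication"] = "no"
            want["pubkeyauthentication"]   = "yes"
            want["port"]                   = port
        }
        # Every occurrence must match, so a leftover "port 22" is flagged too.
        ($1 in want) {
            seen[$1] = 1
            if ($2 != want[$1]) {
                printf "FAIL %s is %s (want %s)\n", $1, $2, want[$1]
                bad = 1
            }
        }
        END {
            for (k in want)
                if (!(k in seen)) { printf "MISSING %s\n", k; bad = 1 }
            exit bad
        }'
}

# Constructed samples (not real server output). In the first, a drop-in
# still enables passwords even though sshd_config says "no".
sample_overridden() {
    printf '%s\n' 'port 2222' 'permitrootlogin no' \
        'pubkeyauthentication yes' 'passwordauthentication yes'
}
sample_hardened() {
    printf '%s\n' 'port 2222' 'permitrootlogin no' \
        'pubkeyauthentication yes' 'passwordauthentication no'
}

# Demo on the constructed samples; on a server run as root:
#   sshd -T | check_sshd_effective 2222
sample_overridden | check_sshd_effective 2222 || echo "=> not hardened yet"
sample_hardened   | check_sshd_effective 2222 && echo "=> matches Step 3"
```

Run the check while the original root session is still open, so a failed result can be fixed before you lose access.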

For deeper coverage, see our Ubuntu VPS security hardening checklist.

Step 4: Configure the UFW Firewall

UFW (Uncomplicated Firewall) wraps iptables in friendlier syntax. Set a default-deny policy and open only what you need:

ufw default deny incoming
ufw default allow outgoing
ufw allow 2222/tcp comment 'SSH'
ufw allow 80/tcp comment 'HTTP'
ufw allow 443/tcp comment 'HTTPS'
ufw enable
ufw status verbose

Step 5: Install Fail2ban

Fail2ban bans IPs that repeatedly fail SSH authentication. Create /etc/fail2ban/jail.local:

[sshd]
enabled = true
port    = 2222
maxretry = 5
bantime  = 3600
findtime = 600

Then restart the service: systemctl restart fail2ban. Check status with fail2ban-client status sshd.

Step 6: Set the Timezone and NTP

Logs and cron jobs need accurate time. Configure the timezone and ensure systemd-timesyncd is syncing:

timedatectl set-timezone UTC
timedatectl status

UTC is the safest choice for servers - application-level timezones can be handled per user.

Step 7: Enable Swap (Optional but Recommended)

If your VPS has under 4 GB of RAM, a swap file prevents out-of-memory kills:

fallocate -l 2G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
echo '/swapfile none swap sw 0 0' >> /etc/fstab

Step 8: Install a Web Stack

Most Ubuntu servers will host a web app. Install Nginx as a starting point:

apt install -y nginx
systemctl enable --now nginx

For TLS certificates, follow our Let's Encrypt SSL guide. For reverse proxy patterns, see Nginx reverse proxy on Ubuntu.

Step 9: Set Up Monitoring and Backups

A production server without backups is a ticking clock. Schedule a nightly backup with cron and offload snapshots to remote storage. Our automated backups guide walks through restic, rsnapshot, and rclone.

Task              Tool                       Frequency
Security updates  unattended-upgrades        Daily
Backups           restic / rclone            Daily
Log rotation      logrotate                  Daily
Disk monitoring   Prometheus node_exporter   Continuous

Going Further

Once the base is solid, layer on application deployment, container runtimes, and observability tooling. Every service added should be firewall-scoped and run as a non-root user. Document your setup in a version-controlled Ansible playbook so it can be rebuilt in minutes.

Published by MassiveGRID - cloud hosting and managed infrastructure with 24/7 NOC and SOC coverage.