After successfully SSH-ing into your new server (for example 178.18.23.12), here's your step-by-step checklist to properly set it up for production use:
1. Verify Basic System Info
# Check OS version cat /etc/os-release # Check disk space df -h # Check memory free -h # Check CPU lscpu Why? Confirm you have the expected resources and OS version.
2. Change Default Passwords IMMEDIATELY
# Change root password (even if using SSH keys) passwd # If you created a sudo user: passwd yourusername Pro Tip: Use a 20+ character random password stored in a password manager.
3. Create a New Sudo User (Never Use Root Daily)
# Create user adduser yourusername # Grant sudo (Debian/Ubuntu) usermod -aG sudo yourusername # Grant sudo (CentOS/RHEL) usermod -aG wheel yourusername Now log out of root and use this user instead:
exit ssh yourusername@178.18.243.142 4. Set Up SSH Key Authentication
On your local machine (not the server):
ssh-keygen -t ed25519 -a 100 # Creates ~/.ssh/id_ed25519.pub ssh-copy-id yourusername@178.18.243.142 Then disable password logins:
sudo nano /etc/ssh/sshd_config Set:
PasswordAuthentication no PermitRootLogin no Restart SSH:
sudo systemctl restart sshd 5. Enable Automatic Security Updates
Debian/Ubuntu
sudo apt install unattended-upgrades sudo dpkg-reconfigure unattended-upgrades CentOS/RHEL
sudo yum install yum-cron sudo systemctl enable --now yum-cron 6. Configure a Firewall
UFW (Debian/Ubuntu)
sudo ufw allow 22/tcp # SSH sudo ufw allow 80/tcp # HTTP (if needed) sudo ufw enable firewalld (CentOS/RHEL)
sudo firewall-cmd --permanent --add-service=ssh sudo firewall-cmd --reload 7. Install Essential Tools
# For Debian/Ubuntu sudo apt install -y htop nano git curl fail2ban # For CentOS/RHEL sudo yum install -y htop nano git curl epel-release sudo yum install -y fail2ban 8. Set Up Basic Monitoring
Install and Configure Fail2Ban
sudo systemctl enable --now fail2ban Check Logs Regularly
# Failed SSH attempts sudo grep "Failed" /var/log/auth.log # Debian/Ubuntu sudo grep "Failed" /var/log/secure # CentOS/RHEL # Active connections ss -tulnp 9. Secure Critical Files
# Make sensitive files immutable sudo chattr +i /etc/passwd /etc/shadow /etc/group /etc/sudoers # Restrict cron access sudo rm /etc/cron.deny # Delete if exists echo "yourusername" | sudo tee /etc/cron.allow 10. What Next? Depends on Your Use Case
For Web Servers:
sudo apt install nginx # or apache2 sudo ufw allow 80/tcp sudo ufw allow 443/tcp For Database Servers:
sudo apt install mysql-server sudo mysql_secure_installation For Development:
# Install Docker curl -fsSL https://get.docker.com | sudo sh sudo usermod -aG docker yourusername Bonus: First Night Checklist
✅ All default passwords changed
✅ Root SSH login disabled
✅ SSH keys configured (password auth disabled)
✅ Firewall active with minimal ports open
✅ Automatic updates enabled
✅ Basic monitoring (Fail2Ban) running
✅ Critical files secured
After this: Proceed with your specific application setup (WordPress, Node.js, game server, etc.).
Emergency Reminder
Always keep a backup SSH session open when making critical changes! If you lock yourself out:
- Use your hosting provider's VNC console access
- For cloud servers (AWS/Azure/GCP), use their rescue mode
Top comments (0)