Why the first 10 minutes matter
The internet starts scanning your IP within seconds of provisioning. Default ports, default usernames, and password-only SSH are an open door. This guide walks the minimum set of changes that block the noisy 99% of automated attacks.
1 — Update everything
```bash
apt update && apt upgrade -y
```
On RHEL-family distros use `dnf upgrade -y` instead.
2 — Create a non-root user
```bash
adduser deploy
usermod -aG sudo deploy
```
Now log out and back in as `deploy`. Don't use root for day-to-day work.
3 — Lock down SSH
Edit `/etc/ssh/sshd_config`:
```
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
```
Copy your public key first (`ssh-copy-id [email protected]`), test in a second terminal, then `systemctl restart sshd`. Keep the first session open until you've confirmed the new login works.
4 — Firewall
```bash
ufw default deny incoming
ufw default allow outgoing
ufw allow OpenSSH
ufw enable
```
Add `ufw allow 80,443/tcp` if you're hosting web traffic.
5 — Automatic security updates
```bash
apt install unattended-upgrades
dpkg-reconfigure --priority=low unattended-upgrades
```
6 — fail2ban (optional but cheap)
```bash
apt install fail2ban
systemctl enable --now fail2ban
```
The defaults block IPs after 5 failed SSH attempts.
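Before you restart sshd in step 3, confirm the values sshd will actually use rather than trusting the lines you edited: sshd keeps the first value it reads for each keyword, and Include files are read at the point of the Include line, so a distro or cloud-init drop-in under `/etc/ssh/sshd_config.d/` that sets `PasswordAuthentication yes` ahead of your edits wins silently. The audit below is an added example, not part of this guide; it assumes absolute Include paths, checks only global settings (it stops at the first `Match` block), and builds its own constructed sample config instead of touching the live one.

```bash
#!/bin/sh
# Added example: report the EFFECTIVE values of the step-3 directives.
# sshd uses the FIRST value seen per keyword; Includes are read in place.

# Emit "keyword value" lines in sshd's read order (keyword lower-cased).
# Assumes absolute Include paths; stops at the first Match block.
flatten_sshd_config() {
    while IFS= read -r line || [ -n "$line" ]; do
        kw=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]=].*$//' \
             | tr '[:upper:]' '[:lower:]')
        val=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*[^[:space:]=]*[[:space:]=]*//; s/[[:space:]]*$//')
        case "$kw" in
            ''|'#'*) ;;
            match) break ;;
            include) for inc in $val; do   # unquoted on purpose: expands the glob
                         [ -f "$inc" ] && ( flatten_sshd_config "$inc" )
                     done ;;
            *) printf '%s %s\n' "$kw" "$val" ;;
        esac
    done < "$1"
}
# First value wins, as sshd resolves it ("" means the compiled-in default).
effective_value() {   # $1 = config path, $2 = lower-case keyword
    flatten_sshd_config "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}
# Check the three step-3 directives; returns 1 if any is not as wanted.
audit_sshd() {
    rc=0
    for want in permitrootlogin=no passwordauthentication=no pubkeyauthentication=yes; do
        k=${want%=*}; expect=${want#*=}; got=$(effective_value "$1" "$k")
        if [ "$got" = "$expect" ]; then echo "ok   $k = $got"
        else echo "FAIL $k = '${got:-<default>}' (want $expect)"; rc=1; fi
    done
    return $rc
}
# Constructed sample (not your live config): a top-level file whose Include
# precedes the hardening edits, plus a cloud-init style drop-in that
# re-enables passwords.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/sshd_config.d"
printf 'PasswordAuthentication yes\n' > "$DEMO/sshd_config.d/50-cloud-init.conf"
cat > "$DEMO/sshd_config" <<EOF
Include $DEMO/sshd_config.d/*.conf
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
audit_sshd "$DEMO/sshd_config" || echo "FIX: change the drop-in too, then re-run"
```

On the real host, `sudo sshd -T | grep -iE 'passwordauthentication|permitrootlogin'` is sshd's own answer for the effective configuration and is the final check before the restart.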
Done. You've moved from "anyone can knock on the door" to "only your key works, and brute-force attempts get banned."