A fresh Ubuntu 24.04 VPS has a very wide attack surface: password SSH is enabled, no firewall is configured, and automatic updates aren't running. This checklist covers the minimum steps to harden a new server before you put anything on it.

1. SSH Key Auth Only

Disable password authentication immediately. If you haven't already copied your public key, do that first:

ssh-copy-id -i ~/.ssh/id_ed25519.pub user@your-server-ip

Then edit /etc/ssh/sshd_config:

PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes

Restart: systemctl restart ssh. Test in a new terminal before closing your existing session.

2. UFW Firewall

ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable

3. Fail2Ban

Install and configure Fail2Ban to block brute-force SSH attempts:

apt install fail2ban -y
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit /etc/fail2ban/jail.local and set bantime = 1h and maxretry = 5 under [sshd]. Restart: systemctl restart fail2ban.

4. Automatic Security Updates

apt install unattended-upgrades -y
dpkg-reconfigure --priority=low unattended-upgrades

This ensures security patches are applied without manual intervention.

5. Swap Space

For small VPS nodes (1–2 GB RAM), add a swap file to prevent OOM kills during traffic spikes:

fallocate -l 2G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
echo '/swapfile none swap sw 0 0' >> /etc/fstab

With these five steps done your server is meaningfully hardened before you install anything else. It won't stop a targeted attack, but it eliminates the vast majority of automated exploitation attempts that hit fresh VPS nodes within minutes of provisioning.