After setting up a fresh Ubuntu 24.04 VPS, the first priority is hardening it before hosting anything public. In this guide, I’ll walk through the essential steps: securing access with SSH keys, disabling password login, creating a non-root sudo user, enabling automatic updates, setting up a firewall, and adding brute-force protection with Fail2Ban.
I’ve always wanted to own a VPS as a small corner of the internet where I could run web apps, test scripts, and learn by doing. But I could never quite justify the monthly cost or find the time to manage one. Instead, I stayed busy with virtual machines on my PC and laptop, which kept my curiosity satisfied for a while.
I also spent a lot of time building EVE, my NAS — a ZimaBlade powered by Unraid OS, and that kept me busy in the best way possible. I even exposed a few web apps to the internet using Cloudflare Tunnels, which removed a lot of the reasons I thought I needed a VPS in the first place.
Still, I kept browsing VPS providers, comparing specs, checking prices, closing the tab, and coming back a week later. Classic denial.
Then RackNerd happened.
I found a deal that was too good to ignore: a 2 GB KVM VPS for just $35.99/year. At that point, it wasn’t really a financial decision anymore. I had no excuse not to try it. So I took the plunge and decided to treat it as a new playground to learn, experiment, and build in public. I’m calling it Nova Workshop.
The plan is to move some of what I’ve been building on Unraid at home into the cloud, make it public-facing, and document each step along the way. There will be a learning curve, but the core principles stay the same. If you’ve been thinking about getting your own VPS, I hope this series gives you the push you need.
Let’s start by securing the server.
Enable Multi-Factor Authentication on Your VPS Account
Before logging into the server itself, secure your hosting account and control panel with multi-factor authentication. This adds an important layer of protection even if your password is compromised.
First, secure the RackNerd login portal:
- After logging in, click Hello, username and select Security Settings.
- Click Enable and save the one-time recovery codes.
- Store those codes in a safe place, such as a password manager.
Next, secure the RackNerd VPS control panel:
- Log in and click your username.
- Select My Account.
- Change your system-generated password.
- Under account settings, click Enable next to Two-Factor Authentication.
- Save the recovery codes again in a safe place.
Don’t forget to save the one-time recovery codes. If you lose access to your 2FA device, these codes will be your only way back in. Store them somewhere safe, such as your favorite password manager.
That’s it — both accounts are now protected with 2FA.
Log In to the Server and Update It
Now it’s time for the first login to Nova Workshop. I’m using PuTTY because it makes SSH session management easy on Windows. After your purchase, RackNerd should have emailed your VPS login details, and you can also find them in the portal.
After logging in as root, I saw this message:
Welcome to Ubuntu 24.04 LTS (GNU/Linux 6.8.0-31-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Sat Jun 27 07:37:22 AM UTC 2026
System load: 0.07 Processes: 109
Usage of /: 9.0% of 33.38GB Users logged in: 0
Memory usage: 14% IPv4 address for eth0: ###.###.###.###
Swap usage: 0%
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
Expanded Security Maintenance for Applications is not enabled.
166 updates can be applied immediately.
1 of these updates is a standard security update.
To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
*** System restart required ***
Pending kernel upgrade!
Running kernel version:
6.8.0-31-generic
Diagnostics:
The currently running kernel version is not the expected kernel version 6.8.0-124-generic.
The server is telling us two important things:
- updates are available
- a reboot is required
Run the update immediately:
apt update && apt upgrade -y && apt autoremove -y && reboot
This gives you a clean, fully patched baseline before you continue hardening.
Create a Non-Root Sudo User
Do not use the root account for daily administration. Create a separate user with sudo privileges so you can manage the server with less risk if credentials are ever exposed.
Assuming the username is deploy:
adduser deploy
usermod -aG sudo deploy
Set a strong password when prompted, then open a new PuTTY session and log in with the new user.
Generate and Install SSH Keys
Set up SSH key authentication so you can log in without passwords. Generate a key pair on your local machine, then copy the public key to the server and test the connection before disabling password login.
PuTTY does not use OpenSSH keys directly; it uses its own .ppk format. You can convert keys with PuTTYgen, which is included with PuTTY, or generate a new key pair in PuTTYgen. If you want a step-by-step walkthrough, this guide by CloudSigma is helpful.
**Important:** When copying your public key from PuTTYgen, paste the plain public key text into ~/.ssh/authorized_keys on the VPS. Do not copy from the .ppk file. The .ppk format includes header and footer lines that OpenSSH will not accept:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20260627"
---- END SSH2 PUBLIC KEY ----
Set the correct permissions:
chmod 0700 ~/.ssh
chmod 0600 ~/.ssh/authorized_keys
Once configured, open a new PuTTY session and log in using your private key.
Create SSH Keys on Windows
If you are not using PuTTY’s built-in key manager, create the key pair with ssh-keygen on Windows. The commands below use Command Prompt syntax; in PowerShell, write $env:USERPROFILE in place of %USERPROFILE%.
cd "%USERPROFILE%"
mkdir "%USERPROFILE%\.ssh"
cd .ssh
ssh-keygen -t ed25519 -a 100 -f "%USERPROFILE%\.ssh\racknerd"
This creates two files:
- C:\Users\you\.ssh\racknerd: private key (never share this)
- C:\Users\you\.ssh\racknerd.pub: public key (this goes on the server)
Copy the Public Key to Your VPS
Open the .pub file in Notepad or use PowerShell:
type $env:USERPROFILE\.ssh\racknerd.pub
Copy the output, then on the VPS run:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys
Paste the public key, save the file, then set the correct permissions:
chmod 600 ~/.ssh/authorized_keys
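Before relying on the key, it helps to confirm that what was pasted into authorized_keys is a one-line OpenSSH key and not the wrapper lines quoted earlier. The check below is an added example, not part of the original guide; the function name and both samples are constructed for illustration, and it only checks the shape of each line.

```shell
#!/usr/bin/env bash
# Added example: shape check for authorized_keys content (not a cryptographic parse).
# Usage on the VPS:  check_authorized_keys < ~/.ssh/authorized_keys

# Reads authorized_keys text on stdin. Prints one line per rejected entry and
# returns non-zero if any entry is not a one-line OpenSSH public key.
check_authorized_keys() {
    awk '
    BEGIN {
        keytype = "^(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh[.]com)$"
        blob    = "^AAAA[A-Za-z0-9+/]+=*$"
    }
    NF == 0 || $1 ~ /^#/ { next }        # blank lines and comments are fine
    {
        ok = 0
        # Options may precede the key type, so scan every field pair.
        for (i = 1; i < NF; i++)
            if ($i ~ keytype && $(i + 1) ~ blob) ok = 1
        if (ok) next
        bad++
        if ($0 ~ /^---- (BEGIN|END) SSH2 PUBLIC KEY ----/)
            why = "SSH2 wrapper line"
        else if ($0 ~ /^PuTTY-User-Key-File-/)
            why = "PuTTY .ppk private key file content"
        else if ($0 ~ /^[A-Za-z-]+: /)
            why = "header line from a multi-line key file"
        else
            why = "no \"<key-type> <base64>\" pair on this line"
        printf "line %d: %s\n", NR, why
    }
    END { exit (bad > 0) }
    '
}

# Constructed sample: the wrapper lines quoted above pasted into authorized_keys
# (the base64 body line is shortened and is not a real key).
SAMPLE_PASTED_FILE='---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20260627"
AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedNotARealKey
---- END SSH2 PUBLIC KEY ----'

# Constructed sample: the one-line form OpenSSH expects (placeholder key material).
SAMPLE_ONE_LINE='# deploy user
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedNotARealKey0000000000000000000 deploy@laptop'
```

If a line is rejected, replace it with the single-line key text from PuTTYgen or the .pub file before you disable password login in the next section.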
Harden SSH Access
Once key-based login is working, disable password authentication and root login in the SSH configuration. Keep your current session open until you confirm that key-based login works in a new terminal.
Edit the SSH daemon configuration:
sudo nano /etc/ssh/sshd_config
Set:
PermitRootLogin no
PubkeyAuthentication yes
Save and exit the file.
Then edit the cloud-init drop-in file:
sudo nano /etc/ssh/sshd_config.d/50-cloud-init.conf
Change:
PasswordAuthentication yes
to:
PasswordAuthentication no
Validate the configuration and reload SSH:
sudo sshd -t && sudo systemctl reload ssh
Your server is now locked down: root login is disabled, password authentication is off, and only your non-root user with the correct private key can access the VPS.
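sshd uses the first value it reads for each keyword, and Ubuntu's sshd_config includes the sshd_config.d drop-ins near the top, which is why the cloud-init file had to be edited as well. The check below is an added example, not part of the original guide: it compares the effective settings printed by sshd -T with the values set above. The function name and sample outputs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: check effective sshd settings against the values set in this guide.
# Usage on the VPS:  sudo sshd -T | audit_sshd
# (sshd -T prints the effective configuration after every Include file is merged.)

# Hardened values from the steps above, one keyword=value per line.
EXPECTED='permitrootlogin=no
passwordauthentication=no
pubkeyauthentication=yes'

# Reads "keyword value" lines on stdin, prints one line per mismatch,
# and returns 0 only when every expected keyword has the expected value.
audit_sshd() {
    _dump=$(tr '[:upper:]' '[:lower:]')
    _rc=0
    while IFS='=' read -r _key _want; do
        _got=$(printf '%s\n' "$_dump" | awk -v k="$_key" '$1 == k { print $2; exit }')
        if [ -z "$_got" ]; then
            echo "MISSING $_key (expected $_want)"; _rc=1
        elif [ "$_got" != "$_want" ]; then
            echo "FAIL $_key is $_got, expected $_want"; _rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$_rc"
}

# Constructed sample: relevant lines of sshd -T when a drop-in such as
# 50-cloud-init.conf still carries "PasswordAuthentication yes".
SAMPLE_DROPIN_WINS='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes'

# Constructed sample: the same lines after both files are edited.
SAMPLE_HARDENED='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'
```

Run it from the session you kept open, and only close that session once the check passes and a key-based login succeeds in a new terminal.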
Set the Correct Timezone
Set the server timezone to match your region so logs and timestamps are easier to read during troubleshooting.
Check the current timezone:
timedatectl
The output shows the server is using UTC, which isn’t my timezone:
Local time: Sat 2026-06-27 17:11:40 UTC
Universal time: Sat 2026-06-27 17:11:40 UTC
RTC time: Sat 2026-06-27 17:11:40
Time zone: Etc/UTC (UTC, +0000)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
List available zones:
timedatectl list-timezones | grep America
timedatectl list-timezones | grep Europe
timedatectl list-timezones | grep Asia
Once you find your timezone, run the following command, replacing Region/City with yours:
sudo timedatectl set-timezone Region/City
Confirm the changes by running timedatectl or date.
Enable Automatic Security Updates
Install unattended upgrades so the server can apply important security updates without waiting for manual intervention. This helps reduce exposure to known vulnerabilities.
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
To verify that it’s working:
systemctl status unattended-upgrades
systemctl status apt-daily-upgrade.timer
cat /var/log/unattended-upgrades/unattended-upgrades.log
Configure the Firewall with UFW
UFW (Uncomplicated Firewall) is Ubuntu’s simple firewall tool. It is a user-friendly layer over iptables that makes it easy to allow only the traffic you actually need and keeps firewall rules easy to write and audit.
Use UFW to allow SSH, HTTP, and HTTPS. Make sure SSH is allowed before enabling the firewall so you do not lock yourself out.
sudo apt install ufw
sudo ufw allow OpenSSH
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
sudo ufw status numbered
Install Fail2Ban
Fail2Ban helps protect SSH by temporarily blocking repeated failed login attempts. Dejan Panovski has covered the steps very well in his article How to Install and Configure Fail2ban on Ubuntu 20.04.
Run the following commands to install it:
sudo apt update
sudo apt install fail2ban
sudo systemctl status fail2ban
Create a .local configuration file from the default jail.conf file:
sudo cp /etc/fail2ban/jail.{conf,local}
Then, in jail.local, set:
bantime = 3h
Restart the service to apply the new change.
sudo systemctl restart fail2ban
Check the status of the fail2ban active jails and your current failed count:
sudo fail2ban-client status
sudo fail2ban-client status sshd
Run a Baseline Performance Check with YABS
If you want a quick snapshot of VPS performance, run YABS after the server is configured. This is optional, but it gives you a baseline for CPU, disk, and network performance. This is a simple step as we can use yabs.sh by running the following command.
curl -sL https://yabs.sh | bash
Or if you want to save the output to yabs_output.log.
curl -sL https://yabs.sh | bash 2>&1 | tee yabs_output.log
To skip network and disk tests:
curl -sL https://yabs.sh | bash -s -- -i -r
Both commands run Yet Another Benchmark Script (YABS), but they differ in flags and behavior:
- -s (curl): Silent mode — no progress or errors shown
- -L (curl): Follow redirects
- bash -s: Reads script from stdin
- -- (bash): Signals end of bash options (so -i -r go to the script, not bash)
- -i (YABS flag): Skip the iperf3 network test
- -r (YABS flag): Skip the fio disk test
The command curl -sL https://yabs.sh | bash -s -- -i -r runs the Geekbench CPU benchmark, skipping network and disk tests. It’s faster and less I/O intensive.
Summary Table
| Aspect | ... -i -r | bash (no flags) |
|---|---|---|
| Disk test (fio) | ⏭ Skipped (-r) | ✅ Runs |
| Network test (iperf3) | ⏭ Skipped (-i) | ✅ Runs |
| CPU benchmark | ✅ Runs | ✅ Runs |
| Speed | Faster | Slower |
| Disk writes | None | Yes |
You can submit your YABS benchmark results to VPSBenchmarks and save them for reference and as a baseline.
Now Nova has a secure baseline and is ready for future deployments. Are you thinking of owning your own cloud VPS? Check out the 2 GB KVM VPS for just $35.99/year.
Closing summary
In a few steps, you can turn a fresh Ubuntu 24.04 VPS into a much safer system: use SSH keys, disable password and root login, keep updates automatic, restrict traffic with UFW, and add Fail2Ban for extra protection. These are the core hardening steps I recommend before deploying anything public.
 on [Unsplash](https://unsplash.com/photos/text-4Mw7nkQDByk)](https://baderalrowaiei.com/photos/gabriel-heinzer-4Mw7nkQDByk-unsplash.jpg)