I have always wanted to own a VPS (Virtual Private Server), a little corner of the internet where I could run web applications, experiment with scripts, and learn by doing. The idea was exciting, but I could never quite justify the monthly cost or carve out the time to tinker with one. Instead, I was getting my fix by running virtual machines on my PC and laptop, which kept my curiosity satisfied for a while.

I also spent a good chunk of time building out EVE, my NAS — a ZimaBlade powered by Unraid OS — and that kept me busy in the best way possible. I even managed to expose a few web applications to the internet using Cloudflare Tunnels, which honestly removed a lot of the reasons I thought I needed a VPS in the first place. Privacy and keeping my data close to home were always my top priorities, and my local setup delivered exactly that.

Still, I kept finding myself browsing VPS providers and comparing specs, checking prices, closing the tab, and coming back a week later. Classic denial. I knew I was happy with what I had, so I kept talking myself out of it.

Then RackNerd happened.

I stumbled across a deal that was simply too good to ignore: a 2 GB KVM VPS for just $35.99/year. At that price, it wasn’t really a financial decision anymore. It was a no-brainer. I had no excuse not to try it. So I took the plunge, and I’m treating this as a new playground to learn, experiment, and build in public. I’m calling it Nova Workshop.

The plan is to migrate some of what I’ve been quietly building on Unraid at home into the cloud, make it public-facing, and document every step along the way. There will be a learning curve, sure, but the core principles remain the same. If you’ve been on the fence about getting your own VPS, I hope this series gives you the nudge you need and shows you just how much you can do with a server of your own.

Let’s start building! But first, let’s focus on securing our logins.

Secure Your Logins with Multi-Factor Authentication

Your new account needs to be hardened with two-factor authentication (2FA) to prevent unauthorized access in case of a compromised password. First, we will work on securing the login to the RackNerd Login Portal:

  1. After you log in, click on Hello, username and select Security Settings. Then, click on Enable and don’t forget to save the one-time recovery codes. If you ever lose access to your 2FA device and cannot receive authentication codes, these recovery codes will be used to log in. Make sure to save them in a safe place, such as your favorite password manager.

  2. Next, we will secure our RackNerd VPS Control Panel. After you log in, click on your username and select My Account. Change your password, since it was assigned by the system and sent to you via email, then click Update. Under account settings, click Enable next to Two-Factor Authentication. Again, don’t forget to save the one-time recovery codes: if you lose access to your 2FA device, these codes will be your only way back in. Store them somewhere safe, such as your favorite password manager.

How to Enable Two-Factor Authentication on the RackNerd VPS Control Panel (SolusVM)

Watch this demonstration video for the steps on how to enable 2FA in SolusVM.

That’s it, both RackNerd accounts are secured with 2FA!

Your First VPS Login

Now, I’m excited to do my first login to Nova Workshop. I’m using PuTTY for its ease of SSH client management. After your purchase, you should have received your KVM VPS Login Information from RackNerd via email, or you can find it in the portal. After the first login using the root username, the terminal presented the following message:

Welcome to Ubuntu 24.04 LTS (GNU/Linux 6.8.0-31-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sat Jun 27 07:37:22 AM UTC 2026

  System load:  0.07              Processes:             109
  Usage of /:   9.0% of 33.38GB   Users logged in:       0
  Memory usage: 14%               IPv4 address for eth0: ###.###.###.###
  Swap usage:   0%

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is not enabled.

166 updates can be applied immediately.
1 of these updates is a standard security update.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


*** System restart required ***
Pending kernel upgrade!
Running kernel version:
  6.8.0-31-generic
Diagnostics:
  The currently running kernel version is not the expected kernel version 6.8.0-124-generic.

Starting with the easiest one first, let’s reboot the server by typing reboot. After we log in again, let’s do the regular update maintenance:

apt update && apt -y upgrade && apt -y autoremove && reboot

This will update the package lists, upgrade installed packages, and autoremove dependencies that are no longer needed, then reboot. Give that some time to process, then restart the session.

Create a Non-Root User

Running everything as root is risky, so we will create a user and add it to the sudo group. Assuming the user name is deploy:

adduser deploy
usermod -aG sudo deploy

Set a strong password when prompted. Then, open a new PuTTY session and log in with the newly created username.

Configure PuTTY for Public and Private Key Authentication

PuTTY cannot read OpenSSH format keys directly, as it uses its own .ppk format. You will need to convert your keys using PuTTYgen, which is bundled with PuTTY, or generate a new key pair directly in PuTTYgen. This guide by CloudSigma has clear step-by-step instructions on how to set it up.

Note: When copying your public key from PuTTY Key Generator, always paste the key directly from the generator’s text box into the ~/.ssh/authorized_keys file on your VPS — do not open the .ppk file and copy from there. The .ppk format includes header and footer lines that OpenSSH will not accept:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20260627"
---- END SSH2 PUBLIC KEY ----

I set the permissions as follows:

chmod 0700 ~/.ssh
chmod 0600 ~/.ssh/authorized_keys

Once configured, open a new PuTTY connection and log in using your private key.

Create SSH Keys

Follow these steps if you aren’t going to use PuTTY’s built-in key management. On your Windows computer, open Command Prompt or PowerShell as administrator — not in PuTTY — and type cd "%USERPROFILE%" to navigate to your user profile directory. Type dir to check if a .ssh folder exists. If it does, move into it with cd .ssh. If it doesn’t, create it first with mkdir "%USERPROFILE%\.ssh", then move into it with cd .ssh. Next, run the following command to generate an SSH key pair, replacing YOUR-KEY-NAME with something meaningful like racknerd:

ssh-keygen -t ed25519 -a 100 -f "%USERPROFILE%\.ssh\YOUR-KEY-NAME"

This will create two files:

  • C:\Users\you\.ssh\racknerd — private key (never share this)
  • C:\Users\you\.ssh\racknerd.pub — public key (this goes on the server)

Copy the Public Key to Your VPS

You can navigate to the file using File Explorer and open it with Notepad, or run the following command in PowerShell:

type $env:USERPROFILE\.ssh\racknerd.pub

Copy that output, then in your PuTTY session logged in as your new user, run:

mkdir -p ~/.ssh
chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys

Paste the public key in, save with Ctrl+X, then Y, then Enter. Finally, set the correct permissions:

chmod 600 ~/.ssh/authorized_keys
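A paste mistake in authorized_keys (the header and footer lines from the PuTTY note above, or a key wrapped across several lines) makes sshd ignore the key without any visible error. The following lint is an added example, not part of the original post; the function name and the sample entries are constructed for illustration, and the sample key is a placeholder, not a real key.

```shell
#!/usr/bin/env bash
# Added example: lint authorized_keys content for common paste mistakes.

lint_authorized_keys() {
  # stdin: contents of an authorized_keys file.
  # Prints one finding per bad line; exit status 0 only when every entry
  # is a single line of the form "[options] key-type base64-blob [comment]".
  awk '
    BEGIN {
      bad = 0
      types = "^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com)$"
      blob  = "^AAAA[A-Za-z0-9+/]+=*$"   # every OpenSSH key blob starts with AAAA
    }
    { sub(/\r$/, "") }                    # tolerate CRLF from a Windows paste
    /^[ \t]*$/ || /^[ \t]*#/ { next }     # blank lines and comments are fine
    /^---- (BEGIN|END) SSH2 PUBLIC KEY ----/ || /^Comment:/ {
      printf "line %d: SSH2 wrapper line, not OpenSSH one-line format\n", NR
      bad = 1
      next
    }
    {
      ok = 0
      for (i = 1; i <= NF; i++)
        if ($i ~ types && $(i + 1) ~ blob) ok = 1
      if (!ok) {
        printf "line %d: no key type followed by a base64 key blob\n", NR
        bad = 1
      }
    }
    END { exit bad }'
}

# Constructed sample: a saved public-key file pasted in whole.
sample_wrapped='---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20260627"
AAAAB3NzaC1yc2EAAAADAQABAAABAQ
---- END SSH2 PUBLIC KEY ----'

# Constructed sample: one-line OpenSSH entry (placeholder blob, not a real key).
sample_ok='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDxSAMPLExKEYxNOTxREALx00000000000 deploy@nova'
```

On the VPS, run it as lint_authorized_keys < ~/.ssh/authorized_keys before closing the session you are logged in with.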

Harden Login via SSH

In your terminal, edit the SSH daemon configuration file:

sudo nano /etc/ssh/sshd_config

Find the line that reads PermitRootLogin yes and change it to PermitRootLogin no. Just below it, find #PubkeyAuthentication yes and remove the # to activate it. Save and exit the file. Then open the cloud-init config:

sudo nano /etc/ssh/sshd_config.d/50-cloud-init.conf

Change PasswordAuthentication yes to PasswordAuthentication no. Finally, validate and reload the SSH service:

sudo sshd -t && sudo systemctl reload ssh

Your server is now locked down: root login is disabled, password authentication is off, and only your non-root user with the correct private key can access the VPS.
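Because the settings are split across sshd_config and a drop-in file, it is worth checking the values sshd actually resolved before closing your current session. The audit below is an added example, not part of the original post; the function name and the sample inputs are constructed, and it reads the "keyword value" lines that sshd -T prints.

```shell
#!/usr/bin/env bash
# Added example: audit the effective sshd settings.
# sshd keeps the first value it reads for each keyword, and Ubuntu's
# sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf", so a
# drop-in such as 50-cloud-init.conf overrides a later line in sshd_config.

audit_sshd() {
  # stdin: "keyword value" lines as printed by `sshd -T`.
  # Prints one FAIL line per problem; exit status 0 only when all match.
  awk '
    BEGIN {
      bad = 0
      want["permitrootlogin"]        = "no"
      want["passwordauthentication"] = "no"
      want["pubkeyauthentication"]   = "yes"
    }
    {
      key = tolower($1)
      if (key in want) {
        seen[key] = 1
        if (tolower($2) != want[key]) {
          printf "FAIL %s is %s, expected %s\n", key, $2, want[key]
          bad = 1
        }
      }
    }
    END {
      for (k in want)
        if (!(k in seen)) { printf "FAIL %s not reported\n", k; bad = 1 }
      exit bad
    }'
}

# Constructed sample: sshd_config was edited, the drop-in still allows passwords.
sample_weak='permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes'

# Constructed sample: the state this section aims for.
sample_hardened='permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'
```

On the VPS, run it as sudo sshd -T | audit_sshd and keep the existing session open until a second PuTTY window logs in with the key.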

Change The Timezone

I want to prevent future headaches and time conversion calculations from UTC to my local timezone. To do that, we will type timedatectl.


               Local time: Sat 2026-06-27 17:11:40 UTC
           Universal time: Sat 2026-06-27 17:11:40 UTC
                 RTC time: Sat 2026-06-27 17:11:40
                Time zone: Etc/UTC (UTC, +0000)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

The output indicates the server is using UTC timezone which isn’t my timezone.

To see the list of zones, run the command for your region, or the last one for the full list:

timedatectl list-timezones | grep America
timedatectl list-timezones | grep Europe
timedatectl list-timezones | grep Asia

timedatectl list-timezones

After you find your timezone, run the following command, replacing Region/City with yours.

sudo timedatectl set-timezone Region/City

Confirm the changes by running timedatectl or date.

Configure Unattended Upgrades

Since I’m planning to host applications, I don’t want to manually handle security patches for every vulnerability.

sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

To check the status of unattended-upgrades, run sudo systemctl status unattended-upgrades, and to verify the “Daily” auto update is active, run systemctl status apt-daily-upgrade.timer. We don’t need to guess whether the automation is working: the logs show the history of what has been patched automatically. To read them, run cat /var/log/unattended-upgrades/unattended-upgrades.log.

Set Up a Firewall (UFW)

UFW (Uncomplicated Firewall) is the standard tool on Ubuntu for managing iptables. It acts as a user-friendly layer that makes complex firewall rules easy to write and audit.

sudo apt install ufw
sudo ufw allow OpenSSH
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

After you type y for yes, run sudo ufw status numbered to check the status.