VPS Security Settings: SSH, Firewall & Passwordless Login Setup Before Hosting

Complete VPS Setup Guide

Learn how to securely set up and configure your VPS for hosting web applications

Introduction to SSH

SSH (Secure Shell) is a protocol used to securely connect to remote computers or servers over a network. You interact with it through the ssh program, which comes by default on Linux, macOS, and Windows.

Connecting to VPS using SSH

SSH can be used to connect to your VPS.

ssh root@62.72.59.218
# Here, root is the username. That's what Hostinger gave us.
# It might be different depending on your VPS provider.
# The part after `@` is the IP address of the VPS.

When you first connect, it will ask whether you want to continue connecting. If you say yes, it stores the fingerprint of this server on your computer. The next time you connect, it checks whether the fingerprint is still the same; if it isn't, it won't let you connect. If you can't log in at that point, your server might have been compromised.

It will then ask for your password. Enter your password.

Updating Package Repositories, and Upgrading Packages

One of the first things you should do when you buy a VPS is to update the package repositories and upgrade all packages.

Updating Package Lists

apt update

Our VPS uses Ubuntu, hence we are using the APT package manager. On any Debian-based distribution, you are going to use APT. If your VPS uses another Linux distribution, you can search online for the equivalent command. For example, Red Hat-based distributions like CentOS, Fedora, etc. use dnf, so you can just replace apt with dnf.

apt update doesn't upgrade your packages, but it updates the package list on a Debian-based Linux system (like Ubuntu). It fetches the latest metadata about available software packages from the repositories configured in your system.

Upgrading Packages

apt upgrade

This will upgrade all the upgrade-able packages in your system.

Check whether a reboot is required. If it is, reboot.

cat /var/run/reboot-required

If /var/run/reboot-required file exists then it means that reboot is required.

You can go to your VPS dashboard, and reboot your VPS from there.

If you aren't using Hostinger, look for this feature in your provider's dashboard. If you can't find it, you can also use this command via SSH:

reboot

Creating Non-Root User

We are using the root user right now. It can be extremely risky to always be logged in as root, and it's generally recommended to use a non-root user and to use superuser permissions only when we know they are right and needed. We will now create a new user who can't run superuser commands by default, but can when needed. This step is not needed if your VPS already gives you a non-root user.

adduser thapa

This will create a new user with the name thapa

This will ask for a new password. Make sure to choose a password different from the root user's for security purposes.

We added a new user, but the new user can't run superuser commands even when needed. We will add the new user to the sudo group, which will allow them to use superuser commands.

usermod -aG sudo thapa

You can use groups username to check whether the new user has been added to the sudo group.

Let's exit our SSH connection, and try logging in as new user.

ssh thapa@62.72.59.218

Now, if you try to run any superuser command like apt install, apt update, or apt upgrade, you will get an error.

You have to prefix superuser commands with sudo.

Just for testing, we are installing neovim, a popular text editor that can be used from the terminal.

Setting up SSH Keys for connecting to VPS

We have been using passwords for authentication so far, but we are now going to switch to SSH keys and turn off password login. This is because anyone can brute-force the password and connect to our VPS if we have a weak password.

Creating a SSH Key

ssh-keygen -t ed25519 -C "your_email@example.com"

# If you are using a legacy system that doesn't support the Ed25519 algorithm, use:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

The same command works on macOS and Linux too. Remember that when it asks for the file name, you have to write either an absolute path or a path relative to your current directory that points into the .ssh folder.

Typically, the key is stored in the .ssh folder in the user's home directory on Windows, macOS, and Linux (C:\Users\Username\.ssh on Windows, ~/.ssh on macOS and Linux).

On Windows, Turn on SSH Agent Service

Get-Service -Name ssh-agent | Set-Service -StartupType Automatic
Start-Service ssh-agent

Open PowerShell as administrator, and paste those two commands. This makes sure the ssh-agent service starts every time you restart your PC.

Alternatively, you can also turn it on through the GUI.

Search for Services in Windows Search, and look for "OpenSSH". Then right-click it, and click Properties.

Change it to Automatic if it isn't already. You can also start it from there.

Adding newly created SSH key in ssh-agent

ssh-add .\.ssh\id_ed25519
# Note that I am already in my C:\Users\Username folder.
# If you chose a different name for your SSH key, use that.

This step might not be needed most of the time if you chose the default name, but if you chose a different name for your SSH key, you will have to do this.

Adding our SSH Public Key in VPS

  1. First, copy the content of the public key file of your SSH key. You have to copy the content of the .pub file, not of the file without an extension, which is your private key and shouldn't be shared.

    ~\.ssh
    ❯ cat .\id_ed25519.pub

    You can also open the file in Notepad, and copy it from there.

  2. Now, connect to your VPS as the non-root user. Hostinger also has an option to add SSH keys, but it only does so for root, and we want to use the non-root user.

  3. After connecting, create a .ssh folder inside home directory if it doesn't exist.

    mkdir -p ~/.ssh # -p: no error if the folder already exists
    cd ~/.ssh # cd into the .ssh folder that we created.

  4. Create a file named authorized_keys inside the .ssh folder, and paste the content of your public key.

    nano authorized_keys

    You can use Ctrl + O, to save the file in Nano, and Ctrl + X to exit.

  5. Now, just exit the VPS, and try to log in again. You will see that it logs in to the VPS automatically without asking for a password. If you set a passphrase on your SSH key, then it will ask for that every time. If you don't like that, you can use the ssh-add command like we discussed previously.
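
Steps 3 and 4 as one repeatable function, as an added example that is not part of the original guide: it refuses anything that is not a public key line, sets owner-only permissions on .ssh and authorized_keys, and does not add the same key twice. The function name install_pubkey and the sample key are assumptions made for this example; the key is constructed and not usable.

```shell
#!/bin/sh
# Added example. Installs ONE public key for a user with owner-only
# permissions on ~/.ssh and authorized_keys.

# install_pubkey HOME_DIR "PUBLIC_KEY_LINE"
# Returns 0 if the key is installed (or already present), 2 if the input is rejected.
install_pubkey() {
    home=$1
    key=$2
    # Only accept something that looks like the content of a .pub file.
    # Private key files start with "-----BEGIN", so they are rejected here.
    case $key in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing: this is not a public key line" >&2; return 2 ;;
    esac

    # ~/.ssh and authorized_keys readable and writable only by their owner.
    mkdir -p "$home/.ssh" || return 1
    chmod 700 "$home/.ssh" || return 1
    auth=$home/.ssh/authorized_keys
    touch "$auth" || return 1
    chmod 600 "$auth" || return 1

    # Compare on "type base64" so the same key with another comment is not added twice.
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if grep -qF -- "$blob" "$auth"; then
        return 0
    fi
    printf '%s\n' "$key" >>"$auth"
}

# Constructed sample key (placeholder base64, not a usable key).
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyForThisGuide0000000 your_email@example.com'

# Typical use on the VPS, logged in as the non-root user:
#   install_pubkey "$HOME" "$(cat id_ed25519.pub)"
```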

Disable Password Login

We are going to disable it so that hackers can't brute-force our server. Remember to set up your SSH key before disabling it, or else you won't be able to connect to your VPS. Also, if you have to connect from a new computer, you first have to generate an SSH key on that computer, and then paste its public key into the VPS from your previous device, where you can already connect using an SSH key.

  1. Edit the SSH config

    sudo nano /etc/ssh/sshd_config

  2. Scroll down the file and change the PasswordAuthentication value from yes to no.

    Now, save it using Ctrl + O, and exit using Ctrl + X

  3. On the Hostinger VPS, I have a file named 50-cloud-init.conf inside /etc/ssh/sshd_config.d which has PasswordAuthentication turned on, so we will turn it off in that file as well.

    Remember that it's inside sshd_config.d folder not inside ssh_config.d

    Use Nano to update it too.

  4. After that, restart ssh service.

    sudo systemctl restart ssh
    # Service name might be sshd for CentOS

  5. Now, if you try to log in as the root user, you can see that it isn't allowed, because we haven't set up SSH keys for the root user. You can set that up through the Hostinger dashboard too, but we are going to disable root login entirely.

Disable Root User login

We want to disable root user entirely so that you are forced to use non root user.

  1. Edit sshd_config

    sudo nano /etc/ssh/sshd_config

  2. Search for PermitRootLogin, and set its value to no.

    Alternatively, you can change its value to without-password, which allows root to log in with SSH keys but not with a password. But since we have already turned off password authentication, that's not needed.
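
Why step 3 of "Disable Password Login" matters, as an added example that is not part of the original guide: sshd uses the first value it reads for each keyword, so a drop-in pulled in by an Include line at the top of sshd_config wins over a later line in the main file. The function names effective_value and make_sample are made up for this example, the files are a constructed copy of the layout described above, and the Include line at the top of the main file is an assumption about how the VPS image is configured.

```shell
#!/bin/sh
# Added example. Works out which value sshd would use for a global keyword.
# sshd keeps the FIRST value it reads for a keyword and expands Include lines
# in place, so a drop-in included early beats a later setting in the main file.

# effective_value KEYWORD FILE -> prints the first value found, status 1 if unset.
# The body runs in a subshell "( ... )" so the recursion has its own variables.
effective_value() (
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    file=$2
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                    # drop comments
        set -f; set -- $line; set +f        # split into words, no globbing
        [ $# -gt 0 ] || continue
        key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
        shift
        case $key in
            match) break ;;                 # global section ends at the first Match
            include)
                for pattern in "$@"; do
                    for inc in $pattern; do # unquoted on purpose: expand the glob
                        [ -f "$inc" ] || continue
                        effective_value "$want" "$inc" && exit 0
                    done
                done ;;
            "$want") printf '%s\n' "$*"; exit 0 ;;
        esac
    done <"$file"
    exit 1
)

# Constructed copy of the layout described above (not the real /etc/ssh).
make_sample() {
    mkdir -p "$1/sshd_config.d"
    printf 'PasswordAuthentication yes\n' >"$1/sshd_config.d/50-cloud-init.conf"
    printf 'Include %s/sshd_config.d/*.conf\nPermitRootLogin no\nPasswordAuthentication no\n' \
        "$1" >"$1/sshd_config"
}
```

On the server itself, `sudo sshd -t` checks the configuration files for syntax errors before you restart the service, and `sudo sshd -T` prints the settings sshd will actually use.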

Setting up Firewall

A firewall is a network security system that monitors and controls incoming and outgoing network traffic. It acts as a barrier between your server and potential threats from the internet.

Many VPS providers, like AWS, DigitalOcean, and Linode, offer firewall options that can be set up through their dashboard. But, we are going to use UFW, or Uncomplicated Firewall through CLI, as it's easy to use.

Install UFW if you don't have it

Hostinger already comes with UFW by default, so we don't have to do it.

sudo apt install ufw

Checking Status

sudo ufw status

It is currently inactive, so let's enable it.

Deny all incoming requests by default

sudo ufw default deny incoming

Allow all outgoing requests by default

sudo ufw default allow outgoing

MOST IMPORTANT: Enable OpenSSH Connection

We know that OpenSSH uses port 22 by default, so we have to allow it before exiting the VPS. If we skip this step and enable the firewall, we can no longer connect to our VPS over SSH.

sudo ufw allow OpenSSH

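If you changed the port number for SSH, then you have to do this instead:

sudo ufw allow <your-ssh-port>/tcp
# <your-ssh-port> is a placeholder: replace it with the port you configured for SSH.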

See the list of added rules

sudo ufw show added

Enable Firewall

Make sure to enable OpenSSH connection before enabling the firewall, otherwise you won't be able to SSH into the VPS.

sudo ufw enable

Enabling HTTP, and HTTPS connections

We are going to deploy a website/web app in the future, so we are going to allow HTTP and HTTPS connections.

sudo ufw allow http
# Alternatively: sudo ufw allow 80/tcp
sudo ufw allow https
# Alternative: sudo ufw allow 443/tcp
