๐Ÿš€ From Zero to LiveVPS + Claude ยท free course

Home โ€บ Module 4

Module 4 ยท Locking It Down

Lock the doors before you move in

Your server is out on the open internet right now, and it's already being noticed. Before we install anything fun, let's put four simple locks on the front door โ€” it only takes a few minutes.

๐ŸŽฏ Goal of this module

Make the server safe before putting anything real on it.

Why security comes before anything else

Here's a fact that surprises most beginners: the moment a new server gets an internet address, automated programs called "bots" start knocking on it โ€” often within minutes. They're not targeting you personally. They're scanning the whole internet, all day, every day, looking for easy, unlocked doors.

Think of your new server like an apartment you just moved into. You wouldn't leave the front door wide open on night one, even if you don't own anything valuable yet. You'd lock up first, then unpack. That's exactly what this module does โ€” we lock up before we put anything real inside.

๐Ÿ’ก

The good news

All four locks in this module are simple, well-known steps that every real server uses. You're not building anything fancy โ€” you're just doing the same basic locking-up that every professional does on day one.

Lock 1 โ€” Update everything

Software gets small safety fixes all the time. An out-of-date server is like a door with an old, weak lock โ€” someone's already figured out how to pick it. So the very first thing we do is bring everything up to date.

terminal
sudo apt update && sudo apt upgrade -y

apt is the "app store" for your server โ€” the tool that installs and updates software. Running update refreshes its list of what's available (like refreshing a store's shelves), and upgrade -y installs the newest, safest versions of everything you already have. sudo just means "do this as admin" โ€” some jobs need that extra permission.

Lock 2 โ€” Stop living as root

Right now you're logged in as root, the server's super-admin account. Root can do anything โ€” including anything a mistake, or an attacker, tells it to do. If root gets compromised, everything is compromised. So we're going to create a normal, everyday user, and save root for rare emergencies only.

terminal
# pick your own name; it will ask you to set a password
adduser mike

# gives 'mike' permission to use sudo
usermod -aG sudo mike

Swap mike for whatever username you'd like โ€” just use that same name everywhere below. adduser creates the new account and walks you through setting a password. usermod -aG sudo mike adds that user to the special "sudo" group, so they can still ask for admin power when they truly need it, one command at a time โ€” instead of having it always switched on, like root does.

Your new user also needs a way to log in. Back in Module 3 you set up an SSH key โ€” copy it over to the new account:

terminal
rsync --archive --chown=mike:mike ~/.ssh /home/mike

This copies your .ssh folder (which holds the "key" that proves it's you) from root's home into your new user's home, and hands ownership of those files to that user. Again, replace mike with your chosen username in both places.

Lock 3 โ€” Turn on a firewall

A firewall is like a guard standing at every "door" on your server. A port is simply one of those doors, numbered โ€” door 80 is for regular web traffic, door 443 is for secure web traffic, and door 22 is for SSH, the connection you're using right now. By default we want the guard to block every door except the handful we actually use.

Ubuntu ships with a friendly firewall tool called ufw โ€” Uncomplicated Firewall. Here's how to turn it on safely:

terminal
# keep your SSH door open (VERY important, do this first)
sudo ufw allow OpenSSH

# web traffic (http)
sudo ufw allow 80/tcp

# secure web traffic (https)
sudo ufw allow 443/tcp

# turn the firewall on
sudo ufw enable

# check what's allowed
sudo ufw status
โš ๏ธ

Always allow OpenSSH before you enable

If you turn the firewall on before allowing SSH, you'll lock yourself out of your own server โ€” with no easy way back in. The order above matters: allow SSH first, then the web ports, then enable.

Lock 4 โ€” Harden SSH itself

SSH is the front door you use to reach your server. Two settings make that door much sturdier: banning root from logging in directly, and turning off password guessing entirely. Open the SSH settings file:

terminal
sudo nano /etc/ssh/sshd_config

Inside, find these two lines (use your arrow keys to scroll โ€” no mouse needed). If a line starts with a #, remove it, and make sure each line reads exactly:

/etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no

Save the file with Ctrl+O then Enter, and exit with Ctrl+X. Then restart SSH so the new settings take effect:

terminal
sudo systemctl restart ssh

PermitRootLogin no means nobody โ€” not even someone who somehow guesses the root password โ€” can log straight in as root anymore. PasswordAuthentication no turns off password logins completely, so only your SSH key (the one only you have) can get you in. No amount of password guessing will work.

โš ๏ธ

Test before you close this window

This is the single most important tip in this module: before you close your current terminal window, open a brand-new one and try logging in as your new user: ssh mike@YOUR_SERVER_IP. If it works, you're safe โ€” close the old window freely. If it doesn't work, don't panic and don't close your original window โ€” it's still open, still logged in, and you can use it to fix the problem. Never close your only working session right after changing SSH settings.

โœ๏ธ Hands-on: your security checklist

Work through this list in order, right now, on your own server. Each step builds on the one before it.

  1. Update the server

    Run sudo apt update && sudo apt upgrade -y and let it finish.

  2. Create your everyday user

    Run adduser yourname and set a strong password when it asks.

  3. Add that user to sudo

    Run usermod -aG sudo yourname so they can still do admin tasks when needed.

  4. Copy your SSH key over

    Run the rsync command so your new user can log in with the same key.

  5. Turn on the firewall โ€” OpenSSH first!

    Allow OpenSSH, then port 80, then port 443 โ€” then run sudo ufw enable.

  6. Turn off root login and password login

    Edit /etc/ssh/sshd_config, set both lines to no, and restart SSH.

  7. Test in a second window

    Open a new terminal and confirm ssh yourname@YOUR_SERVER_IP works before closing anything.

โœ…

You did it

Your server now updates itself safely, has a proper everyday user instead of an all-powerful root login, blocks every door except the ones you use, and only lets you in with your key. That's genuinely professional-grade security โ€” and you set it up yourself.

โœ… Recap
  • Update everything โ€” fresh software closes known holes.
  • Stop using root โ€” a normal user with sudo powers limits the damage of any mistake.
  • Turn on a firewall โ€” block every port except SSH, web, and secure web.
  • Harden SSH โ€” no root login, no password guessing, key-only access.