Your server is out on the open internet right now, and it's already being noticed. Before we install anything fun, let's put four simple locks on the front door โ it only takes a few minutes.
Make the server safe before putting anything real on it.
Why security comes before anything else
Here's a fact that surprises most beginners: the moment a new server gets an internet address, automated programs called "bots" start knocking on it โ often within minutes. They're not targeting you personally. They're scanning the whole internet, all day, every day, looking for easy, unlocked doors.
Think of your new server like an apartment you just moved into. You wouldn't leave the front door wide open on night one, even if you don't own anything valuable yet. You'd lock up first, then unpack. That's exactly what this module does โ we lock up before we put anything real inside.
The good news
All four locks in this module are simple, well-known steps that every real server uses. You're not building anything fancy โ you're just doing the same basic locking-up that every professional does on day one.
Lock 1 โ Update everything
Software gets small safety fixes all the time. An out-of-date server is like a door with an old, weak lock โ someone's already figured out how to pick it. So the very first thing we do is bring everything up to date.
sudo apt update && sudo apt upgrade -yapt is the "app store" for your server โ the tool that installs and updates software. Running update refreshes its list of what's available (like refreshing a store's shelves), and upgrade -y installs the newest, safest versions of everything you already have. sudo just means "do this as admin" โ some jobs need that extra permission.
Lock 2 โ Stop living as root
Right now you're logged in as root, the server's super-admin account. Root can do anything โ including anything a mistake, or an attacker, tells it to do. If root gets compromised, everything is compromised. So we're going to create a normal, everyday user, and save root for rare emergencies only.
# pick your own name; it will ask you to set a password
adduser mike
# gives 'mike' permission to use sudo
usermod -aG sudo mikeSwap mike for whatever username you'd like โ just use that same name everywhere below. adduser creates the new account and walks you through setting a password. usermod -aG sudo mike adds that user to the special "sudo" group, so they can still ask for admin power when they truly need it, one command at a time โ instead of having it always switched on, like root does.
Your new user also needs a way to log in. Back in Module 3 you set up an SSH key โ copy it over to the new account:
rsync --archive --chown=mike:mike ~/.ssh /home/mikeThis copies your .ssh folder (which holds the "key" that proves it's you) from root's home into your new user's home, and hands ownership of those files to that user. Again, replace mike with your chosen username in both places.
Lock 3 โ Turn on a firewall
A firewall is like a guard standing at every "door" on your server. A port is simply one of those doors, numbered โ door 80 is for regular web traffic, door 443 is for secure web traffic, and door 22 is for SSH, the connection you're using right now. By default we want the guard to block every door except the handful we actually use.
Ubuntu ships with a friendly firewall tool called ufw โ Uncomplicated Firewall. Here's how to turn it on safely:
# keep your SSH door open (VERY important, do this first)
sudo ufw allow OpenSSH
# web traffic (http)
sudo ufw allow 80/tcp
# secure web traffic (https)
sudo ufw allow 443/tcp
# turn the firewall on
sudo ufw enable
# check what's allowed
sudo ufw statusAlways allow OpenSSH before you enable
If you turn the firewall on before allowing SSH, you'll lock yourself out of your own server โ with no easy way back in. The order above matters: allow SSH first, then the web ports, then enable.
Lock 4 โ Harden SSH itself
SSH is the front door you use to reach your server. Two settings make that door much sturdier: banning root from logging in directly, and turning off password guessing entirely. Open the SSH settings file:
sudo nano /etc/ssh/sshd_configInside, find these two lines (use your arrow keys to scroll โ no mouse needed). If a line starts with a #, remove it, and make sure each line reads exactly:
PermitRootLogin no
PasswordAuthentication noSave the file with Ctrl+O then Enter, and exit with Ctrl+X. Then restart SSH so the new settings take effect:
sudo systemctl restart sshPermitRootLogin no means nobody โ not even someone who somehow guesses the root password โ can log straight in as root anymore. PasswordAuthentication no turns off password logins completely, so only your SSH key (the one only you have) can get you in. No amount of password guessing will work.
Test before you close this window
This is the single most important tip in this module: before you close your current terminal window, open a brand-new one and try logging in as your new user: ssh mike@YOUR_SERVER_IP. If it works, you're safe โ close the old window freely. If it doesn't work, don't panic and don't close your original window โ it's still open, still logged in, and you can use it to fix the problem. Never close your only working session right after changing SSH settings.
โ๏ธ Hands-on: your security checklist
Work through this list in order, right now, on your own server. Each step builds on the one before it.
-
Update the server
Run
sudo apt update && sudo apt upgrade -yand let it finish. -
Create your everyday user
Run
adduser yournameand set a strong password when it asks. -
Add that user to sudo
Run
usermod -aG sudo yournameso they can still do admin tasks when needed. -
Copy your SSH key over
Run the
rsynccommand so your new user can log in with the same key. -
Turn on the firewall โ OpenSSH first!
Allow OpenSSH, then port 80, then port 443 โ then run
sudo ufw enable. -
Turn off root login and password login
Edit
/etc/ssh/sshd_config, set both lines tono, and restart SSH. -
Test in a second window
Open a new terminal and confirm
ssh yourname@YOUR_SERVER_IPworks before closing anything.
You did it
Your server now updates itself safely, has a proper everyday user instead of an all-powerful root login, blocks every door except the ones you use, and only lets you in with your key. That's genuinely professional-grade security โ and you set it up yourself.
- Update everything โ fresh software closes known holes.
- Stop using root โ a normal user with sudo powers limits the damage of any mistake.
- Turn on a firewall โ block every port except SSH, web, and secure web.
- Harden SSH โ no root login, no password guessing, key-only access.