The moment you open a new ubuntu server, attack attempts begin. Automated bots scan your IP within minutes and try weak passwords. A few steps taken in the first hours stop most of that noise.The good news: basic hardening is not complex. For an ubuntu server, the biggest security wins come from just a handful of commands. This guide lists the first 10 steps to apply right after setup, each with the exact command.Apply the steps in order. When you change SSH settings, test access from a second terminal before closing your current session. A wrong setting can lock you out of the server.
Ubuntu Server Security First Step: Update
Before anything else, update the system. The packages shipped with the distribution are often outdated and carry known flaws. A single command refreshes the package list and installs upgrades.
sudo apt update && sudo apt upgrade -y
If a kernel upgrade arrives, reboot the server once the update finishes. This cleanup gives the remaining steps a solid foundation to build on.
SSH Hardening: Keys and Port
SSH is the most frequently targeted door on internet-facing servers. The first job is moving from passwords to key-based authentication. Generate an ed25519 key on your local machine and copy it to the server.
ssh-keygen -t ed25519 ssh-copy-id user@server_ip
After confirming that key login works, disable password login. Make the edit in /etc/ssh/sshd_config and restart the service.
PasswordAuthentication no PermitRootLogin no
Run sudo systemctl restart ssh after the change. Moving the default port 22 to a different value also hides you from most automated scans.
Disable the Root Account
Direct root login opens the whole server if a single password leaks. Use a normal user with sudo rights instead. The PermitRootLogin no line above already blocks root sessions.Do daily administration with the sudo user. To reduce the risk of unauthorized access, defining a separate user per service and removing unused accounts is a good habit.
Close Traffic with the UFW Firewall
An ubuntu server can listen on more ports than it needs by default. UFW lets you manage the firewall with simple rules. Deny incoming traffic first, allow outgoing, then open only the ports you actually need.
sudo ufw default deny incoming sudo ufw default allow outgoing sudo ufw allow OpenSSH sudo ufw enable
If you run a web server, add ports 80 and 443 as well. For command details and advanced rules, the official Ubuntu Server firewall documentation is the most reliable reference.
Brute-Force Blocking with Fail2ban
Fail2ban watches authentication logs and temporarily blocks IP addresses with many failed attempts. It is a simple but effective defense against SSH brute-force attacks. Installation is a one-command job.
sudo apt install fail2ban -y sudo systemctl enable --now fail2ban
The default settings are enough for most servers. To change thresholds, create and edit /etc/fail2ban/jail.local. You can view blocked addresses with sudo fail2ban-client status sshd.
Automatic Security Updates
Tracking security patches by hand is hard. Ubuntu ships a package that installs critical updates in the background. Once enabled, known flaws close before you even notice them.
sudo apt install unattended-upgrades -y sudo dpkg-reconfigure --priority=low unattended-upgrades
Enable automatic updates on the screen that appears after installation. This step is one of the most practical protections that keeps your server clear of risks that pile up over time.
Checklist for the First 10 Steps
The table below summarizes the steps to apply and the purpose of each. Once you complete this list for an ubuntu server, the basic security layer is in place.
StepPurpose
System update | Close known flaws
SSH key login | Block password guessing
Disable password login | Narrow the brute-force surface
Disable root login | Remove single-point risk
Sudo user | Limit privileged access
UFW firewall | Close unneeded ports
Fail2ban | Block attacking IPs
Automatic updates | Apply patches continuously
SSH port change | Reduce automated scans
Access test | Prevent lockout
Summary
These ten steps stop the bulk of the noise aimed at an internet-facing server. When updates, SSH hardening, a firewall and fail2ban come together, the basic attack surface shrinks noticeably. The half hour you spend at first setup prevents many problems down the road.On KRITM Cloud Solutions infrastructure, NVMe-disk servers hosted in Turkey are set up within minutes, and you can apply security hardening from the first minute. Review our cloud solutions page for server options, or contact us if you want help with setup and hardening.