You just spun up a VPS. Before you put anything real on it, spend fifteen minutes locking it down. Here is the order that catches the most risk for the least effort.
1. Create a non-root user
Working as root all day means one fat-fingered command can wipe the box. Make a user and give it sudo:
adduser deploy
usermod -aG sudo deploy
2. Switch to SSH keys, then turn off password login
Passwords get brute-forced around the clock. Copy your key up, confirm you can log in with it, then in /etc/ssh/sshd_config set PasswordAuthentication no and PermitRootLogin prohibit-password, and reload sshd. Keep a second terminal open until you have confirmed the new login works, so you never lock yourself out.
3. Turn on a firewall with a default-deny stance
Only open what you actually serve:
ufw default deny incoming
ufw default allow outgoing
ufw allow OpenSSH
ufw enable
Add ufw allow 80,443/tcp when you put a web server on it. The principle is the same one we run at the host level: deny by default, allow on purpose.
4. Add fail2ban
It watches your auth log and bans IPs that hammer SSH. Run apt install fail2ban; the default sshd jail is already sensible.
5. Patch, then enable unattended security updates
apt update && apt upgrade -y
apt install unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades
6. Know where your backups are
A server you cannot restore is a server you do not really have. Snapshot before big changes, and keep at least one copy off the box.
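Here are steps 1 to 5 as one idempotent POSIX sh script, added as a worked example; it is not code from this post or from overnight.host. It assumes a fresh Debian/Ubuntu box where ufw, fail2ban and unattended-upgrades come from apt, and the user name, public-key path and sshd unit names below are placeholders. The sshd edit is done on a copy, validated with sshd -t and backed up before it goes live, and it is deliberately a separate verb so you run it only after the key login has worked from your second terminal.

```shell
#!/bin/sh
# Added example (not from the post or overnight.host): steps 1 to 5 of the
# checklist for a fresh Debian/Ubuntu VPS. DEPLOY_USER, PUBKEY and the unit
# names are assumptions; ufw, fail2ban, unattended-upgrades come from apt.
set -eu

DEPLOY_USER=${DEPLOY_USER:-deploy}            # assumed user name
PUBKEY=${PUBKEY:-/root/deploy.pub}            # assumed path to your public key
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}

# set_sshd_option FILE KEY VALUE: replace every "KEY ..." line (active or
# commented out, anywhere in FILE, Match blocks included) with "KEY VALUE",
# or append one if KEY is absent. Works on whatever file you pass, so the
# result can be checked before it replaces the real config.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        BEGIN { pat = "^[ \t]*#?[ \t]*" tolower(k) "([ \t]|=|$)"; seen = 0 }
        tolower($0) ~ pat { if (!seen) { print k " " v; seen = 1 }; next }
        { print }
        END { if (!seen) print k " " v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"    # cat, not mv, keeps the file's mode and owner
    rm -f "$tmp"
}

# sshd_hardened FILE: succeeds only if password login is off and root is
# key-only, i.e. the two settings step 2 asks for are really in effect.
sshd_hardened() {
    grep -Eiq '^[ \t]*PasswordAuthentication[ \t]+no[ \t]*$' "$1" &&
    grep -Eiq '^[ \t]*PermitRootLogin[ \t]+prohibit-password[ \t]*$' "$1"
}

# Step 1: non-root sudo user with the public key installed (safe to re-run).
create_deploy_user() {
    id "$DEPLOY_USER" >/dev/null 2>&1 ||
        adduser --disabled-password --gecos "" "$DEPLOY_USER"
    usermod -aG sudo "$DEPLOY_USER"
    install -d -m 700 -o "$DEPLOY_USER" -g "$DEPLOY_USER" "/home/$DEPLOY_USER/.ssh"
    install -m 600 -o "$DEPLOY_USER" -g "$DEPLOY_USER" "$PUBKEY" \
        "/home/$DEPLOY_USER/.ssh/authorized_keys"
}

# Step 3: default-deny firewall. OpenSSH is allowed before the firewall is
# enabled so the session you are typing in is never cut off.
enable_firewall() {
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow OpenSSH
    ufw --force enable
}

# Steps 4 and 5: patch, install fail2ban (default sshd jail) and auto updates.
patch_and_ban() {
    apt-get update && apt-get upgrade -y
    apt-get install -y fail2ban unattended-upgrades
    dpkg-reconfigure -plow unattended-upgrades
}

# Step 2: edit a copy, validate it, keep a backup, then reload. Run this only
# after a key login as $DEPLOY_USER has worked in a second terminal.
harden_sshd() {
    work=$(mktemp)
    cp "$SSHD_CONFIG" "$work"
    set_sshd_option "$work" PasswordAuthentication no
    set_sshd_option "$work" PermitRootLogin prohibit-password
    sshd -t -f "$work"          # a broken config must never reach the daemon
    sshd_hardened "$work"       # and the edit must actually have taken
    cp "$SSHD_CONFIG" "$SSHD_CONFIG.bak.$(date +%Y%m%d%H%M%S)"
    cat "$work" > "$SSHD_CONFIG"
    rm -f "$work"
    systemctl reload ssh 2>/dev/null || systemctl reload sshd
}

case ${1:-} in
    prepare)  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
              create_deploy_user; enable_firewall; patch_and_ban ;;
    lock-ssh) [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
              harden_sshd ;;
    "")       ;;    # no verb: only define the functions (e.g. when sourced)
    *)        echo "usage: $0 prepare | lock-ssh" >&2; exit 2 ;;
esac
```

Run it as root with prepare first, log in from a second terminal with the key as the new user, and only then run lock-ssh; the dpkg-reconfigure step prompts, as in the post. Because the edit helper also rewrites commented-out defaults, a config that ships with #PermitRootLogin prohibit-password ends up with exactly one active line rather than a stray duplicate that sshd would silently ignore.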
That is the 15-minute baseline. None of it is exotic, and skipping it is how most small servers get owned.
We run overnight.host on rented bare metal across EU and US regions, with a default-deny firewall and key-based access as the standard, not an upsell. If you want a VPS that ships locked down, that is the idea.