When you build a cool web app or a site like Zudisa, you can't just leave it running on your laptop forever. If you turn off your laptop or close the lid, your site goes down and nobody can visit it. That is why people buy a Virtual Private Server (VPS). A VPS is just a remote computer inside a huge data center that stays turned on 24 hours a day, 7 days a week. It runs a clean operating system—usually Ubuntu Linux—and it gives you a public IP address so anyone on the internet can type it in and see your projects.
But renting a server online is also a bit scary. The second your new server goes live, automated internet bots will start trying to guess your login details to hack you. If they get inside, they can steal your data or use your server for bad stuff. Don't panic, because locking down an Ubuntu server is actually pretty simple if you follow a few basic rules. We are going to go over exactly how to connect to a new cloud server, turn off the dangerous entry points, and set up an ironclad security wall.
Getting Inside Your New Server
When you buy a VPS from companies like DigitalOcean, Linode, or Hetzner, they will send you an email with an IP address (a bunch of numbers like 192.168.1.1) and a master password for an account named "root".
To connect to it, you don't download a fancy graphical app. You just open your computer's terminal or command prompt and use a tool called SSH (Secure Shell). You type a command like this to start the connection:
ssh root@your_server_ip_address
The terminal will ask if you trust this new machine. You type "yes", paste the master password they emailed you, and boom—you are looking at the inside of your remote Linux machine.
Creating a Normal Account (Stop Using Root)
The "root" user is like the supreme leader of the server. It can delete anything, modify critical system files, and change every single setting instantly. If a hacker guesses your root password, your server is toast. Also, if you make a tiny typo while logged in as root, you can accidentally wipe out your entire codebase.
That is why the very first thing we must do is create a normal, everyday user account for ourselves. Let us name our new user "dev". Run this command in your terminal:
adduser dev
The system will ask you to set a password for "dev". Choose a strong one! After that, we need to give this new user permission to do administrative tasks when necessary. We do this by adding "dev" to a special group called "sudo", whose members are allowed to run commands as root. Run this:
usermod -aG sudo dev
Now, your new "dev" user can do anything on the server by just typing the word "sudo" before any command.
Setting Up SSH Keys (Throw Away Passwords)
Passwords are bad because bots can try to guess them millions of times a second. A much smarter way to log in is using SSH Keys. This creates a special math puzzle. You keep a "private key" hidden safely on your personal laptop, and you upload a "public key" to your server. Your laptop can log in automatically because the keys match. Once password logins are switched off (the last section of this guide), a hacker can't get in even if they know your password, because they don't have the private key file from your laptop.
Open a brand new terminal window on your personal computer (not the server) and run this to create a key pair:
ssh-keygen -t ed25519
Press enter to save it in the default hidden folder. Next, we need to copy that new key up to our Ubuntu server. There is a super handy shortcut tool that does this for you automatically:
ssh-copy-id dev@your_server_ip_address
Type your "dev" user's password one last time. From now on, you can log into your server by just typing ssh dev@your_server_ip_address and it will unlock instantly without ever asking for a text password.
Locking the Front Door (UFW Firewall)
Ubuntu has a built-in firewall system called UFW (Uncomplicated Firewall). Think of it like a security guard at the door of a club who checks names on a guest list. By default, a new server leaves all its doors wide open. We want to close all entry ports except the ones we absolutely need for our web apps to function.
We need three primary ports open:
- Port 22: This is for SSH so we don't accidentally lock ourselves out of our own server.
- Port 80: This is standard HTTP traffic for regular web surfing.
- Port 443: This is secure HTTPS traffic, which encrypts your website data.
Run these setup commands one after the other to tell the firewall what to do:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Double check that you allowed port 22! If you didn't, you will lock yourself out forever the second you turn the firewall on. If everything looks good, activate the security guard by running this:
sudo ufw enable
Type "y" and hit enter. Your ports are now locked down tight against malicious internet sweeps.
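One way to do that double check before turning the firewall on, as an added example that is not part of the original guide: ufw show added lists the rules you have staged, and the script below reads that listing and confirms one of them still admits SSH. The two sample listings are constructed, and treating the names ssh and OpenSSH as TCP port 22 assumes sshd is on its default port.

```shell
#!/bin/sh
# Added example: confirm the staged UFW rules keep SSH reachable.
# Feed it the text printed by: sudo ufw show added

# rule_covers PORT PROTO TARGET: succeeds if a rule target such as
# "22/tcp", "22", "20:25/tcp", "ssh" or "OpenSSH" admits PORT over PROTO.
rule_covers() {
    port=$1 proto=$2 target=$3
    case $target in
        # Assumption: these names mean TCP 22 (sshd on its default port).
        ssh|OpenSSH) [ "$port" = 22 ] && [ "$proto" = tcp ]; return ;;
    esac
    case $target in
        */*) [ "${target#*/}" = "$proto" ] || return 1; target=${target%/*} ;;
    esac
    case $target in
        ''|*[!0-9:]*) return 1 ;;   # "from", "in", lists: not a plain port
        *:*) [ "$port" -ge "${target%:*}" ] && [ "$port" -le "${target#*:}" ] ;;
        *)   [ "$port" = "$target" ] ;;
    esac
}

# ssh_stays_open PORT: reads the listing on stdin. Source-restricted rules
# ("ufw allow from ...") are deliberately not counted as keeping SSH open.
ssh_stays_open() {
    want=$1
    while read -r cmd action target rest; do
        [ "$cmd" = ufw ] || continue
        case $action in allow|limit) ;; *) continue ;; esac
        if rule_covers "$want" tcp "$target"; then return 0; fi
    done
    return 1
}

# Constructed sample listings.
SAMPLE_OK="Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp"
SAMPLE_LOCKOUT="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw allow 443/tcp"

for name in SAMPLE_OK SAMPLE_LOCKOUT; do
    eval "listing=\$$name"
    if printf '%s\n' "$listing" | ssh_stays_open 22
    then echo "$name: safe to enable"
    else echo "$name: enabling would cut off SSH"
    fi
done
```

On the server, the same check can gate the enable step: sudo ufw show added | ssh_stays_open 22 && sudo ufw enable.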
Turning Off Password Logins Globally
Now that our SSH keys work and our firewall is active, we can deliver the final blow to malicious brute-force bots. We are going to completely disable password logins for every SSH connection to the server. This means if anyone tries to log in over SSH using a text password, the server will instantly reject them before they can even try to guess a single word.
We need to edit a core configuration file using a terminal text editor called Nano. Run this command:
sudo nano /etc/ssh/sshd_config
This opens up a long configuration text document. Use your arrow keys to scroll down slowly until you find a line that says PasswordAuthentication. It might have a # symbol in front of it—delete that symbol to activate the rule, and change the value at the end from yes to no. It should look exactly like this:
PasswordAuthentication no
Once you make that change, press Ctrl + O to save the file, hit Enter, and then press Ctrl + X to exit the editor. To make the server apply our new rules, restart the background SSH process:
sudo systemctl restart ssh
Open a completely separate terminal window on your laptop and try to log in to verify your setup. If you can still get inside using your SSH key, you have successfully built a highly secure, private environment ready to host your databases and apps.
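The edit above only takes effect if no earlier file sets the same keyword: sshd keeps the first value it reads, and on Ubuntu releases whose sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, a drop-in file there can still say yes. The script below is an added example, not part of the original guide, that reports which file decides a keyword; the function names and the sample config tree (including its file names) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which file decides an sshd keyword. sshd keeps the
# FIRST value it reads, so a drop-in included near the top of sshd_config
# beats a later line in the main file.
# Simplifications: global section only (stops at the first Match block),
# absolute Include paths, plain "Keyword value" syntax.

winning_setting() {   # usage: winning_setting KEYWORD MAIN_CONFIG
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    main=$2
    while read -r key val rest; do
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        case $key in
            ''|'#'*) continue ;;            # blank line or comment
            match) break ;;                 # conditional blocks: out of scope
            include)
                for f in $val; do           # unquoted so the glob expands
                    [ -f "$f" ] || continue
                    hit=$(awk -v k="$want" 'tolower($1) == k { print $2; exit }' "$f")
                    if [ -n "$hit" ]; then echo "$hit $f"; return 0; fi
                done ;;
            "$want") echo "$val $main"; return 0 ;;
        esac
    done < "$main"
    return 1                                # keyword not set: sshd default applies
}

# Builds a constructed config tree in a temp directory and prints its path.
demo_dir() {
    d=$(mktemp -d)
    mkdir "$d/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-cloud-init.conf"
    printf 'Include %s/sshd_config.d/*.conf\n#PermitRootLogin prohibit-password\nPasswordAuthentication no\n' \
        "$d" > "$d/sshd_config"
    echo "$d"
}

d=$(demo_dir)
# Prints the winning value and the file it came from: here the drop-in's
# "yes", even though the main file says "no".
winning_setting PasswordAuthentication "$d/sshd_config"
rm -r "$d"
```

On a live server, sudo sshd -t checks the file for syntax errors before the restart, and sudo sshd -T | grep -i passwordauthentication prints the value sshd will actually use.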
