Introduction: Why Your Server Security is More Pathetic Than a Rescue Boat with a Leak
Right, let's get something straight. If you're running a server with default settings in 2025, you're basically leaving your front door open with a neon sign saying "HACKERS WELCOME - FREE COFFEE INSIDE!" I've seen more security in a chocolate teapot.
Here's the brutal truth that'll make you cry into your energy drink:
- Every 11 seconds, some poor bastard's server gets compromised
- $4.88 million - that's the average cost of a data breach (more than a small island nation's GDP)
- 90% of IT professionals don't even know where all their SSH keys are (probably in the same place as their car keys)
But fear not! This isn't your typical "Hello World" tutorial written by someone who learned Linux last Tuesday. This is a battle-tested, real-world guide that'll transform your vulnerable Ubuntu box into Fort Knox.
Connect to Your Server Without Looking Like a Complete Amateur
First things first - we need to get into this digital disaster zone you call a server. For Linux users, fire up your terminal (that scary black window that makes you feel like a hacker). Windows users, PowerShell will have to do (yes, Microsoft finally caught up to the 1970s).
ssh user@server-ip
After entering the password, you are in. First of all, we need to install the latest updates.
apt update && apt upgrade
This is like giving your server a shower after it's been rolling in digital mud for months. Essential, but hardly revolutionary.
How to Change SSH Port: Because Port 22 is Like Mooring a Luxury Yacht in Libya
Here's a shocking revelation: leaving SSH on port 22 is like having "123456" as your password. Actually, it's worse - at least with a bad password, hackers have to guess. With port 22, they KNOW where to knock.
Let me paint you a picture of what's happening right now:
grep -E "Failed" /var/log/auth.log
grep: /var/log/auth.log: No such file or directory
If you see this message, it means you need to install rsyslog.
apt install rsyslog
After installation, your log might look like this...
See those thousands of failed login attempts? That's not a glitch in the Matrix - those are actual bots trying to break into your server RIGHT NOW. It's like watching zombies scratch at your door, except these zombies have scripts and patience.
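To turn that wall of failures into something readable, the following added example (not part of the original post) counts failed sshd password attempts per source address and per guessed username. The log lines are constructed samples and the function names are illustrative.

```shell
#!/usr/bin/env bash
# Summarise sshd "Failed password" lines from an auth.log-style stream on stdin.

# Constructed sample lines in the classic rsyslog auth.log format
# (addresses come from the RFC 5737 documentation ranges).
sample_log() {
cat <<'EOF'
Jan 12 03:14:07 web1 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 12 03:14:09 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 12 03:14:11 web1 sshd[1205]: Failed password for invalid user oracle from 198.51.100.23 port 40112 ssh2
Jan 12 03:14:15 web1 sshd[1207]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 12 03:15:02 web1 sshd[1210]: Accepted publickey for tom from 192.0.2.10 port 50022 ssh2
Jan 12 03:15:30 web1 sudo: pam_unix(sudo:auth): authentication failure; logname=tom uid=1000
EOF
}

# Count one field of every failed-password line and print "<count> <value>",
# busiest first. Fields are addressed from the END of the line because the
# username is chosen by the remote side and must not shift the parse.
# $1 = offset from the last field: 3 = source IP, 5 = username.
count_field() {
  awk -v off="$1" '
    /sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" { n[$(NF-off)]++ }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

failed_by_source() { count_field 3; }   # who is knocking
failed_by_user()   { count_field 5; }   # which account names they guess

echo "== failed attempts per source =="
sample_log | failed_by_source
echo "== failed attempts per username =="
sample_log | failed_by_user
```

On a live server, feed it the real file instead of the sample: `sudo cat /var/log/auth.log | failed_by_source | head`.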
Let's move to a new neighborhood:
apt install nano
nano /etc/ssh/sshd_config
Find the line that says Port 22 and change it to something else. Pick a number between 1024 and 65535. I suggest 55555 - it's easy to remember and sounds like a snake laughing at your security practices.
Port 55555
Save with Ctrl+O, confirm with Y, exit with Ctrl+X.
From now on we can't connect via port 22 anymore. To connect, we use the following command with the -p flag, in our case port 55555.
ssh user@server-ip -p 55555
Try it; if everything works, restart SSH:
service ssh restart
Creating Users: Because Running Everything as Root is Financial Suicide
Root gives you full access to the system. But at the same time, root is like leaving the keys to a nuclear bunker under the doormat with a sign that says "WELCOME, HACKERS!"
The statistics are sobering:
- 81% of breaches involve credential abuse
- 68% of breaches involve human error (that's you, by the way)
- 100% of security experts think you're an idiot for using root
Ponemon Institute: Cost of Data Breach Hits Record High
Time to create a proper user:
adduser tom
usermod -aG sudo tom
su tom
After successfully adding the user to the system, double-check the password and the connection via SSH on the non-standard port.
Forget passwords! SSH Keys: The Digital Equivalent of Not Being a Complete Moron
Picture this: passwords are like that friend who always forgets your birthday. SSH keys are like having a personal bodyguard who recognizes you by your DNA. Which would you prefer protecting your $4.88 million server?
SSH key authentication provides mathematically superior security compared to password authentication, with quantitative evidence showing multiple orders of magnitude improvement in cryptographic strength, attack resistance, and real-world security outcomes. The data reveals that SSH keys eliminate 81-88% of security breaches that originate from password-related vulnerabilities.
If you're still using passwords for SSH in 2025, you're not just living dangerously - you're playing Russian roulette with a fully loaded gun while standing in a pool of gasoline next to an active volcano. SSH keys aren't just better; they're the difference between actual security and a "Please Hack Me" sign written in neon lights.
So let's create SSH keys. In Linux it's very easy. On my home system I use Void Linux, so just go to the .ssh folder and run ssh-keygen on the local computer, not on the Ubuntu server...
cd .ssh
ssh-keygen
Give the key a name; I skip the passphrase.
Then go to our server and create the folder .ssh
mkdir .ssh
cd .ssh
Now we need to create a file named authorized_keys
nano authorized_keys
Copy the contents of your mysupersecretkey.pub file here. The whole thing. Yes, including all those random characters that look like your cat walked on the keyboard.
After saving the authorized_keys file, reconnect to the server. It should let you in without asking for a password. You don't need to remember supersecretlong passwords anymore...
The Nuclear Option: Disabling Root and Password Access
Disabling root SSH login and password authentication on Ubuntu servers isn't just a best practice—it's a critical security requirement supported by overwhelming statistical evidence, documented breaches, universal industry consensus, and fundamental cryptographic advantages.
Analysis of 427 million attack attempts, numerous high-profile breaches, and authoritative security guidance reveals that organizations maintaining these legacy configurations face exponentially higher security risks and potential compliance violations.
35 cybersecurity statistics to lose sleep over in 2025
OK. Now we're gonna disable root access and password authentication. Because using root access with passwords on a server is like guarding a bank with a cardboard door and a "Please don't steal" sign!
sudo nano /etc/ssh/sshd_config
Inside this file we need the following parameters.
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
sudo service ssh restart
Now just keep the file mysecretsuperkey.pub (in my case) safe, because if you lose it, you will not be able to get in with a password...
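Editing the three parameters is only half the job: sshd keeps the first value it reads for each keyword, so a setting that appears earlier (for example in a file pulled in by an Include line) silently wins. The following added example, not from the original post, audits the effective values; the sample config text, the drop-in contents and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Print the value sshd would use for KEYWORD, given config text on stdin in the
# order sshd reads it: first occurrence wins, keywords are case-insensitive,
# and anything after the first Match line is conditional, so parsing stops there.
effective_value() {   # usage: effective_value KEYWORD < config-text
  awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    /^[ \t]*#/ || NF == 0 { next }           # skip comments and blank lines
    { key = tolower($1) }
    key == "match"       { exit }
    key == want          { print $2; exit }
  '
}

# Constructed sample: a drop-in file that an Include line reads first ...
dropin() { printf '%s\n' 'PasswordAuthentication yes'; }
# ... and the main file edited as described above.
main_config() {
cat <<'EOF'
# Include /etc/ssh/sshd_config.d/*.conf   (expanded by hand via dropin)
Port 55555
#PermitRootLogin prohibit-password
PermitRootLogin no
PubkeyAuthentication yes
passwordauthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

# Compare effective values with the hardened ones; non-zero status on mismatch.
audit() {   # reads config text on stdin
  local cfg rc=0 kv key want got
  cfg=$(cat)
  for kv in PermitRootLogin=no PubkeyAuthentication=yes PasswordAuthentication=no; do
    key=${kv%%=*}; want=${kv#*=}
    got=$(printf '%s\n' "$cfg" | effective_value "$key")
    [ "$got" = "$want" ] || { echo "WEAK: $key is '${got:-unset}', want '$want'"; rc=1; }
  done
  return $rc
}

main_config | audit && echo "main file alone: OK"
{ dropin; main_config; } | audit || echo "with drop-in: password logins are still enabled"
```

On a real host, `sudo sshd -t` checks the file for syntax errors before you restart, and `sudo sshd -T` prints the settings sshd will actually apply.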
UFW Firewall: Because Leaving All Ports Open is Like Sunbathing in Chernobyl
Without proper firewall protection, Ubuntu servers expose multiple attack surfaces including default service exposure from installed packages, SSH access points vulnerable to credential stuffing attacks, and container interfaces that bypass traditional security controls.
sudo apt update && sudo apt install ufw
sudo ufw allow 55555/tcp
We will not enable the firewall just yet. The next step is disabling ICMP ping.
Disabling ping (ICMP ping) on Ubuntu server
Here are the main reasons:
Security and stealth
- Hide the presence of the server - when ping is disabled, attackers cannot easily determine that the server is active and accessible
- Complicate reconnaissance - attackers often start by pinging the network to find active hosts
- Protect against DoS attacks - blocking ICMP can protect against some types of ping flood attacks
Practical considerations
- Save resources - the server does not waste time processing ping requests
- Reduce load - especially important during mass network scans
- Compliance with security policies - many corporate standards require disabling unnecessary services
Let's find the file before.rules and disable ping
sudo nano /etc/ufw/before.rules
Here we need to find the section # ok icmp codes for INPUT and add the following entry.
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
Change the rest of the ACCEPT options to DROP. After that it should look something like this...
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-forward -p icmp --icmp-type echo-request -j DROP
Double-check that everything is correct, then enable the firewall.
sudo ufw enable
By default all ports will be closed. When you need to open a particular port, use the following command:
sudo ufw allow 80/tcp
Port Conflicts: When Your Applications Fight Like Drunk Sailors
Sometimes you'll get a message saying a port is already in use. It's like arriving at an anchorage to find someone's already there.
sudo lsof -i :10000
If there are conflicts, we can kill the process by PID
sudo kill -9 820
Clean IP Verification: Because Some IPs are Dirtier Than a Mechanic's Overalls
Recently I have often had to use the services of different providers, and some of them hand out IP addresses that are not entirely clean. For this purpose I found a script named IPRegion. A short description is below.
The script queries multiple sources to retrieve the country code associated with your IP, providing a comprehensive overview of how different services interpret your location.
wget -qO - "https://raw.githubusercontent.com/vernette/ipregion/refs/heads/master/ipregion.sh" | bash
One of my Ubuntu servers should be in the Netherlands. Let's check.
If you see something similar, it's a very bad sign. For some purposes, servers with an IP like this will be useless.
Let's try another server; its location should be the United States.
Good IPs show consistent location across all services. Bad IPs look like they're having an identity crisis. For some services, email servers, or anything requiring reputation, a dirty IP is about as useful as a chocolate fireguard.
The Shocking Conclusion: You're Still Probably Going to Get Hacked
Let's be brutally honest here. Even with all these security measures, determined hackers are like water - they'll find a way in eventually. But here's the thing: we're not trying to build an impenetrable fortress. We're just trying to be more secure than the other guy.
Think of it this way: when running from a bear, you don't need to be faster than the bear. You just need to be faster than your friend. Same principle applies here - make your server annoying enough to hack that they'll move on to easier targets.
Key Takeaways for the Attention-Deficit Generation:
- Change your bloody SSH port
- Stop using root like it's going out of style
- SSH keys aren't optional in 2025 - they're survival equipment
- Firewalls are like condoms - better to have one and not need it
- Your server security is only as strong as your weakest decision
Remember: in the grand scheme of things, perfect security is a myth - like honest politicians or reliable British weather. But imperfect security beats no security like a Ferrari beats a horse and cart.
Now go forth and secure your servers. Or don't.
P.S. If you found this guide helpful, you're welcome. If you found it offensive, you probably needed to hear it more than anyone. And if you're still using password authentication in 2025... well, there's no hope for you. May the odds be ever in your favor.
Want more brutally honest tech content? Check out my blog at alfabuster.com