How to make your VPS secure

This is a perfect guide to securing your brand new VPS on any provider!

5 months ago   •   2 min read

By Aquasp

Introduction

If you just bought a VPS and are starting to self-host, this is one of the most important security improvements you can make.

By switching to SSH key authentication and disabling password login, your server becomes nearly immune to password brute-force attacks, and a discovered password is no longer enough to log in, even if you're still using the default port 22.

Step 1: Generate an SSH Key Pair on Your Local Machine

Linux & macOS

Open a terminal and run:

ssh-keygen -t rsa -b 4096

or (newer recommended format):


ssh-keygen -t ed25519

Press Enter to accept the default file location and leave the passphrase empty (just hit Enter twice).

Your keys will be saved as:

  • Private key: ~/.ssh/id_rsa or ~/.ssh/id_ed25519
  • Public key: ~/.ssh/id_rsa.pub or ~/.ssh/id_ed25519.pub

Never share the private key!

Windows (PowerShell)

Open PowerShell and run:

ssh-keygen.exe -t ed25519

(or -t rsa -b 4096 if ed25519 is not supported)

Press Enter through the prompts (no passphrase). Keys will be created in C:\Users\YourUser\.ssh\

Step 2: Copy Your Public Key to the VPS

Linux & macOS (Easiest Method)

ssh-copy-id user@your-vps-ip

Replace user and your-vps-ip with your actual username and server IP.

Windows

  1. Copy your public key to the clipboard (PowerShell):

     Get-Content $HOME\.ssh\id_ed25519.pub | Set-Clipboard

     (or id_rsa.pub if you used RSA)

  2. Log into your VPS normally (with password):

     ssh user@your-vps-ip

  3. Create the .ssh folder and authorized_keys file (if they don't exist):

     mkdir -p ~/.ssh
     chmod 700 ~/.ssh
     touch ~/.ssh/authorized_keys
     chmod 600 ~/.ssh/authorized_keys

  4. Edit the file:

     nano ~/.ssh/authorized_keys

  5. Paste your public key (it’s one long line starting with ssh-ed25519 or ssh-rsa) → Save with Ctrl+O → Enter → Ctrl+X
  6. Test it: Open a new terminal/PowerShell and try logging in. It should work without asking for a password.

Step 3: Disable Password Authentication

Now that key login works, disable password login entirely.

Log into your VPS (using your key) and edit the SSH config:

sudo nano /etc/ssh/sshd_config

Find and change (or add) these lines:

PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PubkeyAuthentication yes

Save and exit.

Restart the SSH service:

sudo systemctl restart sshd

(or sudo service ssh restart on older systems)

Final test: Try logging in from a new terminal. It should only work with your private key — password attempts will be rejected instantly.
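An added check for Step 3, not part of the original guide: sshd uses the first value it reads for each keyword, so a drop-in file pulled in by an Include line above your edits can leave password login enabled. The temporary paths, the 50-provider.conf drop-in and the function names below are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the guide): report which value sshd would actually
# use for the four Step 3 keywords. sshd keeps the FIRST value it reads per
# keyword, so a drop-in named by an earlier Include beats the line you edited.
# Simplifications: Include paths are used as written, and parsing stops at the
# first Match block (settings after it are conditional).

flatten() {   # print FILE with every Include line replaced by the files it names
    local kw rest f
    while read -r kw rest || [ -n "$kw" ]; do
        case "$kw" in
            [Ii][Nn][Cc][Ll][Uu][Dd][Ee])
                for f in $rest; do    # unquoted on purpose: the shell expands globs
                    if [ -f "$f" ]; then flatten "$f"; fi
                done ;;
            *) printf '%s %s\n' "$kw" "$rest" ;;
        esac
    done <"$1"
}

first_value() {   # first_value FILE KEYWORD -> first global value, lowercased
    flatten "$1" | awk -v kw="$2" '
        stop || /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        { sub(/=/, " "); k = tolower($1) }       # accept "Keyword=value" too
        k == "match"     { stop = 1; next }
        k == tolower(kw) { print tolower($2); stop = 1 }'
}

audit() {   # returns 1 if any keyword is absent or differs from Step 3
    local rc=0 want kw got
    for want in PasswordAuthentication=no ChallengeResponseAuthentication=no \
                UsePAM=no PubkeyAuthentication=yes; do
        kw=${want%%=*}
        got=$(first_value "$1" "$kw")
        if [ "$got" != "${want#*=}" ]; then
            echo "MISMATCH $kw: sshd would use '${got:-unset}', guide sets '${want#*=}'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: an edited main file whose Include pulls in a provider drop-in.
demo=$(mktemp -d)
mkdir "$demo/sshd_config.d"
echo 'PasswordAuthentication yes' >"$demo/sshd_config.d/50-provider.conf"
printf '%s\n' "Include $demo/sshd_config.d/*.conf" 'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' 'UsePAM no' 'PubkeyAuthentication yes' \
    >"$demo/sshd_config"
audit "$demo/sshd_config" || echo "fix the drop-in, then re-run before restarting sshd"
```

On the server itself, sudo sshd -t validates the file and sudo sshd -T prints the configuration sshd resolves. Run both before the restart and keep your current session open until a new login succeeds.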

Done!

Your VPS is now protected against:

  • Brute-force attacks
  • Credential stuffing
  • Weak or leaked passwords

Even if an attacker knows your username and password, they cannot log in without your private key file.

Pro tip: Back up your private key securely and consider adding a passphrase later using ssh-keygen -p.
