Why Security Matters the Moment Your VPS Is Live
A fresh VPS connected to the internet is scanned by automated bots within minutes of being provisioned — attackers look for default credentials, open ports, and unpatched software. Following these hardening steps immediately after deploying your Momo Cloud VPS dramatically reduces your attack surface and protects your data, applications, and reputation.
Before You Begin
Log in to cloud.momo.tz to find your VPS IP address and root password, then open a terminal on your local computer. All steps below assume a fresh Ubuntu or Debian VPS. Run commands as root unless stated otherwise.
Warning: Before you close your current SSH session at any point, open a second terminal window and verify you can log in with your new settings. One small mistake — a typo in sshd_config or a wrong firewall rule — can lock you out completely. If that happens, use the web console at cloud.momo.tz to regain access without needing SSH.
Step 1: Update All Packages
Always start by applying every available security patch so you are not hardening a system that is already vulnerable.
apt update && apt upgrade -y
Reboot if the kernel was updated:
reboot
Step 2: Create a Non-Root Sudo User
Running everything as root is dangerous — one mistake can destroy the whole system. Create a regular user and grant it sudo privileges instead.
- Create the new user (replace yourname with your chosen username):
  adduser yourname
- Add the user to the sudo group:
  usermod -aG sudo yourname
- Switch to the new user to confirm it works:
  su - yourname
  sudo whoami
  You should see root printed back, confirming sudo access.
Step 3: Set Up SSH Key Authentication and Disable Password Login
SSH keys are far stronger than passwords. Once keys are in place, you will disable password-based logins entirely.
- On your local computer, generate an SSH key pair if you do not already have one:
  ssh-keygen -t ed25519 -C "yourname@example.com"
  Accept the default path (~/.ssh/id_ed25519) and set a passphrase.
- Copy your public key to the VPS (replace YOUR_VPS_IP):
  ssh-copy-id yourname@YOUR_VPS_IP
  If ssh-copy-id is unavailable, manually append the contents of ~/.ssh/id_ed25519.pub to /home/yourname/.ssh/authorized_keys on the VPS.
- Test the key login now — open a new terminal and confirm you can log in with your key before continuing:
  ssh yourname@YOUR_VPS_IP
- Once confirmed, edit the SSH daemon configuration:
  sudo nano /etc/ssh/sshd_config
- Find and set (or add) these lines:
  PasswordAuthentication no
  PermitRootLogin no
  PubkeyAuthentication yes
- Save the file (Ctrl+O, then Ctrl+X) and reload SSH:
  sudo systemctl reload ssh
Warning: Do not close your existing SSH session until you have verified that a brand-new session can log in successfully with the key. If you are locked out, open the VPS console from cloud.momo.tz to fix the configuration.
Step 4: Change the Default SSH Port
Changing the SSH port from 22 to a non-standard port stops the majority of automated scanners.
- Open /etc/ssh/sshd_config again:
  sudo nano /etc/ssh/sshd_config
- Find the line #Port 22, uncomment it, and change the number (choose something between 1024 and 65535, for example 2222):
  Port 2222
- Reload the SSH service:
  sudo systemctl reload ssh
- Open a new terminal and verify you can connect on the new port before closing your current session:
  ssh -p 2222 yourname@YOUR_VPS_IP
Tip: Remember the new port number — you will need it for all future SSH connections and for the firewall rule in the next step.
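Steps 3 and 4 edit a single file, but sshd keeps the first value it reads for each keyword, and the stock Debian and Ubuntu sshd_config includes /etc/ssh/sshd_config.d/*.conf near the top, so a drop-in file there can override your edits. The shell check below is an added example, not part of the original article; it reads the effective settings printed by sshd -T, and audit_sshd and the constructed sample_* inputs are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the original article). audit_sshd and the two
# sample_* functions are hypothetical names; the sample text is constructed.
# audit_sshd reads `sshd -T` output (lowercase "keyword value" lines) on
# stdin and fails unless the settings from Steps 3 and 4 are in effect.
audit_sshd() {
    awk -v want_port="$1" '
        BEGIN {
            want["passwordauthentication"] = "no"
            want["permitrootlogin"]        = "no"
            want["pubkeyauthentication"]   = "yes"
        }
        { key = tolower($1); val = tolower($2) }
        (key in want)   { seen[key] = val }
        (key == "port") { ports[val] = 1 }
        END {
            bad = 0
            for (k in want) {
                if (!(k in seen)) {
                    print "MISSING " k; bad++
                } else if (seen[k] != want[k]) {
                    print "FAIL " k "=" seen[k] " (want " want[k] ")"; bad++
                }
            }
            if (!(want_port in ports)) { print "FAIL port " want_port " not configured"; bad++ }
            if (want_port != "22" && ("22" in ports)) { print "FAIL port 22 still configured"; bad++ }
            exit (bad > 0)
        }'
}

# Constructed sample: the effective config after both steps took hold.
sample_hardened() {
    printf '%s\n' 'port 2222' 'permitrootlogin no' \
        'pubkeyauthentication yes' 'passwordauthentication no'
}

# Constructed sample: a drop-in file still forces password logins on.
sample_overridden() {
    printf '%s\n' 'port 2222' 'permitrootlogin no' \
        'pubkeyauthentication yes' 'passwordauthentication yes'
}

# On the VPS you would run:  sudo sshd -T | audit_sshd 2222
sample_hardened   | audit_sshd 2222 && echo "hardened sample: OK"
sample_overridden | audit_sshd 2222 || echo "overridden sample: do not log out yet"
```

If the check reports a FAIL on the VPS, look for the same keyword in the files under /etc/ssh/sshd_config.d/ before closing your working session.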
Step 5: Configure UFW Firewall
UFW (Uncomplicated Firewall) is included with Ubuntu and available on Debian. It blocks all inbound traffic except what you explicitly allow.
- Allow your new SSH port first — doing this before enabling UFW prevents an immediate lockout:
  sudo ufw allow 2222/tcp
- Allow HTTP and HTTPS for web traffic:
  sudo ufw allow 80/tcp
  sudo ufw allow 443/tcp
- Enable the firewall:
  sudo ufw enable
- Verify the active rules:
  sudo ufw status verbose
Warning: Always add the rule for your SSH port before running ufw enable. Enabling UFW without allowing SSH will lock you out immediately. Use the cloud.momo.tz console to recover if this happens.
Step 6: Install and Configure Fail2ban
Fail2ban monitors log files and automatically bans IP addresses that show repeated failed login attempts, providing real-time brute-force protection.
- Install Fail2ban:
  sudo apt install fail2ban -y
- Create a local configuration file (always edit the local copy, not the default):
  sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  sudo nano /etc/fail2ban/jail.local
- Find the [sshd] section and update it to match your SSH port:
  [sshd]
  enabled = true
  port = 2222
  maxretry = 5
  bantime = 3600
  findtime = 600
  This bans any IP that fails 5 logins within 10 minutes for 1 hour.
- Start and enable Fail2ban:
  sudo systemctl enable fail2ban
  sudo systemctl start fail2ban
- Check active bans and status:
  sudo fail2ban-client status sshd
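To see how maxretry and findtime interact, the following added example (not part of the original article and not Fail2ban's own code) applies the same thresholds to a constructed auth log. jail_hits and sample_auth_log are hypothetical names, and ban expiry (bantime) and Fail2ban's real filter patterns are not modelled.

```shell
#!/bin/sh
# Added example (not from the original article, and not Fail2ban's code).
# jail_hits and sample_auth_log are hypothetical names; the log is constructed.
# Simplified model of maxretry/findtime: counts "Failed password" lines per
# source IP in a sliding window. Assumes time-ordered lines from one day.
jail_hits() {
    awk -v maxretry="${1:-5}" -v findtime="${2:-600}" '
        /sshd\[[0-9]+\]: Failed password/ {
            split($3, hms, ":")
            now = hms[1] * 3600 + hms[2] * 60 + hms[3]
            ip = ""
            for (i = 6; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "" || (ip in banned)) next
            n = ++count[ip]
            seen[ip, n] = now
            # Walk back through the failures of this IP that fall inside findtime.
            recent = 0
            for (j = n; j >= 1 && now - seen[ip, j] <= findtime; j--) recent++
            if (recent >= maxretry) { banned[ip] = 1; print ip, $3 }
        }'
}

# Constructed log: 203.0.113.7 fails 5 times in 21 seconds; 198.51.100.9
# fails 5 times too, but spread over 12 minutes (never 5 inside 600 s).
sample_auth_log() {
    cat <<'EOF'
Mar  3 10:00:00 vps sshd[810]: Failed password for invalid user admin from 198.51.100.9 port 51000 ssh2
Mar  3 10:00:05 vps sshd[811]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar  3 10:00:09 vps sshd[811]: Failed password for root from 203.0.113.7 port 40002 ssh2
Mar  3 10:00:14 vps sshd[811]: Failed password for root from 203.0.113.7 port 40003 ssh2
Mar  3 10:00:20 vps sshd[812]: Failed password for root from 203.0.113.7 port 40004 ssh2
Mar  3 10:00:26 vps sshd[812]: Failed password for root from 203.0.113.7 port 40005 ssh2
Mar  3 10:03:00 vps sshd[813]: Failed password for invalid user admin from 198.51.100.9 port 51001 ssh2
Mar  3 10:06:00 vps sshd[814]: Failed password for invalid user admin from 198.51.100.9 port 51002 ssh2
Mar  3 10:09:00 vps sshd[815]: Failed password for invalid user admin from 198.51.100.9 port 51003 ssh2
Mar  3 10:12:00 vps sshd[816]: Failed password for invalid user admin from 198.51.100.9 port 51004 ssh2
EOF
}

# With the article's settings only the fast source crosses the threshold.
sample_auth_log | jail_hits 5 600
```

Lowering maxretry to 4 also catches the slower source, which shows why a patient client can stay under a 5-in-10-minutes threshold.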
Step 7: Enable Automatic Security Updates
Critical patches should be applied without delay. The unattended-upgrades package handles this automatically.
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades
Select Yes when prompted to automatically download and install stable updates.
Hardening Summary Table
| Task | Command / File | Purpose |
|---|---|---|
| Update packages | apt update && apt upgrade | Patch known vulnerabilities before anything else |
| Non-root sudo user | adduser, usermod -aG sudo | Limits blast radius of mistakes or compromises |
| SSH key auth | ~/.ssh/authorized_keys | Cryptographically stronger than any password |
| Disable password & root login | /etc/ssh/sshd_config | Eliminates the most common attack vectors |
| Change SSH port | Port 2222 in sshd_config | Removes server from automated scanners targeting port 22 |
| UFW firewall | ufw allow, ufw enable | Blocks all traffic except allowed ports |
| Fail2ban | apt install fail2ban | Bans IPs after repeated failed login attempts |
| Auto security updates | unattended-upgrades | Keeps system patched without manual intervention |
Troubleshooting
Locked Out of Your VPS
If you can no longer SSH in, log in to cloud.momo.tz, navigate to your VPS, and open the Console. From the web console you have full root access regardless of SSH or firewall settings. From there you can fix your sshd_config, adjust UFW rules with ufw allow, or remove an accidental Fail2ban ban with fail2ban-client unban YOUR_IP.
Firewall Blocked a Required Port
Check active rules with sudo ufw status numbered. Remove a wrong rule by its number with sudo ufw delete NUMBER, then add the correct rule. Always test connectivity from a second terminal before closing the current session.
Fail2ban Banned Your Own IP
Unban yourself from the VPS console or an alternative IP: sudo fail2ban-client unban YOUR_IP. Consider adding a trusted IP to the ignoreip line in /etc/fail2ban/jail.local to prevent accidental self-bans.
Consider Managed VPS
If you prefer not to handle server hardening yourself, Momo Cloud offers a Managed VPS option where our team applies security configurations, monitors your server, and handles patching on your behalf. Contact support via cloud.momo.tz for details.
You Are Now Significantly More Secure
With package updates applied, a non-root user in place, SSH keys enforced, password and root login disabled, a non-standard SSH port set, UFW restricting inbound traffic, Fail2ban blocking brute-force attempts, and automatic security updates running in the background, your Momo Cloud VPS is well-hardened against the most common internet threats. Revisit these settings periodically, audit your open ports, and keep your local SSH private key safe — it is now the key to your server.