Set up and secure a Debian vServer: a beginner's step-by-step guide (Part 1 of 3)
Series „Your own server – from zero to secure" · 3 parts:
- Set up & secure a Debian vServer ← You are here
- Install & configure Froxlor
- Set up email correctly: SPF, DKIM & DMARC
This is Part 1. It brings your freshly rented server to a secure baseline. On this server we install the management panel Froxlor in Part 2 and set up email in Part 3.

Contents
- Prerequisites
- Step 1: Connect to the server via SSH
- Step 2: Update the system
- Step 3: Set hostname, time zone and language
- Step 4: Create a user with sudo rights
- Step 5: Secure SSH (disable root login, key login)
- Step 6: Set up the firewall (ufw)
- Step 7: Brute-force protection with Fail2ban
- Step 8: Automatic security updates
- Checklist: is your server secure?
- Frequently asked questions (FAQ)
- What's next?
- Sources
You just rented a vServer (VPS) and wondered: „Now what?" That's exactly where we start. This guide is written for absolute beginners. We explain in plain words what we do and why – and you can simply copy and paste every command. In the end you'll have an up-to-date server protected against the most common attacks.
We use Debian 12 (Bookworm), one of the most popular and stable server operating systems. If you use Ubuntu, almost all commands are identical.
Important: In all commands, replace the placeholders with your real values –
SERVER-IPwith your server's IP address (it's in your provider's confirmation email) andusernamewith a name of your choice.
Prerequisites
- A rented vServer/VPS with Debian 12. If you don't have one yet, providers include IONOS, Hetzner or webtropia.
- The IP address and the root password of your server (received from the provider by email).
- A terminal on your own computer: on macOS and Linux it's preinstalled („Terminal"), on Windows use PowerShell (preinstalled) or PuTTY.
That's all you need. Let's go.
Step 1: Connect to the server via SSH
„SSH" is an encrypted remote connection to your server – you type commands on your computer, they run on the server. Open your terminal and connect as the user root:
ssh root@SERVER-IP
The first time, you'll be asked whether you trust the server – type yes and press Enter. Then enter the root password (the input is invisible, that's normal). Once connected, the line looks something like:
root@your-server:~#
Congratulations – you're in. (A detailed introduction to SSH is in the Debian Wiki.)
Step 2: Update the system
A freshly installed server often contains outdated packages with known security holes. The very first step is therefore always: update everything. This command downloads the list of available updates, installs them, removes packages no longer needed and cleans up:
apt update && apt full-upgrade -y && apt autoremove -y && apt clean
This can take a few minutes. If a notice appears that a reboot is needed, restart the server:
reboot
After the reboot you'll be briefly disconnected. Wait ~30 seconds and reconnect with ssh root@SERVER-IP.
Step 3: Set hostname, time zone and language
So that logs have correct timestamps and the server has a clean name, we configure three small things.
Hostname (a name for your server, e.g. web01):
hostnamectl set-hostname web01
Set the time zone (here: Germany; adjust to yours):
timedatectl set-timezone Europe/Berlin
Install the language packs (locales) and generate UTF-8:
apt install -y locales
sed -i 's/# en_US.UTF-8/en_US.UTF-8/' /etc/locale.gen
locale-gen
Check the result with:
timedatectl
It should show „Time zone: Europe/Berlin".
Step 4: Create a user with sudo rights
Working permanently as root is dangerous – a single typo can damage the whole system. Better: a normal user who only gets administrator rights when needed, by prefixing the word sudo.
Create the user (replace username) and set a strong password when asked:
adduser username
You can skip the further questions (name, phone …) with Enter. Now give the user sudo rights:
usermod -aG sudo username
Test it before you continue. Open a second terminal window and log in with the new user:
ssh username@SERVER-IP
Check whether sudo works:
sudo whoami
If root appears after entering the password, all is correct. Leave this second window open – we need it as a safety net in the next step.
Step 5: Secure SSH (disable root login, key login)
Now we make remote access much safer. Two measures: login via SSH key instead of password and no direct root login anymore.
Caution – risk of lockout: In this step we change SSH access. Be sure to leave the working window from Step 4 open. That's how you get back in if something goes wrong.
Windows note – do I need PuTTY and Pageant? Not necessarily. Windows 10/11 already includes OpenSSH, so the following commands (
ssh-keygen,ssh) work directly in PowerShell – just like on macOS/Linux. If you prefer the PuTTY tools (or have an older Windows), do this:
>
1. Generate the key with PuTTYgen: set „Type of key" to EdDSA → Ed25519, click Generate, move the mouse. Save the private key as
.ppk; copy the displayed public key (field „Public key for pasting…") to the clipboard. 2. Add the public key on the server to your user's~/.ssh/authorized_keysfile (one line). 3. Load the private key with Pageant (the PuTTY key agent) – so you don't have to select it on every connection. 4. Connect with PuTTY (host:username@SERVER-IP).
>
PuTTYgen and Pageant are part of the PuTTY package: putty.org. Both are functionally equivalent – below we stick with the built-in OpenSSH because it needs fewer steps.
5.1 Generate a key on your own computer. Run this command in a terminal on your PC (not on the server) and confirm the questions with Enter:
ssh-keygen -t ed25519 -C "my-server"
5.2 Copy the public key to the server (also from your PC):
ssh-copy-id username@SERVER-IP
On Windows without ssh-copy-id, use instead:
type $env:USERPROFILE\.ssh\id_ed25519.pub | ssh username@SERVER-IP "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
5.3 Test: Log in again – now no password should be requested:
ssh username@SERVER-IP
5.4 Disable password login and root login. On the server, edit the SSH configuration with the nano editor:
sudo nano /etc/ssh/sshd_config
Find the following lines (or add them) and set them exactly like this:
PermitRootLogin no
PasswordAuthentication no
Save with Ctrl+O, Enter, close with Ctrl+X. Then reload the SSH service:
sudo systemctl restart ssh
Important: Do not close your current window yet. Open a new one and test that login as username still works – and that ssh root@SERVER-IP is now rejected. Only then is the step done. Background in the Debian Wiki on SSH.
Step 6: Set up the firewall (ufw)
A firewall blocks all network ports except the few you really need. We use ufw („Uncomplicated Firewall") – simple and beginner-friendly.
Install and set the basic rules (block all incoming, allow outgoing):
sudo apt install -y ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
Allow SSH access before enabling – otherwise you lock yourself out:
sudo ufw allow OpenSSH
For the later web server (Froxlor in Part 2) we also open web ports:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Now enable the firewall and check the status:
sudo ufw enable
sudo ufw status verbose
Confirm the prompt with y. In the status list only SSH (22), 80 and 443 should appear as allowed. Details on ufw are in the Ubuntu Server Guide.
Step 7: Brute-force protection with Fail2ban
Attackers automatically try thousands of passwords. Fail2ban detects too many failed attempts and temporarily blocks the attacking IP address. Install and enable:
sudo apt install -y fail2ban
sudo systemctl enable --now fail2ban
We create our own configuration so updates don't overwrite it:
sudo nano /etc/fail2ban/jail.local
Paste the following content (blocks an IP after 5 failed attempts for 1 hour):
[sshd]
enabled = true
maxretry = 5
bantime = 1h
findtime = 10m
Save (Ctrl+O, Enter, Ctrl+X) and restart the service:
sudo systemctl restart fail2ban
You can check the status anytime with:
sudo fail2ban-client status sshd
Step 8: Automatic security updates
Security holes are discovered constantly. So your server installs important patches automatically, we set up unattended-upgrades:
sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
Choose „Yes" in the prompt. That's it – from now on the server installs security updates on its own. More on this in the Debian Wiki on UnattendedUpgrades.
Checklist: is your server secure?
Before continuing, briefly go through:
- [ ] System is up to date (
apt update && apt full-upgrade) - [ ] Hostname, time zone and locale set
- [ ] Own user with
sudorights works - [ ] Login via SSH key works, password login is off
- [ ]
ssh root@SERVER-IPis rejected - [ ] Firewall (ufw) active, only 22/80/443 open
- [ ] Fail2ban is running
- [ ] Automatic security updates active
Frequently asked questions (FAQ)
I locked myself out – what now? Almost every provider offers a „VNC" or „console" function in the customer area, which lets you log in directly even without SSH and undo settings.
Do I have to use SSH keys or is a password enough? Keys are much safer and strongly recommended. If you absolutely want to stick with a password, leave PasswordAuthentication on yes – but then use a very long password and definitely Fail2ban.
Does this also work on Ubuntu? Yes, almost identically. Only on very old versions can individual package names differ.
Do I need prior Linux knowledge? No. If you copy the commands and replace the placeholders, you'll get through. A bit of patience the first time helps.
What's next?
Your server is now secure. In the next part we install Froxlor, a free management panel with which you conveniently manage domains, websites, SSL certificates and databases through a web interface – without the console:
👉 Part 2: Install & configure Froxlor
And in Part 3: Set up email correctly: SPF, DKIM & DMARC we make sure your emails are delivered safely.
By the way: if you'd rather have software developed or need custom server/web solutions, PepperTools is happy to help.
Sources
- Debian 12 (Bookworm) – official page
- Debian Wiki: SSH
- Debian Wiki: UnattendedUpgrades
- Ubuntu Server Guide: Firewalls (ufw)
- Fail2ban (official project)
As of June 2026. Commands and package names can change with new versions – the respective official documentation is authoritative.
Handle invoices more easily
Easy Invoice combines quotes, invoices and customer management in the cloud.
Try Easy Invoice