How to Deploy a Linux VPS & Configure a Secure Web Server: A Step-by-Step Guide

Setting up your own cloud server is a rite of passage for software engineers and systems administrators. While platforms like Netlify, Vercel, and Heroku offer simple one-click deployments, configuring your own Virtual Private Server (VPS) grants you complete control over your operating system, software dependencies, firewall settings, and server resources. In this comprehensive, step-by-step tutorial, we will guide you through spinning up a Linux VPS, securing it against cyber threats, installing an Nginx web server, and configuring a custom domain with a free Let's Encrypt SSL certificate.


What You'll Need

Before starting, make sure you have the following prerequisites ready:

  • A VPS Provider Account: DigitalOcean, Linode (Akamai), Vultr, Hetzner, or AWS Lightsail all work great for beginners.
  • A Domain Name: A custom domain name (e.g., yourdomain.com) that you can point to your server's IP address.
  • Basic CLI Comfort: Basic familiarity with the command line (don't worry, we'll explain each command).
  • An SSH Client: Built into macOS/Linux terminals. Windows users can use the modern Windows Terminal or PuTTY.

Step 1: Spin Up Your VPS

A Virtual Private Server (VPS) is a virtual machine running on physical hardware located in a data center. It provides dedicated resources (CPU, RAM, SSD storage) and absolute root control over the operating system environment.

  1. Sign up with a VPS provider of your choice.
  2. Create a new instance/droplet and choose Ubuntu 22.04 LTS (or the latest LTS version, like Ubuntu 24.04 LTS). LTS versions are beginner-friendly and widely supported.
  3. Pick a plan. For a personal blog or small website, the cheapest tier (1 vCPU, 1GB RAM) is usually enough to start.
  4. Choose a datacenter region close to your target audience for lower latency.
  5. Add your public SSH key during setup if the provider allows it — this is significantly more secure than setting a root password.
  6. Launch the server and note down its public IP address.

Step 2: Connect via SSH

Once your VPS is online, open your terminal (macOS/Linux) or command line (Windows) and connect to it using the Secure Shell (SSH) protocol. Replace your_server_ip with your server's actual public IP address:

ssh root@your_server_ip

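If you set a password instead of using an SSH key during setup, you'll be prompted to enter it now. The first time you connect, SSH shows an authenticity warning for the server's host key; type yes to accept it, which stores the key in ~/.ssh/known_hosts so that later connections can detect if it changes.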


Step 3: Create a Non-Root User

Running every command as root is highly risky. A single mistyped command can accidentally wipe critical operating system directories. Let's create a dedicated administrator user that runs administrative commands through sudo:

# Add a new user (replace yourusername with your chosen login name)
adduser yourusername

# Add the user to the sudo group to grant admin privileges
usermod -aG sudo yourusername

Test the new user account and verify its sudo privileges immediately:

# Switch to the new user environment
su - yourusername

# Test admin execution permission
sudo whoami

If the terminal returns root after asking for your user password, the privileges are configured correctly.


Step 4: Set Up SSH Key Authentication (and Disable Password Login)

Using passwords for server logins is a major security hazard because automated botnets scan the internet 24/7 attempting to brute-force admin password logins. Let's configure key-based authentication.

1. Generate an SSH Keypair on Your Local Computer

On your local machine, open a terminal window and run:

ssh-keygen -t ed25519 -C "your_email@example.com"

Press Enter to save to the default path (~/.ssh/id_ed25519) and enter an optional passphrase to encrypt the private key file on your local machine.

2. Copy the Public Key to Your Server

Push your public key credentials to your new user account on the server:

ssh-copy-id yourusername@your_server_ip

3. Edit the SSH Server Configurations

Log in to your VPS as your user and open the SSH daemon configuration file:

sudo nano /etc/ssh/sshd_config

Locate the following configuration keys and update them as follows:

PasswordAuthentication no
PermitRootLogin no

Save and exit (Ctrl+O, then Ctrl+X) and restart the SSH service to apply changes:

sudo systemctl restart ssh

Warning: Do not close your current active terminal session. Open a new window or tab and test logging in with ssh yourusername@your_server_ip to verify your SSH key works before closing the main window.
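
On Ubuntu, /etc/ssh/sshd_config includes /etc/ssh/sshd_config.d/*.conf at the top and sshd keeps the first value it reads for each keyword, so a drop-in there (some cloud images ship one) can override the edit above. The following is an added example, not part of the original guide, that resolves the two Step 4 settings across files in read order; the function names and the sample config tree are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: emulates sshd's "first value obtained wins" rule for global
# keywords across config files listed in the order sshd reads them.

# effective_value KEYWORD FILE... -> prints "<value> <file that set it>"
effective_value() {
    local key="$1"; shift
    awk -v key="$key" '
        BEGIN { key = tolower(key) }            # keywords are case-insensitive
        FNR == 1 { in_match = 0 }               # new file: back to global scope
        NF == 0 || $1 ~ /^#/ { next }           # skip blank lines and comments
        tolower($1) == "match" { in_match = 1 } # simplification: ignore the rest of a
        in_match { next }                       # file once a Match block starts
        tolower($1) == key { print tolower($2) " " FILENAME; exit }
    ' "$@"
}

# audit_sshd FILE... -> exit status 0 only if both Step 4 settings resolve to "no"
audit_sshd() {
    local rc=0 key val
    for key in PasswordAuthentication PermitRootLogin; do
        val=$(effective_value "$key" "$@")
        if [ "${val%% *}" = "no" ]; then
            echo "OK   $key -> $val"
        else
            echo "FAIL $key -> ${val:-unset (built-in default applies)}"
            rc=1
        fi
    done
    return "$rc"
}

# make_sample -> prints the path of a constructed config tree (not a real server's):
# the main file has the Step 4 edits, but a provider drop-in re-enables passwords.
make_sample() {
    local d; d=$(mktemp -d)
    mkdir "$d/sshd_config.d"
    printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' \
        'PasswordAuthentication no' 'PermitRootLogin no' > "$d/sshd_config"
    printf '%s\n' 'PasswordAuthentication yes' > "$d/sshd_config.d/50-cloud-init.conf"
    echo "$d"
}

sample=$(make_sample)
# Drop-ins first, because the Include line sits at the top of sshd_config.
audit_sshd "$sample"/sshd_config.d/*.conf "$sample/sshd_config" \
    || echo "=> password logins are still enabled despite the edit"
```

On the server itself, sudo sshd -t validates the configuration before the restart and sudo sshd -T prints the values sshd actually resolved.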


Step 5: Configure the Firewall

Ubuntu ships with ufw (Uncomplicated Firewall), but it is inactive by default, so all incoming ports are open. Let's restrict incoming connections so that the server only accepts traffic for SSH (port 22) and the Nginx web server ports (HTTP port 80, HTTPS port 443):

# Allow incoming SSH connections
sudo ufw allow OpenSSH

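# Allow HTTP and HTTPS traffic. The 'Nginx Full' profile is registered by the nginx
# package, so if ufw cannot find it yet, run this line after Step 6.
sudo ufw allow 'Nginx Full'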

# Enable the firewall rules
sudo ufw enable

Type y to confirm. UFW will now block all ports except those explicitly allowed.


Step 6: Install a Web Server (Nginx)

Nginx is a fast, highly scalable web server. Install Nginx using Ubuntu's package manager:

sudo apt update
sudo apt install nginx -y

Once installed, enter your server's IP address (http://your_server_ip) in any web browser. You should see Nginx's default welcome page, verifying that the web server is live!



Step 7: Point Your Domain to the Server

To point your custom domain name to the VPS, log in to your domain registrar dashboard (Namecheap, GoDaddy, Cloudflare, etc.) and add the following records to your domain's DNS settings:

Record Type | Host/Name | Value/Points To | TTL
A | @ | your_server_ip | Automatic / 3600
A | www | your_server_ip | Automatic / 3600

Note: DNS updates can take a few minutes to hours to propagate globally.


Step 8: Configure Your Server Block (Virtual Host)

Nginx uses "Server Blocks" (similar to Apache Virtual Hosts) to serve multiple websites from the same VPS. Let's create a server block configuration for your domain:

sudo nano /etc/nginx/sites-available/yourdomain.com

Add the following basic server block configuration (replace yourdomain.com with your actual domain):

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    root /var/www/yourdomain.com/html;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }
}

Next, create the document root directory and add a test index file:

# Create directory structure
sudo mkdir -p /var/www/yourdomain.com/html

# Grant ownership permissions to your user
sudo chown -R $USER:$USER /var/www/yourdomain.com/html

# Write a basic test HTML page
echo "<h1>It works!</h1>" | sudo tee /var/www/yourdomain.com/html/index.html

Enable the site configuration by linking it to Nginx's active configurations, test it, and restart the server:

# Symlink to sites-enabled
sudo ln -s /etc/nginx/sites-available/yourdomain.com /etc/nginx/sites-enabled/

# Test the Nginx configuration syntax
sudo nginx -t

# Restart Nginx to apply the new configuration
sudo systemctl restart nginx

Open http://yourdomain.com in a web browser. Your test page should load successfully.


Step 9: Secure It with a Free SSL Certificate (HTTPS)

Running websites over plaintext HTTP is insecure. We will use Let's Encrypt via Certbot to configure a free, trusted SSL certificate that enables secure HTTPS communication:

# Install Certbot and its Nginx plugin
sudo apt install certbot python3-certbot-nginx -y

# Request and configure the SSL certificate
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Follow the prompts (enter your email for renewals, agree to terms, and select the option to automatically redirect HTTP traffic to HTTPS). Once complete, your site will load securely over https://yourdomain.com!

To verify the automatic certificate renewal scheduler works, run a test renewal:

sudo certbot renew --dry-run

Step 10: Harden the Server Further

A few additional steps go a long way in ensuring your VPS stays secure and performs reliably:

  • Install Fail2ban: Protects SSH ports against dictionary and brute-force attacks by monitoring authorization logs and temporarily blocking offending IPs:
    sudo apt install fail2ban -y
  • Enable Automatic Security Updates: Use the unattended-upgrades package to download and apply security patches automatically:
    sudo apt install unattended-upgrades -y
    sudo dpkg-reconfigure --priority=low unattended-upgrades
    Select "Yes" in the interactive terminal screen to enable auto-patching.
  • Disable Unused Services: Reduce your server's attack surface by stopping services you do not need (e.g. print services, mail services).
  • Set Up Regular Backups: Enable automated backups or schedule snapshots through your hosting provider's backup panel.
  • Monitor Server Logs: Review authentication logs and server errors periodically to identify potential issues:
    • SSH Authentication logs: /var/log/auth.log
    • Nginx Error logs: /var/log/nginx/error.log
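
The kind of auth.log review recommended in the list above, as an added example that is not part of the original guide: it counts failed SSH attempts per source address and flags any successful password login, which should never appear once Step 4 is in effect. The function names and the sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: triage of sshd entries in an auth.log-style file.

# failed_by_ip FILE -> "COUNT IP" per source address, busiest first.
# Counts "Failed password" and "Invalid user" lines. The address is taken after
# the LAST "from", because the user name is attacker-chosen and may itself
# contain the word "from".
failed_by_ip() {
    awk '
        /sshd\[[0-9]+\]: (Failed password|Invalid user) / {
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip != "") hits[ip]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# password_logins FILE -> successful password logins; after Step 4 there should
# be none, so any output means PasswordAuthentication is still in effect.
password_logins() {
    grep -E 'sshd\[[0-9]+\]: Accepted password for ' "$1" || true
}

# make_sample_log -> path of a constructed log (documentation-range addresses)
make_sample_log() {
    local f; f=$(mktemp)
    cat > "$f" <<'EOF'
Mar 10 06:25:01 vps sshd[1001]: Invalid user admin from 203.0.113.5 port 52144
Mar 10 06:25:03 vps sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 52144 ssh2
Mar 10 06:25:09 vps sshd[1002]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar 10 06:25:12 vps sshd[1003]: Invalid user from from 203.0.113.5 port 52150
Mar 10 06:26:00 vps sshd[1004]: Accepted publickey for yourusername from 192.0.2.10 port 50000 ssh2
Mar 10 06:27:00 vps sshd[1005]: Accepted password for yourusername from 192.0.2.99 port 50001 ssh2
EOF
    echo "$f"
}

log=$(make_sample_log)
echo "Failed attempts per source:"; failed_by_ip "$log"
echo "Password logins (expected: none):"; password_logins "$log"
```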

VPS Hardening & Nginx Command Matrix

Here is a quick-reference cheat sheet for managing your secure VPS and Nginx environments:

Area | Terminal Command | Usage Explanation
SSH / Access | ssh-keygen -t ed25519 | Generates a secure cryptographic keypair locally.
SSH / Access | ssh-copy-id -i [key] [user]@[ip] | Pushes public key authorization details to the remote host.
Firewall / Hardening | sudo ufw enable | Activates UFW network filtering with the configured rules.
Firewall / Hardening | sudo ufw allow 'Nginx Full' | Allows incoming traffic on port 80 (HTTP) and port 443 (HTTPS).
Firewall / Hardening | sudo fail2ban-client status | Lists the active fail2ban jails; add a jail name to see its currently banned IPs.
Nginx Management | sudo nginx -t | Tests configuration files for syntax errors before a reload.
Nginx Management | sudo systemctl reload nginx | Applies configuration changes without dropping active server connections.
Nginx Management | tail -f /var/log/nginx/error.log | Streams Nginx error logs in real time (vital for debugging routing errors).
SSL Setup | sudo certbot --nginx | Starts the Let's Encrypt SSL certificate provisioning workflow.
SSL Setup | sudo certbot renew --dry-run | Simulates certificate renewal to verify that automatic renewal will work.



Conclusion

By completing this guide, you have turned a raw Linux instance into a hardened web server. You have disabled password and root SSH logins, configured a host firewall, installed Nginx, and secured the site with a trusted Let's Encrypt SSL certificate. This foundation is a sound base for staging, development, or production workloads.

What applications are you currently planning to deploy on your new VPS? Are you using Nginx as a static file server or a reverse proxy? Let us know in the comments section below!
