Setting up your own cloud server is a rite of passage for software engineers and systems administrators. While platforms like Netlify, Vercel, and Heroku offer simple one-click deployments, configuring your own Virtual Private Server (VPS) grants you complete control over your operating system, software dependencies, firewall settings, and server resources. In this comprehensive, step-by-step tutorial, we will guide you through spinning up a Linux VPS, securing it against cyber threats, installing an Nginx web server, and configuring a custom domain with a free Let's Encrypt SSL certificate.
Table of Contents
- What You'll Need
- Step 1: Spin Up Your VPS
- Step 2: Connect via SSH
- Step 3: Create a Non-Root User
- Step 4: Set Up SSH Key Authentication (and Disable Password Login)
- Step 5: Configure the Firewall
- Step 6: Install a Web Server (Nginx)
- Step 7: Point Your Domain to the Server
- Step 8: Configure Your Server Block (Virtual Host)
- Step 9: Secure It with a Free SSL Certificate (HTTPS)
- Step 10: Harden the Server Further
- VPS Hardening & Nginx Command Matrix
What You'll Need
Before starting, make sure you have the following prerequisites ready:
- A VPS Provider Account: DigitalOcean, Linode (Akamai), Vultr, Hetzner, or AWS Lightsail all work great for beginners.
- A Domain Name: A custom domain name (e.g., yourdomain.com) that you can point to your server's IP address.
- Basic CLI Comfort: Basic familiarity with the command line (don't worry, we'll explain each command).
- An SSH Client: Built into macOS/Linux terminals. Windows users can use the modern Windows Terminal or PuTTY.
Step 1: Spin Up Your VPS
A Virtual Private Server (VPS) is a virtual machine running on physical hardware located in a data center. It provides dedicated resources (CPU, RAM, SSD storage) and absolute root control over the operating system environment.
- Sign up with a VPS provider of your choice.
- Create a new instance/droplet and choose Ubuntu 22.04 LTS (or the latest LTS version, like Ubuntu 24.04 LTS). LTS versions are beginner-friendly and widely supported.
- Pick a plan. For a personal blog or small website, the cheapest tier (1 vCPU, 1GB RAM) is usually enough to start.
- Choose a datacenter region close to your target audience for lower latency.
- Add your public SSH key during setup if the provider allows it — this is significantly more secure than setting a root password.
- Launch the server and note down its public IP address.
Step 2: Connect via SSH
Once your VPS is online, open your terminal (macOS/Linux) or command line (Windows) and connect to it using the Secure Shell (SSH) protocol. Replace your_server_ip with your server's actual public IP address:
ssh root@your_server_ip
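If you set a password instead of using an SSH key during setup, you'll be prompted to enter it now. If you are connecting for the first time, SSH will show a host authenticity warning; if your provider's console displays the server's host key fingerprint, compare it, then accept by typing yes.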
Step 3: Create a Non-Root User
Running every command as the root user is risky: a single mistyped command can wipe critical operating system directories. Let's create a dedicated administrator user who can run privileged commands using sudo:
# Add a new user (replace yourusername with your chosen login name)
adduser yourusername
# Add the user to the sudo group to grant admin privileges
usermod -aG sudo yourusername
Test the new user account and verify its sudo privileges immediately:
# Switch to the new user environment
su - yourusername
# Test admin execution permission
sudo whoami
If the terminal returns root after asking for your user password, the privileges are configured correctly.
Step 4: Set Up SSH Key Authentication (and Disable Password Login)
Using passwords for server logins is a major security hazard because automated botnets scan the internet 24/7 attempting to brute-force admin password logins. Let's configure key-based authentication.
1. Generate an SSH Keypair on Your Local Computer
On your local machine, open a terminal window and run:
ssh-keygen -t ed25519 -C "your_email@example.com"
Press Enter to save to the default path (~/.ssh/id_ed25519) and enter an optional passphrase to encrypt the local file.
2. Copy the Public Key to Your Server
Push your public key credentials to your new user account on the server:
ssh-copy-id yourusername@your_server_ip
3. Edit the SSH Server Configuration
Log in to your VPS as your user and open the SSH daemon configuration file:
sudo nano /etc/ssh/sshd_config
Locate the following configuration keys and update them as follows:
PasswordAuthentication no
PermitRootLogin no
Save and exit (Ctrl+O, then Ctrl+X) and restart the SSH service to apply changes:
sudo systemctl restart ssh
Warning: Do not close your current active terminal session. Open a new window or tab and test logging in with ssh yourusername@your_server_ip to verify your SSH key works before closing the main window.
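sshd keeps the first value it reads for each keyword, and Ubuntu's sshd_config includes /etc/ssh/sshd_config.d/*.conf near the top, so a drop-in file there can override the two lines edited above. The following added example (not part of the original guide) audits the effective settings as printed by `sudo sshd -T`; the function name, the extra pubkeyauthentication check and both sample outputs are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example: check the effective sshd settings, not just the file you edited.

# Reads `sshd -T` output ("keyword value" per line) on stdin.
# Returns 0 only if every expected keyword is present with the expected value.
audit_sshd() {
    awk '
        BEGIN {
            want["passwordauthentication"] = "no"    # from Step 4
            want["permitrootlogin"]        = "no"    # from Step 4
            want["pubkeyauthentication"]   = "yes"   # assumption of this example
        }
        { key = tolower($1) }
        (key in want) {
            seen[key] = 1
            if (tolower($2) == want[key]) { print "ok   " key " " $2; next }
            print "FAIL " key " is " $2 ", expected " want[key]
            bad++
        }
        END {
            for (k in want) if (!(k in seen)) { print "FAIL " k " not reported"; bad++ }
            exit (bad > 0)
        }
    '
}

# Constructed sample: a drop-in still enables passwords despite the edit.
sample_overridden='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes'

# Constructed sample: the state Step 4 is aiming for.
sample_hardened='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'

# On the server: sudo sshd -T | audit_sshd
printf '%s\n' "$sample_hardened"   | audit_sshd || echo "not hardened"
printf '%s\n' "$sample_overridden" | audit_sshd || echo "not hardened"
```

If the audit fails on the server, look for the overriding keyword with `grep -ri passwordauthentication /etc/ssh/sshd_config.d/` before restarting SSH again.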
Step 5: Configure the Firewall
Ubuntu uses `ufw` (Uncomplicated Firewall). It is inactive by default, so all incoming ports are open. Let's restrict incoming connections so that the server only accepts traffic for SSH (port 22) and the Nginx web server ports (HTTP port 80, HTTPS port 443):
# Allow incoming SSH connections
sudo ufw allow OpenSSH
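# Allow HTTP and HTTPS traffic
# (the 'Nginx Full' profile is registered by the nginx package; if ufw
# reports that it cannot find the profile, run this command again after Step 6)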
sudo ufw allow 'Nginx Full'
# Enable the firewall rules
sudo ufw enable
Type y to confirm. UFW will now block all incoming ports except those explicitly allowed.
Step 6: Install a Web Server (Nginx)
Nginx is a fast, highly-scalable web server. Install Nginx using Ubuntu's package manager:
sudo apt update
sudo apt install nginx -y
Once installed, enter your server's IP address (http://your_server_ip) in any web browser. You should see Nginx's default welcome page, verifying that the web server is live!
Step 7: Point Your Domain to the Server
To point your custom domain name to the VPS, log in to your domain registrar dashboard (Namecheap, GoDaddy, Cloudflare, etc.) and add the following records to your domain's DNS settings:
| Record Type | Host/Name | Value/Points To | TTL |
|---|---|---|---|
| A | @ | your_server_ip | Automatic / 3600 |
| A | www | your_server_ip | Automatic / 3600 |
Note: DNS updates can take a few minutes to hours to propagate globally.
Step 8: Configure Your Server Block (Virtual Host)
Nginx uses "Server Blocks" (similar to Apache Virtual Hosts) to serve multiple websites from the same VPS. Let's create a server block configuration for your domain:
sudo nano /etc/nginx/sites-available/yourdomain.com
Add the following basic server block configuration (replace yourdomain.com with your actual domain):
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    root /var/www/yourdomain.com/html;
    index index.html index.htm;
    location / {
        try_files $uri $uri/ =404;
    }
}
Next, create the document root directory and add a test index file:
# Create directory structure
sudo mkdir -p /var/www/yourdomain.com/html
# Grant ownership permissions to your user
sudo chown -R $USER:$USER /var/www/yourdomain.com/html
# Write a basic testing HTML webpage
echo "It works!" | sudo tee /var/www/yourdomain.com/html/index.html
Enable the site configuration by linking it to Nginx's active configurations, test it, and restart the server:
# Symlink to sites-enabled
sudo ln -s /etc/nginx/sites-available/yourdomain.com /etc/nginx/sites-enabled/
# Test Nginx syntax configuration
sudo nginx -t
# Restart Nginx to apply the new configuration
sudo systemctl restart nginx
Open http://yourdomain.com in a web browser. Your test page should load successfully.
Step 9: Secure It with a Free SSL Certificate (HTTPS)
Running websites over plaintext HTTP is insecure. We will use Let's Encrypt via Certbot to configure a free, trusted SSL certificate that enables secure HTTPS communication:
# Install Certbot and its Nginx plugin
sudo apt install certbot python3-certbot-nginx -y
# Request and configure the SSL certificate
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
Follow the prompts (enter your email for renewals, agree to terms, and select the option to automatically redirect HTTP traffic to HTTPS).
Once complete, your site will load securely over https://yourdomain.com!
To verify the automatic certificate renewal scheduler works, run a test renewal:
sudo certbot renew --dry-run
Step 10: Harden the Server Further
A few additional steps go a long way in ensuring your VPS stays secure and performs reliably:
- Install Fail2ban: Protects SSH ports against dictionary and brute-force attacks by monitoring authorization logs and temporarily blocking offending IPs:
sudo apt install fail2ban -y
- Enable Automatic Security Updates: Use the unattended-upgrades package to download and apply security patches automatically:
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades
Select "Yes" in the interactive terminal screen to enable auto-patching.
- Disable Unused Services: Reduce your server's attack surface by stopping services you do not need (e.g. print services, mail services).
- Set Up Regular Backups: Enable automated backups or schedule snapshots through your hosting provider's backup panel.
- Monitor Server Logs: Review authentication logs and server errors periodically to identify potential issues:
  - SSH Authentication logs: /var/log/auth.log
  - Nginx Error logs: /var/log/nginx/error.log
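For the log review suggested above, this added example (not part of the original guide) counts failed SSH password attempts per source IP in auth.log-style input and flags any login that succeeded with a password, which should never happen once Step 4 is in place. The function names, the default threshold and the sample log lines are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example: summarise SSH login activity from auth.log-style input.

# Count "Failed password" events per source IP; print "count ip" for every
# IP at or above the threshold (default 5), busiest first.
failed_ssh_by_ip() {
    awk -v min="${1:-5}" '
        /sshd[^ ]*: Failed password for / {
            # Scan from the right: the username is remote-supplied text,
            # the trailing "from <ip> port <n> ssh2" is written by sshd.
            for (i = NF - 1; i >= 1; i--)
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# After Step 4 no login should succeed with a password; print any that did.
password_logins() {
    grep -E 'sshd[^ ]*: Accepted password for ' || true
}

# Constructed sample log (documentation-range IPs, both timestamp styles).
sample_auth_log() {
    cat <<'EOF'
Jan 10 03:14:07 vps sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 10 03:14:09 vps sshd[1234]: Failed password for root from 203.0.113.7 port 51236 ssh2
2025-01-10T03:14:11.120394+00:00 vps sshd[1234]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jan 10 03:14:13 vps sshd[1240]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Jan 10 03:20:41 vps sshd[1302]: Failed password for root from 198.51.100.23 port 40022 ssh2
Jan 10 08:02:15 vps sshd[1410]: Accepted publickey for yourusername from 192.0.2.10 port 50000 ssh2
Jan 10 09:30:02 vps sshd[1502]: Accepted password for yourusername from 192.0.2.44 port 50144 ssh2
EOF
}

# On the server: sudo cat /var/log/auth.log | failed_ssh_by_ip 5
sample_auth_log | failed_ssh_by_ip 3
sample_auth_log | password_logins
```

Any output from password_logins on a server configured as in Step 4 means the effective SSH configuration still allows passwords and should be rechecked.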
VPS Hardening & Nginx Command Matrix
Here is a quick-reference cheat sheet for managing your secure VPS and Nginx environments:
| Area | Terminal Command | Usage Explanation |
|---|---|---|
| SSH / Access | ssh-keygen -t ed25519 | Generates a secure cryptographic key pair locally. |
| | ssh-copy-id -i [key] [user]@[ip] | Pushes public key authorization details to the remote host. |
| Firewall / Hardening | sudo ufw enable | Activates default UFW network filtering rules. |
| | sudo ufw allow 'Nginx Full' | Allows incoming traffic on Port 80 (HTTP) and Port 443 (HTTPS). |
| | sudo fail2ban-client status | Lists the active fail2ban jails (add a jail name to see its currently banned IPs). |
| Nginx Management | sudo nginx -t | Tests configuration files for syntactical correctness before reload. |
| | sudo systemctl reload nginx | Applies configuration changes without dropping active server connections. |
| | tail -f /var/log/nginx/error.log | Streams Nginx error logs in real time (vital for debugging routing errors). |
| SSL Setup | sudo certbot --nginx | Starts the Let's Encrypt SSL certificate provisioning workflow. |
| | sudo certbot renew --dry-run | Simulates certificate auto-renewal cron jobs to verify updates work. |
Conclusion
By completing this guide, you have successfully transformed a raw Linux instance into a hardened, secure web server hosting environment. You have disabled insecure logins, configured a network-level firewall, installed Nginx, and secured it all with a professional-grade SSL certificate. The deployment foundation you have constructed can comfortably handle staging, development, or high-performance production workloads.
What applications are you currently planning to deploy on your new VPS? Are you using Nginx as a static file server or a reverse proxy? Let us know in the comments section below!

