Bluehost Self-Managed VPS: How to Secure Your Server After Setup
The newly created Self-Managed VPS will be accessible online and will often be scanned by bots looking for an easy entry point. It is therefore imperative that, once the deployment process is complete, basic security hardening measures be put in place.
This article discusses the following:
Change the Root Password
Even if you received a password from your provider, set your own strong password immediately:
passwd
Example output:
Changing password for user root.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Create a New Admin User
It’s best practice to log in as a regular user with sudo privileges:
adduser myadmin
usermod -aG wheel myadmin # (RHEL-based: AlmaLinux, Rocky, CentOS Stream)
usermod -aG sudo myadmin # (Debian/Ubuntu)
Example output (adduser):
Adding user `myadmin' ...
Adding new group `myadmin' (1001) ...
Adding new user `myadmin' (1001) with group `myadmin' ...
Creating home directory `/home/myadmin' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for myadmin
Enter the new value, or press ENTER for the default
Full Name []: Admin User
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] Y
Example output (usermod):
[no output if successful]
Set Up Your Firewall
Enable and configure your firewall to allow only essential traffic (SSH, HTTP/HTTPS).
Using firewalld (AlmaLinux, Rocky, CentOS Stream, Fedora):
sudo systemctl enable --now firewalld
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
Example output:
success
success
success
success
success
Using ufw (Ubuntu, Debian):
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
Example output:
Rule added
Rule added (v6)
Rule added
Rule added (v6)
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
Update Your Operating System
Before you do anything else, install all available updates:
AlmaLinux, Rocky, CentOS Stream, Fedora:
sudo dnf update -y
Example output (truncated):
Dependencies resolved.
======================================================================
Package Arch Version Repository Size
======================================================================
Upgrading:
kernel x86_64 5.14.0-411... baseos 35 M
...
Complete!
Ubuntu, Debian:
sudo apt update && sudo apt upgrade -y
Example output (truncated):
Get:1 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Get:2 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
...
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
openssl
...
Disable Root SSH Login
Edit /etc/ssh/sshd_config and change (or uncomment) the PermitRootLogin line so that it reads:
PermitRootLogin no
Then restart SSH:
sudo systemctl restart sshd
Example output:
[no output if successful, prompt returns]
Note: Set up an admin user and test SSH access with it before disabling root login.
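A check for the edit above, as an added example that is not part of the original article: sshd uses the first value it reads for a keyword, so a PermitRootLogin no line that is still commented out, or that sits below an earlier PermitRootLogin yes, has no effect. The function names and the sample file are constructed for illustration, and Include files are not followed.

```shell
#!/bin/sh
# Added example: which value does sshd take for a keyword in one config file?

# effective_sshd_option FILE KEYWORD
# Prints the first uncommented value of KEYWORD in the global section of FILE.
# sshd keeps the first value it obtains for a keyword, so later duplicates are
# ignored. Prints nothing if the keyword is unset. Include files are not read.
effective_sshd_option() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }          # keywords are case-insensitive
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            match(line, /^[^ \t=]+/)            # keyword ends at space or "="
            key = tolower(substr(line, 1, RLENGTH))
            val = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)     # drop the separator
            sub(/[ \t\r]+$/, "", val)           # drop trailing whitespace
            if (key == "match") exit            # Match blocks are conditional
            if (key == want) { print val; exit }
        }
    ' "$1"
}

# Succeeds only when the file explicitly sets PermitRootLogin to "no".
root_login_disabled() {
    [ "$(effective_sshd_option "$1" PermitRootLogin)" = "no" ]
}

# Constructed sample (not from a real server): the edit was appended at the
# end, but an earlier uncommented "yes" is the line sshd actually uses.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication=no
PermitRootLogin no
EOF
if root_login_disabled "$sample"; then
    echo "root SSH login is disabled"
else
    echo "PermitRootLogin is '$(effective_sshd_option "$sample" PermitRootLogin)', not 'no'"
fi
rm -f "$sample"
```

On the server itself, sudo sshd -t validates the configuration before you restart the service, and sudo sshd -T prints the effective settings with Include files applied.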
Set Up SSH Keys
Copy your public key to your VPS for key-based login (replace myadmin and your.server.ip):
ssh-copy-id myadmin@your.server.ip
Example output:
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/user/.ssh/id_rsa.pub"
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'myadmin@your.server.ip'"
and check to make sure that only the key(s) you wanted were added.
Or manually paste your key into ~/.ssh/authorized_keys.
Install Fail2Ban
Fail2Ban helps block brute-force attacks on SSH and some other services.
AlmaLinux, Rocky, CentOS Stream, Fedora:
sudo dnf install fail2ban -y
sudo systemctl enable --now fail2ban
Example output (install):
...
Installed:
fail2ban-0.11.2-3.el9.noarch
Complete!
Example output (start):
Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service → /usr/lib/systemd/system/fail2ban.service.
Ubuntu, Debian:
sudo apt install fail2ban -y
sudo systemctl enable --now fail2ban
Example output (install):
...
Setting up fail2ban (0.11.2-2) ...
Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service → /lib/systemd/system/fail2ban.service.
Common Security Commands Table
| What | Command | Description |
|---|---|---|
| Change root password | passwd | Set a secure password for root user |
| Add admin user | adduser myadmin | Create a new user for admin tasks |
| Allow SSH on firewall (ufw) | sudo ufw allow ssh | Allow SSH through the firewall (Debian/Ubuntu) |
| Allow SSH on firewall (firewalld) | sudo firewall-cmd --permanent --add-service=ssh | Allow SSH through the firewall (AlmaLinux/Rocky/Fedora) |
| System update (dnf) | sudo dnf update -y | Install all package updates |
| System update (apt) | sudo apt update && sudo apt upgrade -y | Update all packages |
| Disable root SSH login | Edit /etc/ssh/sshd_config; set PermitRootLogin no | Prevents root login via SSH |
| Install Fail2Ban | sudo dnf/apt install fail2ban -y | Protects SSH/login from brute-force attempts |
Summary
Taking these basic security steps immediately after deploying your Self-Managed VPS will block most automated attacks, reduce the risk of compromise, and help you build a secure foundation for your web apps, email, or any other service.