How to Set Up a Fresh Ubuntu 24.04 VPS

Ubuntu 24.04 LTS is the standard starting point for a self-managed VPS. This guide takes you from your first SSH login on a fresh install to a server that is up to date, secured with a non-root user, and ready to build on. Completing these steps takes around 15 minutes and puts you in a solid position before installing anything else on top.

It assumes you have root access to a freshly provisioned VPS and a terminal on your local machine. If you have an Arcadia VPS, your IP address and root credentials will be in your welcome email.

Step 1 - Logging in as Root

When your VPS is provisioned, you will receive an IP address and either a root password or an SSH key, depending on how the server was configured during ordering. Open a terminal and connect:

ssh [email protected]

Replace your.server.ip with your actual VPS IP address. Once connected, you are ready to begin.

Step 2 - Updating the System

Before doing anything else, apply all available updates. A freshly provisioned VPS often ships with packages that are weeks or months out of date, and patching now avoids building on top of known vulnerabilities.

apt update && apt upgrade -y

If a kernel update was included, reboot before continuing:

reboot

Wait around a minute, then reconnect via SSH. Your server is now running the latest available packages.

Step 3 - Creating a Non-Root User

In this step, you will create a regular user account and grant it sudo privileges. Running everything as root means a typo or a compromised session has unlimited access to the system; a non-root account with sudo limits that blast radius considerably.

adduser deploy
usermod -aG sudo deploy

Replace deploy with whatever username you prefer. Confirm the account can use sudo before moving on:

su - deploy
sudo whoami

Output:

root

You now have a dedicated admin user. Use this account instead of root from this point forward. In the next step, you will set the server hostname.

Step 4 - Setting the Hostname

A descriptive hostname makes it easier to identify this server in logs and when managing multiple machines. Set it to something that reflects the server's role:

hostnamectl set-hostname your-server-name

Replace your-server-name with a name such as web-01 or arcadia-vps. The name takes effect immediately.

Step 5 - Setting the Timezone

Setting the correct timezone ensures log timestamps are accurate and that any scheduled tasks run at the expected times. If your users are primarily in the UK, Europe/London is a sensible default:

timedatectl set-timezone Europe/London

Confirm the change applied:

timedatectl

Step 6 - Enabling Automatic Security Updates

The unattended-upgrades package applies OS security patches automatically in the background, so the server stays patched between your maintenance sessions without requiring manual intervention each time:

apt install unattended-upgrades -y
dpkg-reconfigure --priority=low unattended-upgrades

When prompted, select yes to enable automatic updates. Security patches will now be applied without requiring your input.

Step 7 - Setting Up SSH Keys and Locking Down SSH

Password-based SSH logins leave the server exposed to brute-force attacks. Switching to SSH key authentication and disabling password login entirely removes that attack surface. Follow the SSH key authentication guide to generate a key pair and copy it to the server, then return here to finish locking down SSH.

Once your key is in place and you have confirmed you can log in using it from a new terminal session, edit /etc/ssh/sshd_config on the server and set the following. Do not make this change until key-based login is confirmed working; if you disable password auth before your key is set up correctly, you will be locked out and will need your provider's web console to recover access.

PasswordAuthentication no
PermitRootLogin no

Restart the SSH service to apply the changes:

systemctl restart sshd

Step 8 - Configuring the Firewall

A firewall ensures only the ports your server needs are reachable from the internet. Follow the UFW and Fail2Ban guide for the full setup. At minimum, run the following to allow your SSH connection and deny all other incoming traffic by default:

ufw allow OpenSSH
ufw enable

Once UFW is enabled, only the ports you explicitly allow will be reachable from the internet.

Your Server Is Ready

You now have a clean, updated Ubuntu server with a non-root user, automatic security updates, SSH key authentication, and a firewall in place. From here you can install a web server, deploy an application, or follow the WordPress on Nginx guide if that is your next step.