Project Introduction
When provisioning a fresh VPS, two critical configurations yield the highest return on investment: securing the access point and unthrottling the network. Changing the default SSH port significantly reduces automated brute-force attempts, while enabling the BBR congestion control algorithm drastically improves throughput on high-latency links.
Here is the standardized workflow for these initial setups.
The default port 22 is the primary target for botnets. Moving SSH to a non-standard port is the most effective "low-hanging fruit" for server security.
1. Firewall Configuration (Prerequisite)
Before touching any config files, ensure your Cloud Provider's firewall (Security Group) allows traffic on your new target port.
- Action: Select a port between 1024 and 65535 (e.g., 19220).
- Cloud Console: Add an Inbound Rule (TCP) for port 19220.
2. Handle Systemd Socket Activation (Ubuntu 22.04+)
On modern Ubuntu systems, SSH is often socket-activated, meaning editing sshd_config alone will not work. You must revert to the standard service mode.
# Stop and disable the socket activator
sudo systemctl stop ssh.socket
sudo systemctl disable ssh.socket
# Enable and start the standard service
sudo systemctl enable ssh.service
sudo systemctl start ssh.service
3. Edit sshd_config
Safely modify the daemon configuration.
# Backup existing config
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# Edit the file
sudo nano /etc/ssh/sshd_config
The Safety Strategy: Do not delete Port 22 yet. Add the new port below it. This allows you to connect via either port during the transition.
# /etc/ssh/sshd_config
Port 22
# Add your new port here (keep comments on their own line; older sshd versions reject trailing comments)
Port 19220
Save (Ctrl+O) and Exit (Ctrl+X).
4. Restart and Verify
Apply the changes and check if the daemon is listening on both ports.
sudo systemctl restart ssh
ss -ntl | grep 19220
5. The Connectivity Test
CRITICAL: Do not close your current terminal session. Open a new terminal window on your local machine and test the connection.
# Replace with your actual key and IP
ssh -i your_key.pem -p 19220 root@your_remote_ip
6. Finalize
Once the new connection is verified:
- Edit /etc/ssh/sshd_config again and comment out Port 22 so the line reads #Port 22.
- Restart SSH: sudo systemctl restart ssh
- Remove the rule for Port 22 from your Cloud Provider's firewall.
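An added example, not part of the original guide: a shell check that reads a saved sshd_config and saved ss -ntl output and reports which stage of steps 3 to 6 the host is in. The function names, state words and sample data are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): classify how far the SSH port
# migration has progressed. Function names and sample data are assumptions.

# Active (uncommented) Port values from sshd_config text or `sshd -T` output.
active_ports() {
    awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }' "$1"
}

# Ports in LISTEN state, parsed from saved `ss -ntl` output.
listening_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' "$1" | sort -un
}

# transition_state CONFIG NEW_PORT SS_FILE -> prints one state word
transition_state() {
    local cfg="$1" new="$2" ss_out="$3"
    case $new in ''|*[!0-9]*) echo invalid-port; return 1 ;; esac
    if [ "$new" -lt 1024 ] || [ "$new" -gt 65535 ]; then
        echo invalid-port; return 1
    fi
    # Whole-line match: 19220 must not be satisfied by a partial match such as 1922.
    active_ports "$cfg" | grep -qx "$new" || { echo missing-new-port; return 1; }
    listening_ports "$ss_out" | grep -qx "$new" || { echo not-listening; return 1; }
    # Port 22 still configured or still bound: step 6 has not been done yet.
    if active_ports "$cfg" | grep -qx 22 || listening_ports "$ss_out" | grep -qx 22; then
        echo transition
    else
        echo final
    fi
}

# Constructed sample data for a host in the middle of the migration.
demo() {
    local d; d=$(mktemp -d)
    printf '%s\n' '#Port 2222' 'Port 22' 'Port 19220' > "$d/sshd_config"
    printf '%s\n' \
        'State  Recv-Q Send-Q Local Address:Port Peer Address:Port' \
        'LISTEN 0      128          0.0.0.0:22        0.0.0.0:*' \
        'LISTEN 0      128          0.0.0.0:19220     0.0.0.0:*' \
        'LISTEN 0      128             [::]:19220        [::]:*' > "$d/ss.txt"
    transition_state "$d/sshd_config" 19220 "$d/ss.txt"
    rm -rf "$d"
}
demo   # prints: transition
```

On a live host, save the output of sudo sshd -T (which also resolves Include files) and of ss -ntl to files and pass those in place of the constructed samples.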
Part 2: Network Optimization (BBR)
For network optimization, we will utilize vps_optimize, an open-source shell script that automates kernel parameter tuning. It enables Google's BBR algorithm, optimizes TCP buffers, and adjusts Fair Queue (FQ) management.
Repository: github.com/androwbrown/vps_optimize
Usage
Note: This script modifies /etc/sysctl.conf. A backup is created automatically.
Download Script
wget https://raw.githubusercontent.com/androwbrown/vps_optimize/main/optimize.sh
# Or via curl:
# curl -O https://raw.githubusercontent.com/androwbrown/vps_optimize/main/optimize.sh
Execute
chmod +x optimize.sh
sudo ./optimize.sh
Apply Changes
sudo sysctl -p
Verification
To confirm BBR is active, run the following command. The output should contain bbr.
sysctl net.ipv4.tcp_congestion_control
# Output: net.ipv4.tcp_congestion_control = bbr
Rollback
If you experience network instability, restore the original configuration using the backup created by the script:
sudo cp /etc/sysctl.conf.bak /etc/sysctl.conf
sudo sysctl -p