Setting up a new VPS properly is crucial for security, stability, and performance. This guide covers 5 Phase of our VPS setup, including SSH access, firewall configuration, and security enhancements.
Summary of All Phases
Our VPS setup is divided into multiple phases for a structured and efficient deployment:
- Phase 1: Initial VPS setup – SSH access, security hardening, and firewall configuration.
- Phase 2: Install and configure HestiaCP for website, database, and email management.
- Phase 3: Set up Docker and Portainer for containerized applications.
- Phase 4: Deploy applications step by step, including FOSSBilling, ERPNext, Nextcloud, FileRun, Bitwarden, Vikunja, Joplin Server, OpenProject, Mailcow, and more.
- Phase 5: Backup and monitoring – Implement Restic with Google Drive and install server monitoring tools.
Each phase ensures a smooth and secure deployment for self-hosted applications and services.
Step 1: install Ubuntu 24.04 LTS
Before starting, ensure your VPS provider allows you to install the OS. Choose Ubuntu 24.04 LTS as your operating system.

After installation, you’ll need to access your VPS via SSH.
Step 2: Accessing SSH with PuTTY
To access your VPS, follow these steps:
- Download and Install PuTTY:
- Download PuTTY
- Install and open PuTTY.
- Connect to Your VPS:
- Enter your VPS IP address.
- Default SSH port: 22 (we will change it later for security).
- Click Open and log in with your credentials.
- Change Your SSH Port (Optional but Recommended):
- Open SSH config file:
sudo nano /etc/ssh/sshd_config - Find
#Port 22, remove the#, and change it to a new port, e.g.,222:Port 222 - Save and exit (
Ctrl + X, thenY, thenEnter). - Restart SSH:
sudo systemctl restart ssh - Update your firewall to allow the new port:
sudo ufw allow 222/tcp - Now, reconnect using PuTTY with the new port (222).
- Open SSH config file:
Step 3: Create a New User (Non-Root)
For security, avoid using root for daily tasks.
- Create a new user:
sudo adduser yourusernameFollow the prompts to set a password.
- Grant sudo access:
sudo usermod -aG sudo yourusername - Switch to the new user:
su - yourusername
Step 4: Set Up SSH Key-Based Authentication
Using SSH keys instead of passwords enhances security.
- Generate an SSH key on your local machine:
ssh-keygen -t rsa -b 4096Press Enter to save in the default location.
- Copy the public key to your VPS:
ssh-copy-id -p 222 yourusername@your-vps-ip - Disable Password Authentication (Extra Security Step):
- Edit SSH config:
sudo nano /etc/ssh/sshd_config - Set the following:
PasswordAuthentication no PermitRootLogin no - Restart SSH:
sudo systemctl restart ssh
- Edit SSH config:
Now, you can only log in with your SSH key, making your VPS much more secure.
Step 5: Configure UFW Firewall
To prevent unauthorized access, configure UFW (Uncomplicated Firewall).
- Enable UFW and allow essential ports:
sudo ufw allow 222/tcp # (Your SSH port) sudo ufw allow 80/tcp # (HTTP for websites) sudo ufw allow 443/tcp # (HTTPS for websites) sudo ufw enable - Check firewall status:
sudo ufw status
This ensures that only necessary services are accessible.
Step 6: Verify System Security and Running Services
Check if SSH is running on the correct port:
sudo ss -tulnp | grep sshExpected output should show SSH listening on your custom port (222).
Check firewall status:
sudo ufw statusEnsure only the allowed ports are open.
Conclusion
At this stage, your VPS is: ✅ Running Ubuntu 24.04 LTS ✅ Secured with SSH key authentication ✅ Configured with a non-root user ✅ Protected by a firewall (UFW) ✅ Ready for further installations
Next, we move to Phase 2: Installing HestiaCP to manage websites, databases, and services efficiently.
Step 1: Download the Installation Script
Log in as root via SSH and run:
Ensure the file has downloaded properly:
Step 2: Run the Installation Script
Run the script as root:
This will launch an interactive installation where you can configure different services.
Step 3: Customize Installation (Optional)
If you want to customize the installation (selecting services manually), use:
You’ll be prompted to select:
- Hostname (e.g.,
panel.yourwebsite.com) - Admin username (Default:
admin) - Email address
- Password (or auto-generate one)
- Web server options (Apache, Nginx, PHP-FPM)
- Database options (MariaDB, PostgreSQL, or MySQL 8)
- Mail services (Exim, Dovecot, SpamAssassin, ClamAV)
- Firewall options (iptables, Fail2Ban)
- Other settings (File manager, API, web terminal, quotas, etc.)
Recommended HestiaCP Installation Choices
| Component | Recommended | Notes |
|---|---|---|
| NGINX (Proxy Server) | ✅ Yes | Best for performance; handles static content efficiently. |
| Apache (Backend Server) | ✅ Yes | Required for PHP websites; works well with Nginx. |
| PHP-FPM (Application Server) | ✅ Yes | Faster than traditional PHP processing. |
| Bind DNS Server | ❌ No | if using Cloudflare for DNS, so this is unnecessary. |
| Exim Mail Server | ❌ No | Recomended install Mailcow for email later. or yes if simple |
| ClamAV (Antivirus for Mail) | ❌ No | Only needed if using Exim/Dovecot. if above choose yes then yes |
| SpamAssassin (Spam Filtering) | ❌ No | Not needed since you’re skipping Exim. if above choose yes then yes |
| Dovecot (IMAP/POP3 Server) | ❌ No | You don’t need this because of Mailcow.if above choose yes then yes |
| MariaDB (Database Server) | ✅ Yes | Better performance than MySQL 8 for your setup. |
| MySQL 8 | ❌ No | MariaDB is a better choice unless you specifically need MySQL 8. |
| PostgreSQL | ❌ No | Only needed if you’re using PostgreSQL-based apps (ERPNext, etc.). |
| Vsftpd (FTP Server) | ❌ No | Use SFTP instead (more secure). |
| Firewall (iptables + Fail2Ban) | ✅ Yes | Essential for security. |
Installation Command
To install HestiaCP with these options, use:
Summary of Choices
✅ Best setup for performance and security
✅ Compatible with your Cloudflare DNS and Mailcow plans
✅ Uses MariaDB (better than MySQL 8 for most cases)
✅ No unnecessary mail services since you’ll install Mailcow separately
Here’s the updated installation command with a note for troubleshooting:
Installation Command
Run the following command to install HestiaCP with optimized settings:
Important Note
If you encounter any errors during installation, refer to the official HestiaCP Installation Guide for troubleshooting steps and alternative installation methods.
Step 4: Reboot VPS
Once installation is complete, reboot your VPS:
Step 5: Access HestiaCP Panel
After rebooting, access the HestiaCP web interface:
or, if you set a custom hostname:
Log in with:
- Username:
admin - Password: (Generated or set during installation)
Step 6: Allow Port 8083 in UFW (If Needed)
If you can’t access the panel, ensure port 8083 is allowed in your firewall:
Step 7: Secure HestiaCP
- Change the admin password immediately.
- Set up automatic backups for your settings and websites.
- Install an SSL certificate (Let’s Encrypt) for
panel.gethostx.com.
Next Step: Configuring HestiaCP for Websites and Services
Once HestiaCP is installed, you can create websites, databases, and email accounts.
Great! Now that HestiaCP is installed, we can proceed with the next steps. Since MariaDB is already installed with HestiaCP, we’ll move forward with FOSSBilling setup.
Next Steps:
✅ Verify MariaDB Installation & Secure It
✅ Install & Configure FOSSBilling (billing.gethostpro.com)
✅ Set Up SSL & Reverse Proxy (if needed)
