Cheap VPS for Beginners: Pick and Set Up Your First Server
By the end of this guide you will have a secured, SSH-hardened Ubuntu 24.04 VPS running for $4–6/month, with a non-root user, a firewall, and automatic security updates enabled. You will know exactly which providers are worth your money, which specs to pick for a first server, and how to go from a fresh root login to a production-ready baseline — command by command.
Prerequisites
- A credit card or PayPal account to register with a VPS provider
- A local machine running Linux, macOS, or Windows with WSL2
sshandssh-keygenavailable in your terminal- 30 minutes
Choosing a Cheap VPS: Provider Comparison
Not every $5 VPS is equal. The three providers below consistently deliver reliable I/O and low latency for the price. All prices are USD/month as of mid-2025.
| Provider | Plan | vCPU | RAM | SSD | Price |
|---|---|---|---|---|---|
| Hetzner Cloud | CX22 | 2 | 4 GB | 40 GB | $4.15 |
| Vultr | Cloud Compute | 1 | 1 GB | 25 GB | $6.00 |
| DigitalOcean | Basic Droplet | 1 | 1 GB | 25 GB | $6.00 |
Recommendation for beginners: Hetzner CX22. You get 4 GB of RAM for the price others charge for 1 GB. The control panel is clean, the API is solid, and their Falkenstein and Ashburn datacenters have excellent uptime. I run three production apps on Hetzner for a combined $40/month — it is the most cost-efficient infrastructure I have found after nine years.
Vultr and DigitalOcean are valid choices if you need a US or Asia-Pacific datacenter with lower latency, or if you want more hand-holding through their dashboards.
Specs to pick for a first server:
- 1–2 vCPU is enough for learning, a personal project, or a low-traffic app.
- 1 GB RAM is workable for a static site or a single Node.js process; 2–4 GB gives you room for a database alongside your app.
- 20–40 GB SSD covers most workloads; you can resize later.
- Choose the datacenter closest to your users.
Step 1: Generate an SSH Key Pair
Run this on your local machine. Replace the comment with your email.
ssh-keygen -t ed25519 -C "you@example.com" -f ~/.ssh/id_ed25519
Expected output:
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Set a passphrase. This creates ~/.ssh/id_ed25519 (private) and ~/.ssh/id_ed25519.pub (public). You will paste the public key into your VPS provider's dashboard.
Print the public key:
cat ~/.ssh/id_ed25519.pub
Copy the entire output line — it starts with ssh-ed25519.
Step 2: Provision the VPS
The steps below use Hetzner Cloud. The process is equivalent on Vultr and DigitalOcean.
- Log in to console.hetzner.cloud.
- Click New Project, name it anything, then click Add Server.
- Select Location — Falkenstein (EU) or Ashburn (US).
- Select Image — Ubuntu 24.04.
- Select Type — Shared CPU → CX22.
- Under SSH Keys, click Add SSH Key, paste your
id_ed25519.pubcontent, and save. - Leave everything else at defaults and click Create & Buy Now.
Within 30 seconds the dashboard shows a public IPv4 address — for example 65.21.10.44. Use that IP in every command below.
Step 3: Log In as Root and Update the System
SSH into the server as root:
ssh -i ~/.ssh/id_ed25519 root@65.21.10.44
Update all packages:
apt update && apt upgrade -y
This ensures you start from a fully patched baseline. On a fresh Hetzner Ubuntu 24.04 image this takes under two minutes.
Step 4: Create a Non-Root User with Sudo
Running everything as root is a security liability. Create a dedicated user — replace deploy with your preferred username.
adduser deploy
Follow the prompts; set a strong password. Then add the user to the sudo group:
usermod -aG sudo deploy
Copy your SSH key to the new user so you can log in without a password:
rsync --archive --chown=deploy:deploy ~/.ssh /home/deploy
Step 5: Harden SSH
Edit the SSH daemon configuration:
nano /etc/ssh/sshd_config
Locate and set these three directives (add them if missing):
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Restart the SSH service:
systemctl restart ssh.service
Do not close your current root session yet. Open a second terminal and verify the new user can log in:
ssh -i ~/.ssh/id_ed25519 deploy@65.21.10.44
Once confirmed, you can close the root session. Root login over SSH is now disabled.
Step 6: Configure the Firewall with UFW
Ubuntu 24.04 ships with UFW. Enable it with rules that allow SSH and block everything else by default.
From your deploy session:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp comment 'SSH'
sudo ufw enable
Expected output after ufw enable:
Firewall is active and enabled on system startup
If you plan to serve HTTP/HTTPS, add those ports now:
sudo ufw allow 80/tcp comment 'HTTP'
sudo ufw allow 443/tcp comment 'HTTPS'
Check the active rules:
sudo ufw status verbose
Step 7: Enable Automatic Security Updates
Manually patching every week is a habit that slips. unattended-upgrades applies security patches automatically on Ubuntu 24.04.
Install and configure it:
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades
At the dialog prompt, select Yes. This writes /etc/apt/apt.conf.d/20auto-upgrades with the correct settings.
Verify the configuration file:
cat /etc/apt/apt.conf.d/20auto-upgrades
Expected output:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Verify It Works
Run each check from your local machine or from the deploy session.
1. SSH as non-root user succeeds:
ssh -i ~/.ssh/id_ed25519 deploy@65.21.10.44 echo "login ok"
Expected output: login ok
2. Root SSH is blocked:
ssh -i ~/.ssh/id_ed25519 root@65.21.10.44
Expected output: Permission denied (publickey).
3. Firewall is active:
sudo ufw status
Expected output:
Status: active
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
4. Automatic updates service is running:
systemctl is-active unattended-upgrades
Expected output: active
Troubleshooting
SSH connection times out on first login. Your provider may take 60–90 seconds to assign a public IP and start the server. Wait, then retry. Also confirm you are using the correct IP from the dashboard.
Permission denied (publickey) when logging in as deploy.
The rsync command in Step 4 must be run as root while still in the root session. Verify permissions: ls -la /home/deploy/.ssh should show drwx------ deploy deploy for the .ssh directory and -rw------- deploy deploy for authorized_keys.
sudo: command not found after switching to deploy.
Confirm the user is in the sudo group: groups deploy should list sudo. If not, run usermod -aG sudo deploy and log out and back in.
UFW blocks a port you need.
Add the rule before enabling UFW, or add it afterward: sudo ufw allow <port>/tcp. Run sudo ufw status verbose to confirm.
unattended-upgrades dialog does not appear.
Run sudo dpkg-reconfigure unattended-upgrades without the --priority=low flag. Alternatively, write the config manually: echo 'APT::Periodic::Unattended-Upgrade "1";' | sudo tee -a /etc/apt/apt.conf.d/20auto-upgrades.
High memory usage on a 1 GB RAM VPS.
Run free -h to check. Disable unused services with sudo systemctl disable --now <service>. Common culprits on Ubuntu 24.04 are snapd and ModemManager — safe to disable on a headless VPS.
Next Steps
Your cheap VPS for beginners is now secured and ready for workloads. From here:
- Install a web server: Follow the Nginx setup guide to serve your first site over HTTPS with Let's Encrypt.
- Deploy an app: Use systemd service unit file tutorial to manage Node.js, Python, or Go processes — no Docker overhead required on a 1 GB server.
- Set up monitoring: Install
netdatafor free real-time metrics, or point your server at a free tier of Better Uptime for external ping checks. - Add a swap file: On 1 GB RAM instances, a 1 GB swap file prevents out-of-memory kills during package installs. Run
fallocate -l 1G /swapfile && chmod 600 /swapfile && mkswap /swapfile && swapon /swapfile. - Snapshot the server: Take a provider snapshot now, before you install anything else. It costs cents per month and gives you a clean restore point.
A $4–6/month VPS with this baseline configuration handles personal projects, staging environments, small SaaS apps, and self-hosted tools without issue. Start small, measure actual resource usage after a week, and only upgrade when your metrics justify it.