Bringing a fresh Debian 13 server online is one of those jobs that looks simple until you miss one small step and create a problem for yourself later. A production VPS needs more than a login and a package update. It needs a repeatable baseline that makes the server easier to secure, easier to manage and less likely to fail at an awkward moment.
This guide walks through a sensible Debian 13 initial server setup checklist for production use. It is aimed at small business sites, personal infrastructure, web applications and general Linux hosting. The goal is not to create a military bunker. The goal is to create a clean, reliable starting point that is realistic to maintain.
1. Update the system before you do anything else
Fresh templates are often already out of date. Begin with:
apt update
apt full-upgrade -y
rebootRebooting early makes sense because kernel and security updates are common on first boot. Once the server returns, check the release details and confirm the hostname and IP settings match what you expect.
2. Set a proper hostname and hosts file
A predictable hostname makes mail, logging, monitoring and troubleshooting cleaner. Choose something descriptive such as web-01 or db-01. Update the hostname and make sure it resolves locally:
hostnamectl set-hostname web-01
nano /etc/hostsYour hosts file should include the server’s main IP and hostname. Avoid lazy defaults because they confuse monitoring, shell prompts and some mail-related software.
3. Create a non-root administrative user
Running everything directly as root is bad practice. Create a normal user and grant sudo access:
adduser adminuser
usermod -aG sudo adminuserThen test the account in a second SSH session before you log out of root. This is the point where many people lock themselves out by changing SSH too quickly.
4. Add SSH keys and disable password logins where possible
SSH keys are one of the simplest security wins you can make. Generate a key pair locally if you do not already have one, then copy the public key to the server:
ssh-copy-id adminuser@your-server-ipOnce key authentication works, tighten the SSH daemon configuration:
nano /etc/ssh/sshd_configReview these common settings:
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yesThen reload SSH:
systemctl reload ssh5. Enable a firewall with only the ports you need
On Debian 13, UFW remains a good, simple choice for many servers:
apt install ufw -y
ufw allow OpenSSH
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable
ufw status verboseDo not open ports just because you might need them later. Keep the rule set narrow. If the server is a database node, management box or mail host, build the rules around that role.
6. Confirm time, time zone and NTP
Wrong time breaks logs, TLS validation, scheduled tasks and alerting. Check time sync using timedatectl and enable NTP if needed. For UK-focused services, set the zone to Europe/London if that reflects how you operate, but keep in mind many teams prefer UTC on servers for consistency.
7. Install the core tools you always end up needing
Keep your baseline practical. On many production Debian servers, a useful starter set looks like this:
apt install -y curl wget vim nano htop unzip git rsync ca-certificates apt-transport-https gnupg lsb-release fail2banNot every machine needs every package, but having a sensible standard cuts faff later.
8. Configure automatic security updates carefully
Unattended upgrades reduce the chance of a server sitting exposed for weeks because nobody got round to patching it. Install and enable them:
apt install unattended-upgrades apt-listchanges -y
dpkg-reconfigure -plow unattended-upgradesFor critical systems, pair this with maintenance windows and monitoring. Automatic updates are helpful, but they are not a substitute for patch management discipline.
9. Add swap if the VPS is small
Low-memory VPS plans can become unstable under load spikes. A modest swap file can improve survivability:
fallocate -l 2G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
echo '/swapfile none swap sw 0 0' >> /etc/fstabSwap is not magic, and it is slower than RAM, but it is often preferable to the kernel killing random processes.
10. Review listening services before exposing the box
Check what is actually listening:
ss -tulpnYou should know what every open service is and why it exists. This catches accidental services, package defaults and left-over daemons from templates.
11. Set up basic intrusion and abuse controls
Fail2Ban is still worth using for internet-facing services such as SSH, web authentication and mail. Install it, enable the jails you need and avoid blindly copying huge configs from random places. Make sure bans are compatible with your firewall setup and reverse-proxy arrangement.
12. Prepare logging and monitoring from day one
Production servers should not be flying blind. At minimum, make sure you can see CPU, memory, disk use, login attempts and service failures. Even a simple stack using systemd logs, logrotate and external uptime checks is better than nothing.
13. Backups are part of setup, not a later job
If the server matters, define backups before the data becomes important. Decide what needs backing up, where it goes, how long it is retained and how restoration will be tested. A backup that has never been restored is only a theory.
14. Document the baseline
Record the hostname, IP addresses, firewall policy, admin users, SSH policy, installed roles and backup location. You will thank yourself later when troubleshooting at 2 in the morning or handing the server to somebody else.
Final thoughts
A Debian 13 initial server setup should be boring, consistent and documented. That is a good thing. Production stability rarely comes from clever tricks. It comes from doing the basics properly every single time. If you use this checklist as your baseline, you will start future deployments from a much stronger position.