Secure your Ubuntu VMs on Massed Compute with SSH key authentication, firewall hardening, and protection registry for persistent instances.
This guide exists as a tested, machine-readable recipe in the Massed Compute MCP. Skip the manual steps and let an AI agent handle the full hardening workflow for you.
Running production workloads on cloud VMs requires proper security hardening. This guide walks you through securing Ubuntu VMs on Massed Compute with SSH key authentication, firewall configuration, and automatic security updates.
You’ll disable password authentication, configure UFW firewall, enable unattended security updates, and register the VM in a protection registry to prevent accidental termination during long-running projects.
| Component | Purpose | Configuration |
|---|---|---|
| Ubuntu 24.04 LTS | Base OS | Latest security patches |
| SSH with Ed25519 keys | Secure remote access | Password auth disabled |
| UFW Firewall | Network security | SSH only by default |
| Unattended Upgrades | Automatic security patches | Non-interactive updates |
| Protection Registry | Prevent accidental termination | Local registry file |
| Resource | Minimum | Recommended |
|---|---|---|
| vCPU | 2 cores | 2+ cores |
| RAM | 4 GB | 8 GB |
| Storage | 20 GB | 40 GB |
| OS | Ubuntu 24.04 | Ubuntu 24.04 LTS |
Pricing fetched from the Massed Compute inventory API on June 23, 2026.
Deploy and Harden Your VM
Launch VM Instance
Create a new Ubuntu 24.04 VM via the Massed Compute dashboard or reuse an existing instance. Note the instance UUID, public IP, and SSH credentials.
# Wait for instance to reach running state
# Note: YOUR_VM_IP, ubuntu, and port 22Secure Local Secrets
On your local machine, protect private keys and API credentials with proper file permissions.
chmod 600 .env 2>/dev/null || true
chmod 600 ~/.ssh/vm-hardening-key 2>/dev/null || true
# Scan for accidentally committed secrets
rg -n 'sk-[A-Za-z0-9]{10,}|Bearer [A-Za-z0-9._-]{20,}|password\s*=\s*[^<]' \
--glob '!.env' --glob '!instances/*' --glob '!.venv' . || trueGenerate SSH Key Pair
Create a dedicated Ed25519 SSH key pair for secure authentication.
# Generate new SSH key
ssh-keygen -t ed25519 -f ~/.ssh/vm-hardening-key -N "" -C "vm-hardening@massedcompute"
# Copy public key to VM
ssh-copy-id -i ~/.ssh/vm-hardening-key -p 22 ubuntu@YOUR_VM_IPTest Key Authentication
Open a second terminal and verify SSH key login works before disabling password authentication.
# Test key-based login in second terminal
ssh -i ~/.ssh/vm-hardening-key -o BatchMode=yes -p 22 ubuntu@YOUR_VM_IP 'echo SSH_KEY_OK'Disable Password Authentication
Harden SSH configuration by disabling password login and root access.
sudo sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
echo 'PubkeyAuthentication yes' | sudo tee -a /etc/ssh/sshd_config.d/99-hardening.conf
sudo systemctl reload sshApply Security Updates
Update packages and configure automatic security updates.
# Update package lists and upgrade system
sudo apt-get update
sudo DEBIAN_FRONTEND=noninteractive apt-get upgrade -y
# Enable unattended security updates
echo 'unattended-upgrades unattended-upgrades/enable_auto_updates boolean true' | sudo debconf-set-selections
sudo apt-get install -y unattended-upgrades
sudo DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -f noninteractive unattended-upgradesConfigure UFW Firewall
Enable UFW firewall with SSH access only. Add project-specific ports as needed.
# Allow SSH and enable firewall
sudo ufw allow OpenSSH
sudo ufw --force enable
sudo ufw status
# Verify status shows "Status: active"
sudo ufw status | grep -q 'Status: active' && echo "Firewall active" || echo "Firewall setup failed"Register VM Protection
Add the VM to your local protection registry to prevent accidental termination during long-running projects.
# Create protection registry entry (local file)
echo '{"uuid": "YOUR_INSTANCE_UUID", "name": "vm-hardening-lab", "note": "persistent storage vault", "protectedSince": "2026-06-23"}' >> ~/vm-protection-registry.jsonTroubleshooting
SSH Connection Issues
- Host key changes: Run
ssh-keygen -R YOUR_VM_IPand confirm the instance is running - Locked out after disabling passwords: Use the Massed Compute console to re-enable password auth temporarily and fix
authorized_keys - Key permissions: Ensure private key is
chmod 600and owned by your user
Firewall Problems
- UFW shows inactive: Run
sudo ufw --force enableand verify status again - Service ports blocked: Use
sudo ufw allow PORT/tcpfor project-specific ports - SSH locked out: Use the VM console to disable UFW:
sudo ufw disable
Update Issues
- Package conflicts: Run
sudo apt-get -f installto fix broken dependencies - Unattended upgrades not working: Check
/var/log/unattended-upgrades/for errors - Kernel updates require reboot: Schedule maintenance windows for kernel updates
Skip All of This: Deploy with an AI Agent
This guide exists as a tested, machine-readable recipe in the Massed Compute MCP. Instead of following the manual steps above, you can have an AI agent handle the entire VM hardening workflow for you.
Add this MCP server to your AI agent configuration:
{
"mcpServers": {
"massed-compute": {
"type": "http",
"url": "https://vm.massedcompute.com/api/mcp",
"headers": { "Authorization": "Bearer MC_TOKEN" }
}
}
}
The agent will match your request against the recipe catalog, provision the right VM shape, run all the setup and verification steps above, and report back with the result. If any step fails, the process stops and you get the exact error output.
Recipe tested on June 10, 2026.
Quick Setup Guide
- Launch VM: Deploy Ubuntu 24.04 on Massed Compute with 2+ vCPUs and 4+ GB RAM
- Generate keys: Create Ed25519 SSH key pair locally
- Test access: Verify key authentication in second terminal session
- Harden SSH: Disable password auth and root login
- Update system: Apply patches and enable automatic security updates
- Configure firewall: Enable UFW with SSH-only access
- Register protection: Add VM to local protection registry
Frequently Asked Questions
01Can I use existing SSH keys instead of generating new ones?
Yes, you can use existing Ed25519 or RSA keys. Just ensure they're properly secured with chmod 600 and copy the public key to the VM's authorized_keys file before disabling password authentication.
02What happens if I get locked out after disabling passwords?
Use the Massed Compute console to access your VM directly. Temporarily re-enable password authentication in /etc/ssh/sshd_config, fix your SSH keys, test access, then disable password auth again.
03How do I open additional ports for my applications?
Use UFW to allow specific ports: sudo ufw allow 8080/tcp for HTTP services or sudo ufw allow 443/tcp for HTTPS. Always be specific about ports and protocols to maintain security.
04Will automatic updates break my applications?
Unattended upgrades only install security updates by default, not major version changes. However, kernel updates may require reboots. Monitor /var/log/unattended-upgrades/ and schedule maintenance windows for critical systems.
05What's the protection registry and why do I need it?
The protection registry is a local file that prevents AI agents or scripts from accidentally terminating long-running VMs. It's especially useful for persistent storage, databases, or multi-week training jobs that should survive across projects.
