A secure VPS protects your data, applications, and reputation. This guide covers essential security measures every VPS owner should implement.
Security Checklist Overview
Priority security tasks:
- [ ] Update system packages
- [ ] Create non-root user
- [ ] Configure SSH security
- [ ] Set up firewall
- [ ] Install fail2ban
- [ ] Enable automatic updates
- [ ] Configure logging
- [ ] Set up backups
1. Keep System Updated
Updates patch known security vulnerabilities, so this is the first task on a freshly provisioned server.
Update Immediately
```bash
sudo apt update && sudo apt upgrade -y
```
Enable Automatic Security Updates
```bash
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
```
Configure in /etc/apt/apt.conf.d/50unattended-upgrades:
```
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Automatic-Reboot "false";
```
With automatic reboots disabled, a new kernel is installed but not running until you reboot, so plan a reboot whenever a kernel update lands.
2. User Account Security
Create Non-Root User
Never run services or do routine work as root; use an unprivileged account with sudo instead:
```bash
# Create user
sudo adduser deploy
# Add to sudo group
sudo usermod -aG sudo deploy
# Switch to new user
su - deploy
```
Disable Root Login
After confirming that the new user can log in and run sudo, lock the root password:
```bash
sudo passwd -l root
```
Use Strong Passwords
If using passwords, ensure they are strong:
- Minimum 16 characters
- Mix of letters, numbers, symbols
- No dictionary words
3. SSH Hardening
SSH is the primary attack vector against a VPS, so harden it before exposing anything else.
Use SSH Keys
Generate a key pair locally:
```bash
ssh-keygen -t ed25519 -C "your_email@example.com"
```
Copy the public key to the server:
```bash
ssh-copy-id user@your_server_ip
```
Secure SSH Configuration
Edit /etc/ssh/sshd_config:
```
# Change default port
Port 2222
# Disable root login
PermitRootLogin no
# Disable password authentication
PasswordAuthentication no
# Allow only specific users
AllowUsers deploy
# Disable empty passwords
PermitEmptyPasswords no
# Limit authentication attempts
MaxAuthTries 3
# Set login grace time
LoginGraceTime 30
# Disable X11 forwarding
X11Forwarding no
# Disable TCP forwarding (if not needed)
AllowTcpForwarding no
```
Restart SSH:
```bash
sudo systemctl restart sshd
```
Important: keep your current session open and confirm from a second terminal that you can log in on the new port with your key before disconnecting. A typo in sshd_config is enough to lock you out.
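Before restarting, it is worth checking what sshd will actually enforce rather than what you think you typed. The audit below is an added example (not part of the original guide): it compares the effective configuration printed by `sshd -T` against the directives set above and reports every mismatch. The sample `sshd -T` output is constructed, and the directive list assumes the values used in this guide.

```bash
#!/bin/bash
# Check the settings sshd is *actually* using against the hardening targets above.
# Usage: sudo sshd -T | audit_sshd_config     (or: audit_sshd_config saved_sshd_T_output.txt)
# "sshd -T" prints the effective config as lowercase "key value" lines, so a typo or an
# Include file that overrides a directive shows up here before you restart the daemon.

EXPECTED='port 2222
permitrootlogin no
passwordauthentication no
permitemptypasswords no
maxauthtries 3
logingracetime 30
x11forwarding no
allowtcpforwarding no'

audit_sshd_config() {
    local effective rc=0 key want have
    if [ $# -gt 0 ]; then effective=$(cat "$1"); else effective=$(cat); fi
    while read -r key want; do
        have=$(printf '%s\n' "$effective" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %-24s expected %-6s effective %s\n' "$key" "$want" "${have:-<unset>}"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# Constructed sample of sshd -T output (not captured from a real host): password logins
# were left enabled, so the audit reports one mismatch and returns 1.
SAMPLE_SSHD_T='port 2222
permitrootlogin no
passwordauthentication yes
permitemptypasswords no
maxauthtries 3
logingracetime 30
x11forwarding no
allowtcpforwarding no
usepam yes'

if printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd_config; then
    echo "sshd configuration matches the hardening targets"
else
    echo "fix the mismatches above, run 'sudo sshd -t', then restart sshd"
fi
```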
4. Firewall Configuration
UFW (Uncomplicated Firewall)
```bash
# Install UFW
sudo apt install ufw
# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH (use your port)
sudo ufw allow 2222/tcp
# Allow web traffic
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Enable firewall
sudo ufw enable
# Check status
sudo ufw status verbose
```
Rate Limiting
Rate-limit new connections to the SSH port; UFW denies an address that opens more than 6 connections within 30 seconds:
```bash
sudo ufw limit 2222/tcp
```
Application-Specific Rules
Only open the ports you need, and restrict them to the sources that need them:
```bash
# Example: Allow specific IP
sudo ufw allow from 192.168.1.100 to any port 3306
# Example: Allow subnet
sudo ufw allow from 10.0.0.0/8 to any port 22
```
5. Fail2ban Setup
Fail2ban watches the logs and temporarily blocks IPs after repeated failed login attempts.
Installation
```bash
sudo apt install fail2ban
```
Configuration
Create /etc/fail2ban/jail.local (settings here override jail.conf, which package updates overwrite):
```
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
banaction = ufw
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 24h
```
Start Fail2ban
```bash
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
# Check status
sudo fail2ban-client status sshd
```
6. Secure Services
Disable Unnecessary Services
List running services:
```bash
sudo systemctl list-units --type=service --state=running
```
Disable unneeded services:
```bash
sudo systemctl disable service_name
sudo systemctl stop service_name
```
Secure Database Access
For MySQL/MariaDB:
```bash
sudo mysql_secure_installation
```
Bind to localhost only in /etc/mysql/mysql.conf.d/mysqld.cnf (for MariaDB the equivalent file is /etc/mysql/mariadb.conf.d/50-server.cnf):
```
bind-address = 127.0.0.1
```
Secure Web Server
For Nginx, add security headers:
```
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
```
Note that X-XSS-Protection is ignored by current browsers; a Content-Security-Policy header is the modern replacement for that protection.
7. File Permissions
Secure Home Directories
```bash
chmod 700 /home/*
```
Secure SSH Directory
```bash
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
```
Find World-Writable Files
```bash
sudo find / -type f -perm -002 -exec ls -l {} \;
```
8. Monitoring and Logging
Enable Logging
Ensure rsyslog is running:
```bash
sudo systemctl enable rsyslog
sudo systemctl start rsyslog
```
Monitor Auth Logs
```bash
sudo tail -f /var/log/auth.log
```
Set Up Log Rotation
Ensure logrotate is configured:
```bash
cat /etc/logrotate.d/rsyslog
```
Install Monitoring Tools
```bash
# Resource monitoring
sudo apt install htop iotop
# Network monitoring
sudo apt install nethogs iftop
```
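Fail2ban's sshd jail (section 5) and the weekly auth-log review do the same thing at different speeds: count failed logins per source address and act on the ones that cross maxretry. The script below is an added example, not part of the original guide or of fail2ban, that runs that check over constructed auth.log lines (RFC 5737 documentation addresses) and also lists successful logins, which deserve review just as much.

```bash
#!/bin/bash
# What fail2ban does with /var/log/auth.log, reduced to a manual check for the weekly
# log review. Added example, not from the original guide or from fail2ban itself.

# failed_logins_over_threshold MAXRETRY < auth.log  -> "count ip" lines, highest count first
failed_logins_over_threshold() {
    awk -v max="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the word after "from", wherever it lands (field
            # positions shift between "for USER" and "for invalid user USER")
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) printf "%d %s\n", fails[ip], ip }
    ' | sort -rn
}

# accepted_logins < auth.log -> "user ip method" for every successful login; a valid key
# used from an address you do not recognise is one of the signs of compromise
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted (publickey|password|keyboard-interactive)/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            print user, ip, $7
        }'
}

# Constructed sample log lines (documentation addresses, not real traffic)
SAMPLE_AUTH_LOG='Mar  3 10:15:01 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 10:15:04 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 10:15:07 vps sshd[2103]: Failed password for root from 203.0.113.5 port 51030 ssh2
Mar  3 10:15:09 vps sshd[2105]: Failed password for deploy from 198.51.100.7 port 40000 ssh2
Mar  3 10:15:12 vps sshd[2107]: Accepted publickey for deploy from 198.51.100.7 port 40002 ssh2'

echo "== sources at or over maxretry=3 (the jail above would ban these) =="
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_over_threshold 3
echo "== successful logins =="
printf '%s\n' "$SAMPLE_AUTH_LOG" | accepted_logins
# On a live host (needs read access to the log): failed_logins_over_threshold 3 < /var/log/auth.log
```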
9. Backup Strategy
Automated Backups
Create a backup script (run it as root from cron so that ownership and permissions are preserved):
```bash
#!/bin/bash
set -u
DATE=$(date +%Y%m%d)
BACKUP_DIR="/backup"
mkdir -p "$BACKUP_DIR"
# Backup important directories (-p keeps permissions)
tar -czpf "$BACKUP_DIR/home_$DATE.tar.gz" /home
tar -czpf "$BACKUP_DIR/etc_$DATE.tar.gz" /etc
# Keep only last 7 days of archives; -type f and -name make sure nothing else in /backup is removed
find "$BACKUP_DIR" -maxdepth 1 -type f -name '*.tar.gz' -mtime +7 -delete
```
Off-Site Backups
Use rsync to copy the archives to a remote server, so a compromised or failed VPS does not take its only backups with it:
```bash
rsync -avz /backup/ user@backup-server:/backups/
```
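A backup that has never been restored is an assumption, which is why the quarterly checklist below asks you to test restoration. The functions here are an added example, not the guide's own script: they wrap the backup and retention steps above and add a restore test that extracts the archive into a temporary directory and compares it with the source. They assume GNU tar, find and coreutils, and the hypothetical label/path arguments shown in the comments.

```bash
#!/bin/bash
# Backup with retention plus the restore test the "Test backup restoration" task calls for.
# Added example, not the guide's own script. Back up /home and /etc as root so ownership
# and permissions survive the round trip.

make_backup() {    # make_backup SOURCE_DIR BACKUP_DIR LABEL -> prints the archive path
    local src="$1" dir="$2" label="$3" archive
    archive="$dir/${label}_$(date +%Y%m%d_%H%M%S).tar.gz"
    mkdir -p "$dir" || return 1
    # -p keeps permissions; -C / plus a relative path stores the tree without a leading slash
    tar -czpf "$archive" -C / "${src#/}" || return 1
    printf '%s\n' "$archive"
}

verify_backup() {  # verify_backup ARCHIVE SOURCE_DIR -> 0 only if a real restore matches
    local archive="$1" src="$2" tmp rc
    tar -tzf "$archive" >/dev/null || return 1     # readable, not truncated or corrupt
    tmp=$(mktemp -d) || return 1
    tar -xzpf "$archive" -C "$tmp" && diff -r "$tmp/${src#/}" "$src" >/dev/null
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

prune_backups() {  # prune_backups BACKUP_DIR DAYS -> remove archives older than DAYS
    # -type f and -name limit deletion to archives; a bare "find DIR -mtime +7 -delete"
    # would also remove anything else that ends up in the backup directory
    find "$1" -maxdepth 1 -type f -name '*.tar.gz' -mtime "+$2" -delete
}

count_backups() {  # count_backups BACKUP_DIR -> number of archives kept
    find "$1" -maxdepth 1 -type f -name '*.tar.gz' | wc -l | tr -d ' '
}

# Typical nightly run (as root): back up, prove the archive restores, then prune.
# a=$(make_backup /etc /backup etc) && verify_backup "$a" /etc && prune_backups /backup 7
```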
10. Additional Security Measures
Two-Factor Authentication
Install Google Authenticator and enrol your user (the second command prints the secret and emergency codes):
```bash
sudo apt install libpam-google-authenticator
google-authenticator
```
Add this line at the top of /etc/pam.d/sshd, and enable keyboard-interactive (challenge-response) authentication in sshd_config; otherwise sshd never hands key-based logins to PAM and the second factor is silently skipped:
```
auth required pam_google_authenticator.so
```
Intrusion Detection
Install AIDE:
```bash
sudo apt install aide
sudo aideinit
```
aideinit builds the baseline database of file hashes; re-run it after intentional system changes so that later checks report only unexpected modifications.
Security Auditing
Use Lynis for security audits:
```bash
sudo apt install lynis
sudo lynis audit system
```
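The sshd side of the TOTP setup, as an added example rather than part of the original guide: it writes a drop-in that requires a key and then the PAM challenge, and a check function confirms the directives are present. It assumes the stock `Include /etc/ssh/sshd_config.d/*.conf` line (Ubuntu 20.04+ and Debian 12; on older releases append the directives to sshd_config instead) and the hypothetical file name 50-mfa.conf.

```bash
#!/bin/bash
# pam_google_authenticator is only reached through the keyboard-interactive method, so the
# PAM line alone does nothing for key logins: sshd has to require a key AND a keyboard-
# interactive exchange. Directive names are standard OpenSSH (KbdInteractiveAuthentication
# needs OpenSSH 8.7 or later; older releases spell it ChallengeResponseAuthentication).

write_mfa_dropin() {   # write_mfa_dropin TARGET  (normally /etc/ssh/sshd_config.d/50-mfa.conf)
    cat > "$1" <<'EOF'
# Key first, then the PAM challenge (TOTP code). Either factor alone is refused.
AuthenticationMethods publickey,keyboard-interactive
# PAM's auth modules only run for keyboard-interactive (and password) logins.
KbdInteractiveAuthentication yes
UsePAM yes
# Passwords stay off; the only PAM prompt is the TOTP code.
PasswordAuthentication no
EOF
}

# Returns 0 when the drop-in contains every directive the MFA setup depends on.
check_mfa_dropin() {
    grep -q '^AuthenticationMethods publickey,keyboard-interactive' "$1" &&
    grep -q '^KbdInteractiveAuthentication yes' "$1" &&
    grep -q '^UsePAM yes' "$1" &&
    grep -q '^PasswordAuthentication no' "$1"
}

# On the server (as root), after enrolling with google-authenticator:
#   write_mfa_dropin /etc/ssh/sshd_config.d/50-mfa.conf
#   sshd -t && systemctl restart sshd      # validate first; keep a working session open
# Also comment out "@include common-auth" in /etc/pam.d/sshd, otherwise PAM asks for the Unix
# password in addition to the TOTP code; add "nullok" to the pam_google_authenticator line if
# users who have not enrolled yet must still be able to log in with their key.
```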
Security Incident Response
If Compromised
- Disconnect - Take server offline if possible
- Assess - Determine extent of breach
- Preserve - Save logs for analysis
- Clean - Remove malware, close vulnerabilities
- Restore - Rebuild from clean backup if needed
- Report - Notify affected parties
Signs of Compromise
- Unknown processes running
- Unusual network traffic
- Modified system files
- Unknown user accounts
- Unexpected cron jobs
Regular Security Tasks
Weekly
- Review auth logs
- Check fail2ban status
- Verify backups work
Monthly
- Update all packages
- Review user accounts
- Check disk usage
- Review firewall rules
Quarterly
- Run security audit
- Review and update passwords
- Test backup restoration
- Update security policies
Conclusion
VPS security requires ongoing attention. Implement these measures immediately after provisioning, and maintain regular security reviews. A compromised server can damage your reputation and data.
HeavenCloud VPS includes DDoS protection and secure infrastructure, giving you a strong security foundation to build upon.