VexaNode
VPS

VPS Security Guide - Secure Your Server

VexaNode Team
05 Jun
VPS Security Guide - Secure Your Server
Tutorials

VPS Security Guide - Secure Your Server

February 19, 202616 min readBy Manas

A secure VPS protects your data, applications, and reputation. This guide covers essential security measures every VPS owner should implement.

Security Checklist Overview

Priority security tasks:

  1. Update system packages
  2. Create non-root user
  3. Configure SSH security
  4. Set up firewall
  5. Install fail2ban
  6. Enable automatic updates
  7. Configure logging
  8. Set up backups

1. Keep System Updated

Updates patch security vulnerabilities.

Update Immediately

sudo apt update && sudo apt upgrade -y

Enable Automatic Security Updates

sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

Configure in /etc/apt/apt.conf.d/50unattended-upgrades:

Unattended-Upgrade::Allowed-Origins {
    "\${distro_id}:\${distro_codename}-security";
};
Unattended-Upgrade::Automatic-Reboot "false";

2. User Account Security

Create Non-Root User

Never run services as root:

# Create user
sudo adduser deploy

# Add to sudo group
sudo usermod -aG sudo deploy

# Switch to new user
su - deploy

Disable Root Login

After setting up your user:

sudo passwd -l root

Use Strong Passwords

If using passwords, ensure they are strong:

  • Minimum 16 characters
  • Mix of letters, numbers, symbols
  • No dictionary words

3. SSH Hardening

SSH is the primary attack vector for VPS.

Use SSH Keys

Generate key pair locally:

ssh-keygen -t ed25519 -C "your_email@example.com"

Copy to server:

ssh-copy-id user@your_server_ip

Secure SSH Configuration

Edit /etc/ssh/sshd_config:

# Change default port
Port 2222

# Disable root login
PermitRootLogin no

# Disable password authentication
PasswordAuthentication no

# Allow only specific users
AllowUsers deploy

# Disable empty passwords
PermitEmptyPasswords no

# Limit authentication attempts
MaxAuthTries 3

# Set login grace time
LoginGraceTime 30

# Disable X11 forwarding
X11Forwarding no

# Disable TCP forwarding (if not needed)
AllowTcpForwarding no

Restart SSH:

sudo systemctl restart sshd

Important: Test new connection before closing current session!

4. Firewall Configuration

UFW (Uncomplicated Firewall)

# Install UFW
sudo apt install ufw

# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (use your port)
sudo ufw allow 2222/tcp

# Allow web traffic
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Enable firewall
sudo ufw enable

# Check status
sudo ufw status verbose

Rate Limiting

Limit connection attempts:

sudo ufw limit 2222/tcp

Application-Specific Rules

Only open ports you need:

# Example: Allow specific IP
sudo ufw allow from 192.168.1.100 to any port 3306

# Example: Allow subnet
sudo ufw allow from 10.0.0.0/8 to any port 22

5. Fail2ban Setup

Fail2ban blocks IPs after failed login attempts.

Installation

sudo apt install fail2ban

Configuration

Create /etc/fail2ban/jail.local:

[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
banaction = ufw

[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 24h

Start Fail2ban

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# Check status
sudo fail2ban-client status sshd

6. Secure Services

Disable Unnecessary Services

List running services:

sudo systemctl list-units --type=service --state=running

Disable unneeded services:

sudo systemctl disable service_name
sudo systemctl stop service_name

Secure Database Access

For MySQL/MariaDB:

sudo mysql_secure_installation

Bind to localhost only in /etc/mysql/mysql.conf.d/mysqld.cnf:

bind-address = 127.0.0.1

Secure Web Server

For Nginx, add security headers:

add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;

7. File Permissions

Secure Home Directories

chmod 700 /home/*

Secure SSH Directory

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Find World-Writable Files

sudo find / -type f -perm -002 -exec ls -l {} \;

8. Monitoring and Logging

Enable Logging

Ensure rsyslog is running:

sudo systemctl enable rsyslog
sudo systemctl start rsyslog

Monitor Auth Logs

sudo tail -f /var/log/auth.log

Set Up Log Rotation

Ensure logrotate is configured:

cat /etc/logrotate.d/rsyslog

Install Monitoring Tools

# Resource monitoring
sudo apt install htop iotop

# Network monitoring
sudo apt install nethogs iftop

9. Backup Strategy

Automated Backups

Create backup script:

#!/bin/bash
DATE=\$(date +%Y%m%d)
BACKUP_DIR="/backup"

# Backup important directories
tar -czf \$BACKUP_DIR/home_\$DATE.tar.gz /home
tar -czf \$BACKUP_DIR/etc_\$DATE.tar.gz /etc

# Keep only last 7 days
find \$BACKUP_DIR -mtime +7 -delete

Off-Site Backups

Use rsync to remote server:

rsync -avz /backup/ user@backup-server:/backups/

10. Additional Security Measures

Two-Factor Authentication

Install Google Authenticator:

sudo apt install libpam-google-authenticator
google-authenticator

Add to /etc/pam.d/sshd:

auth required pam_google_authenticator.so

Intrusion Detection

Install AIDE:

sudo apt install aide
sudo aideinit

Security Auditing

Use Lynis for security audits:

sudo apt install lynis
sudo lynis audit system

Security Incident Response

If Compromised

  1. Disconnect - Take server offline if possible
  2. Assess - Determine extent of breach
  3. Preserve - Save logs for analysis
  4. Clean - Remove malware, close vulnerabilities
  5. Restore - Rebuild from clean backup if needed
  6. Report - Notify affected parties

Signs of Compromise

  • Unknown processes running
  • Unusual network traffic
  • Modified system files
  • Unknown user accounts
  • Unexpected cron jobs

Regular Security Tasks

Weekly

  • Review auth logs
  • Check fail2ban status
  • Verify backups work

Monthly

  • Update all packages
  • Review user accounts
  • Check disk usage
  • Review firewall rules

Quarterly

  • Run security audit
  • Review and update passwords
  • Test backup restoration
  • Update security policies

Conclusion

VPS security requires ongoing attention. Implement these measures immediately after provisioning, and maintain regular security reviews. A compromised server can damage your reputation and data.

VexaNode VPS includes DDoS protection and secure infrastructure, giving you a strong security foundation to build upon.

Ready to deploy?

Join thousands of satisfied users and experience the VexaNode difference today.

View Plans