A secure VPS protects your data, applications, and reputation. This guide covers essential security measures every VPS owner should implement.
Priority security tasks:
Updates patch security vulnerabilities.
sudo apt update && sudo apt upgrade -y
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
Configure in /etc/apt/apt.conf.d/50unattended-upgrades:
Unattended-Upgrade::Allowed-Origins {
"\${distro_id}:\${distro_codename}-security";
};
Unattended-Upgrade::Automatic-Reboot "false";
Never run services as root:
# Create user
sudo adduser deploy
# Add to sudo group
sudo usermod -aG sudo deploy
# Switch to new user
su - deploy
After setting up your user:
sudo passwd -l root
If using passwords, ensure they are strong:
SSH is the primary attack vector for VPS.
Generate key pair locally:
ssh-keygen -t ed25519 -C "your_email@example.com"
Copy to server:
ssh-copy-id user@your_server_ip
Edit /etc/ssh/sshd_config:
# Change default port
Port 2222
# Disable root login
PermitRootLogin no
# Disable password authentication
PasswordAuthentication no
# Allow only specific users
AllowUsers deploy
# Disable empty passwords
PermitEmptyPasswords no
# Limit authentication attempts
MaxAuthTries 3
# Set login grace time
LoginGraceTime 30
# Disable X11 forwarding
X11Forwarding no
# Disable TCP forwarding (if not needed)
AllowTcpForwarding no
Restart SSH:
sudo systemctl restart sshd
Important: Test new connection before closing current session!
# Install UFW
sudo apt install ufw
# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH (use your port)
sudo ufw allow 2222/tcp
# Allow web traffic
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Enable firewall
sudo ufw enable
# Check status
sudo ufw status verbose
Limit connection attempts:
sudo ufw limit 2222/tcp
Only open ports you need:
# Example: Allow specific IP
sudo ufw allow from 192.168.1.100 to any port 3306
# Example: Allow subnet
sudo ufw allow from 10.0.0.0/8 to any port 22
Fail2ban blocks IPs after failed login attempts.
sudo apt install fail2ban
Create /etc/fail2ban/jail.local:
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
banaction = ufw
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 24h
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
# Check status
sudo fail2ban-client status sshd
List running services:
sudo systemctl list-units --type=service --state=running
Disable unneeded services:
sudo systemctl disable service_name
sudo systemctl stop service_name
For MySQL/MariaDB:
sudo mysql_secure_installation
Bind to localhost only in /etc/mysql/mysql.conf.d/mysqld.cnf:
bind-address = 127.0.0.1
For Nginx, add security headers:
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
chmod 700 /home/*
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
sudo find / -type f -perm -002 -exec ls -l {} \;
Ensure rsyslog is running:
sudo systemctl enable rsyslog
sudo systemctl start rsyslog
sudo tail -f /var/log/auth.log
Ensure logrotate is configured:
cat /etc/logrotate.d/rsyslog
# Resource monitoring
sudo apt install htop iotop
# Network monitoring
sudo apt install nethogs iftop
Create backup script:
#!/bin/bash
DATE=\$(date +%Y%m%d)
BACKUP_DIR="/backup"
# Backup important directories
tar -czf \$BACKUP_DIR/home_\$DATE.tar.gz /home
tar -czf \$BACKUP_DIR/etc_\$DATE.tar.gz /etc
# Keep only last 7 days
find \$BACKUP_DIR -mtime +7 -delete
Use rsync to remote server:
rsync -avz /backup/ user@backup-server:/backups/
Install Google Authenticator:
sudo apt install libpam-google-authenticator
google-authenticator
Add to /etc/pam.d/sshd:
auth required pam_google_authenticator.so
Install AIDE:
sudo apt install aide
sudo aideinit
Use Lynis for security audits:
sudo apt install lynis
sudo lynis audit system
VPS security requires ongoing attention. Implement these measures immediately after provisioning, and maintain regular security reviews. A compromised server can damage your reputation and data.
VexaNode VPS includes DDoS protection and secure infrastructure, giving you a strong security foundation to build upon.
Join thousands of satisfied users and experience the VexaNode difference today.
View Plans