VPS Security Hardening Checklist
Securing your VPS is essential to protect your data and applications. This comprehensive checklist covers all critical security measures you should implement on your {{COMPANY_NAME}} VPS immediately after provisioning.
1. System Updates
Keep your operating system and all packages up to date.
Ubuntu/Debian
```bash
sudo apt update && sudo apt upgrade -y
```
CentOS/RHEL
```bash
sudo yum update -y
# or on newer versions
sudo dnf update -y
```
Tip: Enable automatic security updates to stay protected:
```bash
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
```
2. Create a Non-Root User
Avoid using the root account for daily operations.
```bash
# Create a new user
adduser myuser
# Grant sudo privileges
usermod -aG sudo myuser
# Switch to new user
su - myuser
```
Test that the new user can run sudo commands before proceeding.
3. Secure SSH Access
3a. Use SSH Key Authentication
```bash
# On your local machine, generate a key
ssh-keygen -t ed25519
# Copy to server
ssh-copy-id myuser@YOUR_VPS_IP
```
3b. Disable Root Login and Password Authentication
Edit SSH configuration:
```bash
sudo nano /etc/ssh/sshd_config
```
Set the following values:
```
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
UsePAM no
X11Forwarding no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
```
Restart SSH:
```bash
sudo systemctl restart sshd
```
Tip: Keep your current SSH session open while testing the new configuration in a separate terminal. This prevents lockouts.
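One way to confirm that the values from 3b actually took effect, as an added example that is not part of the original article: `sshd -T` prints the effective configuration, which can differ from your edits when an included file sets the same keyword earlier, because sshd uses the first value it reads. The function name `audit_sshd` and the sample input are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): audit sshd's effective settings.
# Real use, as root:  sshd -T | audit_sshd
# `sshd -T` prints the merged configuration as lowercase "keyword value" lines.

# Expected values, taken from step 3b of this checklist.
EXPECTED='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
usepam no
x11forwarding no
maxauthtries 3
clientaliveinterval 300
clientalivecountmax 2'

# Reads `sshd -T` style output on stdin and prints one line per deviation.
# Returns 0 when every expected setting matches, 1 otherwise.
audit_sshd() {
    local effective key want got rc=0
    effective=$(cat)
    while read -r key want; do
        got=$(printf '%s\n' "$effective" |
              awk -v k="$key" 'tolower($1) == k { print $2; exit }')
        if [ -z "$got" ]; then
            echo "MISSING $key (expected $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key: effective=$got expected=$want"; rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# Constructed sample: effective settings when an earlier-loaded file (for
# example a drop-in under /etc/ssh/sshd_config.d/) overrides two of the edits.
SAMPLE_DRIFT='permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes
usepam no
x11forwarding no
maxauthtries 6
clientaliveinterval 300
clientalivecountmax 2'

printf '%s\n' "$SAMPLE_DRIFT" | audit_sshd || echo "sshd does not match step 3b"
```

Run it from the second terminal mentioned in the tip above, before closing your original session.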
3c. Change the Default SSH Port
Edit /etc/ssh/sshd_config:
```
Port 2222
```
Update your firewall rules before restarting SSH:
```bash
sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp
sudo systemctl restart sshd
```
4. Configure a Firewall
```bash
# Set defaults
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow your SSH port
sudo ufw allow 2222/tcp
# Allow web traffic (if running a web server)
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Enable firewall
sudo ufw enable
```
5. Install and Configure Fail2ban
Fail2ban monitors log files and automatically blocks IP addresses that show signs of malicious activity, such as repeated failed logins.
```bash
sudo apt install fail2ban -y
```
Create a local configuration:
```bash
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
```
Key settings:
```ini
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600
```
Restart fail2ban:
```bash
sudo systemctl restart fail2ban
sudo systemctl enable fail2ban
# Check status
sudo fail2ban-client status sshd
```
6. Disable Unused Services
List running services and disable what you do not need:
```bash
# List all running services
systemctl list-units --type=service --state=running
# Disable unnecessary services
sudo systemctl stop SERVICE_NAME
sudo systemctl disable SERVICE_NAME
```
Common services to review: cups, avahi-daemon, bluetooth, rpcbind.
7. Set Up Intrusion Detection
Install and configure rkhunter to check for rootkits:
```bash
sudo apt install rkhunter -y
sudo rkhunter --update
sudo rkhunter --check
```
Set up a daily scan via cron:
```bash
sudo crontab -e
# Add (replace YOUR_EMAIL with the address that should receive the report):
0 3 * * * /usr/bin/rkhunter --check --skip-keypress --report-warnings-only | mail -s "rkhunter report" YOUR_EMAIL
```
8. Secure Shared Memory
Prevent shared memory exploits:
```bash
sudo nano /etc/fstab
```
Add:
```
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
```
9. Configure Log Monitoring
Important log files to monitor:
- /var/log/auth.log: authentication attempts
- /var/log/syslog: system events
- /var/log/fail2ban.log: blocked IPs
- /var/log/ufw.log: firewall activity
Install logwatch for daily summaries:
```bash
sudo apt install logwatch -y
# Replace YOUR_EMAIL with the address that should receive the summary
sudo logwatch --detail High --mailto YOUR_EMAIL --range today
```
10. Set Up Automatic Backups
Schedule regular backups of critical data:
```bash
# Simple backup script
sudo nano /usr/local/bin/backup.sh
```
```bash
#!/bin/bash
# Archive key directories into a dated tarball
DATE=$(date +%Y%m%d)
tar -czf "/backup/server-backup-$DATE.tar.gz" /etc /var/www /home
# Remove anything under /backup older than 30 days
find /backup -mtime +30 -delete
```
```bash
sudo chmod +x /usr/local/bin/backup.sh
sudo crontab -e
# Add:
0 2 * * * /usr/local/bin/backup.sh
```
Quick Reference Checklist
- System fully updated
- Non-root user created with sudo access
- SSH key authentication enabled
- Root login disabled
- Password authentication disabled
- SSH port changed from default
- Firewall configured and enabled
- Fail2ban installed and configured
- Unused services disabled
- Intrusion detection installed
- Shared memory secured
- Log monitoring configured
- Automated backups scheduled
Need help hardening your VPS? Contact our support team at {{SUPPORT_EMAIL}} or open a ticket at {{SUPPORT_URL}}.