
Secure Your VPS

Essential security configurations and best practices to protect your VPS server

Tags: security, vps, ssh, firewall, hardening

Introduction

Securing your VPS is crucial to protect your data and services from unauthorized access and attacks. This guide covers essential security measures you should implement on your server.

Prerequisites

Step 1: Disable Root Login

Running services as root is a security risk. Let’s disable direct root login via SSH and require key-based authentication instead of passwords.

Edit SSH Configuration

sudo nano /etc/ssh/sshd_config

Find and modify these lines:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

Restart SSH Service

sudo systemctl restart sshd

Warning: Make sure SSH key authentication is set up and working for your regular user before disabling root login and password authentication. Otherwise, you might lock yourself out!
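
An added example (not part of the original guide): sshd uses the first value it reads for each keyword, so an earlier line or an included drop-in file can silently override the lines from Step 1. The script below reports which value wins; the function names, the sample file names and the assumption that the drop-in is read before the main file are illustrative.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): which value does sshd actually use?
# sshd_config(5): for each keyword, the first obtained value is used, so an
# earlier line or drop-in silently overrides the lines added in Step 1.

# sshd_first_value KEYWORD FILE...   (files in the order sshd reads them)
# Simplification: lines after a "Match" line are skipped to the end of that file.
sshd_first_value() {
    local key=$1; shift
    awk -v key="$key" '
        BEGIN { key = tolower(key) }
        FNR == 1 { skip = 0 }                      # new file: global section again
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next    # blank line or comment
            n = match(line, /[ \t=]+/); if (n == 0) next
            k = tolower(substr(line, 1, n - 1))    # keywords are case-insensitive
            v = substr(line, n + RLENGTH); sub(/[ \t]+$/, "", v)
            if (k == "match") { skip = 1; next }
            if (!skip && k == key) { print v; found = 1; exit }
        }
        END { exit !found }' "$@"
}

# check_ssh_hardening FILE...  -> 0 only if the three Step 1 settings are the ones that win
check_ssh_hardening() {
    local rc=0 want key val
    for want in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes; do
        key=${want%%=*}
        val=$(sshd_first_value "$key" "$@") || val="<not set>"
        if [ "$val" != "${want#*=}" ]; then
            echo "$key: first value read is '$val', Step 1 expects '${want#*=}'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a drop-in read before a main file that has the Step 1 lines.
make_sample() {
    printf 'PasswordAuthentication yes\n' > "$1/50-dropin.conf"
    printf '#PermitRootLogin prohibit-password\nPermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n' > "$1/sshd_config"
}

tmp=$(mktemp -d); make_sample "$tmp"
check_ssh_hardening "$tmp/50-dropin.conf" "$tmp/sshd_config" || echo "-> fix before restarting sshd"
rm -rf "$tmp"
```

On a live server, sudo sshd -t checks the configuration for syntax errors and sudo sshd -T prints the effective settings; run both before restarting the service.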

Step 2: Configure Advanced Firewall Rules

Beyond basic UFW setup, let’s add rate limiting to prevent brute-force attacks.

Enable Rate Limiting for SSH

sudo ufw limit ssh

This limits connection attempts to 6 per 30 seconds from a single IP.

Configure Application-Specific Rules

For a web server:

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

View All Rules

sudo ufw status numbered

Delete a Rule

sudo ufw delete [number]

Step 3: Install and Configure Fail2Ban

Fail2Ban monitors log files and bans IPs that show malicious behavior.

Install Fail2Ban

sudo apt install fail2ban -y

Create Local Configuration

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Configure SSH Protection

Find the [sshd] section and modify:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600

This configuration:

  • Bans an IP after 3 failed login attempts
  • Keeps the ban in place for 1 hour (3600 seconds)
  • Counts failed attempts within a 10-minute window (600 seconds)

Start Fail2Ban

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Check Fail2Ban Status

sudo fail2ban-client status
sudo fail2ban-client status sshd

Unban an IP

If you accidentally ban yourself:

sudo fail2ban-client set sshd unbanip YOUR_IP_ADDRESS

Step 4: Enable Automatic Security Updates

Keep your system patched by installing security updates automatically.

Install Unattended Upgrades

sudo apt install unattended-upgrades -y

Configure Automatic Updates

sudo dpkg-reconfigure -plow unattended-upgrades

Select “Yes” when prompted.

Customize Update Settings

Edit the configuration:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Ensure these lines are uncommented:

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};

Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";


Remember: Security is a continuous process, not a one-time setup. Stay vigilant and keep your systems updated!