Keep it Updated
The exact method to update and deploy security patches will depend on your distribution. Ubuntu users, for example, should get in the habit of running sudo apt update and sudo apt upgrade whenever they SSH into their VPS, followed by sudo reboot to apply any kernel updates. Generally, you should make sure updates don't have any serious reported issues before applying them.
If you don't log in to your system regularly, automatic security updates can be a good idea. In Ubuntu 20.04, you can enable automatic updates with the unattended-upgrades package:
sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
You can then run through the interactive installer to configure your options. For CentOS, you should be using yum-cron.
However, it's worth noting that whatever your distribution, automatic updates can have disadvantages. As the system does not automatically restart, users may assume they're safe when in reality kernel updates have not been applied. They can also lead to downtime of services, which can cause problems if you rely on them 24/7. Finally, some packages can have bugs and you won't be able to vet them before they're installed. As a result, it's often best to limit automatic updates to security ones.
Don't Log In as root
It is good practice to create a limited account that has to ask for permission via sudo to execute administrative tasks. You should then use that account to log in each time you use your VPS, disabling remote root login (see next section).
In Ubuntu, type:
adduser limited_user
Enter a secure, unique password, then type adduser limited_user sudo to add it to the administrator group.
In CentOS, you can perform the same functions with the commands:
useradd limited_user && passwd limited_user
usermod -aG wheel limited_user
Type exit on either distribution to log out after creating the user, then replace root with the new user in your SSH client.
Optimize your SSH daemon for security
After creating a limited account and testing your SSH key, it's a good idea to make some changes to the SSH daemon for further protection. Now that you have SSH key authentication set up, you can disable SSH password logins and root login by editing the /etc/ssh/sshd_config file with your favorite text editor (as the limited user, this needs sudo):
sudo nano /etc/ssh/sshd_config
Add the following line under # Authentication to turn off root login via SSH:
PermitRootLogin no
From your limited user you can instead use sudo to run commands, or su - root followed by the root password.
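The following POSIX shell functions are an added example, not code from the original article: they make the sshd_config edit idempotent by replacing Ubuntu's commented-out default directive instead of leaving two conflicting lines, also turn off password authentication as this section intends, and insist on sshd -t before a restart. The function names, the backup naming and the test input are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). Function names, backup
# naming and sample input are constructed here; paths default to the real ones.

# Set KEY to VALUE in an sshd_config-style FILE. Replaces any existing line for
# KEY, including the commented-out defaults Ubuntu ships
# (e.g. "#PermitRootLogin prohibit-password"), and appends if none exists.
set_sshd_directive() {
  file="$1"; key="$2"; value="$3"
  pattern="^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$"
  if grep -Eq "$pattern" "$file"; then
    sed -i -E "s/${pattern}/${key} ${value}/" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# Return the value sshd will use for KEY: the first uncommented match wins.
sshd_directive_value() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Disable root login and password authentication (key-based login only).
# Keeps a timestamped backup so a mistake can be rolled back.
harden_sshd_config() {
  file="${1:-/etc/ssh/sshd_config}"
  cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
  set_sshd_directive "$file" PermitRootLogin no
  set_sshd_directive "$file" PasswordAuthentication no
}

# Validate the edited file before restarting; a syntax error would lock you
# out on the next restart. The service is "ssh" on Ubuntu, "sshd" on CentOS.
apply_sshd_config() {
  file="${1:-/etc/ssh/sshd_config}"
  sshd -t -f "$file" && systemctl restart ssh
}
```

On Ubuntu 20.04 and later the default file starts with Include /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for a keyword, so a drop-in file in that directory overrides anything set further down in sshd_config. Keep your current session open and confirm a fresh key-based login works before closing it.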
Configure Your Firewall
A properly configured firewall will only allow the traffic necessary for your VPS's operation, denying everything else. In most Linux distributions, this can be achieved with iptables.
firewalld is used to manage iptables rules on CentOS/Fedora.
UFW (Uncomplicated Firewall) is a front end available on Debian and Ubuntu for easier management.
In Windows 10, there's the built-in Windows Firewall, which does a lot of the heavy lifting for you automatically.
Install and configure Fail2ban
Set up Fail2ban to temporarily block IP addresses that make too many failed login attempts against your VPS.
The basic steps to get Fail2ban up and running are as follows:
Update your VPS
Install Fail2ban:
sudo apt install -y fail2ban
Enable boot persistence:
sudo systemctl enable fail2ban
Start the fail2ban service:
sudo systemctl start fail2ban