Skip to main content
All CollectionsVPS Management, Logs and Montitoring
Basic VPS Security: Best Practices
Basic VPS Security: Best Practices

General best practices for securing your VPS

Written by BL
Updated over a week ago

Keep it Updated

The exact method to update and deploy security patches will depend on your distribution. Ubuntu users, for example, should get in the habit of running sudo apt update and sudo apt upgrade whenever they SSH into their VPS, followed by sudo reboot to apply any kernel updates. Generally, you should make sure updates don't have any serious reported issues before applying them.

If you don't log in to your system regularly, automatic security updates can be a good idea. In Ubuntu 20.04, you can enable automatic updates via unattended upgrades:

sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

You can then run through the interactive installer to configure your options. For CentOS, you should be using yum-cron.

However, it's worth noting that whatever your distribution, automatic updates can have disadvantages. As the system does not automatically restart, users may assume they're safe when in reality kernel updates have not been applied. They can also lead to downtime of services, which can cause problems if you rely on them 24/7. Finally, some packages can have bugs and you won't be able to vet them before they're installed. As a result, it's often best to limit automatic updates to security ones.

Don't Log In as root

It is good practice to create a limited account that has to ask for permission via sudo to execute administrative tasks. You should then use that account to log in each time you use your VPS, disabling remote root login (see next section).

In Ubuntu, type:

adduser limited_user

Enter a secure, unique password, then type adduser limited_user sudo to add it to the administrator group.

In CentOS, you can perform the same functions with the commands:

useradd limited_user && passwd limited_user 
usermod -aG wheel example_user

Type exit on either distribution to log out after creating the user, then replace root with the new user in your SSH client.

Optimize your SSH daemon for security

After creating a limited account and testing your SSH key, it's a good idea to make some changes to the SSH daemon for further protection. Now that you have SSH key authentication set up, you can disable SSH password logins and root login by editing the /etc/ssh/sshd_config file with your favorite text editor:

cd /etc/ssh nano sshd_config

Add the following line under # Authentication to turn off root login via SSH:

PermitRootLogin no

You can instead use sudo to run commands or su - root followed by the password from your limited user.

Configure Your Firewall

A properly configured firewall will only allow the traffic necessary for your VPS' operation, denying everything else. In most Linux distributions, this can be achieved via the use of Iptables.

FirewallID is used for iptables configuration on CentOS/Fedora

UFW - Uncomplicated Firewall, is available as a frontend, is used for Debian and Ubuntu for easier management.

In Windows 10, there's the built-in Firewall application, which does a lot of the heavy lifting for you automatically.

Install and configure Fail2ban

Set up Fail2Ban to ban IP addresses from logging into your VPS after too many failed attempts.

The basic steps to get Fail2ban up and running are as follows:

  • Update your VPS

  • Install Fail2ban:sudo apt install -y fail2ban

  • Enable boot persistence: systemctl enable fail2ban

  • Start the fail2ban service: systemctl start fail2ban

Did this answer your question?