Keep it Updated
The exact method to update and deploy security patches will depend on your distribution. Ubuntu users, for example, should get in the habit of running sudo apt update and sudo apt upgrade whenever they SSH into their VPS, followed by sudo reboot to apply any kernel updates. Generally, you should make sure updates don't have any serious reported issues before applying them.
If you don't log in to your system regularly, automatic security updates can be a good idea. In Ubuntu 20.04, you can enable automatic updates via unattended upgrades:
sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
You can then run through the interactive installer to configure your options. For CentOS, you should be using yum-cron.
However, it's worth noting that whatever your distribution, automatic updates can have disadvantages. As the system does not automatically restart, users may assume they're safe when in reality kernel updates have not been applied. They can also lead to downtime of services, which can cause problems if you rely on them 24/7. Finally, some packages can have bugs and you won't be able to vet them before they're installed. As a result, it's often best to limit automatic updates to security ones.
Don't Log In as root
It is good practice to create a limited account that has to ask for permission via sudo to execute administrative tasks. You should then use that account to log in each time you use your VPS, disabling remote root login (see next section).
In Ubuntu, type:
Enter a secure, unique password, then type adduser limited_user sudo to add it to the administrator group.
In CentOS, you can perform the same functions with the commands:
useradd limited_user && passwd limited_user
usermod -aG wheel limited_user
Type exit on either distribution to log out after creating the user, then replace root with the new user in your SSH client.
Optimize your SSH daemon for security
After creating a limited account and testing your SSH key, it's a good idea to make some changes to the SSH daemon for further protection. Now that you have SSH key authentication set up, you can disable SSH password logins and root login by editing the /etc/ssh/sshd_config file with your favorite text editor:
cd /etc/ssh
sudo nano sshd_config
Add the following line under # Authentication to turn off root login via SSH:
You can instead use sudo to run commands or su - root followed by the password from your limited user.
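A check for the two settings this section changes, as an added example that is not part of the original article: it reads an sshd_config-style file and reports whether PermitRootLogin and PasswordAuthentication are both set to no. The function names and the sample file are constructed for illustration; only the global section before any Match block is read, and Include files are not followed.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Assumptions: only the global
# section before the first "Match" block is read; Include files are ignored.

# Print the global value of keyword $2 in file $1, lowercased. sshd keeps the
# first value it obtains for a keyword, and keywords are case-insensitive.
sshd_global_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        { sub(/^[ \t]+/, "") }               # drop leading indentation
        tolower($1) == "match" { exit }      # global section ends here
        {
            split($0, kv, /[ \t=]+/)         # "Key value" or "Key=value"
            if (tolower(kv[1]) == key) { print tolower(kv[2]); exit }
        }
    ' "$1"
}

# Return 0 only if root login and password login are both set to "no".
# An unset keyword is a finding: OpenSSH defaults are PermitRootLogin
# prohibit-password and PasswordAuthentication yes.
audit_sshd_config() {
    local file="$1" rc=0 key val
    for key in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_global_value "$file" "$key")
        if [ "$val" = "no" ]; then
            echo "OK    $key no"
        else
            echo "FAIL  $key ${val:-unset (OpenSSH default applies)}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the later "PermitRootLogin no" has no effect because the
# first value wins, so this file still permits root login.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Authentication
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd_config "$sample" || echo "sshd_config needs attention"
rm -f "$sample"
```

On a live server, sudo sshd -T prints the effective configuration, including Include files, and can be used to confirm the same two values.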
Configure Your Firewall
A properly configured firewall will only allow the traffic necessary for your VPS' operation, denying everything else. In most Linux distributions, this can be achieved via the use of iptables.
FirewallD is used for iptables configuration on CentOS/Fedora.
UFW (Uncomplicated Firewall) is available as a frontend on Debian and Ubuntu for easier management.
In Windows 10, there's the built-in Firewall application, which does a lot of the heavy lifting for you automatically.
Install and configure Fail2ban
Set up Fail2ban to ban IP addresses from logging into your VPS after too many failed attempts.
The basic steps to get Fail2ban up and running are as follows:
Update your VPS
sudo apt install -y fail2ban
Enable boot persistence:
sudo systemctl enable fail2ban
Start the fail2ban service:
sudo systemctl start fail2ban