Secure Your Linux VPS
Now that your VPS is up and running, it's time to strengthen its security. This guide walks you through protecting your server against common threats.
Prerequisites
- Have a working Linux VPS
- SSH access with a non-root user
- Sudo privileges configured
- Completed the Getting Started with Your Linux VPS guide
Configure SSH Key Authentication
SSH key authentication is much more secure than passwords.
On Your Local Computer - Windows (PowerShell)
# Generate an SSH key pair
ssh-keygen -t ed25519 -C "your-email@example.com"
# Press Enter to accept the default location
# Set a passphrase (optional but recommended)
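Tip: The ed25519 key is more secure and faster than RSA. If your system doesn't support it, use ssh-keygen -t rsa -b 4096.
# Copy the key to your VPS (creates ~/.ssh on the server if it does not exist yet)
type $env:USERPROFILE\.ssh\id_ed25519.pub | ssh yourname@YOUR_VPS_IP "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"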
On Your Local Computer - macOS / Linux
# Generate an SSH key pair
ssh-keygen -t ed25519 -C "your-email@example.com"
# Copy the key to your VPS
ssh-copy-id yourname@YOUR_VPS_IP
Test Key Authentication
# Connect to your VPS (should not ask for password)
ssh yourname@YOUR_VPS_IP
If the connection works without a password, your SSH key is properly configured!
Disable Password Authentication
Once SSH keys are configured, disable password authentication.
WARNING
Before disabling password authentication, verify that you can connect with your SSH key! Keep a backup SSH session open.
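# Edit SSH configuration
sudo nano /etc/ssh/sshd_config
# Set the following directives in the file:
# Disable password authentication
PasswordAuthentication no
# Disable challenge-response authentication (OpenSSH 8.7 and later name this directive KbdInteractiveAuthentication and keep the old name as a deprecated alias)
ChallengeResponseAuthentication no
# Completely disable root login
PermitRootLogin no
# Allow only your user (optional)
AllowUsers yourname
# Save the file, then restart SSH to apply the changes
sudo systemctl restart sshd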
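Editing /etc/ssh/sshd_config does not guarantee the setting is in force: sshd uses the first value it reads for each keyword, so on systems whose sshd_config includes /etc/ssh/sshd_config.d/*.conf a drop-in file can still leave password logins enabled. The following check is an added example, not part of the original guide; it audits the effective configuration printed by `sshd -T`, and the function names and sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the effective sshd
# settings. Real use: sudo sshd -T | check_sshd_effective

# Reads `sshd -T` style "key value" lines on stdin, prints one line per
# deviation from this guide's settings, returns 1 if any deviation exists.
check_sshd_effective() {
    awk '
    { seen[tolower($1)] = tolower($2) }   # sshd -T prints lowercase keys
    END {
        bad = 0
        # Settings that must be present with exactly this value.
        n = split("passwordauthentication=no permitrootlogin=no pubkeyauthentication=yes", must, " ")
        for (i = 1; i <= n; i++) {
            split(must[i], kv, "=")
            if (!(kv[1] in seen)) { print "MISSING " kv[1]; bad = 1 }
            else if (seen[kv[1]] != kv[2]) { print "WEAK " kv[1] " " seen[kv[1]]; bad = 1 }
        }
        # Keyboard-interactive login: the keyword name depends on the
        # OpenSSH version, so check whichever name is reported.
        m = split("kbdinteractiveauthentication challengeresponseauthentication", alt, " ")
        for (i = 1; i <= m; i++)
            if ((alt[i] in seen) && seen[alt[i]] != "no") { print "WEAK " alt[i] " " seen[alt[i]]; bad = 1 }
        exit bad
    }'
}

# Constructed sample: the main file was hardened, but a drop-in that is read
# first still sets PasswordAuthentication yes.
sample_effective_config() {
    cat <<'EOF'
port 2222
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
allowusers yourname
EOF
}

sample_effective_config | check_sshd_effective || echo "sshd is not enforcing the intended settings"
```

Run the real check from the backup SSH session before closing it, so a surprising result can still be corrected.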
Change Default SSH Port
Changing the SSH port reduces automated intrusion attempts.
# Edit SSH configuration
sudo nano /etc/ssh/sshd_config
# Default port: 22
Port 2222
Tip: Choose a port between 1024 and 65535. Avoid common ports like 2222; prefer something like 49152.
Update Firewall - UFW (Ubuntu/Debian)
# Allow the new port
sudo ufw allow 2222/tcp
# Remove the old port
sudo ufw delete allow 22/tcp
# Reload UFW
sudo ufw reload
Update Firewall - FirewallD (CentOS/Rocky)
# Add the new port
sudo firewall-cmd --permanent --add-port=2222/tcp
# Remove the old port
sudo firewall-cmd --permanent --remove-service=ssh
# Reload firewall
sudo firewall-cmd --reload
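# Restart SSH
# (On CentOS/Rocky with SELinux enforcing, first label the new port for sshd: sudo semanage port -a -t ssh_port_t -p tcp 2222)
sudo systemctl restart sshd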
# To reconnect with the new port
ssh -p 2222 yourname@YOUR_VPS_IP
Install and Configure Fail2ban
Fail2ban protects your server against brute force attacks by temporarily banning suspicious IPs.
Installation
# Ubuntu/Debian
sudo apt update
sudo apt install fail2ban -y
# CentOS/Rocky
sudo yum install epel-release -y
sudo yum install fail2ban -y
Configure Fail2ban
# Create a local configuration file
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
[DEFAULT]
# Ban duration (in seconds) - 1 hour
bantime = 3600
# Detection window duration (10 minutes)
findtime = 600
# Number of attempts before ban
maxretry = 5
# Action to perform (ban the IP)
banaction = iptables-multiport
[sshd]
enabled = true
port = 2222
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3
bantime = 86400
Configuration explained:
- bantime = 86400: Ban for 24 hours
- findtime = 600: Monitor over a 10-minute window
- maxretry = 3: Ban after 3 failed attempts
- port = 2222: If you changed the SSH port
# Start and enable Fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
# Check status
sudo systemctl status fail2ban
Verify Fail2ban
# View SSH protection status
sudo fail2ban-client status sshd
# View all active jails
sudo fail2ban-client status
Useful Fail2ban commands:
| Command | Description |
|---|---|
| sudo fail2ban-client status sshd | SSH jail status |
| sudo fail2ban-client set sshd unbanip IP | Unban an IP |
| sudo fail2ban-client reload | Reload configuration |
| sudo tail -f /var/log/fail2ban.log | View logs in real-time |
Configure Advanced Firewall
Configure your firewall to only allow necessary services.
UFW Configuration (Ubuntu/Debian)
# Reset UFW (optional)
sudo ufw --force reset
# Default policy: deny all incoming traffic
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH (with new port)
sudo ufw allow 2222/tcp
# Allow HTTP and HTTPS (if you have a web server)
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Limit SSH connections (anti-bruteforce protection)
sudo ufw limit 2222/tcp
# Enable UFW
sudo ufw enable
# Check status
sudo ufw status verbose
FirewallD Configuration (CentOS/Rocky)
# Set default zone
sudo firewall-cmd --set-default-zone=public
# Allow SSH
sudo firewall-cmd --permanent --add-port=2222/tcp
# Allow HTTP/HTTPS
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
# Limit SSH connections
sudo firewall-cmd --permanent --add-rich-rule='rule service name=ssh limit value=3/m accept'
# Reload
sudo firewall-cmd --reload
# Verify
sudo firewall-cmd --list-all
Monitor System Logs
Regularly monitor logs to detect suspicious activity.
# View recent failed SSH login attempts
sudo grep "Failed password" /var/log/auth.log | tail -20
# View successful SSH connections
sudo grep "Accepted" /var/log/auth.log | tail -20
# Monitor logs in real-time
sudo tail -f /var/log/auth.log
Tip: On CentOS/Rocky, use /var/log/secure instead of /var/log/auth.log.
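Once password authentication is disabled, the "Failed password" grep goes quiet even though scanners keep connecting, because sshd then logs those attempts as pre-authentication disconnects. The following summary is an added example, not part of the original guide; it counts both kinds of failure per source address, and the function names, the threshold argument and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide). Real use:
#   sudo cat /var/log/auth.log | ssh_fail_summary 3

# Reads sshd log lines on stdin and prints "count ip" for every source
# address with at least $1 failed authentications (default 3).
ssh_fail_summary() {
    awk -v min="${1:-3}" '
    # "Invalid user ..." lines are not matched, so that one attempt is not
    # counted twice: the same attempt also produces a line matched here.
    /sshd\[[0-9]+\]: (Failed password|Connection closed by (authenticating|invalid) user|Disconnected from (authenticating|invalid) user)/ {
        # The address is the field before the LAST "port". Scan from the end
        # because the username is chosen by the client and may be "port".
        for (i = NF; i > 1; i--)
            if ($i == "port") { hits[$(i - 1)]++; break }
    }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -rn
}

# Constructed sample log lines (documentation address ranges).
sample_auth_log() {
    cat <<'EOF'
Mar  3 10:01:02 vps sshd[1001]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 vps sshd[1001]: Failed password for invalid user port from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:09 vps sshd[1004]: Invalid user admin from 203.0.113.7 port 51240
Mar  3 10:01:10 vps sshd[1004]: Connection closed by invalid user admin 203.0.113.7 port 51240 [preauth]
Mar  3 10:02:00 vps sshd[1010]: Connection closed by authenticating user yourname 198.51.100.23 port 40022 [preauth]
Mar  3 10:03:00 vps sshd[1020]: Accepted publickey for yourname from 192.0.2.10 port 50022 ssh2
EOF
}

sample_auth_log | ssh_fail_summary 3
```

An address that appears here but not in `sudo fail2ban-client status sshd` indicates that the jail's log path or port setting does not match what sshd is actually doing.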
Install Security Audit Tools
Lynis - Automatic Security Audit
# Installation on Ubuntu/Debian
sudo apt install lynis -y
# Installation on CentOS/Rocky
sudo yum install lynis -y
# Run a complete audit
sudo lynis audit system
RKHunter - Rootkit Detection
# Installation on Ubuntu/Debian
sudo apt install rkhunter -y
# Installation on CentOS/Rocky
sudo yum install rkhunter -y
# Update database
sudo rkhunter --update
# Run a scan
sudo rkhunter --check
Keep System Updated
# Configure automatic security updates (Ubuntu/Debian)
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades
# Check for updates manually
sudo apt update && sudo apt upgrade -y
Important
Security updates are crucial. Configure automatic updates and regularly verify your system is up to date.
Configure Automatic Backups
Never neglect backups!
# Create a directory for backups
mkdir -p ~/backups
# Create backup script
sudo nano /usr/local/bin/backup.sh
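#!/bin/bash
# Archives contain /etc (including /etc/shadow when run as root), so create them readable by the owner only
umask 077
# Configuration
BACKUP_DIR="/home/yourname/backups"
DATE=$(date +%Y-%m-%d_%H-%M-%S)
BACKUP_FILE="backup_$DATE.tar.gz"
# Create archive (--exclude is given before the paths it applies to)
tar -czf "$BACKUP_DIR/$BACKUP_FILE" \
--exclude=/home/yourname/backups \
/etc \
/home/yourname
# Keep only the last 7 backups (only files created by this script are considered)
cd "$BACKUP_DIR" || exit 1
ls -t backup_*.tar.gz | tail -n +8 | xargs -r rm --
echo "Backup created: $BACKUP_FILE"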
# Make the script executable
sudo chmod +x /usr/local/bin/backup.sh
# Add a cron job (daily backup at 3 AM)
sudo crontab -e
0 3 * * * /usr/local/bin/backup.sh
Security Checklist
Verify that you have:
- Configured SSH key authentication
- Disabled password authentication
- Disabled root login
- Changed default SSH port
- Installed and configured Fail2ban
- Properly configured your firewall
- Installed audit tools (Lynis, RKHunter)
- Enabled automatic updates
- Configured regular backups
- Monitored system logs
Congratulations!
Your VPS is now well secured. Security is an ongoing process: regularly monitor your logs and keep your system updated!

