Secure your Linux VPS
This guide presents best practices for securing your Linux VPS. Security is an ongoing process; these steps constitute a solid foundation.
Test each modification before closing your current SSH session to avoid getting locked out.
1. Update the system
The first step in securing your VPS is to keep the system up to date.
Install updates
apt update && apt upgrade -y
Plan to regularly check for security updates. You can automate this, but doing it manually remains preferable to maintain control, as some updates may require intervention.
2. Create a non-root user
Never use root for daily operations.
Create a new user
adduser yourname
Add the user to the sudo group
usermod -aG sudo yourname
Test the connection
In a new terminal, test the connection with the new user:
ssh yourname@YOUR_VPS_IP
Verify that sudo works:
sudo apt update
3. Secure SSH
The SSH service is the entry point to your VPS, so it must be properly configured.
3.1. Modify SSH configuration
Once a non-root user is created, log in with it and edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Modify or add these lines:
# Disable root login
PermitRootLogin no
# Limit authentication attempts
MaxAuthTries 3
# Connection timeout
LoginGraceTime 30
# Disable X11 forwarding
X11Forwarding no
# Limit access to certain users (optional)
AllowUsers yourname
3.2. Change SSH port (optional)
To avoid automated scans that target port 22, change the Port directive in the same file:
Port 2222
If you change the SSH port, note it! You will then need to connect with:
ssh -p 2222 yourname@YOUR_VPS_IP
Or change your SSH client configuration.
If you use a VPN or specific firewall to access your VPS, make sure the new port is allowed.
3.3. Restart SSH
First test the configuration:
sudo sshd -t
If everything is OK, restart:
sudo systemctl restart sshd
# or depending on the distribution
sudo systemctl restart ssh
Don't close your current session! Open a new terminal and test the SSH connection before closing the old session.
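The following check is an added example, not part of the original guide: it compares sshd settings read on stdin with the values recommended in section 3.1 and reports any that are missing or different. The function name audit_sshd and the sample configuration are constructed for illustration; it assumes keyword and value are separated by whitespace, and it skips Match blocks and does not follow Include lines.

```shell
#!/bin/sh
# Added example: audit sshd settings against the values from section 3.1.
# Input on stdin: "Keyword value" lines (sshd_config text or `sshd -T` output).

# Expected values, copied from section 3.1 of this guide.
EXPECTED='permitrootlogin=no maxauthtries=3 logingracetime=30 x11forwarding=no'

audit_sshd() {
    # Prints one line per setting; returns 0 only if every setting matches.
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                order[i] = kv[1]; want[kv[1]] = kv[2]
            }
        }
        NF == 0 || $1 ~ /^#/ { next }           # blank lines and comments
        tolower($1) == "match" { in_match = 1 } # conditional block: skipped (assumption)
        in_match { next }
        {
            key = tolower($1)                   # keywords are case-insensitive
            # sshd keeps the first value it reads for a keyword
            if ((key in want) && !(key in seen)) seen[key] = tolower($2)
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in seen))            { print "MISSING  " k " (want " want[k] ")"; bad = 1 }
                else if (seen[k] != want[k]) { print "MISMATCH " k "=" seen[k] " (want " want[k] ")"; bad = 1 }
                else                           print "OK       " k "=" seen[k]
            }
            exit bad
        }'
}

# Constructed sample input, not taken from a real server.
SAMPLE_CONFIG='# constructed sshd_config fragment
PermitRootLogin no
permitrootlogin yes
MaxAuthTries 6
LoginGraceTime 30
Match User backup
    X11Forwarding no'

printf '%s\n' "$SAMPLE_CONFIG" | audit_sshd || true
```

On the VPS, sudo sshd -T | audit_sshd checks the effective configuration, which also covers files pulled in by Include lines.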
4. Configure a firewall (UFW)
UFW (Uncomplicated Firewall) is a simple and effective firewall.
A firewall controls incoming and outgoing network traffic, protecting your VPS against unauthorized access.
For example, if you go through a VPN, you might want to restrict SSH access only to VPN IPs.
UFW is not the only option; there are also iptables, firewalld, etc. UFW is recommended for its simplicity.
Installation
sudo apt install -y ufw
Basic configuration
# Block all incoming traffic by default
sudo ufw default deny incoming
# Allow all outgoing traffic
sudo ufw default allow outgoing
# Allow SSH (default port 22)
sudo ufw allow 22/tcp
# If you changed the SSH port
sudo ufw allow 2222/tcp
Allow other services
Depending on your needs:
# HTTP
sudo ufw allow 80/tcp
# HTTPS
sudo ufw allow 443/tcp
# MySQL (only if needed from outside)
sudo ufw allow 3306/tcp
# PostgreSQL
sudo ufw allow 5432/tcp
Enable the firewall
sudo ufw enable
Check status
sudo ufw status verbose
5. Install Fail2ban
Fail2ban protects against brute-force attacks by temporarily banning IP addresses that make repeated failed login attempts.
Installation
sudo apt install -y fail2ban
Configuration
Create a local configuration:
sudo nano /etc/fail2ban/jail.local
Add this basic configuration:
[DEFAULT]
# Ban for 1 hour
bantime = 3600
# Detection window of 10 minutes
findtime = 600
# Maximum number of attempts
maxretry = 5
# Default action
banaction = ufw
[sshd]
enabled = true
port = 22
# If you changed the SSH port, modify this line
# port = 2222
logpath = %(sshd_log)s
backend = systemd
Start Fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Check status
sudo fail2ban-client status
sudo fail2ban-client status sshd
🎉 Congratulations
Your Linux VPS is now much more secure! Remember that security is an ongoing process:
- Monitor your logs regularly
- Keep your system up to date
- Perform regular backups
- Periodically audit your configuration
If you encounter any issues or need additional advice, join our Discord.