Cloud & Infrastructure

VPS Security Hardening: Essential Steps for a Secure Server

Just provisioned a VPS? Follow these essential security hardening steps before putting anything into production.

Super Admin
December 15, 2024


A freshly provisioned VPS is not secure by default. Before deploying any applications, you need to harden your server against common attacks. This guide covers essential security measures for Linux servers.

Initial Setup

1. Update Everything

First things first—update all packages:

sudo apt update && sudo apt upgrade -y

Enable automatic security updates:

sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

2. Create a Non-Root User

Never use root for daily operations:

adduser deploy
usermod -aG sudo deploy

3. Configure SSH Security

Edit /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# Change the default port (sshd does not accept trailing comments on a directive line)
Port 22022
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2

Don't forget to add your SSH key to the new user first! Validate the configuration before restarting sshd, keep your current session open while you do, and confirm that a fresh login with the key on the new port works before you close it.
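An editor-added check, not part of the original guide: a small POSIX shell audit that reads an sshd_config the way sshd does. sshd keeps the first value it sees for a keyword, and Include files (such as /etc/ssh/sshd_config.d/*.conf, pulled in at the top of the file on recent Ubuntu images) are read at the point of the Include line, so an included PasswordAuthentication yes silently wins over your later edit. It assumes Include patterns are absolute paths and ignores Match blocks.

```shell
#!/bin/sh
# Added example: verify that the hardening directives above are actually in force.
# sshd uses the FIRST value read for a keyword; Include files are read in place,
# so a directive in an included file overrides a later one in the main file.
# Assumptions: Include patterns are absolute paths; Match blocks are ignored.

# expand_config FILE: print the config with Include directives expanded in place.
expand_config() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while IFS= read -r line; do
        set -- $line                      # word-split the directive
        if [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = include ]; then
            shift
            for pattern in "$@"; do
                for f in $pattern; do     # unquoted on purpose: expand the glob
                    if [ -f "$f" ]; then expand_config "$f"; fi
                done
            done
        else
            printf '%s\n' "$line"
        fi
    done
}

# effective_value FILE KEYWORD: the value sshd would use, or "" if unset.
effective_value() {
    expand_config "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }   # conditional blocks are out of scope
        tolower($1) == key     { print $2; exit }'
}

# audit_sshd FILE: report every directive whose effective value differs from
# the guide; returns 1 if anything deviates, 0 if all settings are in force.
audit_sshd() {
    rc=0
    for want in "PermitRootLogin no" "PasswordAuthentication no" \
                "PubkeyAuthentication yes" "MaxAuthTries 3" "Port 22022"; do
        key=${want% *}
        got=$(effective_value "$1" "$key")
        if [ "$got" != "${want#* }" ]; then
            printf 'FAIL %s: effective=%s expected=%s\n' "$key" "${got:-(default)}" "${want#* }"
            rc=1
        fi
    done
    return $rc
}

if [ "$#" -gt 0 ]; then audit_sshd "$1"; fi
```

Run it as `sh audit.sh /etc/ssh/sshd_config`; a FAIL line for PasswordAuthentication with an effective value of yes usually means an included file set it before your edit.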

Firewall Configuration

UFW (Uncomplicated Firewall)

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22022/tcp  # SSH (your custom port)
sudo ufw allow 80/tcp     # HTTP
sudo ufw allow 443/tcp    # HTTPS
sudo ufw enable

Fail2Ban

Install and configure Fail2Ban to block brute force attempts:

sudo apt install fail2ban

Create /etc/fail2ban/jail.local:

[sshd]
enabled = true
port = 22022
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600

System Hardening

Disable Unused Services

List running services and disable what you don't need:

systemctl list-unit-files --type=service --state=enabled
sudo systemctl disable <service-name>

Kernel Hardening

Add to /etc/sysctl.conf:

# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0

# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0

# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2

# Log Martians
net.ipv4.conf.all.log_martians = 1

Apply with: sudo sysctl -p

File Permissions

Secure critical files:

chmod 700 /root
chmod 600 /etc/ssh/sshd_config
chmod 644 /etc/passwd
chmod 640 /etc/shadow

Monitoring & Logging

Set Up Log Monitoring

Install and configure logwatch:

sudo apt install logwatch

Enable Process Accounting

sudo apt install acct
sudo touch /var/log/wtmp

Consider Additional Tools

  • AIDE: File integrity monitoring
  • rkhunter: Rootkit detection
  • ClamAV: Antivirus scanning

Regular Maintenance

Create a maintenance checklist:

  • Weekly: Review logs for anomalies
  • Monthly: Full system update
  • Monthly: Review user accounts
  • Quarterly: Security audit
  • Regularly: Backup verification

Conclusion

Security hardening is not a one-time task. Stay vigilant, keep systems updated, and regularly review your security posture. These steps provide a solid foundation, but always adapt to your specific threat model.


Want hassle-free secure hosting? Bhoaz Managed VPS includes security hardening, monitoring, and ongoing maintenance.

Tags

vps, security, linux, server-administration, hardening
