VPS Security: Essential Hardening Checklist

Secure your VPS in 30 minutes. SSH hardening, firewall setup, fail2ban, and automatic updates for production servers.

Why Security Matters

An unsecured VPS can be compromised within hours of deployment. Automated bots constantly scan for vulnerable servers. This checklist covers essential security measures every VPS needs.

1. SSH Hardening

Priority: Critical

SSH is the most common attack vector. Secure it first.

# Edit the SSH daemon config
sudo nano /etc/ssh/sshd_config

# Recommended settings. sshd keeps the FIRST value it reads for each
# directive, so put these above any Include line (or in a drop-in that
# sorts first, such as /etc/ssh/sshd_config.d/00-hardening.conf):
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# Change from default 22 (cuts scanner noise; not a defence on its own)
Port 2222

# Check the EFFECTIVE values: provider images often ship
# /etc/ssh/sshd_config.d/50-cloud-init.conf with "PasswordAuthentication yes"
sudo sshd -T | grep -Ei '^(permitrootlogin|passwordauthentication|pubkeyauthentication|port) '

# Syntax-check, then restart (the unit is "ssh" on Debian/Ubuntu; "sshd" is an alias there)
sudo sshd -t && sudo systemctl restart sshd

⚠️ Important: Before disabling password authentication, put your public key in ~/.ssh/authorized_keys of a non-root user (one with sudo rights, since root login is being disabled too), log in with that key from a second terminal, and keep the first session open while you restart sshd. After the restart, confirm with sudo ss -tlnp | grep sshd that the daemon listens on the new port; on Ubuntu releases where ssh is socket-activated the listening port comes from ssh.socket, not sshd_config. If you lock yourself out, the provider's web console is the only way back in.
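The drop-in precedence rule is the part of this step people get wrong, so here is a small audit script, added for this page (it is not OpenSSH code and not part of the original guide), that replays sshd's own resolution rules over a config directory: first value wins, Include globs expand in sorted order where the Include line appears, relative Include paths resolve against the config directory, and everything after the first Match block is ignored as conditional. It reports which file set each hardening directive, which sudo sshd -T does not print. The function names and the directory argument are this example's own.

```sh
#!/bin/sh
# sshd_effective.sh: show which file supplies the effective value of the
# hardening directives above, using sshd's own resolution rules:
#   - the FIRST occurrence of a directive wins,
#   - "Include" globs expand (sorted) at the point where they appear,
#   - relative Include paths resolve against the config directory
#     (/etc/ssh on a real host; the first argument here),
#   - directives after the first "Match" are conditional and are skipped.
# Added example for this page; not OpenSSH code. "sudo sshd -T" remains
# the authoritative check for the values; this only adds the source file.

# Emit "file<TAB>directive<TAB>value" for $1 in sshd's read order.
_sshd_lines() {
    local file="$1" root="$2" key val pat inc
    [ -r "$file" ] || return 0
    awk '{
        sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
        if ($0 == "") next
        match($0, /^[^ \t=]+/); key = substr($0, 1, RLENGTH)
        val = substr($0, RLENGTH + 1); sub(/^[ \t=]+/, "", val)
        print tolower(key) "\t" val          # sshd keywords are case-insensitive
    }' "$file" |
    while IFS="$(printf '\t')" read -r key val; do
        case "$key" in
            include)
                set -f                       # split the value on spaces without globbing yet
                for pat in $val; do
                    case "$pat" in /*) ;; *) pat="$root/$pat" ;; esac
                    set +f                   # now expand the glob, sorted like glob(3)
                    for inc in $pat; do _sshd_lines "$inc" "$root"; done
                    set -f
                done
                set +f ;;
            match) break ;;
            *) printf '%s\t%s\t%s\n' "$file" "$key" "$val" ;;
        esac
    done
}

# Effective value of a directive (lowercase name) under config dir $1,
# or nothing if it is never set, in which case sshd's built-in default applies.
sshd_effective_value() {
    _sshd_lines "$1/sshd_config" "$1" | awk -F'\t' -v k="$2" '$2 == k { print $3; exit }'
}

# File that supplied the effective value.
sshd_effective_source() {
    _sshd_lines "$1/sshd_config" "$1" | awk -F'\t' -v k="$2" '$2 == k { print $1; exit }'
}

# Audit the three directives from this page. Returns 1 if any is unset or
# differs from the recommended value, naming the file that set it.
sshd_audit() {
    local dir="${1:-/etc/ssh}" rc=0 want key expect got
    for want in permitrootlogin=no passwordauthentication=no pubkeyauthentication=yes; do
        key="${want%%=*}"; expect="${want#*=}"
        got="$(sshd_effective_value "$dir" "$key" | tr 'A-Z' 'a-z')"
        if [ -z "$got" ]; then
            echo "WARN $key is not set; sshd's default applies"; rc=1
        elif [ "$got" = "$expect" ]; then
            echo "ok   $key = $got ($(sshd_effective_source "$dir" "$key"))"
        else
            echo "FAIL $key = $got, want $expect (set in $(sshd_effective_source "$dir" "$key"))"; rc=1
        fi
    done
    return "$rc"
}

# On a host: sudo sh sshd_effective.sh /etc/ssh   (drop-ins are often root-only)
if [ "$#" -gt 0 ]; then sshd_audit "$1"; fi
```

When the audit reports PasswordAuthentication coming from a cloud-init drop-in, the fix that survives image updates is a drop-in of your own that sorts earlier (00-hardening.conf) rather than editing the provider's file.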

2. Firewall Setup (UFW)

UFW (Uncomplicated Firewall) provides simple firewall management (documentation ↗):

# Install UFW
sudo apt install ufw

# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH on the port set in sshd_config. Do this BEFORE "ufw enable":
# with a default-deny policy, enabling first cuts off your own session
sudo ufw allow 2222/tcp

# Allow web traffic
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Enable the firewall and review the resulting rule set
sudo ufw enable
sudo ufw status verbose

3. Install Fail2Ban

Automatically bans an IP (by inserting a firewall rule) once it reaches maxretry failed logins within findtime seconds (documentation ↗):

# Install and enable
sudo apt install fail2ban
sudo systemctl enable --now fail2ban

# Create a local override. Do not copy jail.conf wholesale: the package
# overwrites jail.conf on upgrade, and jail.local should hold only your changes
sudo nano /etc/fail2ban/jail.local

Recommended settings:

[DEFAULT]
# never ban yourself; 203.0.113.10 is a placeholder for your own address
ignoreip = 127.0.0.1/8 ::1 203.0.113.10

[sshd]
enabled = true
# must match the Port in sshd_config, or the ban rule blocks the wrong port
port = 2222
filter = sshd
maxretry = 3
bantime = 3600
findtime = 600
# uncomment on hosts without rsyslog (no /var/log/auth.log) so the jail reads the journal
#backend = systemd

# Apply, then confirm the jail is running and counting failures
sudo systemctl restart fail2ban
sudo fail2ban-client status sshd
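To make maxretry, findtime and bantime concrete, the following script, added for this page rather than taken from fail2ban, replays constructed auth.log lines through the sshd jail's ban rule and prints the bans fail2ban would issue. It recognises only the "Failed password/publickey" and "Invalid user" patterns from fail2ban's sshd filter, assumes the ISO 8601 timestamps rsyslog writes on current Debian and Ubuntu, and the hostnames, IPs and log lines are constructed for the example.

```sh
#!/bin/sh
# f2b_simulate.sh: replay sshd failure lines through the sshd jail's ban
# rule (ban a host at its maxretry-th failure inside findtime seconds, for
# bantime seconds) and print the bans fail2ban would issue.
# Added example for this page; not fail2ban code. It recognises only the
# "Failed password/publickey for" and "Invalid user" patterns of fail2ban's
# sshd filter and expects the ISO 8601 timestamps rsyslog writes on current
# Debian and Ubuntu.

f2b_simulate() {   # usage: f2b_simulate MAXRETRY FINDTIME BANTIME < auth.log
    awk -v maxretry="${1:-3}" -v findtime="${2:-600}" -v bantime="${3:-3600}" '
    # days since 1970-01-01 for a Gregorian date (Howard Hinnant days_from_civil)
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
        y -= (m <= 2)
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    # "YYYY-MM-DDTHH:MM:SS[.frac](Z|+HH:MM|-HH:MM)" -> seconds since the epoch, UTC
    function iso_epoch(ts,    t, off) {
        t = days_from_civil(substr(ts, 1, 4) + 0, substr(ts, 6, 2) + 0, substr(ts, 9, 2) + 0) * 86400
        t += substr(ts, 12, 2) * 3600 + substr(ts, 15, 2) * 60 + substr(ts, 18, 2)
        off = 0
        if (match(ts, /[+-][0-9][0-9]:[0-9][0-9]$/))
            off = (substr(ts, RSTART, 1) == "-" ? -1 : 1) * (substr(ts, RSTART + 1, 2) * 3600 + substr(ts, RSTART + 4, 2) * 60)
        return t - off
    }
    /sshd\[[0-9]+\]: (Failed (password|publickey) for|Invalid user)/ {
        if (!match($0, / from [0-9.]+ /)) next
        ip = substr($0, RSTART + 6, RLENGTH - 7)
        t = iso_epoch($1)
        if ((ip in ban_until) && ban_until[ip] > t) next   # already banned: the firewall drops it
        # slide the window: keep only failures newer than t - findtime, then add this one
        n = 0
        for (i = 1; i <= cnt[ip]; i++)
            if (hist[ip, i] > t - findtime) hist[ip, ++n] = hist[ip, i]
        hist[ip, ++n] = t
        cnt[ip] = n
        if (n >= maxretry) {
            ban_until[ip] = t + bantime
            printf "BAN %s after %d failures within %ds (at %s, for %ds)\n", ip, n, t - hist[ip, 1], $1, bantime
            cnt[ip] = 0   # fail2ban clears the failure list once it bans
        }
    }'
}

# Constructed sample (not from a real server): 203.0.113.5 fails three
# times within 30 s and keeps trying; 198.51.100.7 fails three times
# spread over 12 minutes, never three inside one 600 s window.
SAMPLE_AUTH_LOG=$(cat <<'EOF'
2024-03-10T12:00:01.000000+00:00 vps sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
2024-03-10T12:00:12.000000+00:00 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
2024-03-10T12:00:15.000000+00:00 vps sshd[1205]: Invalid user git from 198.51.100.7 port 40022
2024-03-10T12:00:31.000000+00:00 vps sshd[1207]: Failed password for invalid user ubuntu from 203.0.113.5 port 51250 ssh2
2024-03-10T12:00:40.000000+00:00 vps sshd[1209]: Failed password for root from 203.0.113.5 port 51260 ssh2
2024-03-10T12:05:00.000000+00:00 vps sshd[1301]: Failed password for root from 198.51.100.7 port 40030 ssh2
2024-03-10T12:12:00.000000+00:00 vps sshd[1401]: Failed password for root from 198.51.100.7 port 40040 ssh2
2024-03-10T12:30:00.000000+00:00 vps sshd[1501]: Accepted publickey for deploy from 192.0.2.10 port 55000 ssh2
EOF
)

# Replay with this page's jail settings: one ban, for 203.0.113.5 at 12:00:31
printf '%s\n' "$SAMPLE_AUTH_LOG" | f2b_simulate 3 600 3600
```

Feed a real file with f2b_simulate 3 600 3600 < /var/log/auth.log (as root). With the page's settings the slow guesser at 198.51.100.7 is never banned; raising findtime to 900 catches it at its third failure, which is the trade-off the two numbers encode.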

4. Automatic Security Updates

# Install unattended-upgrades
sudo apt install unattended-upgrades

# Enable automatic updates (writes /etc/apt/apt.conf.d/20auto-upgrades)
sudo dpkg-reconfigure -plow unattended-upgrades

# Dry-run: shows which origins are enabled and what would be installed
sudo unattended-upgrades --dry-run --debug

Kernel and libc updates only take effect after a reboot; /var/run/reboot-required exists while one is pending, so schedule reboots rather than assuming auto-updates alone keep the host patched.

5. Security Checklist

✅ SSH
  • Key-only authentication
  • Root login disabled
  • Non-standard port
✅ Firewall
  • UFW enabled
  • Only necessary ports open
  • Default deny policy
✅ Monitoring
  • Fail2ban active
  • Auto-updates enabled
  • Log monitoring

6. Additional Recommendations

  • Use a non-root user: Create a dedicated user for deployments, and a separate sudo user for administration, since root login is disabled above
  • Enable 2FA: Consider the Google Authenticator PAM module (libpam-google-authenticator) for SSH
  • Regular backups: Use provider snapshots or automated backup solutions, and test a restore
  • Monitor logs: Check /var/log/auth.log periodically (journalctl -t sshd on hosts without rsyslog)