Essential Security Hardening for Linux VPS
Securing your VPS is critical to protecting your data and applications. This comprehensive guide covers essential security hardening steps every server administrator should implement.
1 SSH Key Authentication
SSH keys are much more secure than passwords. Here's how to set them up:
Generate SSH Key Pair (On Your Local Machine)
# Generate ed25519 key (recommended)
ssh-keygen -t ed25519 -C "your_email@example.com"
# Or generate RSA 4096 key (alternative)
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
# (the -C comment is only a label stored in the public key; use any text that identifies the key)
# Keys will be saved to:
# ~/.ssh/id_ed25519 (private key)
# ~/.ssh/id_ed25519.pub (public key)
Copy Public Key to Server
# Method 1: Using ssh-copy-id (easiest)
ssh-copy-id username@your_server_ip
# Method 2: Manual copy
cat ~/.ssh/id_ed25519.pub | ssh username@your_server_ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
# Method 3: Copy/paste manually
# Print your public key:
cat ~/.ssh/id_ed25519.pub
# Then on server:
mkdir -p ~/.ssh
nano ~/.ssh/authorized_keys
# Paste the key and save
Set Correct Permissions on Server
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Test SSH Key Login
# Try logging in with key
ssh username@your_server_ip
# Should connect without asking for the account password (a key passphrase, if you set one, is still prompted for)
Disable Password Authentication
Once SSH keys work, disable password login:
sudo nano /etc/ssh/sshd_config
# Change these lines:
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
# OpenSSH 8.7 and newer call the last option KbdInteractiveAuthentication; set that to "no" too.
# Debian/Ubuntu sshd_config has "Include /etc/ssh/sshd_config.d/*.conf" near the top, and sshd keeps
# the first value it reads, so a drop-in there (cloud-init's 50-cloud-init.conf is a common one)
# can set PasswordAuthentication yes and win. Check the effective value with:
# sudo sshd -T | grep -i passwordauthentication
# Validate the file (sudo sshd -t, as in section 5) before restarting, then restart SSH
sudo systemctl restart sshd
Critical Warning
Keep your current SSH session open and test SSH key login in a NEW terminal before disabling password auth!
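To confirm the hardening actually took effect (a drop-in under sshd_config.d can silently override the file you edited), here is an added script that is not part of the original guide: it checks the effective configuration that `sshd -T` reports. The function names and the two sample outputs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original guide): verify the effective sshd settings.
# "sudo sshd -T" prints the merged configuration as lowercase "keyword value" lines,
# so it already reflects drop-ins under /etc/ssh/sshd_config.d/.
# Usage: sudo sshd -T | check_sshd_hardening -      (or pass a saved copy as FILE)
# Prints one line per deviation from the guide's settings; returns 1 if any were
# found, 0 when the configuration matches.
check_sshd_hardening() {
    awk '
        # first field is the keyword, second the (first word of the) value
        { cfg[$1] = $2 }
        END {
            bad = 0
            if (cfg["passwordauthentication"] != "no") {
                print "passwordauthentication is " cfg["passwordauthentication"] " (want no)"; bad = 1
            }
            if (cfg["pubkeyauthentication"] != "yes") {
                print "pubkeyauthentication is " cfg["pubkeyauthentication"] " (want yes)"; bad = 1
            }
            # OpenSSH 8.7+ reports ChallengeResponseAuthentication as kbdinteractiveauthentication
            if (cfg["kbdinteractiveauthentication"] == "yes" || cfg["challengeresponseauthentication"] == "yes") {
                print "keyboard-interactive (challenge-response) auth is enabled (want no)"; bad = 1
            }
            if (cfg["permitrootlogin"] == "yes") {
                print "permitrootlogin is yes (want no or prohibit-password)"; bad = 1
            }
            exit bad
        }
    ' "$1"
}

# Constructed sample outputs (hypothetical): a host where a drop-in re-enabled
# password logins, and a correctly hardened one.
weak_sample() {
    printf '%s\n' 'port 22' 'passwordauthentication yes' 'pubkeyauthentication yes' \
        'kbdinteractiveauthentication no' 'permitrootlogin prohibit-password'
}
hardened_sample() {
    printf '%s\n' 'port 2222' 'passwordauthentication no' 'pubkeyauthentication yes' \
        'kbdinteractiveauthentication no' 'permitrootlogin prohibit-password'
}

main() {
    echo "weak sample:"
    if weak_sample | check_sshd_hardening -; then echo "no deviations (unexpected)"; fi
    if hardened_sample | check_sshd_hardening -; then echo "hardened sample: OK"; fi
}
main
```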
2 Advanced Firewall Configuration
UFW (Uncomplicated Firewall)
# Reset UFW to defaults
sudo ufw --force reset
# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH
sudo ufw allow 22/tcp comment 'SSH'
# Allow HTTP/HTTPS
sudo ufw allow 80/tcp comment 'HTTP'
sudo ufw allow 443/tcp comment 'HTTPS'
# Allow SSH from one trusted network only. This only restricts access if the global
# "allow 22/tcp" rule above is removed (sudo ufw delete allow 22/tcp); otherwise it
# just adds a second, narrower allow rule next to it.
sudo ufw allow from 203.0.113.0/24 to any port 22 proto tcp
# Enable firewall
sudo ufw enable
# Check status
sudo ufw status verbose
Rate Limiting
Protect against brute force attacks:
# Limit SSH connections (max 6 attempts in 30 seconds)
sudo ufw limit ssh/tcp
Application Profiles
# List available profiles
sudo ufw app list
# Allow application by profile
sudo ufw allow 'Nginx Full'
sudo ufw allow 'OpenSSH'
3 Fail2ban Setup
Fail2ban automatically blocks IPs after failed login attempts.
Install and Configure
# Install fail2ban
sudo apt install fail2ban -y
# Create the local override file (jail.conf is replaced on package upgrades, jail.local is not;
# it may also hold only the sections you change instead of a full copy)
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# Edit configuration
sudo nano /etc/fail2ban/jail.local
Recommended Configuration
Set these values in /etc/fail2ban/jail.local (edit the existing [DEFAULT] and [sshd] sections rather than adding duplicate ones):
[DEFAULT]
# ban for 1 hour after 5 failures within 10 minutes
bantime = 3600
findtime = 600
maxretry = 5
# ban notifications: action_mwl mails whois data and the matching log lines, which needs a
# working local mail transport; use %(action_)s to ban without e-mail
destemail = admin@example.com
sendername = Fail2Ban
action = %(action_mwl)s
[sshd]
enabled = true
# "ssh" resolves to 22 via /etc/services; set the number explicitly if you move SSH (section 5)
port = ssh
# on hosts without /var/log/auth.log (e.g. Debian 12 without rsyslog) use "backend = systemd" instead
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400
Start and Enable
# Start fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
# Check status
sudo fail2ban-client status
sudo fail2ban-client status sshd
# View banned IPs
sudo fail2ban-client get sshd banned
# Unban an IP
sudo fail2ban-client set sshd unbanip 192.168.1.100
4 Automatic Security Updates
# Install unattended-upgrades
sudo apt install unattended-upgrades apt-listchanges -y
# Configure
sudo dpkg-reconfigure --priority=low unattended-upgrades
# Edit configuration
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
# Enable automatic reboot if needed (optional)
# Uncomment and set:
# Unattended-Upgrade::Automatic-Reboot "true";
# Unattended-Upgrade::Automatic-Reboot-Time "02:00";
5 Change Default SSH Port
Moving SSH off port 22 cuts the volume of automated scans and brute-force noise in your logs. It is obscurity rather than a security control, so keep key-only authentication and fail2ban in place regardless:
# Edit SSH config
sudo nano /etc/ssh/sshd_config
# Change port (use high port like 2222-9999)
Port 2222
# Update firewall BEFORE restarting SSH!
sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp
# Test SSH config
sudo sshd -t
# Restart SSH
sudo systemctl restart sshd
# Confirm sshd really listens on the new port (ss -ltnp | grep sshd). On Ubuntu releases where
# sshd is socket-activated (ssh.socket), you may also need a daemon-reload and a restart of
# ssh.socket before the new port is used.
# Test new port in NEW terminal:
ssh -p 2222 username@your_server_ip
# Also update the fail2ban sshd jail (port = 2222 in jail.local) and the ufw limit rule
# (sudo ufw limit 2222/tcp), which otherwise still refer to port 22.
Important
Keep your current session open while testing! Ensure the new port works before closing old connections.
6 Security Auditing
Monitor Login Attempts
# View recent logins
last -a | head -20
# View failed login attempts (once password auth is off, rejected attempts show up as
# "Invalid user" or "Connection closed by authenticating user" lines instead)
sudo grep "Failed password" /var/log/auth.log
# View successful SSH logins
sudo grep "Accepted" /var/log/auth.log
# Hosts without /var/log/auth.log write the same messages to the journal: sudo journalctl -u ssh
# Currently logged in users
who
w
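The grep commands above only list raw lines. The following added script (not from the original guide; the function names and log lines are constructed for the example) aggregates failed-password attempts per source IP so repeat offenders stand out, which is the same signal fail2ban acts on.

```shell
#!/bin/sh
# Added example (not from the original guide): summarise failed SSH logins per source IP.
# Expects OpenSSH auth.log lines of the form
#   ... sshd[PID]: Failed password for [invalid user] USER from IP port N ssh2
# Usage:  failed_login_report /var/log/auth.log [THRESHOLD]
#         sudo journalctl -u ssh --no-pager | failed_login_report - [THRESHOLD]
# Prints "COUNT IP USER[,USER...]" for each IP with at least THRESHOLD failures
# (default 3), most frequent first.
failed_login_report() {
    file="$1"
    min="${2:-3}"
    awk -v min="$min" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the source IP follows "from"; the user name immediately precedes it
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); user = $(i - 1); break }
            count[ip]++
            # record each user name once per IP
            if (!seen[ip, user]++) users[ip] = users[ip] == "" ? user : users[ip] "," user
        }
        END {
            for (ip in count)
                if (count[ip] >= min) printf "%d %s %s\n", count[ip], ip, users[ip]
        }
    ' "$file" | sort -rn
}

# Constructed sample log (hypothetical addresses from the documentation ranges)
sample_auth_log() {
    cat <<'EOF'
Mar  1 10:00:01 vps sshd[1201]: Failed password for root from 198.51.100.7 port 51234 ssh2
Mar  1 10:00:03 vps sshd[1201]: Failed password for root from 198.51.100.7 port 51235 ssh2
Mar  1 10:00:05 vps sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Mar  1 10:01:00 vps sshd[1210]: Failed password for invalid user test from 203.0.113.9 port 40000 ssh2
Mar  1 10:02:00 vps sshd[1215]: Accepted publickey for deploy from 203.0.113.50 port 41000 ssh2: ED25519 SHA256:abc
EOF
}

main() {
    echo "IPs with 3 or more failures in the sample log:"
    sample_auth_log | failed_login_report - 3
}
main
```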
Install and Use Lynis
# Install Lynis
sudo apt install lynis -y
# Run security audit
sudo lynis audit system
# View the detailed log; the findings summary (warnings and suggestions) is in /var/log/lynis-report.dat
sudo cat /var/log/lynis.log
Check for Rootkits
# Install rkhunter
sudo apt install rkhunter -y
# Update database (the Debian/Ubuntu package disables the web updater in rkhunter.conf by default,
# so this may report an error there; signatures then come from package updates instead)
sudo rkhunter --update
# Run scan (add --sk to skip the keypress prompts between sections). Run
# "sudo rkhunter --propupd" after installing or upgrading packages so legitimate file
# changes are not reported as warnings on the next scan.
sudo rkhunter --check
Security Checklist
- ✓ SSH keys enabled, password auth disabled
- ✓ Firewall configured with minimal open ports
- ✓ Fail2ban protecting against brute force
- ✓ Automatic security updates enabled
- ✓ SSH on non-standard port
- ✓ Regular security audits scheduled