Securing your unmanaged VPS: A step-by-step guide. 

Securing an unmanaged VPS is a critical task, as you are solely responsible for its protection. Neglecting security can lead to data breaches, website defacement, DDoS attacks, and your server being used for malicious activities. This guide provides a step-by-step approach to securing your unmanaged Linux VPS.

Disclaimer: Security is an ongoing process, not a one-time setup. This guide covers essential steps, but continuous monitoring, updates, and vigilance are crucial.

Prerequisites:

  • An unmanaged Linux VPS (Ubuntu, Debian, CentOS, AlmaLinux, Rocky Linux are common).
  • SSH client (PuTTY/MobaXterm for Windows, Terminal for macOS/Linux).
  • Basic command-line familiarity.
  • Crucially, a working internet connection.

Step 1: Initial Login and Immediate Actions

  1. Login as Root (Initially): Use the IP address and root password provided by your VPS host.

    Bash

    ssh root@your_vps_ip_address
    

    If you get a security warning about the host key, accept it.

  2. Change Root Password: If your provider gave you a temporary password, change it immediately to a strong, unique one.

    Bash

    passwd
    

    Enter the new password twice. Use a mix of uppercase, lowercase, numbers, and symbols.

  3. Update All System Packages: This patches known vulnerabilities in the operating system and installed software.

    • Ubuntu/Debian:
      Bash

      sudo apt update
      sudo apt upgrade -y
      
    • CentOS/AlmaLinux/Rocky Linux:
      Bash

      sudo yum update -y
      # Or for newer versions: sudo dnf update -y
      

    Reboot if the kernel was updated:

    Bash

    sudo reboot
    

    You’ll be disconnected; wait a minute or two and then reconnect.


Step 2: Create a New Sudo User and Secure SSH

This is fundamental for daily operations and significantly reduces the risk of direct root compromises.

  1. Create a New Standard User: Choose a strong username.

    • Ubuntu/Debian:
      Bash

      adduser your_username
      

      Follow the prompts to set a strong password and optional user information.

    • CentOS/AlmaLinux/Rocky Linux:
      Bash

      useradd your_username
      passwd your_username # Set the password for the new user
      

      Follow the prompts.

  2. Grant Sudo Privileges to the New User: This allows your_username to execute commands with administrative privileges when needed.

    • Ubuntu/Debian:
      Bash

      usermod -aG sudo your_username
      
    • CentOS/AlmaLinux/Rocky Linux:
      Bash

      usermod -aG wheel your_username
      
  3. Test the New User Login: Crucially, open a NEW SSH session (do not close the root session yet). Log in with your new user:

    Bash

    ssh your_username@your_vps_ip_address
    

    Verify sudo access by trying a simple command:

    Bash

    sudo apt update # Ubuntu/Debian
    sudo yum update # CentOS/AlmaLinux/Rocky Linux
    

    It should ask for your your_username‘s password. If this works, you’re good.

  4. Disable Root SSH Login: This prevents brute-force attacks directly on the root account.

    • From your new sudo user’s session:
      Bash

      sudo nano /etc/ssh/sshd_config
      
    • Find the line PermitRootLogin yes and change it to:
      PermitRootLogin no
      
    • Save and exit (Ctrl+X, Y, Enter for nano).
    • Restart the SSH service to apply changes:
      Bash

      sudo systemctl restart sshd
      
    • Now you can close the root SSH session. From now on, you will always log in as your_username.
  5. Set Up SSH Key Authentication (Highly Recommended): This is much more secure than passwords, as it uses cryptographic keys.

    • Generate an SSH Key Pair (on your local machine):
      • macOS/Linux:
        Bash

        ssh-keygen -t rsa -b 4096
        

        Follow prompts (press Enter for default location, optionally set a passphrase for extra security).

      • Windows (PuTTYgen for PuTTY users): Open PuTTYgen, click “Generate,” move your mouse randomly, then save both public (id_rsa.pub) and private (id_rsa.ppk) keys.
    • Copy Public Key to VPS:
      • macOS/Linux:
        Bash

        ssh-copy-id your_username@your_vps_ip_address
        

        Enter your your_username‘s password when prompted.

      • Windows (PuTTY/manual):
        1. Connect to your VPS with your password as your_username.
        2. Create the .ssh directory and authorized_keys file if they don’t exist:
          Bash

          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          touch ~/.ssh/authorized_keys
          chmod 600 ~/.ssh/authorized_keys
          
        3. Open your locally saved id_rsa.pub file (the public key) with a text editor. Copy its entire content.
        4. On your VPS, edit the authorized_keys file:
          Bash

          nano ~/.ssh/authorized_keys
          
        5. Paste your public key into this file. Save and exit.
    • Disable Password Authentication (Optional but Recommended): Once you can log in using your SSH key, disable password logins for even greater security.
      • Login to your VPS via SSH key.
      • Edit sshd_config again:
        Bash

        sudo nano /etc/ssh/sshd_config
        
      • Find PasswordAuthentication yes and change it to:
        PasswordAuthentication no
        
      • Save and exit. Restart SSH service:
        Bash

        sudo systemctl restart sshd
        
      • Crucially, test this again! Open a new SSH session and try to log in with your SSH key. If it works, try to log in with just your password (it should fail). If it doesn’t work with the key, re-enable PasswordAuthentication yes and troubleshoot.

Step 3: Configure a Firewall

A firewall is your server’s first line of defense, blocking unwanted traffic.

  • For Ubuntu/Debian (UFW – Uncomplicated Firewall):

    Bash

    sudo apt install ufw -y # Install if not present
    sudo ufw allow OpenSSH  # Allow SSH (port 22) - ESSENTIAL, so you don't lock yourself out
    sudo ufw default deny incoming # Deny all other incoming by default
    sudo ufw default allow outgoing # Allow all outgoing
    sudo ufw enable # Enable the firewall
    sudo ufw status verbose # Check status
    
    • Open ports for services you run:
      • HTTP (web server): sudo ufw allow http or sudo ufw allow 80
      • HTTPS (SSL web server): sudo ufw allow https or sudo ufw allow 443
      • FTP (if used): sudo ufw allow 21/tcp (and possibly passive ports) – Avoid FTP if possible, use SFTP.
      • MySQL (if accessed remotely): sudo ufw allow mysql or sudo ufw allow 3306Only if truly necessary, restrict by IP if possible.
  • For CentOS/AlmaLinux/Rocky Linux (firewalld):

    Bash

    sudo systemctl enable firewalld --now # Enable and start
    sudo firewall-cmd --permanent --add-service=ssh # Allow SSH
    sudo firewall-cmd --permanent --add-service=http # Allow HTTP
    sudo firewall-cmd --permanent --add-service=https # Allow HTTPS
    sudo firewall-cmd --reload # Apply changes
    sudo firewall-cmd --list-all # Check status
    
    • Open other ports as needed (e.g., MySQL if accessed remotely):
      Bash

      sudo firewall-cmd --permanent --add-port=3306/tcp
      sudo firewall-cmd --reload
      

Step 4: Install and Configure Fail2Ban

Fail2Ban monitors logs for suspicious activity (like repeated failed login attempts) and automatically bans the offending IP addresses for a set period.

  • Install Fail2Ban:

    • Ubuntu/Debian:
      Bash

      sudo apt install fail2ban -y
      
    • CentOS/AlmaLinux/Rocky Linux:
      Bash

      sudo yum install epel-release -y
      sudo yum install fail2ban fail2ban-systemd -y # For CentOS 7+
      
  • Configure Fail2Ban: Create a local configuration file to override defaults without directly modifying the main config.

    Bash

    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    sudo nano /etc/fail2ban/jail.local
    
    • Find and modify the [sshd] section (or create it if missing for some reason):
      • Ensure enabled = true
      • Consider setting bantime (e.g., bantime = 1h for 1 hour ban)
      • Consider setting maxretry (e.g., maxretry = 3 for 3 failed attempts)
    • Add your IP address to ignoreip to prevent yourself from being banned (e.g., ignoreip = 127.0.0.1 ::1 your_local_ip_address).
    • Save and exit.
  • Start and Enable Fail2Ban:

    Bash

    sudo systemctl start fail2ban
    sudo systemctl enable fail2ban
    sudo systemctl status fail2ban # Check status
    

    You can check banned IPs with sudo fail2ban-client status sshd.


Step 5: Install and Configure Automated Updates (Highly Recommended)

While you’ve manually updated, setting up automatic security updates is crucial.

  • Ubuntu/Debian (Unattended Upgrades):

    Bash

    sudo apt install unattended-upgrades -y
    sudo dpkg-reconfigure --priority=low unattended-upgrades
    

    Follow the prompts. It’s usually safe to enable automatic security updates. You can also edit /etc/apt/apt.conf.d/50unattended-upgrades to customize.

  • CentOS/AlmaLinux/Rocky Linux (dnf-automatic or yum-cron):

    • For dnf-automatic (newer CentOS/AlmaLinux/Rocky Linux):
      Bash

      sudo dnf install dnf-automatic -y
      sudo nano /etc/dnf/automatic.conf
      

      Edit apply_updates = yes and emit_via = email (or other methods).

      Bash

      sudo systemctl enable dnf-automatic.timer --now
      
    • For yum-cron (older CentOS/RHEL):
      Bash

      sudo yum install yum-cron -y
      sudo nano /etc/yum/yum-cron.conf
      

      Set apply_updates = yes and email_to if you want email notifications.

      Bash

      sudo systemctl start yum-cron
      sudo systemctl enable yum-cron
      

Step 6: Regular Backups

This is not a security measure per se, but it’s your last line of defense against data loss due to successful attacks, accidental deletion, or hardware failure.

  • VPS Provider Backups: Many providers offer automated backup services for an extra fee. This is often the easiest option.
  • Manual Backups:
    • tar for archiving files: sudo tar -czvf /backup/website_backup.tar.gz /var/www/html
    • mysqldump for databases: sudo mysqldump -u root -p database_name > /backup/database_name.sql
  • Automated Backup Scripts: Write a script to automate tar and mysqldump, then schedule it with cron.
  • Offsite Storage: Always store backups off your VPS (e.g., Google Drive, Amazon S3, Dropbox, another server). Use rsync or scp to transfer.

Step 7: Basic Malware and Rootkit Scanning

Tools to periodically check for malicious software.

  • ClamAV (Antivirus):
    Bash

    sudo apt install clamav clamav-daemon -y # Ubuntu/Debian
    sudo yum install epel-release -y && sudo yum install clamav clamd -y # CentOS/AlmaLinux/Rocky Linux
    sudo freshclam # Update virus definitions
    sudo clamscan -r -i / # Scan entire system (can take a long time)
    
  • Chkrootkit (Rootkit Scanner):
    Bash

    sudo apt install chkrootkit -y # Ubuntu/Debian
    sudo yum install chkrootkit -y # CentOS/AlmaLinux/Rocky Linux (may need EPEL)
    sudo chkrootkit
    
  • Rootkit Hunter (rkhunter):
    Bash

    sudo apt install rkhunter -y # Ubuntu/Debian
    sudo yum install rkhunter -y # CentOS/AlmaLinux/Rocky Linux (may need EPEL)
    sudo rkhunter --update
    sudo rkhunter --check
    

    These tools are for scanning, not real-time protection. Run them periodically.

Step 8: Keep Services and Software Updated and Secure

  • Web Server (Apache/Nginx):
    • Keep it updated.
    • Configure it for security (e.g., disable unused modules, set appropriate permissions for web root, disable directory listings, use mod_security for Apache or equivalent for Nginx).
  • Database Server (MySQL/MariaDB/PostgreSQL):
    • Keep it updated.
    • Run mysql_secure_installation if using MySQL/MariaDB.
    • Use strong, unique passwords for database users.
    • Restrict database access to localhost if possible (only allow your web server to connect). If remote access is needed, use firewall rules to limit by source IP.
  • PHP (if used):
    • Use the latest stable PHP version.
    • Disable dangerous functions in php.ini (e.g., disable_functions = exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source).
    • Set expose_php = Off.
  • Application Security:
    • If running CMS like WordPress, keep core, themes, and plugins updated. Use strong passwords for admin accounts.
    • Regularly audit code for custom applications.

Step 9: Log Monitoring

  • Regularly check system logs for unusual activity.
    • journalctl -u sshd (SSH logs)
    • tail -f /var/log/auth.log (Ubuntu/Debian authentication logs)
    • tail -f /var/log/secure (CentOS/AlmaLinux/Rocky Linux authentication logs)
    • Web server access and error logs (e.g., /var/log/apache2/access.log, /var/log/nginx/error.log).
  • Consider using a log management tool (e.g., ELK Stack, Splunk, Graylog) for larger setups.

Step 10: General Best Practices

  • Use Strong, Unique Passwords: For all accounts and services.
  • Principle of Least Privilege: Grant users and services only the minimum permissions they need to function.
  • Remove Unused Services/Software: Reduces the attack surface.
  • Stay Informed: Follow security news, especially for your OS and applications.
  • Perform Regular Audits: Periodically review your server’s security configurations.

Securing an unmanaged VPS is an ongoing commitment. By following these steps, you’ll establish a strong security foundation for your server, but remember to stay proactive and adapt as new threats emerge.

Hot this week

What People Are Saying About Justin Bieber’s New Album, Swag

Justin Bieber’s surprise album, Swag, has set social media...

Justin Bieber’s “Swag”: 5 Reasons His Surprise Album Is His Most Personal and Powerful Yet

Justin Bieber has shocked and delighted fans with the...

Justin Bieber Drops Surprise Album “Swag”—Here’s Everything You Need to Know

Pop superstar Justin Bieber is back—and he’s brought the...

Why Is My Check Engine Light Flashing?

First things first: If your check engine light is flashing...

How to Get Rid of Fruit Flies in the Kitchen—Fast

1. Find the Source First, channel your inner detective. Fruit...

Topics

What People Are Saying About Justin Bieber’s New Album, Swag

Justin Bieber’s surprise album, Swag, has set social media...

Justin Bieber Drops Surprise Album “Swag”—Here’s Everything You Need to Know

Pop superstar Justin Bieber is back—and he’s brought the...

Why Is My Check Engine Light Flashing?

First things first: If your check engine light is flashing...

How to Get Rid of Fruit Flies in the Kitchen—Fast

1. Find the Source First, channel your inner detective. Fruit...

How to Recover a Deleted Instagram Account

First, Let’s Clear Up: Deleted vs. Deactivated Deactivated (Temporarily...

How to Fix “Payment Not Processing” on PayPal

1. Double-Check Your Payment Information Make sure your card...

Why Can’t I Add My Debit Card to Apple Pay?

Trying to add your debit card to Apple Pay...
spot_img

Related Articles

Popular Categories

spot_imgspot_img