{"id":26536,"date":"2025-06-23T11:38:45","date_gmt":"2025-06-23T09:38:45","guid":{"rendered":"https:\/\/tremhost.com\/blog\/?p=26536"},"modified":"2025-06-23T11:38:45","modified_gmt":"2025-06-23T09:38:45","slug":"securing-your-unmanaged-vps-a-step-by-step-guide","status":"publish","type":"post","link":"https:\/\/tremhost.com\/blog\/securing-your-unmanaged-vps-a-step-by-step-guide\/","title":{"rendered":"Securing your unmanaged VPS: A step-by-step guide.\u00a0"},"content":{"rendered":"
<\/div>

Securing an unmanaged VPS is a critical task, as you are solely responsible for its protection. Neglecting security can lead to data breaches, website defacement, DDoS attacks, and your server being used for malicious activities. This guide provides a step-by-step approach to securing your unmanaged Linux VPS.<\/p>\n

Disclaimer:<\/strong> Security is an ongoing process, not a one-time setup. This guide covers essential steps, but continuous monitoring, updates, and vigilance are crucial.<\/p>\n

\n

Prerequisites:<\/h3>\n
    \n
  • An unmanaged Linux VPS (Ubuntu, Debian, CentOS, AlmaLinux, Rocky Linux are common).<\/li>\n
  • SSH client (PuTTY\/MobaXterm for Windows, Terminal for macOS\/Linux).<\/span><\/li>\n
  • Basic command-line familiarity.<\/li>\n
  • Crucially, a working internet connection.<\/strong><\/li>\n<\/ul>\n
    \n

    Step 1: Initial Login and Immediate Actions<\/h3>\n
      \n
    1. \n

      Login as Root (Initially):<\/strong> Use the IP address and root password provided by your VPS host.<\/p>\n

      \n
      Bash<\/span><\/p>\n
      <\/div>\n<\/div>\n
      \n
      \n
      ssh root@your_vps_ip_address\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n
      If you get a security warning about the host key, accept it.<\/p>\n<\/li>\n
    2. \n
      Change Root Password:<\/strong> If your provider gave you a temporary password, change it immediately to a strong, unique one.<\/p>\n
      \n
      Bash<\/span><\/p>\n
      <\/div>\n<\/div>\n
      \n
      \n
      passwd\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n
      Enter the new password twice. Use a mix of uppercase, lowercase, numbers, and symbols.<\/p>\n<\/li>\n
    3. \n
      Update All System Packages:<\/strong> This patches known vulnerabilities in the operating system and installed software.<\/p>\n
        \n
      • Ubuntu\/Debian:<\/strong>\n
        \n
        Bash<\/span><\/p>\n
        <\/div>\n<\/div>\n
        \n
        \n
        sudo apt update\r\nsudo apt upgrade -y\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n
      • CentOS\/AlmaLinux\/Rocky Linux:<\/strong>\n
        \n
        Bash<\/span><\/p>\n
        <\/div>\n<\/div>\n
        \n
        \n
        sudo yum update -y\r\n# Or for newer versions: sudo dnf update -y<\/span>\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n
        Reboot if the kernel was updated:<\/p>\n
        \n
        Bash<\/span><\/p>\n
        <\/div>\n<\/div>\n
        \n
        \n
        sudo reboot\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n
        You’ll be disconnected; wait a minute or two and then reconnect.<\/p>\n<\/li>\n<\/ol>\n
        \n
        Step 2: Create a New Sudo User and Secure SSH<\/h3>\n
        This is fundamental for daily operations and significantly reduces the risk of direct root compromises.<\/p>\n
          \n
        1. \n
          Create a New Standard User:<\/strong> Choose a strong username.<\/p>\n
            \n
          • Ubuntu\/Debian:<\/strong>\n
            \n
            Bash<\/span><\/p>\n
            <\/div>\n<\/div>\n
            \n
            \n
            adduser your_username\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n
            Follow the prompts to set a strong password and optional user information.<\/li>\n
          • CentOS\/AlmaLinux\/Rocky Linux:<\/strong>\n
            \n
            Bash<\/span><\/p>\n
            <\/div>\n<\/div>\n
            \n
            \n
            useradd your_username\r\npasswd your_username # Set the password for the new user<\/span>\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n
            Follow the prompts.<\/li>\n<\/ul>\n<\/li>\n
          • \n
            Grant Sudo Privileges to the New User:<\/strong> This allows your_username<\/code> to execute commands with administrative privileges when needed.<\/p>\n
              \n
            • Ubuntu\/Debian:<\/strong>\n
              \n
              Bash<\/span><\/p>\n
              <\/div>\n<\/div>\n
              \n
              \n
              usermod -aG sudo your_username\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n
            • CentOS\/AlmaLinux\/Rocky Linux:<\/strong>\n
              \n
              Bash<\/span><\/p>\n
              <\/div>\n<\/div>\n
              \n
              \n
              usermod -aG wheel your_username\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<\/li>\n
            • \n
              Test the New User Login:<\/strong>Crucially, open a NEW SSH session<\/strong> (do not close the root session yet). Log in with your new user:<\/p>\n
              \n
              Bash<\/span><\/p>\n
              <\/div>\n<\/div>\n
              \n
              \n
              ssh your_username@your_vps_ip_address\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n
              Verify sudo<\/code> access by trying a simple command:<\/p>\n
              \n
              Bash<\/span><\/p>\n
              <\/div>\n<\/div>\n
              \n
              \n
              sudo apt update # Ubuntu\/Debian<\/span>\r\nsudo yum update # CentOS\/AlmaLinux\/Rocky Linux<\/span>\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n
              It should ask for your your_username<\/code>‘s password. If this works, you’re good.<\/p>\n<\/li>\n
            • \n
              Disable Root SSH Login:<\/strong> This prevents brute-force attacks directly on the root account.<\/p>\n
                \n
              • From your new sudo<\/code> user’s session:<\/strong>\n
                \n
                Bash<\/span><\/p>\n
                <\/div>\n<\/div>\n
                \n
                \n
                sudo nano \/etc\/ssh\/sshd_config\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n
              • Find the line PermitRootLogin yes<\/code> and change it to:\n
                \n
                \n
                \n
                PermitRootLogin no\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n
              • Save and exit (Ctrl+X, Y, Enter for nano).<\/li>\n
              • Restart the SSH service to apply changes:\n
                \n
                Bash<\/span><\/p>\n
                <\/div>\n<\/div>\n
                \n
                \n
                sudo systemctl restart sshd\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n
              • Now you can close the root SSH session. From now on, you will always log in as your_username<\/code>.<\/li>\n<\/ul>\n<\/li>\n
              • \n
                Set Up SSH Key Authentication (Highly Recommended):<\/strong> This is much more secure than passwords, as it uses cryptographic keys.<\/p>\n
                  \n
                • Generate an SSH Key Pair (on your local machine):<\/strong>\n
                    \n
                  • macOS\/Linux:<\/strong>\n
                    \n
                    Bash<\/span><\/p>\n
                    <\/div>\n<\/div>\n
                    \n
                    \n
                    ssh-keygen -t rsa -b 4096\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n
                    Follow prompts (press Enter for default location, optionally set a passphrase for extra security).<\/li>\n
                  • Windows (PuTTYgen for PuTTY users):<\/strong> Open PuTTYgen, click “Generate,” move your mouse randomly, then save both public (id_rsa.pub<\/code>) and private (id_rsa.ppk<\/code>) keys.<\/li>\n<\/ul>\n<\/li>\n
                  • Copy Public Key to VPS:<\/strong>\n
                      \n
                    • macOS\/Linux:<\/strong>\n
                      \n
                      Bash<\/span><\/p>\n
                      <\/div>\n<\/div>\n
                      \n
                      \n
                      ssh-copy-id your_username@your_vps_ip_address\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n
                      Enter your your_username<\/code>‘s password when prompted.<\/li>\n
                    • Windows (PuTTY\/manual):<\/strong>\n
                        \n
                      1. Connect to your VPS with your password as your_username<\/code>.<\/li>\n
                      2. Create the .ssh<\/code> directory and authorized_keys<\/code> file if they don’t exist:\n
                        \n
                        Bash<\/span><\/p>\n
                        <\/div>\n<\/div>\n
                        \n
                        \n
                        mkdir -p ~\/.ssh\r\nchmod 700 ~\/.ssh\r\ntouch ~\/.ssh\/authorized_keys\r\nchmod 600 ~\/.ssh\/authorized_keys\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n
                      3. Open your locally saved id_rsa.pub<\/code> file (the public key) with a text editor. Copy its entire content.<\/li>\n
                      4. On your VPS, edit the authorized_keys<\/code> file:\n
                        \n
                        Bash<\/span><\/p>\n
                        <\/div>\n<\/div>\n
                        \n
                        \n
                        nano ~\/.ssh\/authorized_keys\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n
                      5. Paste your public key into this file. Save and exit.<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<\/li>\n
                      6. Disable Password Authentication (Optional but Recommended):<\/strong> Once you can log in using your SSH key, disable password logins for even greater security.\n
                          \n
                        • Login to your VPS via SSH key.<\/strong><\/li>\n
                        • Edit sshd_config<\/code> again:\n
                          \n
                          Bash<\/span><\/p>\n
                          <\/div>\n<\/div>\n
                          \n
                          \n
                          sudo nano \/etc\/ssh\/sshd_config\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n
                        • Find PasswordAuthentication yes<\/code> and change it to:\n
                          \n
                          \n
                          \n
                          PasswordAuthentication no\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n
                        • Save and exit. Restart SSH service:\n
                          \n
                          Bash<\/span><\/p>\n
                          <\/div>\n<\/div>\n
                          \n
                          \n
                          sudo systemctl restart sshd\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n
                        • Crucially, test this again!<\/strong> Open a new<\/em> SSH session and try to log in with your SSH key. If it works, try to log in with just your password (it should fail). If it doesn’t work with the key, re-enable PasswordAuthentication yes<\/code> and troubleshoot.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n
                          \n
                          Step 3: Configure a Firewall<\/h3>\n
                          A firewall is your server’s first line of defense, blocking unwanted traffic.<\/p>\n
                            \n
                          • \n
                            For Ubuntu\/Debian (UFW – Uncomplicated Firewall):<\/strong><\/p>\n
                            \n
                            Bash<\/span><\/p>\n
                            <\/div>\n<\/div>\n
                            \n
                            \n
                            sudo apt install ufw -y # Install if not present<\/span>\r\nsudo ufw allow OpenSSH  # Allow SSH (port 22) - ESSENTIAL, so you don't lock yourself out<\/span>\r\nsudo ufw default deny incoming # Deny all other incoming by default<\/span>\r\nsudo ufw default allow outgoing # Allow all outgoing<\/span>\r\nsudo ufw enable<\/span> # Enable the firewall<\/span>\r\nsudo ufw status verbose # Check status<\/span>\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n
                              \n
                            • Open ports for services you run:<\/strong>\n
                                \n
                              • HTTP (web server): sudo ufw allow http<\/code> or sudo ufw allow 80<\/code><\/li>\n
                              • HTTPS (SSL web server): sudo ufw allow https<\/code> or sudo ufw allow 443<\/code><\/li>\n
                              • FTP (if used): sudo ufw allow 21\/tcp<\/code> (and possibly passive ports) – Avoid FTP if possible, use SFTP.<\/strong><\/li>\n
                              • MySQL (if accessed remotely): sudo ufw allow mysql<\/code> or sudo ufw allow 3306<\/code> – Only if truly necessary, restrict by IP if possible.<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n
                              • \n
                                For CentOS\/AlmaLinux\/Rocky Linux (firewalld):<\/strong><\/p>\n
                                \n
                                Bash<\/span><\/p>\n
                                <\/div>\n<\/div>\n
                                \n
                                \n
                                sudo systemctl enable<\/span> firewalld --now # Enable and start<\/span>\r\nsudo firewall-cmd --permanent --add-service=ssh # Allow SSH<\/span>\r\nsudo firewall-cmd --permanent --add-service=http # Allow HTTP<\/span>\r\nsudo firewall-cmd --permanent --add-service=https # Allow HTTPS<\/span>\r\nsudo firewall-cmd --reload # Apply changes<\/span>\r\nsudo firewall-cmd --list-all # Check status<\/span>\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n
                                  \n
                                • Open other ports as needed (e.g., MySQL if accessed remotely):<\/strong>\n
                                  \n
                                  Bash<\/span><\/p>\n
                                  <\/div>\n<\/div>\n
                                  \n
                                  \n
                                  sudo firewall-cmd --permanent --add-port=3306\/tcp\r\nsudo firewall-cmd --reload\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
                                  \n
                                  Step 4: Install and Configure Fail2Ban<\/h3>\n
                                  Fail2Ban monitors logs for suspicious activity (like repeated failed login attempts) and automatically bans the offending IP addresses for a set period.<\/p>\n
                                    \n
                                  • \n
                                    Install Fail2Ban:<\/strong><\/p>\n
                                      \n
                                    • Ubuntu\/Debian:<\/strong>\n
                                      \n
                                      Bash<\/span><\/p>\n
                                      <\/div>\n<\/div>\n
                                      \n
                                      \n
                                      sudo apt install fail2ban -y\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n
                                    • CentOS\/AlmaLinux\/Rocky Linux:<\/strong>\n
                                      \n
                                      Bash<\/span><\/p>\n
                                      <\/div>\n<\/div>\n
                                      \n
                                      \n
                                      sudo yum install epel-release -y\r\nsudo yum install fail2ban fail2ban-systemd -y # For CentOS 7+<\/span>\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<\/li>\n
                                    • \n
                                      Configure Fail2Ban:<\/strong> Create a local configuration file to override defaults without directly modifying the main config.<\/p>\n
                                      \n
                                      Bash<\/span><\/p>\n
                                      <\/div>\n<\/div>\n
                                      \n
                                      \n
                                      sudo cp \/etc\/fail2ban\/jail.conf \/etc\/fail2ban\/jail.local\r\nsudo nano \/etc\/fail2ban\/jail.local\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n
                                        \n
                                      • Find and modify the [sshd]<\/code> section (or create it if missing for some reason):<\/strong>\n
                                          \n
                                        • Ensure enabled = true<\/code><\/li>\n
                                        • Consider setting bantime<\/code> (e.g., bantime = 1h<\/code> for 1 hour ban)<\/li>\n
                                        • Consider setting maxretry<\/code> (e.g., maxretry = 3<\/code> for 3 failed attempts)<\/li>\n<\/ul>\n<\/li>\n
                                        • Add your IP address to ignoreip<\/code><\/strong> to prevent yourself from being banned (e.g., ignoreip = 127.0.0.1 ::1 your_local_ip_address<\/code>).<\/li>\n
                                        • Save and exit.<\/strong><\/li>\n<\/ul>\n<\/li>\n
                                        • \n
                                          Start and Enable Fail2Ban:<\/strong><\/p>\n
                                          \n
                                          Bash<\/span><\/p>\n
                                          <\/div>\n<\/div>\n
                                          \n
                                          \n
                                          sudo systemctl start fail2ban\r\nsudo systemctl enable<\/span> fail2ban\r\nsudo systemctl status fail2ban # Check status<\/span>\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n
                                          You can check banned IPs with sudo fail2ban-client status sshd<\/code>.<\/p>\n<\/li>\n<\/ul>\n
                                          \n
                                          Step 5: Install and Configure Automated Updates (Highly Recommended)<\/h3>\n
                                          While you’ve manually updated, setting up automatic security updates is crucial.<\/p>\n
                                            \n
                                          • \n
                                            Ubuntu\/Debian (Unattended Upgrades):<\/strong><\/p>\n
                                            \n
                                            Bash<\/span><\/p>\n
                                            <\/div>\n<\/div>\n
                                            \n
                                            \n
                                            sudo apt install unattended-upgrades -y\r\nsudo dpkg-reconfigure --priority=low unattended-upgrades\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n
                                            Follow the prompts. It’s usually safe to enable automatic security updates. You can also edit \/etc\/apt\/apt.conf.d\/50unattended-upgrades<\/code> to customize.<\/p>\n<\/li>\n
                                          • \n
                                            CentOS\/AlmaLinux\/Rocky Linux (dnf-automatic or yum-cron):<\/strong><\/p>\n
                                              \n
                                            • For dnf-automatic (newer CentOS\/AlmaLinux\/Rocky Linux):<\/strong>\n
                                              \n
                                              Bash<\/span><\/p>\n
                                              <\/div>\n<\/div>\n
                                              \n
                                              \n
                                              sudo dnf install dnf-automatic -y\r\nsudo nano \/etc\/dnf\/automatic.conf\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n
                                              Edit apply_updates = yes<\/code> and emit_via = email<\/code> (or other methods).<\/p>\n
                                              \n
                                              Bash<\/span><\/p>\n
                                              <\/div>\n<\/div>\n
                                              \n
                                              \n
                                              sudo systemctl enable<\/span> dnf-automatic.timer --now\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n
                                            • For yum-cron (older CentOS\/RHEL):<\/strong>\n
                                              \n
                                              Bash<\/span><\/p>\n
                                              <\/div>\n<\/div>\n
                                              \n
                                              \n
                                              sudo yum install yum-cron -y\r\nsudo nano \/etc\/yum\/yum-cron.conf\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n
                                              Set apply_updates = yes<\/code> and email_to<\/code> if you want email notifications.<\/p>\n
                                              \n
                                              Bash<\/span><\/p>\n
                                              <\/div>\n<\/div>\n
                                              \n
                                              \n
                                              sudo systemctl start yum-cron\r\nsudo systemctl enable<\/span> yum-cron\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
                                              \n
                                              Step 6: Regular Backups<\/h3>\n
                                              This is not a security measure per se<\/em>, but it’s your last line of defense against data loss due to successful attacks, accidental deletion, or hardware failure.<\/p>\n
                                                \n
                                              • VPS Provider Backups:<\/strong> Many providers offer automated backup services for an extra fee. This is often the easiest option.<\/li>\n
                                              • Manual Backups:<\/strong>\n
                                                  \n
                                                • tar<\/code> for archiving files: sudo tar -czvf \/backup\/website_backup.tar.gz \/var\/www\/html<\/code><\/li>\n
                                                • mysqldump<\/code> for databases: sudo mysqldump -u root -p database_name > \/backup\/database_name.sql<\/code><\/li>\n<\/ul>\n<\/li>\n
                                                • Automated Backup Scripts:<\/strong> Write a script to automate tar<\/code> and mysqldump<\/code>, then schedule it with cron<\/code>.<\/li>\n
                                                • Offsite Storage:<\/strong> Always store backups off your VPS (e.g., Google Drive, Amazon S3, Dropbox, another server). Use rsync<\/code> or scp<\/code> to transfer.<\/li>\n<\/ul>\n
                                                  \n
                                                  Step 7: Basic Malware and Rootkit Scanning<\/h3>\n
                                                  Tools to periodically check for malicious software.<\/p>\n
                                                    \n
                                                  • ClamAV (Antivirus):<\/strong>\n
                                                    \n
                                                    Bash<\/span><\/p>\n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    \n
                                                    sudo apt install clamav clamav-daemon -y # Ubuntu\/Debian<\/span>\r\nsudo yum install epel-release -y && sudo yum install clamav clamd -y # CentOS\/AlmaLinux\/Rocky Linux<\/span>\r\nsudo freshclam # Update virus definitions<\/span>\r\nsudo clamscan -r -i \/ # Scan entire system (can take a long time)<\/span>\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n
                                                  • Chkrootkit (Rootkit Scanner):<\/strong>\n
                                                    \n
                                                    Bash<\/span><\/p>\n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    \n
                                                    sudo apt install chkrootkit -y # Ubuntu\/Debian<\/span>\r\nsudo yum install chkrootkit -y # CentOS\/AlmaLinux\/Rocky Linux (may need EPEL)<\/span>\r\nsudo chkrootkit\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n
                                                  • Rootkit Hunter (rkhunter):<\/strong>\n
                                                    \n
                                                    Bash<\/span><\/p>\n
                                                    <\/div>\n<\/div>\n
                                                    \n
                                                    \n
                                                    sudo apt install rkhunter -y # Ubuntu\/Debian<\/span>\r\nsudo yum install rkhunter -y # CentOS\/AlmaLinux\/Rocky Linux (may need EPEL)<\/span>\r\nsudo rkhunter --update\r\nsudo rkhunter --check\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n
                                                    These tools are for scanning, not real-time protection. Run them periodically.<\/em><\/li>\n<\/ul>\n
                                                    \n
                                                    Step 8: Keep Services and Software Updated and Secure<\/h3>\n
                                                      \n
                                                    • Web Server (Apache\/Nginx):<\/strong>\n
                                                        \n
                                                      • Keep it updated.<\/li>\n
                                                      • Configure it for security (e.g., disable unused modules, set appropriate permissions for web root, disable directory listings, use mod_security<\/code> for Apache or equivalent for Nginx).<\/li>\n<\/ul>\n<\/li>\n
                                                      • Database Server (MySQL\/MariaDB\/PostgreSQL):<\/strong>\n
                                                          \n
                                                        • Keep it updated.<\/li>\n
                                                        • Run mysql_secure_installation<\/code> if using MySQL\/MariaDB.<\/li>\n
                                                        • Use strong, unique passwords for database users.<\/li>\n
                                                        • Restrict database access to localhost<\/code> if possible (only allow your web server to connect). If remote access is needed, use firewall rules to limit by source IP.<\/li>\n<\/ul>\n<\/li>\n
                                                        • PHP (if used):<\/strong>\n
                                                            \n
                                                          • Use the latest stable PHP version.<\/li>\n
                                                          • Disable dangerous functions in php.ini<\/code> (e.g., disable_functions = exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source<\/code>).<\/li>\n
                                                          • Set expose_php = Off<\/code>.<\/li>\n<\/ul>\n<\/li>\n
                                                          • Application Security:<\/strong>\n
                                                              \n
                                                            • If running CMS like WordPress, keep core, themes, and plugins updated. Use strong passwords for admin accounts.<\/li>\n
                                                            • Regularly audit code for custom applications.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
                                                              \n
                                                              Step 9: Log Monitoring<\/h3>\n
                                                                \n
                                                              • Regularly check system logs for unusual activity.\n
                                                                  \n
                                                                • journalctl -u sshd<\/code> (SSH logs)<\/li>\n
                                                                • tail -f \/var\/log\/auth.log<\/code> (Ubuntu\/Debian authentication logs)<\/li>\n
                                                                • tail -f \/var\/log\/secure<\/code> (CentOS\/AlmaLinux\/Rocky Linux authentication logs)<\/li>\n
                                                                • Web server access and error logs (e.g., \/var\/log\/apache2\/access.log<\/code>, \/var\/log\/nginx\/error.log<\/code>).<\/li>\n<\/ul>\n<\/li>\n
                                                                • Consider using a log management tool (e.g., ELK Stack, Splunk, Graylog) for larger setups.<\/li>\n<\/ul>\n
                                                                  \n
                                                                  Step 10: General Best Practices<\/h3>\n
                                                                    \n
                                                                  • Use Strong, Unique Passwords:<\/strong> For all accounts and services.<\/li>\n
                                                                  • Principle of Least Privilege:<\/strong> Grant users and services only the minimum permissions they need to function.<\/li>\n
                                                                  • Remove Unused Services\/Software:<\/strong> Reduces the attack surface.<\/li>\n
                                                                  • Stay Informed:<\/strong> Follow security news, especially for your OS and applications.<\/li>\n
                                                                  • Perform Regular Audits:<\/strong> Periodically review your server’s security configurations.<\/li>\n<\/ul>\n
                                                                    \n
                                                                    Securing an unmanaged VPS is an ongoing commitment. By following these steps, you’ll establish a strong security foundation for your server, but remember to stay proactive and adapt as new threats emerge.<\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                    Securing an unmanaged VPS is a critical task, as you are solely responsible for its protection. Neglecting security can lead to data breaches, website defacement, DDoS attacks, and your server being used for malicious activities. This guide provides a step-by-step approach to securing your unmanaged Linux VPS. Disclaimer: Security is an ongoing process, not a […]<\/p>\n","protected":false},"author":226,"featured_media":26548,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"tdm_status":"","tdm_grid_status":"","footnotes":""},"categories":[163],"tags":[],"class_list":{"0":"post-26536","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-hosting"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/posts\/26536","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/users\/226"}],"replies":[{"embeddable":true,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/comments?post=26536"}],"version-history":[{"count":2,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/posts\/26536\/revisions"}],"predecessor-version":[{"id":26551,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/posts\/26536\/revisions\/26551"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/media\/26548"}],"wp:attachment":[{"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/media?parent=26536"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/categories?post=26536"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/tags?post=26536"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}