VPS Security Hardening Checklist
Securing your VPS is essential to protect your data and applications. This comprehensive checklist covers all critical security measures you should implement on your Domain India VPS immediately after provisioning.
1. System Updates
Keep your operating system and all packages up to date.
Ubuntu/Debian
```bash
sudo apt update && sudo apt upgrade -y
```
CentOS/RHEL
```bash
sudo yum update -y
# or on newer versions
sudo dnf update -y
```
Tip: Enable automatic security updates to stay protected:
```bash
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
```
2. Create a Non-Root User
Avoid using the root account for daily operations.
```bash
# Create a new user
adduser myuser
# Grant sudo privileges
usermod -aG sudo myuser
# Switch to new user
su - myuser
```
Test that the new user can run sudo commands before proceeding.
3. Secure SSH Access
3a. Use SSH Key Authentication
```bash
# On your local machine, generate a key
ssh-keygen -t ed25519
# Copy to server
ssh-copy-id myuser@YOUR_VPS_IP
```
3b. Disable Root Login and Password Authentication
Edit SSH configuration:
```bash
sudo nano /etc/ssh/sshd_config
```
Set the following values:
```
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
UsePAM no
X11Forwarding no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
```
Restart SSH:
```bash
sudo systemctl restart sshd
```
Tip: Keep your current SSH session open while testing the new configuration in a separate terminal. This prevents lockouts.
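The following check is an added example, not part of the original article: it compares the settings sshd actually applies, as printed by `sshd -T`, with the values from step 3b plus the port from step 3c. On distributions whose `sshd_config` includes `/etc/ssh/sshd_config.d/*.conf`, a drop-in file can take precedence over an edit to the main file, so the effective values are what count. The function name `audit_sshd` and the sample input are constructed for illustration.

```bash
# Added example: audit `sshd -T` output against this checklist's values.
# Real use (as root): sudo sshd -T | audit_sshd

# Expected values: steps 3b and 3c of this article, in the lowercase
# "keyword value" form that `sshd -T` prints.
EXPECTED='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
usepam no
x11forwarding no
maxauthtries 3
clientaliveinterval 300
clientalivecountmax 2
port 2222'

# Constructed sample: a server still listening on port 22 and still
# accepting passwords, e.g. because another config file overrides the edit.
SAMPLE_DRIFT='port 22
port 2222
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes
usepam no
x11forwarding no
maxauthtries 3
clientaliveinterval 300
clientalivecountmax 2'

# Reads effective config on stdin, prints one line per deviation,
# returns 0 if every expected setting matches and 1 otherwise.
audit_sshd() {
    effective=$(tr '[:upper:]' '[:lower:]')
    rc=0
    while read -r key want; do
        # Join every value seen for this keyword, so a second Port shows up.
        got=$(printf '%s\n' "$effective" |
            awk -v k="$key" '$1 == k { v = (v == "" ? $2 : v "," $2) } END { print v }')
        if [ -z "$got" ]; then
            echo "MISSING  $key (expected $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key: effective=$got expected=$want"; rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

printf '%s\n' "$SAMPLE_DRIFT" | audit_sshd || true
```

Run it from the second terminal mentioned in the tip above, before closing the original session.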
3c. Change the Default SSH Port
Edit /etc/ssh/sshd_config:
```
Port 2222
```
Update your firewall rules before restarting SSH:
```bash
sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp
sudo systemctl restart sshd
```
4. Configure a Firewall
```bash
# Set defaults
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow your SSH port
sudo ufw allow 2222/tcp
# Allow web traffic (if running a web server)
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Enable firewall
sudo ufw enable
```
5. Install and Configure Fail2ban
Fail2ban monitors log files and automatically blocks IP addresses that show signs of malicious activity.
```bash
sudo apt install fail2ban -y
```
Create a local configuration:
```bash
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
```
Key settings:
```
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600
```
Restart fail2ban:
```bash
sudo systemctl restart fail2ban
sudo systemctl enable fail2ban
# Check status
sudo fail2ban-client status sshd
```
6. Disable Unused Services
List running services and disable what you do not need:
```bash
# List all running services
systemctl list-units --type=service --state=running
# Disable unnecessary services
sudo systemctl stop SERVICE_NAME
sudo systemctl disable SERVICE_NAME
```
Common services to review: cups, avahi-daemon, bluetooth, rpcbind.
7. Set Up Intrusion Detection
Install and configure rkhunter to check for rootkits:
```bash
sudo apt install rkhunter -y
sudo rkhunter --update
sudo rkhunter --check
```
Set up a daily scan via cron:
```bash
sudo crontab -e
# Add:
0 3 * * * /usr/bin/rkhunter --check --skip-keypress --report-warnings-only | mail -s "rkhunter report" [email protected]
```
8. Secure Shared Memory
Prevent shared memory exploits:
```bash
sudo nano /etc/fstab
```
Add:
```
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
```
9. Configure Log Monitoring
Important log files to monitor:
- /var/log/auth.log -- authentication attempts
- /var/log/syslog -- system events
- /var/log/fail2ban.log -- blocked IPs
- /var/log/ufw.log -- firewall activity
Install logwatch for daily summaries:
```bash
sudo apt install logwatch -y
sudo logwatch --detail High --mailto [email protected] --range today
```
10. Set Up Automatic Backups
Schedule regular backups of critical data:
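```bash
# Simple backup script
sudo nano /usr/local/bin/backup.sh
```
```bash
#!/bin/bash
# Archive /etc, /var/www and /home into a dated tarball under /backup
DATE=$(date +%Y%m%d)
tar -czf "/backup/server-backup-$DATE.tar.gz" /etc /var/www /home
# Remove anything under /backup older than 30 days
find /backup -mtime +30 -delete
```
```bash
sudo chmod +x /usr/local/bin/backup.sh
sudo crontab -e
# Add:
0 2 * * * /usr/local/bin/backup.sh
```
Quick Reference Checklist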
- System fully updated
- Non-root user created with sudo access
- SSH key authentication enabled
- Root login disabled
- Password authentication disabled
- SSH port changed from default
- Firewall configured and enabled
- Fail2ban installed and configured
- Unused services disabled
- Intrusion detection installed
- Shared memory secured
- Log monitoring configured
- Automated backups scheduled
Need help hardening your VPS? Contact our support team at [email protected] or open a ticket at https://domainindia.com/support.