Complete VPS Security Hardening Guide
Step-by-step guide to securing your VPS. Covers SSH hardening, firewalls, fail2ban, automatic updates, and essential security practices to protect your server.
Your VPS is exposed to the internet 24/7. Without proper security, it's only a matter of time before someone compromises it. This guide covers everything you need to lock down your server.
Why This Matters
Every minute, automated bots scan the internet for vulnerable servers. A fresh VPS can receive thousands of login attempts within hours of being created. Proper security isn't optional—it's the difference between a reliable server and becoming part of a botnet.
What's at stake:
- Your data and your users' data
- Your server being used for spam or attacks
- Crypto mining malware draining your resources
- Complete loss of control over your infrastructure
Prerequisites
- A fresh VPS (we recommend Hostinger VPS for their security features and DDoS protection)
- SSH access to your server
- Basic command line knowledge
Step 1: Update Your System
Before anything else, update all packages:
# Ubuntu/Debian
sudo apt update && sudo apt upgrade -y
# CentOS/RHEL
sudo dnf update -y
Enable automatic security updates:
# Ubuntu/Debian
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades
Step 2: Create a Non-Root User
Never use root for daily operations:
# Create new user
adduser deploy
# Add to sudo group
usermod -aG sudo deploy
# Switch to new user
su - deploy
Step 3: Configure SSH Security
Edit your SSH configuration:
sudo nano /etc/ssh/sshd_config
Apply these settings:
# Disable root login
PermitRootLogin no
# Disable password authentication (after setting up keys!)
PasswordAuthentication no
# Change default port (optional but recommended)
Port 2222
# Limit login attempts
MaxAuthTries 3
# Set login timeout
LoginGraceTime 60
# Disable empty passwords
PermitEmptyPasswords no
# Disable X11 forwarding if not needed
X11Forwarding no
Set up SSH key authentication BEFORE disabling passwords:
# On your LOCAL machine, generate a key
ssh-keygen -t ed25519 -C "your-email@example.com"
# Copy to server
ssh-copy-id -i ~/.ssh/id_ed25519.pub deploy@your-server-ip
Restart SSH:
sudo systemctl restart sshd
Test your new connection in a separate terminal before closing your current session!
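The settings sshd actually applies can differ from what you typed into sshd_config, for example when another config file sets the same keyword. The following added example (not part of the original guide) compares the effective configuration printed by `sshd -T` with the Step 3 values; the function name `audit_sshd` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): check the settings sshd
# actually uses against the Step 3 values. Input is `sshd -T` output,
# which prints one lowercase "keyword value" pair per line.

# Expected effective values, taken from the Step 3 settings.
EXPECTED='permitrootlogin no
passwordauthentication no
port 2222
maxauthtries 3
logingracetime 60
permitemptypasswords no
x11forwarding no'

# Constructed sample: another config source set PasswordAuthentication yes,
# so the edit to sshd_config did not take effect.
SAMPLE_OVERRIDDEN='port 2222
permitrootlogin no
passwordauthentication yes
maxauthtries 3
logingracetime 60
permitemptypasswords no
x11forwarding no'

# audit_sshd: reads `sshd -T` output on stdin, prints one MISMATCH line
# per deviating keyword, and returns non-zero if any were found.
audit_sshd() {
    effective=$(cat)
    failures=0
    while read -r key want; do
        got=$(printf '%s\n' "$effective" |
              awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: want=$want got=${got:-unset}"
            failures=$((failures + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    [ "$failures" -eq 0 ]
}

# Demo on the constructed sample; on a server: sudo sshd -T | audit_sshd
printf '%s\n' "$SAMPLE_OVERRIDDEN" | audit_sshd || true
```

Run it after the restart and before closing your existing session, so a mismatch can be fixed while you still have access.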
Step 4: Configure the Firewall
Use UFW (Uncomplicated Firewall):
# Install UFW
sudo apt install ufw -y
# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH (use your custom port if changed)
sudo ufw allow 2222/tcp
# Allow HTTP/HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Enable firewall
sudo ufw enable
# Check status
sudo ufw status verbose
Step 5: Install and Configure Fail2Ban
Fail2Ban automatically blocks IPs with too many failed login attempts:
sudo apt install fail2ban -y
Create a local configuration:
sudo nano /etc/fail2ban/jail.local
Add:
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
banaction = ufw
[sshd]
enabled = true
port = 2222
filter = sshd
# If /var/log/auth.log does not exist (journald-only systems), use backend = systemd instead
logpath = /var/log/auth.log
maxretry = 3
bantime = 24h
Start Fail2Ban:
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
# Check banned IPs
sudo fail2ban-client status sshd
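To see what the [sshd] values above mean in practice, the following added example (not Fail2Ban's own code and not from the original guide) applies the same counting rule, maxretry failures inside findtime, to a few log lines. The log lines, host name and function name `would_ban` are constructed, and the parser assumes classic syslog timestamps within a single day.

```shell
#!/bin/sh
# Added example (not Fail2Ban code): apply the [sshd] jail's counting rule,
# maxretry failures inside findtime, to auth.log-style lines.
# Assumes classic syslog timestamps ("Mon DD HH:MM:SS") within one day.

MAXRETRY=3     # maxretry from the [sshd] section
FINDTIME=600   # findtime = 10m from [DEFAULT], in seconds

# Constructed sample log (documentation IP ranges, hypothetical host "vps").
SAMPLE_LOG='Feb  6 10:00:01 vps sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Feb  6 10:00:09 vps sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Feb  6 10:02:30 vps sshd[840]: Failed password for deploy from 198.51.100.20 port 51544 ssh2
Feb  6 10:04:45 vps sshd[857]: Failed password for root from 203.0.113.7 port 40360 ssh2
Feb  6 10:20:00 vps sshd[901]: Failed password for deploy from 198.51.100.20 port 51720 ssh2
Feb  6 10:41:10 vps sshd[950]: Failed password for deploy from 198.51.100.20 port 51801 ssh2
Feb  6 10:41:20 vps sshd[950]: Accepted publickey for deploy from 198.51.100.20 port 51802 ssh2'

# would_ban: reads log lines on stdin and prints each source IP once, at the
# moment it reaches MAXRETRY failed passwords within FINDTIME seconds.
would_ban() {
    awk -v max="$MAXRETRY" -v win="$FINDTIME" '
    /sshd\[[0-9]+\]: Failed password/ {
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]
        # The address follows the last "from" on the line.
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        n = ++count[ip]
        seen[ip, n] = now
        if (!(ip in first)) first[ip] = 1
        # Slide the window: forget failures older than findtime.
        while (now - seen[ip, first[ip]] > win) first[ip]++
        if (n - first[ip] + 1 >= max && !(ip in banned)) {
            banned[ip] = 1
            print ip
        }
    }'
}

# Demo on the constructed sample: only the burst from 203.0.113.7 qualifies.
printf '%s\n' "$SAMPLE_LOG" | would_ban
```

The second address fails three times as well, but its attempts are more than ten minutes apart, so a slow guesser stays under this jail's threshold.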
Step 6: Disable Unused Services
List running services:
sudo systemctl list-units --type=service --state=running
Disable anything you don't need:
sudo systemctl disable --now cups
sudo systemctl disable --now avahi-daemon
sudo systemctl disable --now bluetooth
Step 7: Set Up Intrusion Detection
Install AIDE (Advanced Intrusion Detection Environment):
sudo apt install aide -y
# Initialize database
sudo aideinit
# Move database
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Check for changes (run periodically)
sudo aide --check
Step 8: Configure Kernel Security Parameters
Edit sysctl configuration:
sudo nano /etc/sysctl.d/99-security.conf
Add:
# IP spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# SYN flood protection
net.ipv4.tcp_syncookies = 1
# Ignore ping broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Log suspicious packets
net.ipv4.conf.all.log_martians = 1
Apply changes:
sudo sysctl -p /etc/sysctl.d/99-security.conf
Step 9: Set Up Log Monitoring
Configure logwatch for daily reports:
sudo apt install logwatch -y
# Generate report
sudo logwatch --detail High --mailto your@email.com --service All --range today
Set up a daily cron job:
# Entries in /etc/cron.d need a user field (root here) before the command
echo "0 0 * * * root /usr/sbin/logwatch --output mail --mailto your@email.com --detail high" | sudo tee /etc/cron.d/logwatch
Step 10: Enable Two-Factor Authentication (Optional)
Install Google Authenticator:
sudo apt install libpam-google-authenticator -y
# Run setup as your user
google-authenticator
Answer the prompts and save your backup codes!
Edit PAM configuration:
sudo nano /etc/pam.d/sshd
Add at the top:
auth required pam_google_authenticator.so
Edit SSH config:
sudo nano /etc/ssh/sshd_config
Set:
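# On OpenSSH 8.7 and later this keyword is a deprecated alias for KbdInteractiveAuthentication
ChallengeResponseAuthentication yes
# Require the SSH key first, then the keyboard-interactive (PAM) prompt
AuthenticationMethods publickey,keyboard-interactive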
Restart SSH:
sudo systemctl restart sshd
Best Practices
- Regular updates - Schedule weekly update checks
- Minimal software - Only install what you need
- Strong passwords - Use a password manager, minimum 16 characters
- Principle of least privilege - Users only get access they need
- Regular audits - Review logs and access weekly
- Backup before changes - Always have a rollback plan
- Monitor actively - Set up alerts for suspicious activity
- Use VPN for sensitive access - Consider WireGuard for admin access
Common Mistakes to Avoid
❌ Disabling password auth before setting up SSH keys - You'll lock yourself out
❌ Opening too many firewall ports - Each open port is an attack surface
❌ Using root for everything - One mistake can destroy your system
❌ Ignoring logs - Attacks often show warning signs before succeeding
❌ Weak SSH keys - Use Ed25519 or RSA 4096-bit minimum
❌ Same password everywhere - If one service is compromised, all are
❌ Forgetting about outbound rules - Malware phones home through outbound connections
❌ Not testing changes - Always test SSH access before closing your session
Security Checklist
Use this checklist for every new server:
- System updated
- Non-root user created
- SSH keys configured
- Password authentication disabled
- SSH port changed (optional)
- Firewall enabled
- Fail2Ban installed
- Unused services disabled
- Automatic updates enabled
- Log monitoring configured
FAQ
How often should I update my server?
Security updates should be applied as soon as possible—ideally automatically. For other updates, weekly is a good schedule.
Is changing the SSH port really necessary?
It's not required, but it dramatically reduces automated attacks in your logs. Bots mostly scan port 22. It's security through obscurity—not a replacement for real security, but a helpful addition.
What if I lock myself out?
This is why Hostinger VPS and similar providers offer console access. You can access your server through their control panel even if SSH is broken.
Should I use a VPN to access my server?
For highly sensitive servers, yes. WireGuard is lightweight and fast. For most use cases, properly configured SSH with key authentication and Fail2Ban is sufficient.
How do I know if my server has been compromised?
Signs include: unexpected CPU usage, unknown processes, modified files (AIDE will catch this), unfamiliar cron jobs, and unexplained network traffic. Regular monitoring is key.
Is root login really that dangerous?
Yes. Root has unlimited power. A typo or compromised session can destroy everything. Using sudo gives you a safety buffer and audit trail.
Next steps: Once your server is secured, check out our Docker Compose deployment guide to start deploying applications safely.
fordnox
// last updated: February 6, 2026. Disclosure: This article may contain affiliate links.