tips for increasing the security of your Linux VPS

Security tips for your Linux VPS

6 min read

Over the last couple of decades, the Linux user base has been slowly growing in size as more and more people make the switch from Windows.

In the world of hosting, these changes are even more evident as experienced professionals and relative newcomers prefer to make use of a Linux distribution as their operating system, hence why the popularity of Linux-based VPS servers has become so widespread.

The common reason for this change is the fact that Linux has better overall security with statements that malware for Linux distributions is much harder to create and release.

However, it is important to remember that your Linux-based OS can only be secure if it is appropriately configured.

Because of this, we are going to be sharing some valuable tips in this article that you should definitely consider utilizing in order to make your VPS server more secure.

Keep your system updated

First and foremost, it is absolutely crucial that you keep your system updated at all times. Installing frequent software updates can be quite a boring and time-consuming task, but you should never neglect it!

Such periodic updates can also fix and patch potential exploits such as backdoors. It wasn’t that long ago that over 50% of all existing WordPress installations were found to have a dangerous exploit, leaving them vulnerable and susceptible to cyberattacks.

Here is how you can update your Linux distribution.

Updating Debian & Ubuntu

Update the package list:

apt-get update

Update the packages themselves:

apt-get upgrade

Updating CentOS & AlmaLinux

yum update

Remembering to update your system regularly will ensure that you will not experience any security exploit issues.

Use the non-standard (non-default) SSH port

By default, the SSH service’s listening port is set to port 22. Leaving this unchanged can result in your VPS server becoming a target for online hackers as port 22 is generally the main target when it comes to automated attacks.

To change the port, you only need to modify the service configuration file as illustrated below:

nano /etc/ssh/sshd_config

The following text should appear (or similar, depending on the configuration file):

# What ports, IPs and protocols we listen for
Port 22

All you need to do here, is to simply replace the number 22 with a different port number.

IMPORTANT: You should never use a port number that is already being used on your system!

Once you have changed the port, save and exit the configuration file and then restart the service:

systemctl restart sshd

This will automatically apply your changes. Keep in mind that you need to indicate the new port every time you request an SSH connection to your server.

For a detailed, step-by-step explanation, you can check out our tutorial on how to change your server’s SSH port.

Create a user with restricted rights

Our next tip involves creating a user with restricted rights. Generally speaking, you don't need to have root privileges in order to perform tasks via a standard user. You can easily create a new user with restricted rights and protect your server using the following command:

adduser CustomUserName

Next, fill in the requested information (name, password and other data). This new user will be allowed to log in via SSH. When you establish a connection, you can now use your newly-created credentials.

When you are successfully logged in, in order to perform any operations that require root permission, simply type the following command:

su root

Then, type the password and the active login will be switched to the root user.

Disable root user login

Having root access means having the most permissions on an operating system. We strongly recommend you disable direct root user access via the SSH protocol.

Leaving only root access as an access type for your server can result in irreversible damage!

IMPORTANT: Prior to disabling the root user login function, ensure to create another user like we mentioned in the previous section!

To disable the server access via the root user, you can follow these steps.

Modify the SSH configuration file

First, open up the SSH configuration file, like we mentioned in the initial section of this article using the following command:

nano /etc/ssh/sshd_config

Next, locate this section:

# Authentication: 
LoginGraceTime 120
PermitRootLogin yes 
StrictModes yes

Look for the line - PermitRootLogin and replace 'yes' with 'no'!

To apply the changes, you just need to restart the SSH service:

systemctl restart sshd

Once completed, you will notice that connections to your server via the root user will be automatically rejected.

Use security keys for identification

Using Security Keys (SSH Keys) has a number of security advantages.

Firstly, you can access your terminal without having to enter your password. Secondly, you can completely disable the process of having to log in with a password, meaning that a password would not be required to connect to the server.

This step protects your server against some possible attacks such as brute force attacks.

For more information, you can check out our tutorial on how to create a SSH key.

Install Fail2ban

Another great thing you can do to secure your server is to install Fail2ban.

This lightweight software prevents intrusion as it is designed to block unknown IP addresses that are trying to penetrate and gain access to your system. To install the software package, you can use the following command.

How to Instal Fail2ban for Ubuntu & Debian

apt-get install fail2ban

How to Install Fail2ban for CentOS

yum install epel-release
yum install fail2ban

Once the package installs successfully, you will need to adjust its configuration file in order to set it up with your system. 

IMPORTANT: Before making any changes to the configuration file, we strongly recommend creating a backup of the original using the following command:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.backup

Once you have made a backup of the original file, open up the Fail2ban configuration file using this command and adjust the settings:

nano /etc/fail2ban/jail.conf

When you finish editing the config file, restart the service with:

service fail2ban restart

For any additional information on the software, you can check out the official Fail2ban documentation.

Configure the internal firewall

Linux distributions come with a firewall service named ‘iptables’. By default, it doesn't have any active rules. To verify that it is indeed located on your system, type the following command:

iptables -L

We recommend creating and adjusting some firewall rules according to your needs. However, the firewall service is configured differently for each Linux distribution. You need to check out the official documentation for the Linux OS of your choice in order to make adjustments accordingly.

Backup your system and your data

Finally, it is important to mention that security doesn’t only mean protecting your system against external attacks.

As a matter of fact, having a backup or a snapshot of your system and its data on a remote server can help you fully restore any information that might be lost due to a hacker attack or a physical server malfunction.

Because of this, make sure to start generating regular server backups and store them in different locations.

Overall, having these extra layers of protection for your Linux VPS server can be quite helpful. Our VPS servers, for example, support all of the aforementioned additional security measures and we also provide advanced DDoS protection up to 1.8Tbps! Finally, if you are not using Linux, but running Windows Server, you might also want to secure your VPS using our Windows tips!

Subscribe to our newsletter.

Join 5000+ subscribers and receive helpful content, deals and more! We promise no spam - 100% great content. Unsubscribe anytime.

Deploy a secure and reliable cloud server now!

Configure
Payment methods we accept:
Bitcoin
Lightning Network (Bitcoin)
Credit card
Bank transfer