Secure Linux VPS
Learn best practices to secure your Linux VPS against common threats. This complete guide covers secure SSH configuration, UFW firewall, Fail2ban to block brute-force attacks and security updates.
:::warning Important Test each modification before closing your current SSH session to avoid getting locked out. :::
This guide presents best practices for securing your Linux VPS. Security is an ongoing process, and these steps provide a solid foundation.
1. Update the system
The first step in securing your VPS is to keep the system up to date.
Install updates
apt update && apt upgrade -y
:::tip Regular updates Plan to regularly check for security updates. You can automate this, but doing it manually remains preferable to maintain control, as some updates may require intervention. :::
2. Create a non-root user
Never use root for daily operations.
Create a new user
adduser yourname
Add the user to the sudo group
usermod -aG sudo yourname
Test the connection
In a new terminal, test the connection with the new user:
ssh yourname@YOUR_VPS_IP
Verify that sudo works:
sudo apt update
3. Secure SSH
The SSH service is the entry point to your VPS, so it must be properly configured.
3.1. Modify SSH configuration
Once a non-root user is created, log in with it and edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Modify or add these lines:
# Disable root login
PermitRootLogin no
# Limit authentication attempts
MaxAuthTries 3
# Connection timeout
LoginGraceTime 30
# Disable X11 forwarding
X11Forwarding no
# Limit access to certain users (optional)
AllowUsers yourname
3.2. Change SSH port (optional)
To avoid automatic scans on port 22:
Port 2222
:::warning Warning If you change the SSH port, note it! You will then need to connect with:
ssh -p 2222 yourname@YOUR_VPS_IP
Or change your SSH client configuration.
:::
:::warning VPN/Firewall If you use a VPN or specific firewall to access your VPS, make sure the new port is allowed. :::
3.3. Restart SSH
First test the configuration:
sudo sshd -t
If everything is OK, restart:
sudo systemctl restart sshd
# or depending on the distribution
sudo systemctl restart ssh
:::tip Important Don't close your current session! Open a new terminal and test the SSH connection before closing the old session. :::
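The following check is an added example, not part of the original guide. sshd uses the first value it reads for each keyword, so a file pulled in by an `Include` line can set a value before the one you edited in `/etc/ssh/sshd_config`. `sudo sshd -T` prints the effective settings, and the script compares them with the values from section 3.1. The function name `audit_sshd` and the sample output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit sshd's *effective* settings against section 3.1.
# Feed it the output of `sudo sshd -T`, which prints one lowercase
# "keyword value" pair per line after all Include files are merged.

# Expected values from section 3.1 of this guide.
EXPECTED='permitrootlogin no
maxauthtries 3
logingracetime 30
x11forwarding no'

# audit_sshd [expected_port] < sshd-T-output   (hypothetical helper name)
# Prints one line per deviation; exit status is the number of deviations.
audit_sshd() {
  local want_port="${1:-}" dump key want got bad=0
  dump="$(cat)"
  while read -r key want; do
    # First matching line is the value sshd actually applies.
    got="$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')"
    if [ "$got" != "$want" ]; then
      echo "MISMATCH $key: effective='${got:-<unset>}' expected='$want'"
      bad=$((bad + 1))
    fi
  done <<EOF
$EXPECTED
EOF
  if [ -n "$want_port" ]; then
    # sshd -T prints one "port N" line per listening port.
    if ! printf '%s\n' "$dump" | grep -qx "port $want_port"; then
      echo "MISMATCH port: sshd is not listening on $want_port"
      bad=$((bad + 1))
    fi
  fi
  return "$bad"
}

# Constructed sample: what `sshd -T` could print when another config file
# still sets PermitRootLogin and the Port change was never applied.
SAMPLE_BAD='port 22
permitrootlogin yes
maxauthtries 3
logingracetime 30
x11forwarding no
allowusers yourname'

# On a real server: sudo sshd -T | audit_sshd 2222
printf '%s\n' "$SAMPLE_BAD" | audit_sshd 2222 || echo "deviations: $?"
```

Run it from the session you already have open, before testing the new connection; any MISMATCH line means the restart did not give you the configuration you wrote.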
4. Configure a firewall (UFW)
UFW (Uncomplicated Firewall) is a simple and effective firewall.
:::info Why a firewall? A firewall controls incoming and outgoing network traffic, protecting your VPS against unauthorized access.
For example, if you go through a VPN, you might want to restrict SSH access only to VPN IPs.
UFW is not the only option; iptables, firewalld and others also exist. UFW is recommended for its simplicity. :::
Installation
sudo apt install -y ufw
Basic configuration
# Block all incoming traffic by default
sudo ufw default deny incoming
# Allow all outgoing traffic
sudo ufw default allow outgoing
# Allow SSH (default port 22)
sudo ufw allow 22/tcp
# If you changed the SSH port
sudo ufw allow 2222/tcp
Allow other services
Depending on your needs:
# HTTP
sudo ufw allow 80/tcp
# HTTPS
sudo ufw allow 443/tcp
# MySQL (only if needed from outside)
sudo ufw allow 3306/tcp
# PostgreSQL (only if needed from outside)
sudo ufw allow 5432/tcp
Enable the firewall
sudo ufw enable
Check status
sudo ufw status verbose
5. Install Fail2ban
Fail2ban protects against brute-force attacks by banning suspicious IPs.
Installation
sudo apt install -y fail2ban
Configuration
Create a local configuration:
sudo nano /etc/fail2ban/jail.local
Add this basic configuration:
[DEFAULT]
# Ban for 1 hour
bantime = 3600
# Detection window of 10 minutes
findtime = 600
# Maximum number of attempts
maxretry = 5
# Default action
banaction = ufw
[sshd]
enabled = true
port = 22
# If you changed the SSH port, modify this line
# port = 2222
logpath = %(sshd_log)s
backend = systemd
Start Fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Check status
sudo fail2ban-client status
sudo fail2ban-client status sshd
🎉 Congratulations
Your Linux VPS is now much more secure! Remember that security is an ongoing process:
- Monitor your logs regularly
- Keep your system up to date
- Perform regular backups
- Periodically audit your configuration
:::info Need help? If you encounter any issues or need additional advice, join our Discord. :::