Securing Your VPS
A fresh VPS is exposed to the public internet from the moment it boots. Automated scanners will find it within minutes, attempting brute-force logins and probing for open services. This guide covers the essential hardening steps you should complete after your first login.
1. Use SSH Keys Instead of Passwords
Password-based SSH login is the most common attack vector. Switching to key-based authentication eliminates brute-force password attacks entirely.
Generate a key pair on your local machine (if you don't already have one):
```bash
ssh-keygen -t ed25519 -C "your-email@example.com"
```
Copy the public key to your server:
```bash
ssh-copy-id root@your-server-ip
```
Verify that you can log in with the key, then disable password authentication:
```
# /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes
```
Restart the SSH service:
```bash
sudo systemctl restart sshd
```
You can also manage SSH keys from the Sitequest dashboard.
2. Disable Root Login (Optional but Recommended)
Instead of logging in as root, create a regular user with sudo privileges:
```bash
adduser deploy
usermod -aG sudo deploy
```
Copy your SSH key to the new user, then disable root login:
```
# /etc/ssh/sshd_config
PermitRootLogin no
```
Restart SSH after the change. If you lock yourself out, you can use the VNC console for emergency access.
3. Change the Default SSH Port (Optional)
Moving SSH to a non-standard port reduces noise from automated scanners. It is not a security measure on its own, but it significantly cuts down on log spam:
```
# /etc/ssh/sshd_config
Port 2222
```
Remember to update your firewall rules to allow the new port before restarting SSH.
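Sections 1 to 3 all edit /etc/ssh/sshd_config, and two things commonly go wrong there: sshd takes the first value it reads for a keyword (see sshd_config(5)), so a directive appended below an earlier one, or below an `Include` of /etc/ssh/sshd_config.d/ drop-ins that some cloud images ship with password login enabled, is silently ignored; and a typo in the file leaves you restarting an sshd that refuses to start. The script below is an added example, not part of the Sitequest guide: it removes every existing copy of a keyword (commented or not), inserts the new directive on line 1 where nothing can shadow it, opens the chosen port in the firewall, validates with `sshd -t`, and only then restarts, rolling back the backup if validation fails. The file name `harden-sshd.sh` and the `APPLY_SSHD_HARDENING` / `SSH_PORT` variables are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the Sitequest guide): apply the sshd_config changes
# from sections 1-3 so they cannot be overridden, validate with `sshd -t`,
# and only then restart the service.
set -eu

# Set KEY to VALUE in FILE. sshd uses the FIRST value it reads for a keyword,
# so we remove every existing copy (active or commented out) and put the new
# directive on line 1, ahead of any later line or Include'd drop-in.
set_sshd_option() {
  local file=$1 key=$2 value=$3 tmp
  tmp=$(mktemp)
  grep -viE "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file" > "$tmp" || true
  { printf '%s %s\n' "$key" "$value"; cat "$tmp"; } > "$file"
  rm -f "$tmp"
}

# Print the value sshd would take for KEY from FILE alone (first active
# match), or "unset" if the keyword is absent. This does not follow Include
# lines; `sshd -T` is the authoritative check on a live host.
effective_sshd_option() {
  local file=$1 key=$2
  awk -v k="$key" '
    tolower($1) == tolower(k) { print $2; found = 1; exit }
    END { if (!found) print "unset" }' "$file"
}

# The hardening set from sections 1-3. PORT is optional (section 3).
harden_sshd_config() {
  local file=$1 port=${2:-}
  set_sshd_option "$file" PubkeyAuthentication yes
  set_sshd_option "$file" PasswordAuthentication no
  set_sshd_option "$file" PermitRootLogin no
  if [ -n "$port" ]; then
    set_sshd_option "$file" Port "$port"
  fi
}

# Live procedure (run as root). Backs up the config, applies the changes,
# opens a custom port in the firewall first, validates, then restarts.
# A rejected config is restored so the running sshd keeps its old settings.
apply_live_hardening() {
  local cfg=/etc/ssh/sshd_config port=${SSH_PORT:-} backup
  backup="${cfg}.bak.$(date +%Y%m%d%H%M%S)"
  cp "$cfg" "$backup"
  harden_sshd_config "$cfg" "$port"
  if [ -n "$port" ]; then
    if command -v ufw >/dev/null 2>&1; then
      ufw allow "${port}/tcp"
    elif command -v firewall-cmd >/dev/null 2>&1; then
      firewall-cmd --permanent --add-port="${port}/tcp" && firewall-cmd --reload
    fi
  fi
  if sshd -t; then
    systemctl restart sshd
    echo "sshd restarted; keep this session open and test a new login before closing it"
  else
    cp "$backup" "$cfg"
    echo "sshd -t rejected the new config; restored $backup" >&2
    return 1
  fi
}

# Nothing touches the live host unless explicitly requested (assumed usage):
#   sudo APPLY_SSHD_HARDENING=1 SSH_PORT=2222 bash harden-sshd.sh
if [ "${APPLY_SSHD_HARDENING:-0}" = 1 ]; then
  apply_live_hardening
fi
```

Keep the session you ran it from open until a second login with the key succeeds; if that fails, the backup file is next to the config and the VNC console still works.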
4. Configure the Firewall
A firewall limits which ports are accessible from the internet. Only expose what your server actually needs.
On Debian/Ubuntu (ufw)
```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp   # SSH (or your custom port)
sudo ufw allow 80/tcp   # HTTP
sudo ufw allow 443/tcp  # HTTPS
sudo ufw enable
```
On AlmaLinux/Rocky (firewalld)
```bash
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
```
You can also configure firewall rules from the Sitequest dashboard.
5. Keep the System Updated
Unpatched software is one of the most exploited attack vectors. Update regularly:
```bash
# Debian/Ubuntu
sudo apt update && sudo apt upgrade -y
# AlmaLinux/Rocky
sudo dnf update -y
```
Enable Automatic Security Updates
On Debian/Ubuntu, install unattended-upgrades:
```bash
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
```
On AlmaLinux/Rocky, enable dnf-automatic:
```bash
sudo dnf install dnf-automatic
sudo systemctl enable --now dnf-automatic-install.timer
```
This ensures critical security patches are applied even if you forget to run manual updates.
6. Install fail2ban
fail2ban monitors log files for repeated failed login attempts and temporarily bans the offending IP addresses. It is effective against brute-force attacks on any exposed service.
```bash
# Debian/Ubuntu
sudo apt install fail2ban
# AlmaLinux/Rocky
sudo dnf install epel-release
sudo dnf install fail2ban
```
Start and enable the service:
```bash
sudo systemctl enable --now fail2ban
```
The default configuration protects SSH out of the box. You can add custom jails for other services (Nginx, Postfix, etc.) in /etc/fail2ban/jail.local.
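The stock sshd jail watches `port = ssh`, which resolves to 22, so if you moved SSH in section 3 fail2ban will keep banning attackers on a port nobody is using. The script below is an added example, not part of the Sitequest guide or the fail2ban project: it writes a jail.local whose sshd jail matches your real port, never bans your own address, reads the systemd journal so the same file works on both distro families, and adds one extra jail for Nginx as the guide suggests. The file name `jail.sh`, the `APPLY_FAIL2BAN` / `SSH_PORT` / `ADMIN_IP` variables, and the address 203.0.113.10 are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the Sitequest guide): generate a jail.local that
# matches the SSH port chosen in section 3 and never bans the admin's own
# address. All values are constructed placeholders; adjust before use.
set -eu

# Write a jail.local to FILE. SSH_PORT must match sshd's Port directive
# (the stock jail uses "port = ssh", i.e. 22). ADMIN_IP goes into ignoreip
# so a mistake in your own key setup cannot get you banned.
write_jail_local() {
  local file=$1 ssh_port=$2 admin_ip=$3
  cat > "$file" <<EOF
[DEFAULT]
# never ban loopback or the admin workstation
ignoreip = 127.0.0.1/8 ::1 ${admin_ip}
# a client is banned for 1 hour after 5 failures within 10 minutes
bantime  = 1h
findtime = 10m
maxretry = 5
# read the systemd journal instead of /var/log/auth.log or /var/log/secure,
# so the same file works on Debian/Ubuntu and AlmaLinux/Rocky
backend  = systemd

[sshd]
enabled = true
port    = ${ssh_port}

# example of a custom jail for another service; enable it once nginx is
# installed and writing this log, otherwise the jail will fail to start
[nginx-http-auth]
enabled = false
logpath = /var/log/nginx/error.log
EOF
}

# Return the port the [sshd] jail in FILE is configured for.
jail_ssh_port() {
  awk '/^\[sshd\]/ { in_sshd = 1; next }
       /^\[/        { in_sshd = 0 }
       in_sshd && $1 == "port" { print $3; exit }' "$1"
}

# Live procedure (run as root), assumed usage:
#   sudo APPLY_FAIL2BAN=1 SSH_PORT=2222 ADMIN_IP=203.0.113.10 bash jail.sh
install_jail_local() {
  write_jail_local /etc/fail2ban/jail.local "${SSH_PORT:-22}" "${ADMIN_IP:-127.0.0.1}"
  systemctl restart fail2ban
  fail2ban-client status sshd   # confirms the jail is active and lists banned IPs
}

if [ "${APPLY_FAIL2BAN:-0}" = 1 ]; then
  install_jail_local
fi
```

After a restart, `sudo fail2ban-client status sshd` should list the jail with your port; if it shows nothing, check `journalctl -u fail2ban` for a rejected jail.local.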
7. Reduce the Attack Surface
Every running service is a potential entry point. Minimise what is exposed:
- Remove unused packages: Uninstall software you don't need.
- Disable unused services: Check running services with `systemctl list-units --type=service --state=running` and disable anything unnecessary.
- Close unused ports: If a service is only needed locally, bind it to `127.0.0.1` instead of `0.0.0.0`.
- Use DDoS protection: Enable Layer 4 and Layer 7 protection for production workloads.
8. Use Strong Authentication Everywhere
Beyond SSH, apply the same principle to all services:
- Database servers (MySQL, PostgreSQL) — bind to `127.0.0.1`, use strong passwords, disable remote root access
- Web panels — always use HTTPS, enable two-factor authentication if available
- APIs — use token-based authentication, implement rate limiting
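Sections 7 and 8 both come down to one check: nothing should listen on `0.0.0.0` or `[::]` except the ports you deliberately opened in the firewall. The script below is an added example, not part of the Sitequest guide: it parses `ss -Hltn` output, ignores loopback bindings, and reports every public port that is not on your allow list, so a database left on all interfaces shows up immediately. The `ss` sample it runs against is constructed; on a real host pipe `sudo ss -Hltn` into `audit_listeners` instead.

```shell
#!/usr/bin/env bash
# Added example (not from the Sitequest guide): find services listening on
# all interfaces that are not on the list of ports you meant to expose.
set -eu

# Constructed sample of `ss -Hltn` output: SSH, HTTP and HTTPS are public,
# MySQL and systemd-resolved are loopback-only, PostgreSQL is exposed by mistake.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 244 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'

# Read ss output on stdin and print, sorted and one per line, every port that
# is bound to a non-loopback address and is not in the comma-separated
# ALLOWED list. Loopback means 127.0.0.0/8, [::1], or an address pinned to lo.
unexpected_ports() {
  local allowed=$1
  awk -v allow="$allowed" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)       # text after the last colon
      host = $4; sub(/:[^:]*$/, "", host)   # everything before it
      if (host ~ /^127\./ || host == "[::1]" || host ~ /%lo$/) next
      if (!(port in ok)) seen[port] = 1
    }
    END { for (p in seen) print p }' | sort -n
}

# Checklist report: returns 1 if anything unexpected is reachable from outside.
audit_listeners() {
  local allowed=$1 extra
  extra=$(unexpected_ports "$allowed")
  if [ -z "$extra" ]; then
    echo "OK: only ports ${allowed} are exposed"
    return 0
  fi
  echo "WARNING: unexpected public listener(s) on port(s): $(echo "$extra" | tr '\n' ' ')" >&2
  echo "bind them to 127.0.0.1 or add a firewall rule for them" >&2
  return 1
}

# Live use:  sudo ss -Hltn | audit_listeners 22,80,443
# Demo on the constructed sample (warns about 5432):
printf '%s\n' "$SAMPLE_SS" | audit_listeners 22,80,443 || true
```

Run it after every deployment, with the same port list you gave ufw or firewalld; the two lists drifting apart is exactly what the checklist's "Database bound to localhost" item is meant to catch.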
Security Checklist
| Step | Status |
|---|---|
| SSH key authentication enabled | |
| Password authentication disabled | |
| Firewall configured, only needed ports open | |
| Automatic security updates enabled | |
| fail2ban installed and running | |
| Unused services disabled | |
| Database bound to localhost | |
| DDoS protection enabled | |
Work through each item after setting up a new server. Revisit the list periodically to ensure nothing has drifted.
Next Steps
- SSH access and key management — manage keys from the dashboard
- Firewall configuration — set up rules from the Sitequest panel
- DDoS protection — enable Layer 4 and Layer 7 filtering
- Choose the right Linux distro — pick the OS that fits your project