How to Secure Your VPS

How to Secure Your VPS (Initial Hardening Guide)

Overview

At UP-NETWORK, all VPS instances are delivered with a clean and unconfigured operating system.

Except for:

Hostname
Network configuration
Root credentials
Basic VMManager6 setup

No additional security hardening is applied by default.

👉 It is the customer’s responsibility to secure the system before production use.

This guide explains the essential security steps to properly protect your VPS.

Why Securing Your VPS Is Important

An unsecured VPS is vulnerable to:

Brute-force attacks
Malware infections
Data breaches
Cryptomining abuse
Service disruption
Blacklisting of your IP address

Public servers are scanned automatically within minutes after deployment.

⚠️ A fresh VPS without protection is at risk.

Step 1 — Update the Operating System

Always start by updating your system.

Debian / Ubuntu

apt update && apt upgrade -y

Rocky / Alma / CentOS

dnf update -y

Reboot if required:

reboot

Step 2 — Create a Non-Root User

Never use root for daily administration.

Create a user

adduser adminuser

Grant sudo privileges

usermod -aG sudo adminuser     # Debian / Ubuntu
usermod -aG wheel adminuser    # RHEL-based

su - adminuser
sudo whoami

Should return:

root

Step 3 — Secure SSH Access

3.1 Change Default SSH Settings

Edit SSH configuration:

nano /etc/ssh/sshd_config

Modify:

Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

➡️ Choose a custom port (example: 2222).

Restart SSH:

systemctl restart sshd

3.2 Use SSH Key Authentication (Highly Recommended)

On your local computer:

ssh-keygen

Upload your key:

ssh-copy-id -p 2222 adminuser@your-server-ip

Test login:

ssh -p 2222 adminuser@your-server-ip

Step 4 — Configure Firewall

A firewall is mandatory.

Using UFW (Debian/Ubuntu)

apt install ufw -y
ufw allow 2222/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable

Check status:

ufw status

Using Firewalld (RHEL-based)

dnf install firewalld -y
systemctl enable --now firewalld

firewall-cmd --add-port=2222/tcp --permanent
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --reload

Step 5 — Install Fail2Ban (Anti-Bruteforce Protection)

Fail2Ban blocks malicious login attempts.

Installation

apt install fail2ban -y
# or
dnf install fail2ban -y

Enable:

systemctl enable --now fail2ban

Basic Configuration

Create local config:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local

Ensure SSH protection:

[sshd]
enabled = true
port = 2222
maxretry = 3
bantime = 1h

Restart:

systemctl restart fail2ban

Check status:

fail2ban-client status sshd

Step 6 — Enable Automatic Security Updates

Debian / Ubuntu

apt install unattended-upgrades -y
dpkg-reconfigure unattended-upgrades

RHEL-based

dnf install dnf-automatic -y
systemctl enable --now dnf-automatic.timer

Step 7 — Secure Network Services

Disable Unused Services

List running services:

ss -tulnp
systemctl list-units --type=service

Stop unnecessary services:

systemctl disable servicename
systemctl stop servicename

Only expose what you need.

Bind Services to Private IP (When Possible)

For internal services (databases, admin panels):

Bind them to:

127.0.0.1

or private VXLAN network IP.

Example (MySQL):

bind-address = 127.0.0.1

Step 8 — Secure Web Servers (If Applicable)

HTTPS with Let’s Encrypt

Install Certbot:

apt install certbot python3-certbot-nginx -y

Generate certificate:

certbot --nginx

Auto-renew:

certbot renew --dry-run

Enable Security Headers

Example (Nginx):

add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";

Step 9 — Backup Strategy (Critical)

Security also means data protection.

We strongly recommend:

Offsite backups
Automated backups
Encrypted backups

Minimum setup:

rsync + cron

BorgBackup
Restic
S3-compatible storage

Test restoration regularly.

Step 10 — Monitoring & Logs

Enable Log Monitoring

Check logs:

journalctl -xe
tail -f /var/log/auth.log

Install logwatch:

apt install logwatch -y

Resource Monitoring

Recommended tools:

htop
glances
netdata

Example:

apt install htop -y

Step 11 — Kernel & System Hardening (Advanced)

For advanced users:

Disable ICMP redirects
Enable TCP SYN cookies
Restrict kernel modules

Example:

nano /etc/sysctl.conf

Add:

net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Apply:

sysctl -p

Recommended Security Checklist

Before going live, verify:

✅ System fully updated ✅ Root login disabled ✅ SSH key authentication ✅ Firewall active ✅ Fail2Ban running ✅ Automatic updates enabled ✅ Backups configured ✅ HTTPS enabled ✅ Unused services removed

Managed Security Services (Optional)

If you prefer a fully managed environment, UP-NETWORK offers:

VPS Hardening
Security Audits
Managed Firewall
Backup Management
Incident Response

Contact our support team for professional security services.

Responsibility Disclaimer

UP-NETWORK provides infrastructure only.

Customers are responsible for:

System configuration
Security hardening
Software updates
Data protection
Compliance

We cannot be held responsible for breaches caused by misconfiguration.

Need Help?

If you need assistance securing your VPS:

Support: [email protected], client area, +41 (0) 22 519 72 24 Client Area: https://manager.up-network.ch

Our engineers are available to help you. The Basic VPS range includes basic support only, without advanced support. Managed services packages are available from CHF 150 per hour (excl. VAT), billed in 15-minute increments.

For the PRO or PERFORMANCE ranges, we can provide more in-depth assistance within reasonable limits; however, managed services still apply.

Support is guaranteed during our official business hours (Monday to Thursday from 10 a.m. to 6 p.m., and Friday from 10 a.m. to 4 p.m.). Outside these hours, and without a contractual agreement, no support is guaranteed. ⇒ https://up-network.ch/services/managed-infrastructure

PreviousEnabling IPv6 on Your Service NextReinstalling the Operating System

Last updated 7 days ago

hashtagHow to Secure Your VPS (Initial Hardening Guide)

hashtagOverview

hashtagWhy Securing Your VPS Is Important

hashtagStep 1 — Update the Operating System

hashtagDebian / Ubuntu

hashtagRocky / Alma / CentOS

hashtagStep 2 — Create a Non-Root User

hashtagCreate a user

hashtagGrant sudo privileges

hashtagTest login

hashtagStep 3 — Secure SSH Access

hashtag3.1 Change Default SSH Settings

hashtag3.2 Use SSH Key Authentication (Highly Recommended)

hashtagStep 4 — Configure Firewall

hashtagUsing UFW (Debian/Ubuntu)

hashtagUsing Firewalld (RHEL-based)

hashtagStep 5 — Install Fail2Ban (Anti-Bruteforce Protection)

hashtagInstallation

hashtagBasic Configuration

hashtagStep 6 — Enable Automatic Security Updates

hashtagDebian / Ubuntu

hashtagRHEL-based

hashtagStep 7 — Secure Network Services

hashtagDisable Unused Services

hashtagBind Services to Private IP (When Possible)

hashtagStep 8 — Secure Web Servers (If Applicable)

hashtagHTTPS with Let’s Encrypt

hashtagEnable Security Headers

hashtagStep 9 — Backup Strategy (Critical)

hashtagStep 10 — Monitoring & Logs

hashtagEnable Log Monitoring

hashtagResource Monitoring

hashtagStep 11 — Kernel & System Hardening (Advanced)

hashtagRecommended Security Checklist

hashtagManaged Security Services (Optional)

hashtagResponsibility Disclaimer

hashtagNeed Help?