# How to Secure Your VPS

## How to Secure Your VPS (Initial Hardening Guide)

### Overview

At **UP-NETWORK**, all VPS instances are delivered with a **clean, unconfigured operating system**. Only the following are preconfigured:

* Hostname
* Network configuration
* Root credentials
* Basic VMManager6 setup

No additional security hardening is applied by default.

👉 **It is the customer’s responsibility to secure the system before production use.**

This guide explains the **essential security steps** to properly protect your VPS.

***

### Why Securing Your VPS Is Important

An unsecured VPS is vulnerable to:

* Brute-force attacks
* Malware infections
* Data breaches
* Cryptomining abuse
* Service disruption
* Blacklisting of your IP address

Public servers are scanned automatically within minutes after deployment.

⚠️ **A fresh VPS without protection is at risk.**

***

### Step 1 — Update the Operating System

Always start by updating your system.

#### Debian / Ubuntu

```bash
apt update && apt upgrade -y
```

#### Rocky / Alma / CentOS

```bash
dnf update -y
```

Reboot if a new kernel was installed. Debian/Ubuntu create `/var/run/reboot-required` when a reboot is pending; on RHEL-based systems `dnf needs-restarting -r` reports it:

```bash
reboot
```

***

### Step 2 — Create a Non-Root User

Never use `root` for daily administration: log in as an unprivileged user and escalate with `sudo` only when needed.

#### Create a user

```bash
adduser adminuser
```

On Debian/Ubuntu `adduser` prompts for a password. On RHEL-based systems it is an alias of `useradd` and does not, so set one afterwards with `passwd adminuser`. Minimal Debian installs may not include `sudo` (`apt install sudo`).

#### Grant sudo privileges

```bash
usermod -aG sudo adminuser     # Debian / Ubuntu
usermod -aG wheel adminuser    # RHEL-based
```

#### Test login

```bash
su - adminuser
sudo whoami
```

Should return:

```
root
```

***

### Step 3 — Secure SSH Access

Follow these sub-steps in order and keep your current SSH session open until you have confirmed, from a second terminal, that the new configuration works: key authentication must be in place **before** password login is disabled, otherwise you lock yourself out.

#### 3.1 Use SSH Key Authentication (Highly Recommended)

On your local computer (Ed25519 is the recommended key type):

```bash
ssh-keygen -t ed25519
```

Upload the public key to the user created in Step 2. At this point SSH still listens on port 22 and still accepts passwords, which `ssh-copy-id` relies on:

```bash
ssh-copy-id adminuser@your-server-ip
```

Test login from a new terminal; no password prompt should appear:

```bash
ssh adminuser@your-server-ip
```

***

#### 3.2 Change Default SSH Settings

Edit SSH configuration:

```bash
nano /etc/ssh/sshd_config
```

Modify:

```
Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
```

➡️ Choose a custom port (example: 2222). It only reduces the noise from automated scanners; key-only login and the firewall in Step 4 are what actually protect the service. `KbdInteractiveAuthentication no` is needed too, because with PAM the keyboard-interactive method can still prompt for a password when `PasswordAuthentication` is `no`.

Before restarting, check the points that commonly undo these settings:

* `sshd_config` on Debian/Ubuntu starts with `Include /etc/ssh/sshd_config.d/*.conf`, and sshd keeps the **first** value it reads for each keyword. Cloud images often ship a file there (for example `50-cloud-init.conf`) with `PasswordAuthentication yes`, which silently overrides your edit; fix or remove that line.
* On Ubuntu 22.10 and later sshd is socket-activated and ignores `Port` in `sshd_config`; set the port in a drop-in for `ssh.socket` instead (`systemctl edit ssh.socket`, then under `[Socket]` an empty `ListenStream=` line to clear the default followed by `ListenStream=2222`), then `systemctl daemon-reload` and `systemctl restart ssh.socket`.
* On RHEL-based systems with SELinux enforcing, label the new port first or sshd will fail to bind it: `semanage port -a -t ssh_port_t -p tcp 2222` (from the `policycoreutils-python-utils` package).
* If a firewall is already active, allow the new port before restarting (see Step 4).

Restart SSH:

```bash
systemctl restart sshd
```

From a new terminal, confirm key login on the new port before closing your existing session:

```bash
ssh -p 2222 adminuser@your-server-ip
```
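Checking the *effective* sshd configuration, as an added example that is not part of the UP-NETWORK guide. `sshd -t` validates the configuration file before a restart, and `sshd -T` prints the merged result after every `Include` file has been applied, so it catches a drop-in that silently overrides the edit above. The expected values follow the settings in this step (port 2222; change it if you chose another), the script name `check-sshd.sh` and the drop-in file name mentioned in the comments are assumptions. Run `bash check-sshd.sh live` as root on the server; without the argument it only defines the check function, so the logic can be exercised against sample output on any machine.

```bash
#!/usr/bin/env bash
# Added example: compare the effective sshd configuration (as reported by
# `sshd -T`) with the settings this guide asks for. Not part of the original
# guide; the drop-in path in the comments is an assumption about cloud images.
set -u

# Expected "keyword value" pairs, lowercase exactly as `sshd -T` prints them.
# Port 2222 follows the guide; change it if you chose another port.
EXPECTED='port 2222
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
kbdinteractiveauthentication no'

# check_sshd_effective "<output of sshd -T>"
# Prints one MISMATCH line per keyword that differs; returns 0 when all match.
# Reading `sshd -T` rather than sshd_config matters because sshd keeps the FIRST
# value it sees for a keyword, and sshd_config usually starts with
# "Include /etc/ssh/sshd_config.d/*.conf": a file such as
# /etc/ssh/sshd_config.d/50-cloud-init.conf (assumed name) that says
# "PasswordAuthentication yes" wins over your edit further down.
check_sshd_effective() {
    local dump="$1" rc=0 key want have
    while read -r key want; do
        [ -n "$key" ] || continue
        # first line whose keyword matches; sshd -T prints "keyword value"
        have=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: want %s, have %s\n' "$key" "$want" "${have:-<unset>}"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# Live mode (run as root on the server): validate the config file first, then
# compare the effective values. Without the "live" argument nothing runs, so
# the function above can be tested against sample output anywhere.
if [ "${1:-}" = "live" ]; then
    sshd -t || { echo "sshd_config has errors; do not restart sshd" >&2; exit 1; }
    if check_sshd_effective "$(sshd -T)"; then
        echo "sshd effective configuration matches the guide"
    else
        echo "fix the mismatches (check /etc/ssh/sshd_config.d/*.conf), then restart sshd" >&2
        exit 1
    fi
fi
```

A MISMATCH on `passwordauthentication` after you have edited `sshd_config` almost always means an `Include`d drop-in is winning; a MISMATCH on `port` on Ubuntu 22.10+ points at the socket-activation caveat above.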

***

### Step 4 — Configure Firewall

A firewall is mandatory. Allow the SSH port chosen in Step 3 **before** enabling the firewall, or you will lock yourself out.

#### Using UFW (Debian/Ubuntu)

UFW's defaults are "deny incoming, allow outgoing", so only the ports listed here will be reachable:

```bash
apt install ufw -y
ufw allow 2222/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable
```

`ufw limit 2222/tcp` can replace the first `allow` to rate-limit new SSH connections (by default a source that opens 6 or more connections within 30 seconds is blocked).

Check status (the verbose form also shows the default policies):

```bash
ufw status verbose
```

***

#### Using Firewalld (RHEL-based)

Standard RHEL-based installations enable firewalld with only the `ssh` service (port 22) and a few defaults allowed; check `systemctl is-active firewalld` first. Either way, port 2222 must be open before sshd moves to it:

```bash
dnf install firewalld -y

# Not running yet: edit the permanent configuration before the first start
firewall-offline-cmd --add-port=2222/tcp
systemctl enable --now firewalld

# Already running: the same through the live daemon
firewall-cmd --add-port=2222/tcp --permanent
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --remove-service=ssh --permanent   # port 22, once 2222 is confirmed
firewall-cmd --reload
```

***

### Step 5 — Install Fail2Ban (Anti-Bruteforce Protection)

Fail2Ban blocks malicious login attempts.

#### Installation

```bash
apt install fail2ban -y
# or
dnf install fail2ban -y
```

Enable:

```bash
systemctl enable --now fail2ban
```

***

#### Basic Configuration

Do not copy `jail.conf` to `jail.local`: `jail.local` is read after `jail.conf` and should only contain the settings you change, otherwise every default is frozen and updates shipped with the package are ignored. Create a small override instead:

```bash
nano /etc/fail2ban/jail.local
```

Ensure SSH protection:

```
[sshd]
enabled = true
port = 2222
maxretry = 3
findtime = 10m
bantime = 1h
backend = systemd
ignoreip = 127.0.0.1/8 ::1 203.0.113.0/24
```

`port` must match the SSH port from Step 3, otherwise the ban rules are written for port 22. `backend = systemd` reads sshd messages from the journal, which is required where `/var/log/auth.log` does not exist (Debian 12 without rsyslog, RHEL-based systems); on Debian/Ubuntu it needs the `python3-systemd` package. `ignoreip` lists addresses that are never banned: replace the example prefix `203.0.113.0/24` with the network you administer from, so a typo in your own password cannot lock you out.

Restart:

```bash
systemctl restart fail2ban
```

Check status (shows the currently banned addresses):

```bash
fail2ban-client status sshd
```

***

### Step 6 — Enable Automatic Security Updates

#### Debian / Ubuntu

```bash
apt install unattended-upgrades -y
dpkg-reconfigure unattended-upgrades
```

Answer "Yes" to enable it; the default origin list applies security updates only. Check what would be installed with `unattended-upgrades --dry-run --debug`.

***

#### RHEL-based

```bash
dnf install dnf-automatic -y
systemctl enable --now dnf-automatic-install.timer
```

`dnf-automatic.timer` only downloads updates unless `apply_updates = yes` is set in `/etc/dnf/automatic.conf`; the `dnf-automatic-install.timer` unit applies them regardless of that setting.

***

### Step 7 — Secure Network Services

#### Disable Unused Services

List running services:

```bash
ss -tulnp
systemctl list-units --type=service
```

Stop unnecessary services:

```bash
systemctl disable servicename
systemctl stop servicename
```

Only expose what you need.

***

#### Bind Services to Private IP (When Possible)

For internal services (databases, admin panels):

Bind them to:

```
127.0.0.1
```

or the private VXLAN network IP, so they are never reachable through the public interface.

Example (MySQL/MariaDB), in the `[mysqld]` section of the server configuration:

```
bind-address = 127.0.0.1
```

After restarting the service, confirm with `ss -tulnp` that it no longer listens on `0.0.0.0` or `[::]`.
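A listener audit for this step, as an added example that is not part of the UP-NETWORK guide: it reads `ss -tulnp` output and classifies every listening socket as loopback, private (RFC 1918, such as the VXLAN network) or public, so the publicly reachable set can be compared with what the firewall in Step 4 allows. The sample output embedded below is constructed (assumed process names, documentation and private addresses); on a server, pipe the real command into the function as shown in the comment.

```bash
#!/usr/bin/env bash
# Added example: classify the listening sockets reported by `ss -tulnp` by how
# exposed they are. Not part of the original guide; the sample output below is
# constructed (assumed process names, RFC 5737 / RFC 1918 addresses).
set -u

SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:2222       0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      151        127.0.0.1:3306       0.0.0.0:*    users:(("mysqld",pid=901,fd=22))
tcp   LISTEN 0      511                *:80               *:*    users:(("nginx",pid=1002,fd=6))
tcp   LISTEN 0      128             [::]:2222          [::]:*    users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      511            [::1]:6379          [::]:*    users:(("redis-server",pid=1100,fd=6))
tcp   LISTEN 0      244         10.0.0.5:5432       0.0.0.0:*    users:(("postgres",pid=1200,fd=5))
udp   UNCONN 0      0      127.0.0.53%lo:53          0.0.0.0:*    users:(("systemd-resolve",pid=400,fd=13))'

# classify_listeners: read `ss -tulnp` output on stdin and print
# "<proto> <port> <process> <scope>" where scope is
#   loopback - 127.0.0.0/8 or ::1, reachable only from this host
#   private  - RFC 1918 address, e.g. the VXLAN network between your VPS
#   public   - wildcard (0.0.0.0, *, [::]) or any other address: reachable
#              from the Internet unless the firewall blocks it
classify_listeners() {
    awk '
        $1 ~ /^(tcp|udp)/ {
            addr = $5
            n = split(addr, p, ":"); port = p[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            sub(/%.*/, "", host)                 # drop scope id, e.g. 127.0.0.53%lo
            proc = "?"                           # ss shows owners only when run as root
            if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
            if (host ~ /^127\./ || host == "[::1]")
                scope = "loopback"
            else if (host ~ /^10\./ || host ~ /^192\.168\./ || host ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)
                scope = "private"
            else
                scope = "public"
            printf "%s %s %s %s\n", $1, port, proc, scope
        }'
}

# public_listeners: only the sockets an Internet scanner can reach, de-duplicated
# (a service bound to both 0.0.0.0 and [::] is listed once).
public_listeners() {
    classify_listeners | awk '$4 == "public"' | sort -u
}

# Usage on a live host:   ss -tulnp | public_listeners
# The "demo" argument runs both functions over the constructed sample instead.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_SS" | classify_listeners
    echo "--- publicly reachable (must be wanted AND allowed in the firewall):"
    printf '%s\n' "$SAMPLE_SS" | public_listeners
fi
```

Every line in the public list should be either a service you intend to expose and have opened in the firewall, or a candidate for `bind-address = 127.0.0.1` (or the VXLAN IP) as described above.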

***

### Step 8 — Secure Web Servers (If Applicable)

#### HTTPS with Let’s Encrypt

Install Certbot with the Nginx plugin (on RHEL-based systems the same packages are available from EPEL via `dnf`):

```bash
apt install certbot python3-certbot-nginx -y
```

Generate the certificate and let Certbot write the TLS settings into the Nginx server block (port 80 must be reachable for the validation):

```bash
certbot --nginx
```

Renewal runs automatically from a systemd timer installed with the package (`certbot.timer` on Debian/Ubuntu); verify that the renewal path works:

```bash
certbot renew --dry-run
```

***

#### Enable Security Headers

Example (Nginx), in the `server` block:

```
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```

`always` makes Nginx send the headers on error responses too. The older `X-XSS-Protection` header is deprecated and ignored by current browsers; omit it (or set it to `0`). Add `Strict-Transport-Security` only once every hostname of the site works over HTTPS, because browsers cache the policy. Note that `add_header` is not inherited: a `location` block that defines its own `add_header` discards all `server`-level ones, so repeat them there or use a shared include. Check the result with `curl -I https://your-domain`.

***

### Step 9 — Backup Strategy (Critical)

Security also means data protection.

We strongly recommend:

* Offsite backups
* Automated backups
* Encrypted backups

Minimum setup: `rsync` to a host you control, scheduled with `cron`.

Better:

* BorgBackup
* Restic
* S3-compatible storage as the off-site target (Restic writes to it directly)

Borg and Restic deduplicate and encrypt on the client, so the storage provider never sees plaintext; keep a copy of the repository key or passphrase off the server, or the backups are lost together with it. Test restoration regularly: a backup that has never been restored is not a backup.

***

### Step 10 — Monitoring & Logs

#### Enable Log Monitoring

Check logs. Authentication messages land in `/var/log/auth.log` on Debian/Ubuntu with rsyslog and in `/var/log/secure` on RHEL-based systems; on a Debian 12 install without rsyslog they are only in the journal:

```bash
journalctl -xe
journalctl _COMM=sshd -f         # sshd messages from the journal, any distribution
tail -f /var/log/auth.log        # Debian/Ubuntu; /var/log/secure on RHEL-based
```

Install logwatch (`dnf install logwatch -y` on RHEL-based systems) for a daily summary by e-mail:

```bash
apt install logwatch -y
```
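The failed-login counting that the Fail2Ban `sshd` jail from Step 5 performs, written out as an added example (not part of the UP-NETWORK guide) so it can be run by hand over `/var/log/auth.log`, `/var/log/secure` or `journalctl _COMM=sshd` output when reviewing logs. The log lines embedded below are constructed (hostname `vps`, RFC 5737 addresses, placeholder key fingerprint). It matches the two most common sshd failure messages, a subset of what Fail2Ban's `sshd` filter covers, and reports the sources that reach `maxretry = 3`.

```bash
#!/usr/bin/env bash
# Added example: the detection behind Fail2Ban's sshd jail, done with awk so it
# can be run over a log file or journal output by hand. Not part of the original
# guide; the sample lines are constructed (hostname "vps", RFC 5737 addresses).
set -u

SAMPLE_LOG='Mar  1 10:00:01 vps sshd[1201]: Failed password for root from 203.0.113.10 port 51234 ssh2
Mar  1 10:00:03 vps sshd[1201]: Failed password for root from 203.0.113.10 port 51236 ssh2
Mar  1 10:00:05 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.10 port 51240 ssh2
Mar  1 10:00:09 vps sshd[1205]: Invalid user oracle from 198.51.100.7 port 40022
Mar  1 10:00:10 vps sshd[1205]: Failed password for invalid user oracle from 198.51.100.7 port 40022 ssh2
Mar  1 10:01:00 vps sshd[1210]: Accepted publickey for adminuser from 192.0.2.25 port 55000 ssh2: ED25519 SHA256:abc
Mar  1 10:02:00 vps sshd[1212]: Failed password for adminuser from 192.0.2.25 port 55010 ssh2'

# failed_by_ip: read log lines on stdin, print "<count> <ip>" sorted by count,
# highest first. Matches "Failed password ... from <ip>" and
# "Invalid user ... from <ip>"; every matching line counts as one failure.
failed_by_ip() {
    awk '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip[$(i + 1)]++; break }
        }
        END { for (a in ip) printf "%d %s\n", ip[a], a }
    ' | sort -rn
}

# over_threshold <maxretry>: addresses whose failure count reached maxretry,
# i.e. the ones the jail would ban. One address per line.
over_threshold() {
    local maxretry="$1"
    failed_by_ip | awk -v m="$maxretry" '$1 >= m { print $2 }'
}

# Usage on a live host:
#   journalctl _COMM=sshd --since today | over_threshold 3
#   tail -n 5000 /var/log/auth.log      | failed_by_ip
# The "demo" argument runs both over the constructed sample instead.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
    echo "--- would be banned with maxretry=3:"
    printf '%s\n' "$SAMPLE_LOG" | over_threshold 3
fi
```

Fail2Ban additionally applies `findtime` (only failures inside that window count), which this one-shot version ignores; a single address with a large count in a short log is the pattern worth acting on, and the one the jail bans automatically.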

***

#### Resource Monitoring

Recommended tools:

* htop
* glances
* netdata

Example:

```bash
apt install htop -y
```

***

### Step 11 — Kernel & System Hardening (Advanced)

For advanced users:

* Disable ICMP redirects
* Enable TCP SYN cookies
* Restrict kernel modules

Example, as a drop-in file (distribution packages ship their own files in `/etc/sysctl.d/`; a higher-numbered file overrides them):

```bash
nano /etc/sysctl.d/99-hardening.conf
```

Add:

```
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
```

Apply (`sysctl -p` alone reads only `/etc/sysctl.conf`; `--system` loads every drop-in in the same order `systemd-sysctl` uses at boot):

```bash
sysctl --system
```

Verify with `sysctl net.ipv4.conf.all.accept_redirects`. Module loading can be frozen with `kernel.modules_disabled = 1`, but that switch is one-way until the next reboot and breaks anything that loads modules later (firewall backends, filesystems), so set it only from a script that runs after the firewall is up, not from this file.

***

### Recommended Security Checklist

Before going live, verify:

✅ System fully updated\
✅ Root login disabled\
✅ SSH key authentication\
✅ Firewall active\
✅ Fail2Ban running\
✅ Automatic updates enabled\
✅ Backups configured\
✅ HTTPS enabled\
✅ Unused services removed

***

### Managed Security Services (Optional)

If you prefer a fully managed environment, UP-NETWORK offers:

* VPS Hardening
* Security Audits
* Managed Firewall
* Backup Management
* Incident Response

Contact our support team for professional security services.

***

### Responsibility Disclaimer

UP-NETWORK provides infrastructure only.

Customers are responsible for:

* System configuration
* Security hardening
* Software updates
* Data protection
* Compliance

We cannot be held responsible for breaches caused by misconfiguration.

***

### Need Help?

If you need assistance securing your VPS:

Support: <mail@up-network.ch>, client area, +41 (0) 22 519 72 24\
Client Area: [https://manager.up-network.ch](https://manager.up-network.ch/)

Our engineers are available to help you. \
\
The Basic VPS range includes basic support only, without advanced support. Managed services packages are available from CHF 150 per hour (excl. VAT), billed in 15-minute increments.

For the PRO or PERFORMANCE ranges, we can provide more in-depth assistance within reasonable limits; however, managed services still apply.

Support is guaranteed during our official business hours (Monday to Thursday from 10 a.m. to 6 p.m., and Friday from 10 a.m. to 4 p.m.). Outside these hours, and without a contractual agreement, no support is guaranteed.\
\
⇒ <https://up-network.ch/services/managed-infrastructure>

