A Linux VPS (Virtual Private Server) offers flexibility, performance, and control, but without proper security, it can become vulnerable to cyberattacks. Hackers often exploit weak authentication, open ports, misconfigured software, and outdated systems to gain unauthorized access.
In this guide, we’ll walk through the best practices to secure your Linux VPS, from initial setup to firewall configurations, intrusion detection, and automated backups.
1. Initial Security Setup
🔹 Choosing a Secure VPS Provider
Your choice of VPS provider is the first step toward security. Look for:
✅ DDoS protection to prevent cyberattacks.
✅ Secure data centers with strong network security.
✅ Regular software updates and security patches.
If you're looking for a secure and performance-optimized Linux VPS, consider 99RDP’s Linux VPS solutions.
🔹 Updating Your System Regularly
An outdated system is vulnerable to security threats. To keep your VPS secure, update your OS and installed packages:
For Debian/Ubuntu:
sudo apt update && sudo apt upgrade -y
For CentOS/RHEL:
sudo yum update -y
🔹 Creating a New User & Disabling Root Login
The root user has unlimited privileges and is a prime target for hackers. Instead, create a new user with limited permissions.
Step 1: Create a New User
sudo adduser newuser
sudo usermod -aG sudo newuser
Step 2: Disable Root Login via SSH
Edit SSH config:
sudo nano /etc/ssh/sshd_config
Change:
PermitRootLogin no
Restart SSH:
sudo systemctl restart ssh
Now, the root account cannot be directly accessed, reducing attack risks.
2. Secure Authentication & Access
🔹 Using SSH Key-Based Authentication
Instead of passwords, use SSH keys for a more secure authentication method.
Step 1: Generate SSH Key on Your Local Machine
ssh-keygen -t rsa -b 4096
Step 2: Copy SSH Public Key to VPS
ssh-copy-id newuser@your_vps_ip
Step 3: Disable Password Authentication
Edit /etc/ssh/sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes
Restart SSH:
sudo systemctl restart ssh
🔹 Changing Default SSH Port
Hackers target the default SSH port (22) with brute-force attacks. Changing it adds an extra security layer.
1️⃣ Edit SSH configuration:
sudo nano /etc/ssh/sshd_config
2️⃣ Change:
Port 2222 # Choose any unused port
3️⃣ Restart SSH:
sudo systemctl restart ssh
4️⃣ Update the firewall:
sudo ufw allow 2222/tcp
🔹 Enabling Two-Factor Authentication (2FA) for SSH
Install Google Authenticator for 2FA security:
sudo apt install libpam-google-authenticator
google-authenticator
Enable it in /etc/pam.d/sshd and restart SSH:
sudo systemctl restart ssh
Now, users need both an SSH key and a time-based OTP (one-time password) to log in.
3. Network Security Measures
🔹 Setting Up a Firewall (UFW / iptables)
Firewalls block unauthorized traffic and allow only trusted connections.
For UFW (Ubuntu/Debian):
sudo ufw allow 2222/tcp # SSH Port
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
sudo ufw enable
For iptables (CentOS/RHEL):
sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
sudo iptables -A INPUT -j DROP
🔹 Using Fail2Ban to Prevent Brute-Force Attacks
Fail2Ban blocks repeated failed login attempts:
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
Edit /etc/fail2ban/jail.local and restart Fail2Ban:
sudo systemctl restart fail2ban
4. Secure Software & Application Configurations
🔹 Securing Apache/Nginx Web Servers
For Apache:
Disable directory listing:
sudo nano /etc/apache2/apache2.conf
Set:
Options -Indexes
For Nginx:
Disable version exposure:
sudo nano /etc/nginx/nginx.conf
Add:
server_tokens off;
Restart servers:
sudo systemctl restart apache2
sudo systemctl restart nginx
🔹 Securing MySQL/MariaDB Databases
Run the MySQL security script:
mysql_secure_installation
Restrict database access to local connections:
sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf
Set:
bind-address = 127.0.0.1
Restart MySQL:
sudo systemctl restart mysql
5. Regular Monitoring & Backup Strategies
🔹 Setting Up Intrusion Detection Systems (IDS)
Install AIDE (Advanced Intrusion Detection Environment):
sudo apt install aide -y
sudo aideinit
sudo aide --check
🔹 Monitoring Logs with Logwatch
sudo apt install logwatch -y
sudo logwatch --detail high --mailto your@email.com
🔹 Regular Backups & Disaster Recovery Plan
Automate backups using rsync:
rsync -av --exclude='/backup' / /backup/
For cloud backups, use rclone:
rclone sync /backup remote:linux-vps-backup
Final Thoughts & Conclusion
By following these best practices, your Linux VPS will remain secure against potential threats. Here’s a recap of the key security measures:
✅ Disable root login & use SSH keys
✅ Change default SSH ports & enable 2FA
✅ Configure firewalls & Fail2Ban
✅ Secure web & database servers
✅ Enable intrusion detection & automate backups
For secure and high-performance Linux VPS hosting, check out 99RDP’s Linux VPS solutions.

Comments
Post a Comment