Security Tips for Your Linux VPS

In recent years, the number of Linux users has been slowly but surely growing as more and more people switch from Windows to open source.

In the server world this shift is even more obvious: seasoned professionals and beginners alike choose a Linux distribution as their first server operating system, and in some cases there is no alternative to that choice.

The baseline security of a Linux VPS is certainly higher than that of a Windows VPS. However, it is important to remember that your Linux server will only be completely secure if it is configured correctly.

Therefore, in this article we will share some useful tips that will help make your VPS server more secure.

Update your distribution on time

First of all, it is extremely important to always keep your system up to date. Installing frequent software updates can be quite boring and time-consuming, but it should never be neglected!

Such periodic updates can patch and eliminate potential vulnerabilities such as backdoors. It was recently discovered that over 50% of all existing WordPress installations contained a dangerous vulnerability, leaving them vulnerable to cyber attacks.

Here's how you can update your Linux distribution.

Updating Debian or Ubuntu

Let's start by updating the list of packages:

apt-get update

Update the packages themselves:

apt-get upgrade

Updating CentOS

yum update

If you remember to update your system regularly, you can avoid any security issues.

Use a non-standard (non-default) SSH port

By default, the SSH service listening port is set to port 22. If you leave this value unchanged, your VPS server may become a target for online hackers, since port 22 is usually the main target when it comes to automated attacks.

To change the port, you only need to change the service configuration file as shown below:

nano /etc/ssh/sshd_config

The following text (or similar, depending on the configuration file) should appear:

# What ports, IP addresses and protocols we listen to
Port 22

All you need to do here is simply replace the number 22 with a different port number.

IMPORTANT: You should never use a port number that is already in use on your system!

After changing the port, save and exit the configuration file, and then restart the service:

systemctl restart sshd

This will automatically apply your changes. Keep in mind that you need to specify a new port every time you request an SSH connection to your server.

Create a user with limited rights

Our next tip involves creating a user with limited rights. Generally speaking, you don't need root privileges to perform tasks as a regular user. You can easily create a new user with limited rights and secure your server with the following command:

adduser CustomUserName

Next, fill in the requested information (name, password and other data). This new user will be allowed to login via SSH. Now when you establish a connection, you can use your newly created credentials.

Once you have successfully logged in, to perform any operations that require root permission, simply enter the following command:

su root

Then enter the password and the active login will be switched to the root user.

Disable root user login

Having root access means having most of the permissions in the operating system. We strongly recommend that you disable direct root user access via SSH.

Leaving root as the only way to access your server can cause permanent damage!

IMPORTANT: Before disabling the root login feature, be sure to create another user as we mentioned in the previous section!

To disable access to the server through the root user, you can follow these steps.

Change the SSH configuration file

First, open the SSH configuration file as we mentioned in the initial section of this article with the following command:

nano /etc/ssh/sshd_config

Next, find this section:

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

Find the PermitRootLogin line and replace yes with no.

To apply the changes you just need to restart the SSH service:

systemctl restart sshd

Once completed, you will notice that connections to your server through the root user will be automatically rejected.

Use security keys for identification

Using security keys (SSH keys) has a number of security benefits.

First, you can access your terminal without having to enter a password. Secondly, you can disable the password login process entirely, meaning you won't need a password to connect to the server.

This step protects your server from some possible attacks such as brute force attacks.
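
The three SSH settings covered so far (a non-default Port, PermitRootLogin no, and disabled password logins) can be checked with a short script. This is an added example, not code from the article: the function names and both sample configurations are constructed, and it assumes plain "Keyword value" lines without following Include files.

```shell
#!/bin/sh
# Added example (not from the article): audit sshd_config text on stdin for the
# three settings recommended above. Assumes "Keyword value" lines; Include
# files are not followed. Defaults are the ones OpenSSH documents.

# sshd uses the FIRST value it finds for a keyword, keywords are
# case-insensitive, and anything after a Match line is conditional.
sshd_value() {   # sshd_value KEYWORD DEFAULT
    awk -v key="$1" -v def="$2" '
        /^[ \t]*#/ || NF < 2        { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { val = tolower($2); found = 1; exit }
        END { print (found ? val : def) }'
}

audit_sshd() {   # prints one finding per line; no output means all three pass
    cfg=$(cat)
    port=$(printf '%s\n' "$cfg" | sshd_value Port 22)
    root=$(printf '%s\n' "$cfg" | sshd_value PermitRootLogin prohibit-password)
    pass=$(printf '%s\n' "$cfg" | sshd_value PasswordAuthentication yes)
    if [ "$port" = 22 ];  then echo "Port: default 22 still in use"; fi
    if [ "$root" != no ]; then echo "PermitRootLogin: $root"; fi
    if [ "$pass" != no ]; then echo "PasswordAuthentication: $pass"; fi
}

# Constructed sample: the article's default block, with "PermitRootLogin no"
# appended at the end instead of edited in place, so it has no effect.
weak_config() {
    printf '%s\n' 'Port 22' '# Authentication:' 'LoginGraceTime 120' \
        'PermitRootLogin yes' 'StrictModes yes' 'PermitRootLogin no'
}

# Constructed sample: hardened global settings; the Match block is skipped.
hardened_config() {
    printf '%s\n' 'Port 2222' 'permitrootlogin no' \
        '#PasswordAuthentication yes' 'PasswordAuthentication no' \
        'Match User backup' '    PasswordAuthentication yes'
}

echo "weak:";     weak_config     | audit_sshd
echo "hardened:"; hardened_config | audit_sshd
```

On a live server, run it as `audit_sshd < /etc/ssh/sshd_config`. Before restarting the service, `sshd -t` checks the file for syntax errors and `sshd -T` prints the effective configuration, Include files included.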

Install fail2ban

Another great thing you can do to secure your server is to install Fail2ban.

This lightweight software prevents intrusion as it is designed to block unknown IP addresses that try to infiltrate and gain access to your system. To install the software package, you can use the following command.

How to install Fail2ban for Ubuntu and Debian

apt-get install fail2ban

How to install Fail2ban for CentOS

yum install epel-release
yum install fail2ban

After successfully installing the package, you will need to edit its configuration file to configure it on your system. 

IMPORTANT: Before making any changes to the configuration file, we strongly recommend that you create a backup copy of the original using the following command:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.backup

Once you have backed up the original file, open the Fail2ban configuration file with this command and configure the settings:

nano /etc/fail2ban/jail.conf

When you are done editing the configuration file, restart the service with:

service fail2ban restart

Any additional information about the software can be found in the official Fail2ban documentation.
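
To make the maxretry and findtime settings in jail.conf concrete, the script below applies the same idea to a few log lines: count failed SSH logins per source address and flag an address once it reaches the threshold inside the time window. It is an added illustration, not Fail2ban's own code; the log lines are constructed and it assumes all entries fall on one day.

```shell
#!/bin/sh
# Added illustration of the idea behind a Fail2ban SSH jail; not Fail2ban code.
# maxretry and findtime are named after the settings found in jail.conf.

# Constructed sample log lines (documentation IP ranges, all on one day).
sample_log() {
cat <<'EOF'
Mar 10 12:00:01 vps sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar 10 12:00:04 vps sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar 10 12:00:09 vps sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar 10 12:01:30 vps sshd[820]: Accepted publickey for deploy from 198.51.100.20 port 51514 ssh2
Mar 10 12:02:00 vps sshd[825]: Failed password for deploy from 198.51.100.20 port 51600 ssh2
Mar 10 12:05:00 vps sshd[830]: Failed password for root from 192.0.2.44 port 33000 ssh2
Mar 10 12:40:00 vps sshd[840]: Failed password for root from 192.0.2.44 port 33010 ssh2
Mar 10 13:30:00 vps sshd[850]: Failed password for root from 192.0.2.44 port 33020 ssh2
EOF
}

# ips_to_ban MAXRETRY FINDTIME_SECONDS   (log on stdin)
# Prints an IP once, when it reaches MAXRETRY failures inside FINDTIME.
ips_to_ban() {
    awk -v maxretry="$1" -v findtime="$2" '
    /sshd\[[0-9]+\]: Failed password for / {
        split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
        # The user name is chosen by the client, so take the address by its
        # position from the end of the line: "... from IP port N ssh2".
        ip = $(NF - 3)
        n[ip]++; seen[ip, n[ip]] = now
        oldest = n[ip] - maxretry + 1   # first failure of the last MAXRETRY
        if (oldest >= 1 && now - seen[ip, oldest] <= findtime && !banned[ip]) {
            banned[ip] = 1; print ip
        }
    }'
}

sample_log | ips_to_ban 3 600
```

With a 600-second window only the address that failed three times in a few seconds is flagged; the address whose three failures are spread over more than an hour is not.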

Set up an internal firewall

Linux distributions include a firewall service called "iptables". By default it has no active rules. To verify that it is indeed on your system, enter the following command:

iptables -L

We recommend creating and configuring some firewall rules to suit your needs. However, the firewall service is configured differently for each Linux distribution. You need to familiarize yourself with the official documentation for your chosen Linux distribution to make the appropriate changes.
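
As a starting point, the script below prints a default-deny inbound ruleset in iptables-restore format that keeps the SSH port chosen earlier reachable. It is an added example, not part of the original article: the function names and the port numbers 2222, 80 and 443 are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the article): build a default-deny inbound ruleset in
# iptables-restore format that keeps the custom SSH port reachable.
# The port numbers used below are assumptions for illustration.

valid_port() {   # true for an integer 1..65535
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

make_ruleset() {   # make_ruleset SSH_PORT [EXTRA_TCP_PORT...]
    [ "$#" -ge 1 ] || { echo "usage: make_ruleset SSH_PORT [PORT...]" >&2; return 1; }
    for p in "$@"; do
        # Refuse to emit anything if a port is malformed.
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    ssh_port=$1; shift
    echo '*filter'
    echo ':INPUT DROP [0:0]'       # inbound traffic is dropped unless allowed
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to connections the server itself opened, and existing sessions.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "-A INPUT -p tcp --dport $ssh_port -j ACCEPT"
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo 'COMMIT'
}

make_ruleset 2222 80 443
```

Check the output with `iptables-restore --test` before loading it, and keep an existing SSH session open while you apply it. IPv6 traffic needs the same rules loaded through `ip6tables-restore`.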

Back up your VPS

SIDATA already provides a free backup copy for 7 days.

To keep backups for a longer period, order the Cloud storage service (from 0.5 UAH per 1 GB) and make a backup copy.

Having a data backup on your VPS server can help you fully recover any information that may have been lost due to a hacker attack or physical server malfunction.
