A vanilla VPS is a blank slate, ideal for deploying your applications and services. However, it is critical to secure your VPS to prevent unauthorized access and vulnerabilities. This guide provides step-by-step instructions to secure a fresh installation of a Linux-based VPS, such as AlmaLinux or Alpine, catering to users with basic Linux familiarity but minimal server administration experience.

Why Securing Your VPS is Important

Out-of-the-box VPS installations often come with default configurations that might expose your server to attacks. Proper security measures protect your data, applications, and overall system integrity.

Step-by-Step Guide to Securing Your VPS

1. Update Your System

Regular updates ensure you have the latest security patches.

# Update on AlmaLinux or RHEL-based distributions
sudo yum update -y

# Update on Alpine Linux
sudo apk update && sudo apk upgrade

2. Create a Non-Root User

Avoid using the root account for daily tasks to minimize the risk of accidental changes or breaches.

# Add a new user
sudo adduser username

# Grant sudo privileges
sudo usermod -aG wheel username  # For AlmaLinux

3. Disable Root Login

Prevent direct root access via SSH to reduce attack risks.

  1. Edit the SSH configuration file: sudo nano /etc/ssh/sshd_config
  2. Set: PermitRootLogin no
  3. Restart SSH: sudo systemctl restart sshd

4. Set Up SSH Key Authentication

Switch to SSH key-based authentication for stronger security.

  1. Generate a key pair on your local machine: ssh-keygen -t rsa -b 4096
  2. Copy the public key to your server: ssh-copy-id username@your-server-ip
  3. Once you have confirmed that you can log in with the key, disable password authentication. Edit the file with sudo nano /etc/ssh/sshd_config and set: PasswordAuthentication no
  4. Restart SSH: sudo systemctl restart sshd
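
Added example (not part of the original guide): sshd keeps the first value it reads for each keyword, so the PermitRootLogin and PasswordAuthentication lines from steps 3 and 4 have no effect if an earlier line already sets them. The script below audits the global section of one sshd_config-style file for both settings. The function names and the sample file are constructed for illustration, and Include directives are not followed.

```shell
#!/bin/sh
# sshd keeps the FIRST value it reads for each keyword, so an earlier
# "PasswordAuthentication yes" wins over a "no" appended further down.

# effective_value FILE KEYWORD: print the first global value (lowercased).
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || NF == 0 { next }        # comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }         # accept the "Keyword=value" form
        tolower($1) == "match" { exit }       # global section ends at first Match
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE: check steps 3 and 4; return the number of failed checks.
audit_sshd() {
    file=$1
    fails=0
    for check in permitrootlogin:no passwordauthentication:no; do
        key=${check%%:*}
        want=${check#*:}
        got=$(effective_value "$file" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '${got:-unset, built-in default applies}', expected '$want'"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample: an early "yes" shadows the hardening line at the end.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PasswordAuthentication yes
#PermitRootLogin prohibit-password
Port 2222
PermitRootLogin no
PasswordAuthentication no
EOF
audit_sshd "$sample" || echo "$? setting(s) need attention"
rm -f "$sample"
```

On a live server, sudo sshd -T prints the configuration sshd actually applies, including any Include files.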

5. Change the Default SSH Port

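Changing the SSH port cuts down on automated login attempts aimed at the default port 22. It does not stop a targeted scan, so treat it as noise reduction on top of key authentication and the firewall. On AlmaLinux, SELinux in enforcing mode must also permit sshd to bind to the new port, otherwise the service fails to start on it.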

  1. Edit the SSH configuration: sudo nano /etc/ssh/sshd_config
  2. Update: Port 2222
  3. Restart SSH: sudo systemctl restart sshd
  4. Update your firewall to allow the new port.

6. Enable a Firewall

Restrict traffic to only necessary services.

AlmaLinux (with firewalld):

sudo systemctl enable firewalld
sudo systemctl start firewalld
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload

Alpine Linux (with iptables):

sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
sudo sh -c 'iptables-save > /etc/iptables.rules'  # the redirect must also run as root

7. Install Fail2Ban

Protect your server from brute force attacks.

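# Install Fail2Ban on AlmaLinux (the package comes from the EPEL repository)
sudo yum install epel-release -y
sudo yum install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# Install Fail2Ban on Alpine Linux and start it at boot
sudo apk add fail2ban
sudo rc-update add fail2ban
sudo rc-service fail2ban start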

8. Close Unnecessary Ports

Identify and block unused ports to minimize exposure:

sudo netstat -tuln  # List open ports
sudo iptables -A INPUT -p tcp --dport [PORT] -j DROP

9. Harden Network Configurations

Secure network settings by modifying the sysctl configuration.

  1. Edit the file: sudo nano /etc/sysctl.conf
  2. Add:
     net.ipv4.conf.all.rp_filter = 1
     net.ipv4.conf.all.accept_source_route = 0
     net.ipv4.conf.all.log_martians = 1
  3. Apply changes: sudo sysctl -p

10. Regularly Back Up Your Data

Set up automated backups to secure your data against accidental loss or corruption.

  • Use tools like rsync or tar.
  • Schedule backups with cron.

11. Monitor Logs

Regularly review logs for suspicious activity:

# View authentication logs on AlmaLinux
sudo tail -f /var/log/secure
# On Alpine Linux, sshd logs through syslog
sudo tail -f /var/log/messages

12. Use Malware Detection Tools

Install and configure tools like ClamAV to scan for malware:

sudo yum install clamav -y  # For AlmaLinux (needs the EPEL repository)
sudo apk add clamav         # For Alpine Linux
sudo freshclam
sudo clamscan -r /home

Additional Tips

  • Use strong, unique passwords for all user accounts.
  • Enable automatic updates for software and services.
  • Disable unnecessary services or daemons.
  • Test server accessibility after making security changes.

Conclusion

By implementing these steps, you can significantly improve the security of your vanilla VPS. Regular monitoring and updates ensure your system stays secure as new vulnerabilities emerge.