How to Secure a Vanilla VPS: A Comprehensive Guide for Linux Beginners
A vanilla VPS is a blank slate, ideal for deploying your applications and services. However, it is critical to secure your VPS to prevent unauthorized access and vulnerabilities. This guide provides step-by-step instructions to secure a fresh installation of a Linux-based VPS, such as AlmaLinux or Alpine, catering to users with basic Linux familiarity but minimal server administration experience.
Why Securing Your VPS is Important
Out-of-the-box VPS installations often come with default configurations that might expose your server to attacks. Proper security measures protect your data, applications, and overall system integrity.
Step-by-Step Guide to Securing Your VPS
1. Update Your System
Regular updates ensure you have the latest security patches.
# Update on AlmaLinux or RHEL-based distributions
sudo yum update -y
# Update on Alpine Linux
sudo apk update && sudo apk upgrade
2. Create a Non-Root User
Avoid using the root account for daily tasks to minimize the risk of accidental changes or breaches.
# Add a new user
sudo adduser username
# Grant sudo privileges
sudo usermod -aG wheel username # For AlmaLinux
3. Disable Root Login
Prevent direct root access via SSH to reduce attack risks.
- Edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config - Set:
PermitRootLogin no - Restart SSH:
sudo systemctl restart sshd
4. Set Up SSH Key Authentication
Switch to SSH key-based authentication for stronger security.
- Generate a key pair on your local machine:
ssh-keygen -t rsa -b 4096 - Copy the public key to your server:
ssh-copy-id username@your-server-ip - Disable password authentication:
sudo nano /etc/ssh/sshd_configUpdate:PasswordAuthentication no - Restart SSH:
sudo systemctl restart sshd
5. Change the Default SSH Port
Changing the SSH port can reduce unauthorized login attempts.
- Edit the SSH configuration:
sudo nano /etc/ssh/sshd_config - Update:
Port 2222 - Restart SSH:
sudo systemctl restart sshd - Update your firewall to allow the new port.
6. Enable a Firewall
Restrict traffic to only necessary services.
AlmaLinux (with firewalld):
sudo systemctl enable firewalld
sudo systemctl start firewalld
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload
Alpine Linux (with iptables):
sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
sudo iptables-save > /etc/iptables.rules
7. Install Fail2Ban
Protect your server from brute force attacks.
# Install Fail2Ban on AlmaLinux
sudo yum install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
# Install Fail2Ban on Alpine Linux
sudo apk add fail2ban
8. Close Unnecessary Ports
Identify and block unused ports to minimize exposure:
sudo netstat -tuln # List open ports
sudo iptables -A INPUT -p tcp --dport [PORT] -j DROP
9. Harden Network Configurations
Secure network settings by modifying the sysctl configuration.
- Edit the file:
sudo nano /etc/sysctl.conf - Add:
net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.all.log_martians = 1 - Apply changes:
sudo sysctl -p
10. Regularly Back Up Your Data
Set up automated backups to secure your data against accidental loss or corruption.
- Use tools like
rsyncortar. - Schedule backups with
cron.
11. Monitor Logs
Regularly review logs for suspicious activity:
# View authentication logs
sudo tail -f /var/log/auth.log
12. Use Malware Detection Tools
Install and configure tools like ClamAV to scan for malware:
sudo yum install clamav -y # For AlmaLinux
sudo apk add clamav # For Alpine Linux
sudo freshclam
sudo clamscan -r /home
Additional Tips
- Use strong, unique passwords for all user accounts.
- Enable automatic updates for software and services.
- Disable unnecessary services or daemons.
- Test server accessibility after making security changes.
Learn More with ENGINYRING
Conclusion
By implementing these steps, you can significantly improve the security of your vanilla VPS. Regular monitoring and updates ensure your system stays secure as new vulnerabilities emerge.
