What’s your go-to process for securing a freshly provisioned VPS?

By Carl Jenkins


My Go-To VPS Hardening Process (Step-By-Step)
1. Update Everything Immediately

# Debian/Ubuntu
apt update && apt full-upgrade -y

# RHEL/CentOS/Alma/Rocky
dnf update -y

Why: Patches kernel vulns, SSH bugs, OpenSSL issues, etc.

2. Create a Non-Root User With Sudo

adduser ivan
usermod -aG sudo ivan # Debian/Ubuntu
# or
usermod -aG wheel ivan # RHEL-based

Logging in as root should be avoided.

3. Set Up SSH Key Authentication

Generate a key (on your local machine):

ssh-keygen -t ed25519

Upload it (on the server, logged in as the new user):

mkdir -p ~/.ssh
nano ~/.ssh/authorized_keys # paste key
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

4. Lock Down SSH

Edit:

nano /etc/ssh/sshd_config

Recommended changes:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
# optional: change to a different port
Port 22

Then reload:

systemctl reload sshd
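
To confirm that the step 4 values are the ones sshd actually applies, here is an added example (not from the original post) that audits them. sshd keeps the first value it reads for each keyword, so a setting in an included drop-in file can override the main file. The function name `audit_sshd` and the sample drop-in path are assumptions made for illustration.

```sh
# Added example, not from the original post: audit sshd settings against step 4.
# Input on stdin: sshd_config syntax or `sshd -T` output, in the order sshd reads it.
audit_sshd() {
    awk '
    BEGIN {
        # Expected values, taken from the list in step 4.
        names = "permitrootlogin passwordauthentication pubkeyauthentication"
        names = names " permitemptypasswords kbdinteractiveauthentication"
        n = split(names, keys, " ")
        split("no no yes no no", vals, " ")
        for (i = 1; i <= n; i++) want[keys[i]] = vals[i]
    }
    NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
    { sub(/[ \t]*=[ \t]*/, " ") }          # accept the Keyword=value form
    tolower($1) == "match" { in_match = 1 }
    in_match { next }                      # audit the global section only
    {
        key = tolower($1)
        # The deprecated alias used in step 4 maps to the current keyword.
        if (key == "challengeresponseauthentication") key = "kbdinteractiveauthentication"
        # sshd keeps the first value it obtains for each keyword.
        if ((key in want) && !(key in seen)) seen[key] = tolower($2)
    }
    END {
        for (i = 1; i <= n; i++) {
            k = keys[i]
            if (!(k in seen)) {
                print "UNSET " k " (want " want[k] ")"; bad = 1
            } else if (seen[k] != want[k]) {
                print "FAIL  " k "=" seen[k] " (want " want[k] ")"; bad = 1
            } else {
                print "OK    " k "=" seen[k]
            }
        }
        exit bad + 0
    }'
}

# Constructed sample: a drop-in (hypothetical path) read before the main file.
sample='# /etc/ssh/sshd_config.d/50-example.conf
PasswordAuthentication yes
# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no'
printf '%s\n' "$sample" | audit_sshd || echo "sshd settings deviate from step 4"
```

On a live server, run `sshd -T | audit_sshd` as root to audit the effective configuration, including any included drop-in files.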

5. Install a Firewall (UFW or firewalld)
UFW example:

ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp
ufw enable

firewalld example (CentOS/Alma/Rocky):

firewall-cmd --add-service=ssh --permanent
firewall-cmd --reload

6. Install Fail2Ban or SSHGuard

These ban repeated SSH brute-force attempts.

Fail2Ban:

apt install fail2ban -y
# OR
dnf install fail2ban -y
systemctl enable --now fail2ban

7. Configure Automatic Security Updates
Debian/Ubuntu:

apt install unattended-upgrades -y
dpkg-reconfigure unattended-upgrades

RHEL/Alma/Rocky:

dnf install dnf-automatic -y
systemctl enable --now dnf-automatic.timer

8. Set Up Basic Logging & Monitoring

  • Install logwatch
  • Configure systemd journal persistence
  • Optionally: install Netdata, Prometheus node exporter, or cockpit

Example:

apt install logwatch -y

9. Disable Unnecessary Services

Check active services:

systemctl list-units --type=service

Disable what you don’t need:

systemctl disable --now service_name

10. If You’re Hosting Public Services: Run Them in Containers

Docker or Podman isolates each app from the system:

apt install docker.io

11. Optional: Kernel Hardening With Sysctl

Edit:

nano /etc/sysctl.d/10-security.conf

Recommended:

kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1

Apply:

sysctl --system

12. Set Up Backups + Snapshots

  • Configure off-server backups (Backblaze B2, S3, rsync to another VPS).
  • Enable provider snapshots (OVH, Hetzner, DO, Linode, etc.)

13. Use a WAF if Hosting Websites

Options:

  • Cloudflare (free)
  • Nginx ModSecurity
  • Caddy security plugins

✔ TL;DR Checklist

  • Patch system
  • Create sudo user
  • SSH keys
  • Disable root login
  • Firewall + Fail2ban
  • Auto security updates
  • Disable unnecessary services
  • Monitoring/logging
  • Snapshots + backups


