Introduction

On a VPS, security is your responsibility, unlike shared hosting where the provider manages the host. This guide gives 20 actionable steps to harden a Hostxpeed VPS against the attacks every internet-facing server sees. Most steps take only a few minutes; do steps 1 to 6 before you put anything else on the box, and work through the rest over the following days rather than treating this as a ten-minute checklist.

Step 1: Update System Immediately

Run sudo apt update && sudo apt upgrade -y (Ubuntu/Debian) or sudo dnf upgrade -y (RHEL and derivatives; yum is an alias for dnf there). Unpatched packages are one of the most common ways servers get compromised, so turn on automatic security updates right away: sudo apt install unattended-upgrades, then sudo dpkg-reconfigure --priority=low unattended-upgrades. On RHEL: sudo dnf install dnf-automatic, set apply_updates = yes in /etc/dnf/automatic.conf (the default only downloads), then sudo systemctl enable --now dnf-automatic.timer. Reboot if a kernel was updated; the running kernel stays unpatched until you do (needrestart, or comparing uname -r with the newest installed kernel, tells you whether a reboot is pending).

Step 2: Create Sudo User and Disable Root SSH

sudo adduser myusername, then sudo usermod -aG sudo myusername (Ubuntu/Debian) or sudo usermod -aG wheel myusername (RHEL). Log in as the new user in a second terminal and confirm sudo works before touching sshd. Then edit /etc/ssh/sshd_config: set PermitRootLogin no, and, once your SSH keys are in place (step 3), PasswordAuthentication no. On Ubuntu 22.04 and later, sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, and sshd uses the first value it reads for each keyword, so a drop-in such as 50-cloud-init.conf (which may set PasswordAuthentication yes) silently overrides whatever you edit further down in the main file. Put your settings in a drop-in that sorts first, e.g. /etc/ssh/sshd_config.d/00-hardening.conf. Validate with sudo sshd -t, restart with sudo systemctl restart ssh (the unit is called sshd on RHEL), and verify the effective values with sudo sshd -T | grep -Ei 'permitrootlogin|passwordauthentication'. Never log in as root directly; use sudo for admin tasks.

Step 3: SSH Key Authentication Only

On your local machine: ssh-keygen -t ed25519 -C "your_email@example.com" (accept the default path and set a passphrase). Then ssh-copy-id myusername@your_vps_ip and test with ssh myusername@your_vps_ip; it should log in without asking for a password. Now set PasswordAuthentication no and KbdInteractiveAuthentication no in sshd_config or your drop-in (ChallengeResponseAuthentication is the older spelling of the same keyword, deprecated since OpenSSH 8.7). Leave UsePAM yes: on Debian and Ubuntu, setting it to no disables pam_systemd and pam_limits for SSH sessions, and it is not needed to block passwords once the two options above are off. Validate with sudo sshd -t and restart SSH. Keep a second terminal logged in while testing; if you lock yourself out, use the Hostxpeed VNC console to fix it.
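To see the first-match rule from steps 2 and 3 in action, here is an added example (not from the original guide and not OpenSSH code) that resolves a keyword the way sshd does: following Include directives and taking the first occurrence. It builds a constructed, hypothetical layout in a temporary directory: an Ubuntu-style sshd_config whose first line includes sshd_config.d/*.conf, a cloud-init-style drop-in that re-enables passwords, and the 00-hardening.conf drop-in that fixes it. On a real server the authoritative check remains sudo sshd -T.

```shell
#!/bin/sh
# Added example: resolve an sshd_config keyword the way sshd does.
# Rules modelled: the FIRST occurrence of a keyword wins; "Include" pulls
# the matching files in (sorted by name) at the point where it appears.
# Not modelled: "Match" blocks (use `sshd -T -C user=...` for those).

# Print "keyword value" lines (keyword lowercased) for one config file,
# expanding Include directives in place. $1 = path to the config file.
expand_sshd_config() {
    local file="$1" key val pat f
    [ -r "$file" ] || return 0
    # strip leading blanks, comments and empty lines; turn "Key = Value" into "Key Value"
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' \
        -e 's/^\([^[:space:]=]*\)[[:space:]]*=[[:space:]]*/\1 /' "$file" |
    while read -r key val; do
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        if [ "$key" = include ]; then
            for pat in $val; do
                # sshd resolves relative Include paths against /etc/ssh; this
                # example resolves them against the including file's directory
                case "$pat" in /*) ;; *) pat="$(dirname "$file")/$pat" ;; esac
                for f in $pat; do expand_sshd_config "$f"; done   # glob, sorted by name
            done
        else
            printf '%s %s\n' "$key" "$val"
        fi
    done
}

# Print the value sshd would use for keyword $1 with main config file $2.
# Empty output means the keyword is never set and the compiled-in default applies.
effective_setting() {
    local key
    key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    expand_sshd_config "$2" | awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Demo on a constructed Ubuntu-style layout (hypothetical files in a temp dir):
# prints the effective PasswordAuthentication before and after adding a
# drop-in that sorts ahead of the cloud-init one. Expected output: "yes no".
demo_override() {
    local dir before after
    dir=$(mktemp -d)
    mkdir -p "$dir/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$dir/sshd_config.d/50-cloud-init.conf"
    printf 'Include %s/sshd_config.d/*.conf\nPermitRootLogin no\nPasswordAuthentication no\n' \
        "$dir" > "$dir/sshd_config"
    before=$(effective_setting PasswordAuthentication "$dir/sshd_config")   # drop-in wins: yes
    printf 'PasswordAuthentication no\nKbdInteractiveAuthentication no\nPermitRootLogin no\n' \
        > "$dir/sshd_config.d/00-hardening.conf"
    after=$(effective_setting PasswordAuthentication "$dir/sshd_config")    # 00- is read first: no
    rm -rf "$dir"
    printf '%s %s\n' "$before" "$after"
}

demo_override
```

The lesson is the ordering: the drop-in directory is read before the rest of sshd_config, and within it files are read in name order, so the fix is not to edit the cloud-init file (it may be regenerated) but to add a drop-in that sorts before it.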

Step 4: Change SSH Port (Optional but Recommended)

Edit sshd_config (or your drop-in): Port 2222 (anything from 1024 to 65535 that is not already in use). Open it in the firewall first, sudo ufw allow 2222/tcp, and on RHEL tell SELinux about the new port before restarting, sudo semanage port -a -t ssh_port_t -p tcp 2222 (semanage is in policycoreutils-python-utils), or sshd will refuse to bind. Restart SSH: sudo systemctl restart sshd; on Ubuntu 24.04, where sshd is socket-activated, run sudo systemctl daemon-reload && sudo systemctl restart ssh.socket so the socket picks up the new port. Test in a new terminal: ssh -p 2222 myusername@vps_ip. Only when that works remove port 22 from the firewall. Be realistic about the benefit: this cuts the log noise and the bans generated by low-effort bots, but mass scanners such as masscan and Shodan index every port, so it is not a security control and does not replace key-only authentication and fail2ban.

Step 5: Configure Firewall (UFW for Ubuntu)

Order matters: allow your SSH port before you enable the firewall. sudo ufw default deny incoming, sudo ufw default allow outgoing, sudo ufw allow 2222/tcp (your SSH port; sudo ufw limit 2222/tcp additionally rate-limits new connections), sudo ufw allow 80/tcp, sudo ufw allow 443/tcp. Only open application ports such as 8080 or 3000 if clients genuinely connect to them from the internet; an app behind an Nginx reverse proxy should listen on 127.0.0.1 and needs no rule. Review with sudo ufw show added, then sudo ufw enable and sudo ufw status verbose. UFW covers IPv6 as well when IPV6=yes is set in /etc/default/ufw (the default). For RHEL: sudo firewall-cmd --permanent --add-service=http, sudo firewall-cmd --permanent --add-service=https, sudo firewall-cmd --permanent --add-port=2222/tcp, sudo firewall-cmd --permanent --remove-service=ssh (only after confirming the new port works), then sudo firewall-cmd --reload.

Step 6: Install Fail2ban to Block Brute Force

sudo apt install fail2ban -y. Do not copy jail.conf wholesale; create /etc/fail2ban/jail.local with only your overrides so package updates to jail.conf still apply. A minimal jail.local: under [DEFAULT] set ignoreip = 127.0.0.1/8 ::1 plus your own IP, bantime = 3600 (1 hour), findtime = 600 and maxretry = 3; under [sshd] set enabled = true, port = 2222 (your custom port) and mode = aggressive, which replaced the old separate [sshd-ddos] jail in fail2ban 0.10. On Debian 12, which no longer installs rsyslog, there is no /var/log/auth.log, so add backend = systemd under [DEFAULT] (needs python3-systemd) or the sshd jail will fail to start. Restart: sudo systemctl restart fail2ban. Check bans: sudo fail2ban-client status sshd; lift a mistaken ban with sudo fail2ban-client set sshd unbanip 203.0.113.5. Fail2ban ships filters for Apache, Nginx, Postfix and others; enable the jails for services you actually run.

Step 7: Disable Unused Network Services

Check what is listening: sudo ss -tulpn. Services bound to 127.0.0.1 or ::1 (a database used only by the local app, for example) are fine; anything on 0.0.0.0, [::] or * is reachable from the internet unless the firewall blocks it. Look for things you do not need (rpcbind, avahi-daemon, cups, a stray FTP daemon such as vsftpd, postfix or exim if you are not running a mail server). Disable with sudo systemctl disable --now servicename, and purge packages you will never use (sudo apt purge vsftpd) so an update cannot re-enable them; sudo systemctl mask stops a unit that other units keep pulling in. Each listening service is attack surface: a minimal web server should show only SSH and ports 80/443 on public addresses, and the firewall from step 5 is the safety net for anything that appears later.
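The check described above, as an added example (not part of the original guide): a filter over ss -tulpn output that ignores loopback-only listeners and reports every port on a public address that is not on your allowlist. The sample ss output is constructed for the example, with invented PIDs and process names.

```shell
#!/bin/sh
# Added example: audit `ss -tulpn` output for sockets that are reachable
# from outside and not on an allowlist. Loopback-only listeners are fine;
# anything bound to 0.0.0.0, [::] or * is exposed unless the firewall blocks it.
# Reads ss output on stdin (with or without the Netid column).
# $1 = space-separated allowlist of ports, e.g. "2222 80 443".
# Prints "port process" for every unexpected listener.
unexpected_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        off = ($1 == "tcp" || $1 == "udp") ? 1 : 0      # `ss -tu` adds a Netid column
        state = $(1 + off); addr = $(4 + off)
        if (state != "LISTEN" && state != "UNCONN") next
        port = addr; sub(/.*:/, "", port)               # text after the last colon
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host ~ /^127\./ || host == "[::1]") next    # loopback only: not exposed
        if (port in ok) next
        proc = "?"
        if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
        print port, proc
    }'
}

# Constructed sample resembling `sudo ss -Htulpn` on a small web server
# (PIDs and process names invented for the example).
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0 0      127.0.0.53%lo:53   0.0.0.0:* users:(("systemd-resolve",pid=380,fd=13))
udp   UNCONN 0 0      0.0.0.0:5355       0.0.0.0:* users:(("systemd-resolve",pid=380,fd=11))
tcp   LISTEN 0 4096   0.0.0.0:22         0.0.0.0:* users:(("sshd",pid=612,fd=3))
tcp   LISTEN 0 511    0.0.0.0:80         0.0.0.0:* users:(("nginx",pid=900,fd=6))
tcp   LISTEN 0 151    127.0.0.1:3306     0.0.0.0:* users:(("mysqld",pid=850,fd=21))
tcp   LISTEN 0 4096   0.0.0.0:111        0.0.0.0:* users:(("rpcbind",pid=400,fd=4))
tcp   LISTEN 0 4096   [::]:22            [::]:*    users:(("sshd",pid=612,fd=4))
EOF
}

# Against a 22/80/443 allowlist the sample yields "5355 systemd-resolve" and "111 rpcbind".
# Real use: sudo ss -Htulpn | unexpected_listeners "2222 80 443"
sample_ss_output | unexpected_listeners "22 80 443"
```

Note that the MySQL socket on 127.0.0.1:3306 and the resolver stub on 127.0.0.53 are not reported: they are exactly the loopback-only services the step says are fine. LLMNR on 5355 and rpcbind on 111, both on 0.0.0.0, are the findings.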

Step 8: Set Up Automatic Security Updates

Step 1 installed unattended-upgrades; now verify it actually runs. The work is triggered by apt-daily.timer and apt-daily-upgrade.timer (sudo systemctl list-timers 'apt-daily*'), and /etc/apt/apt.conf.d/20auto-upgrades must contain APT::Periodic::Update-Package-Lists "1"; and APT::Periodic::Unattended-Upgrade "1";. In /etc/apt/apt.conf.d/50unattended-upgrades make sure the security origin line for your distro is uncommented. Kernel updates only take effect after a reboot, so either add Unattended-Upgrade::Automatic-Reboot "true"; and Unattended-Upgrade::Automatic-Reboot-Time "03:00"; or check for /var/run/reboot-required after each run and reboot in your own maintenance window. Test with sudo unattended-upgrade --dry-run -d and review /var/log/unattended-upgrades/unattended-upgrades.log.

Step 9: Harden Kernel Parameters (sysctl)

Rather than editing /etc/sysctl.conf, put settings in /etc/sysctl.d/99-hardening.conf and apply with sudo sysctl --system. Sensible values for a single-NIC VPS: net.ipv4.tcp_syncookies = 1 (SYN flood resistance), net.ipv4.ip_forward = 0 (no routing; containers and VPNs need it on, so skip this if you run them), net.ipv4.conf.all.rp_filter = 1 and net.ipv4.conf.default.rp_filter = 1 (drop packets with spoofed source addresses), net.ipv4.conf.all.accept_redirects = 0, net.ipv4.conf.all.send_redirects = 0 and net.ipv4.conf.all.accept_source_route = 0 (ignore ICMP redirects and source routing), net.ipv4.conf.all.log_martians = 1 (log impossible source addresses), kernel.kptr_restrict = 2 and kernel.dmesg_restrict = 1 (hide kernel addresses and dmesg from unprivileged users). Two settings often copied from older guides are not worth it: net.ipv4.tcp_sack = 0 was the workaround for the 2019 SACK Panic bugs (CVE-2019-11477), which any updated kernel already fixes, and it costs throughput on lossy links; net.ipv4.tcp_timestamps = 0 only hides uptime fingerprinting and disables PAWS. If the VPS has no IPv6 address, net.ipv6.conf.all.disable_ipv6 = 1 and net.ipv6.conf.default.disable_ipv6 = 1 are fine; if it does, keep IPv6 and make sure the firewall rules from step 5 apply to it too.

Step 10: Install and Configure Lynis for Auditing

sudo apt install lynis -y (the distro package can be several releases behind; the current version runs straight from a git clone of github.com/CISOfy/lynis). Run sudo lynis audit system. Lynis reports a hardening index (higher is better), a short list of warnings and a longer list of suggestions; fix the warnings first, then work through the suggestions that make sense for your workload. Common fixes: mount /tmp with nodev,nosuid,noexec (test a package install afterwards, as some postinst scripts execute from /tmp), set umask 027 in /etc/profile or /etc/login.defs, and set a password-expiry policy in /etc/login.defs. Lynis also flags outdated packages, accounts without passwords and unused accounts. Run it monthly and keep the report (/var/log/lynis-report.dat) so you can compare runs.

Step 11: Monitor Login Attempts with Logwatch

sudo apt install logwatch -y. Run it manually: sudo logwatch --detail High --service all --range today. For a daily mail, edit /etc/cron.daily/00logwatch and add --mailto admin@example.com to the logwatch line; this needs a working local mail transport (postfix in satellite mode, or a lightweight relay such as msmtp), otherwise the report goes nowhere. Logwatch summarises SSH logins and failures, sudo use, disk usage and package changes. Five minutes a day is enough to spot patterns: thousands of failed SSH attempts mean fail2ban should be banning (confirm with sudo fail2ban-client status sshd), and a successful login from an address that just failed repeatedly, or from a place you never log in from, is the signal to investigate immediately. Between reports, sudo journalctl -u ssh --since today (sshd on RHEL) gives you the raw lines.
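Steps 6 and 11 both rest on the same detection logic: count authentication failures per source address, ban past a threshold, and treat a success that follows a burst of failures as the thing to look at first. Here it is as an added example (not from the original guide, and not fail2ban's or logwatch's code) over syslog-format sshd lines. The log lines are constructed for the example, using documentation IP ranges and invented PIDs. It also handles what sshd logs once password authentication is disabled, which is the state this guide leaves you in.

```shell
#!/bin/sh
# Added example: the detection logic behind fail2ban's sshd jail and a
# logwatch-style summary, run over syslog-format sshd lines on stdin.
# $1 = maxretry threshold. Prints, sorted:
#   BAN   <ip> <failures>   addresses at or above the threshold
#   ALERT <ip> <failures>   addresses that FAILED repeatedly and then got an
#                           "Accepted" login (check that account now)
# Counts "Failed password" (password auth) and "Connection closed by
# authenticating/invalid user ... [preauth]" (what sshd logs once password
# auth is off). The "Invalid user" announcement is not counted because the
# same attempt also produces one of the lines above. IPv4 sources only.
ssh_auth_report() {
    awk -v max="$1" '
    function src_ip() {
        if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) return substr($0, RSTART, RLENGTH)
        return ""
    }
    /sshd\[[0-9]+\]: (Failed password|Connection closed by (invalid|authenticating) user)/ {
        ip = src_ip(); if (ip != "") fails[ip]++
    }
    /sshd\[[0-9]+\]: Accepted / {
        ip = src_ip(); if (ip in fails) alert[ip] = fails[ip]
    }
    END {
        for (ip in fails) if (fails[ip] >= max) print "BAN", ip, fails[ip]
        for (ip in alert) print "ALERT", ip, alert[ip]
    }' | sort
}

# Constructed sample log (documentation IP ranges, invented PIDs and times).
sample_auth_log() {
    cat <<'EOF'
Dec 12 03:14:01 vps sshd[1201]: Invalid user admin from 203.0.113.5 port 51234
Dec 12 03:14:03 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Dec 12 03:14:05 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Dec 12 03:14:08 vps sshd[1207]: Failed password for root from 203.0.113.5 port 51240 ssh2
Dec 12 03:14:09 vps sshd[1207]: Failed password for root from 203.0.113.5 port 51240 ssh2
Dec 12 03:15:30 vps sshd[1222]: Accepted password for deploy from 203.0.113.5 port 51300 ssh2
Dec 12 03:20:11 vps sshd[1301]: Connection closed by authenticating user root 198.51.100.9 port 40210 [preauth]
Dec 12 03:20:12 vps sshd[1302]: Connection closed by authenticating user root 198.51.100.9 port 40211 [preauth]
Dec 12 03:20:13 vps sshd[1303]: Connection closed by invalid user oracle 198.51.100.9 port 40212 [preauth]
Dec 12 03:21:00 vps sshd[1310]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
EOF
}

# With maxretry 3 the sample yields:
#   ALERT 203.0.113.5 4
#   BAN 198.51.100.9 3
#   BAN 203.0.113.5 4
# Real use: sudo journalctl -u ssh --since today -o short | ssh_auth_report 3
sample_auth_log | ssh_auth_report 3
```

The ALERT line is the one a daily summary should make impossible to miss: four password failures from 203.0.113.5 followed by a successful password login as deploy means either that user has a guessable password or the account is already in someone else's hands. fail2ban's real filter matches more message variants and applies a findtime window; this shows the shape of the logic so you can read its output critically.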

Step 12: Install Rootkit Hunter (rkhunter)

sudo apt install rkhunter -y, then sudo rkhunter --propupd to record the current file properties and sudo rkhunter --check --skip-keypress for the first scan. It looks for known rootkit files, hidden processes and ports, and suspicious changes to system binaries. Warnings are frequently false positives, especially after package upgrades change binaries it has fingerprinted; investigate each (dpkg -V or rpm -V confirms whether the package owns the current file), then run --propupd again so the new state becomes the baseline. The Debian package installs a daily cron job; make sure /etc/default/rkhunter has CRON_DAILY_RUN="true" and a REPORT_EMAIL, or run sudo rkhunter --cronjob --report-warnings-only yourself. Understand the limit: a scanner running on the same host cannot reliably see a kernel-level rootkit that hides from it, so treat rkhunter as an early-warning signal and rely on AIDE (step 15) plus offline comparison for confirmation. It is particularly worth a run after installing software from an untrusted source.

Step 13: Use ModSecurity for Web Applications

A web application firewall adds a layer in front of your application code. For Apache: sudo apt install libapache2-mod-security2 modsecurity-crs, sudo a2enmod security2, copy /etc/modsecurity/modsecurity.conf-recommended to modsecurity.conf and include the OWASP Core Rule Set (CRS). For Nginx, use libmodsecurity (ModSecurity v3) with the ModSecurity-nginx connector module, which you generally have to build against your nginx version; the ModSecurity project moved from Trustwave to OWASP in 2024 and remains maintained. Start with SecRuleEngine DetectionOnly, run real traffic through it for a while, review the audit log (SecAuditLog) for false positives, then switch to On. CRS blocks common SQL injection, XSS and path traversal payloads and you should keep it updated, but it is a secondary control: fixing the vulnerability in the application is still the job, and the WAF buys you time. Measure the overhead on your own workload rather than assuming a small percentage.

Step 14: Separate Services with Different Users

Run each service (Nginx, MySQL, Redis, your Node.js app) as its own unprivileged system user rather than root or a shared www-data. Example: sudo useradd -r -s /usr/sbin/nologin -d /opt/myapp appuser, then in the service's systemd unit set User=appuser and Group=appuser. systemd can tighten it further with NoNewPrivileges=yes, PrivateTmp=yes, ProtectSystem=strict and ProtectHome=yes (plus ReadWritePaths= for the directories it must write); sudo systemd-analyze security myapp.service scores the unit and lists what else is available. Verify with ps -eo user,pid,cmd | grep -i myapp. This limits the blast radius: a compromised app user cannot read the database files, the TLS private key or other applications' data.

Step 15: Regular File Integrity Monitoring (AIDE)

sudo apt install aide -y. Initialise: sudo aideinit (the Debian wrapper around aide --init). It writes a database of file hashes, permissions, owners and timestamps to /var/lib/aide/aide.db.new; move it into place with sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db. Check: sudo aide --check (Debian installs a daily cron job that mails the result). It reports changes to monitored files such as /usr/bin/* or /etc/passwd. After legitimate changes (package upgrades, config edits) run sudo aide --update and move the new database into place again. Expected churn from logs and spool directories is handled by the rules in /etc/aide/aide.conf.d/, not by ignoring the report. Two things make it actually useful: keep a copy of aide.db and the aide binary off the host (or on read-only media), because an intruder with root can simply regenerate the database; and read the report, since an unexpected change to /etc/ld.so.preload, /etc/cron.d or a user's authorized_keys is exactly how intrusions show up.
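What AIDE does, reduced to its core as an added example (not from the original guide and not AIDE's code): take a baseline of file hashes, exclude paths that are expected to churn, and later report what was added, removed or changed. The demo runs on a constructed tree of hypothetical files in a temporary directory, so it does not touch the real /etc.

```shell
#!/bin/sh
# Added example: the core of file integrity monitoring in POSIX shell.
# AIDE additionally records permissions, owner, inode and timestamps and
# has a proper rule language; this shows the idea with sha256 hashes only.

# Write a baseline of sha256 hashes for every regular file under $1 into $2.
# $3 = optional ERE of relative paths ("./var/log/...") to leave out, the
# equivalent of excluding log and spool directories in aide.conf.
fim_baseline() {
    local dir="$1" db="$2" skip="${3:-^$}"
    ( cd "$dir" && find . -type f | sort | grep -Ev -- "$skip" |
      while IFS= read -r f; do sha256sum "$f"; done ) > "$db"
}

# Compare the tree under $1 with the baseline $2 (same exclusions in $3).
# Prints "ADDED|REMOVED|CHANGED <path>" lines, sorted; prints nothing when clean.
fim_check() {
    local dir="$1" db="$2" skip="${3:-^$}" now
    now=$(mktemp)
    fim_baseline "$dir" "$now" "$skip"
    awk 'NR == FNR { base[$2] = $1; next }        # first file: baseline (hash path)
         { cur[$2] = $1 }                           # second file: current state
         END {
             for (p in base) if (!(p in cur)) print "REMOVED", p
             for (p in cur)  if (!(p in base)) print "ADDED", p
                             else if (cur[p] != base[p]) print "CHANGED", p
         }' "$db" "$now" | sort
    rm -f "$now"
}

# Demo on a constructed tree in a temp dir (hypothetical files, not a real
# system): log churn is excluded, sshd_config is tampered with, a preload
# entry is dropped in and passwd disappears.
fim_demo() {
    local dir db
    dir=$(mktemp -d); db=$(mktemp)
    mkdir -p "$dir/etc" "$dir/var/log"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$dir/etc/passwd"
    printf 'PermitRootLogin no\n'             > "$dir/etc/sshd_config"
    printf 'boot ok\n'                        > "$dir/var/log/syslog"
    fim_baseline "$dir" "$db" '^\./var/log/'
    printf 'more log\n'            >> "$dir/var/log/syslog"   # expected churn: ignored
    printf 'PermitRootLogin yes\n'  > "$dir/etc/sshd_config"  # tampered
    printf '/usr/local/lib/libhook.so\n' > "$dir/etc/ld.so.preload"  # classic persistence
    rm -f "$dir/etc/passwd"
    fim_check "$dir" "$db" '^\./var/log/'
    rm -rf "$dir" "$db"
}

# Expected output of the demo:
#   ADDED ./etc/ld.so.preload
#   CHANGED ./etc/sshd_config
#   REMOVED ./etc/passwd
fim_demo
```

The point that carries over to AIDE: the baseline file is the whole security of the scheme. Whoever can rewrite it after tampering can make the next check come back clean, which is why the real database belongs on read-only media or another host.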

Step 16: Secure MySQL/MariaDB

Run sudo mysql_secure_installation: it removes anonymous users, disallows remote root login, drops the test database and reloads privileges (on Ubuntu the MySQL root account authenticates via auth_socket, so a root password is optional there). Bind to localhost only unless the app lives on another host: bind-address = 127.0.0.1 in /etc/mysql/mysql.conf.d/mysqld.cnf (MariaDB: /etc/mysql/mariadb.conf.d/50-server.cnf), and confirm with ss -tlnp | grep 3306. Create one application user per application with only the privileges it needs, e.g. CREATE USER 'shop'@'localhost' IDENTIFIED BY 'long-random-password'; GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'shop'@'localhost'; with no DROP, ALTER, CREATE, FILE or GRANT OPTION and no access to other schemas. Audit regularly with SELECT user,host FROM mysql.user; and SHOW GRANTS FOR 'shop'@'localhost';. The general query log records every statement and is too heavy for production; for visibility use the slow query log, or an audit plugin (MariaDB's server_audit, MySQL Enterprise Audit) if you need a record of who ran what.

Step 17: Use AppArmor or SELinux

Ubuntu: AppArmor is enabled by default; check with sudo aa-status. MySQL ships its own profile (usr.sbin.mysqld); sudo apt install apparmor-utils apparmor-profiles apparmor-profiles-extra adds the tooling and more profiles, many in complain mode, which you move to enforce with sudo aa-enforce /etc/apparmor.d/profile-name after checking the journal for DENIED entries. For nginx or a custom app, generate a profile with sudo aa-genprof /path/to/binary while exercising the application. RHEL: SELinux is enforcing by default; check with getenforce, look at denials with sudo ausearch -m avc -ts recent, and use audit2allow to craft a targeted module only after understanding each denial (never feed every denial into audit2allow blindly, and never just setenforce 0). The learning curve is real, but mandatory access control turns an exploitable bug into a contained one: a compromised nginx confined to its profile cannot write to /etc/cron.d or read /root, even when an application zero-day has given the attacker code execution.

Step 18: Remove Compilers and Development Tools

Once the server is set up, remove build tools you do not need: sudo apt remove gcc make g++ build-essential (Ubuntu) or sudo dnf remove gcc make (RHEL). Be honest about the benefit: attackers bring statically linked binaries and rarely need to compile on the target, so this is hygiene rather than a barrier; keep the tools if you build software on the box, and beware that language toolchains, pip, npm and similar can pull compilers back in. More valuable is restricting kernel modules. A blacklist line only stops automatic loading; to prevent a module from loading at all, add install <module> /bin/false to a file in /etc/modprobe.d/, for example for dccp, sctp, rds, tipc and usb-storage, none of which a VPS needs (firewire and thunderbolt are irrelevant on virtual hardware). Once every module you need is loaded, kernel.modules_disabled = 1 via sysctl blocks all further loading until the next reboot.

Step 19: Set Up Backup and Disaster Recovery

Set up automated offsite backups: the Hostxpeed backup service, restic or borg to separate storage, or at minimum rsync to a second VPS. Encrypt them, and restore-test at least quarterly; a backup you have never restored is a hope, not a backup. Back up configuration separately (/etc/ssh, /etc/nginx, /etc/fail2ban, the firewall rules) so a rebuild is fast. Design for the compromise case: the server being backed up must not be able to delete or overwrite its own history, so pull backups from a backup host rather than pushing with credentials stored on the VPS, or use append-only or immutable storage (restic with a rest-server in append-only mode, or object storage with S3 Object Lock) so ransomware or an intruder cannot wipe them. After a compromise, rebuild the host from a clean image and restore the data, not the whole system, or you restore the backdoor too.

Step 20: Regular Security Audits (Monthly)

Combine the tools: Lynis (hardening index and recommendations), rkhunter (rootkits), AIDE (file changes), logwatch (authentication), plus manual checks: sudo systemctl list-units --state=failed (failed services), df -h (disk space), last and lastlog (recent logins), sudo journalctl -p err -b (errors since boot), getent passwd | awk -F: '$3 >= 1000' (accounts that should not exist), ls -l /etc/sudoers.d and each user's ~/.ssh/authorized_keys (unexpected sudo rules or keys), and crontab -l for each user plus /etc/cron.d. Subscribe to your distro's security announcements (debian-security-announce, ubuntu-security-announce, rhsa-announce) and to CISA advisories. Schedule 30 minutes monthly for the review. Prevention is cheaper than incident response.

Bonus: Use Security-Focused Linux Distributions

Consider hardening-focused platforms: Alpine Linux (musl libc, very small base install), OpenBSD (secure defaults and a conservative codebase), or a Fedora/RHEL-family server with SELinux enforcing. They are not for beginners and their package ecosystems differ. For most deployments, Ubuntu LTS with the steps above and AppArmor is sufficient. Hostxpeed offers Ubuntu 22.04/24.04 LTS as a one-click OS, which is the recommended choice for security updates and long-term support.

Automate with Ansible Script

Capture the steps above as an Ansible playbook so every new VPS gets the same baseline: tasks to update packages, create the sudo user, deploy the sshd drop-in, install and configure fail2ban, set firewall rules, enable unattended upgrades, and run lynis as a final check. Write the tasks idempotently so the playbook can be re-run monthly to detect drift. Hostxpeed provides security baseline playbooks (GitHub); the community dev-sec ansible-collection-hardening is another starting point. Combine with Terraform so a server is provisioned and hardened in one run, with the security baseline kept in version control.

Conclusion: Security is Continuous

These 20 steps remove most of the openings that automated, opportunistic attacks rely on; they do not make a server unbreakable. Stay vigilant: monitor the logs, confirm that automatic updates ran and reboot when a kernel changed, and review user access and SSH keys quarterly. Hostxpeed provides DDoS protection and a network firewall, but host-level security is your responsibility. Start with steps 1 to 5 today; implement the others over the next week. Regular audits keep the server in that state.