devops Nov 15, 2025 7 min read

Server Security Basics: Hardening Your Linux VPS in 30 Minutes

Introduction

A fresh VPS with default settings is a sitting duck. Bots start scanning for vulnerabilities within minutes of deployment.

Basic server hardening takes 30 minutes and prevents 90% of common attacks.

Why Server Security Matters

  • Prevent hacks - Protect your data and reputation
  • Avoid downtime - Compromised servers go offline
  • Stop resource abuse - Hackers use servers for spam/crypto mining
  • Compliance - Many regulations require basic security

Even small sites get targeted by automated attacks.

Prerequisites

  • Fresh Ubuntu/Debian VPS
  • Root SSH access
  • Basic command line knowledge

We'll use Ubuntu 22.04 examples, but most commands work on Debian/CentOS too.

Step 1: Update System

First, update all packages:

apt update && apt upgrade -y

This patches known vulnerabilities.

Set up automatic security updates:

apt install unattended-upgrades -y
dpkg-reconfigure --priority=low unattended-upgrades

Select "Yes" to enable automatic updates.

Step 2: Create Non-Root User

Never use root for daily tasks. Create a standard user:

adduser yourusername

Set a strong password when prompted.

Add user to sudo group:

usermod -aG sudo yourusername

Test by switching to new user:

su - yourusername
sudo whoami

It should output "root" if sudo works.

Step 3: Secure SSH

SSH is the main attack vector. Harden it:

Edit SSH config:

sudo nano /etc/ssh/sshd_config

Change these settings:

# Change from default 22
Port 2222
# Disable root login
PermitRootLogin no
# Force key-based auth
PasswordAuthentication no
# Enable SSH keys
PubkeyAuthentication yes

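Before disabling password auth, set up SSH keys! The edited settings, including the new port, only take effect once sshd is restarted. Until then the server still listens on port 22, so use -p 22 in the commands below if 2222 is not active yet, and keep your current session open until key login works.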

Set Up SSH Keys

On your local machine:

ssh-keygen -t ed25519 -C "you@example.com"

Copy public key to server:

ssh-copy-id -p 2222 yourusername@server-ip

Test connection:

ssh -p 2222 yourusername@server-ip

Once key auth works, restart SSH:

sudo systemctl restart sshd
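
An added check, not part of the original article: sshd keeps the first value it reads for each keyword, and Ubuntu 22.04's stock sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in file can override the edits above without any error. The function below audits `sshd -T` (effective configuration) output against the four settings from this step; the function name and both sample texts are constructed for illustration.

```shell
#!/usr/bin/env bash
# Check effective sshd settings against the values chosen in Step 3.
# stdin: output of `sshd -T` (one lowercase "keyword value" pair per line).
# stdout: one line per problem. Exit status is 0 only when all four match.
audit_sshd() {
  awk '
    BEGIN {
      want["port"] = "2222"
      want["permitrootlogin"] = "no"
      want["passwordauthentication"] = "no"
      want["pubkeyauthentication"] = "yes"
      bad = 0
    }
    (tolower($1) in want) {
      k = tolower($1); v = tolower($2); seen[k] = 1
      # Every listed value must match: a second "port 22" line still fails.
      if (v != want[k]) { printf "FAIL %s = %s (want %s)\n", k, v, want[k]; bad = 1 }
    }
    END {
      for (k in want)
        if (!(k in seen)) { printf "MISSING %s (want %s)\n", k, want[k]; bad = 1 }
      exit bad
    }'
}

# Constructed sample: effective config where a drop-in re-enabled passwords.
sample_overridden='port 2222
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes'

# Constructed sample: effective config after Step 3 took effect.
sample_hardened='port 2222
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'

printf '%s\n' "$sample_overridden" | audit_sshd || echo "sshd is not hardened as intended"
printf '%s\n' "$sample_hardened" | audit_sshd && echo "sshd matches Step 3"
# On the server itself: sudo sshd -T | audit_sshd
```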

Step 4: Configure Firewall

Use UFW (Uncomplicated Firewall):

sudo apt install ufw -y

Set default policies:

sudo ufw default deny incoming
sudo ufw default allow outgoing

Allow SSH (use your custom port):

sudo ufw allow 2222/tcp

Allow HTTP and HTTPS:

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Enable firewall:

sudo ufw enable

Check status:

sudo ufw status verbose

Step 5: Install Fail2Ban

Fail2Ban blocks IPs after failed login attempts:

sudo apt install fail2ban -y

Create local config:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit config:

sudo nano /etc/fail2ban/jail.local

Find the [sshd] section and update:

[sshd]
enabled = true
port = 2222
# Ban for 3600 seconds (1 hour) after 3 failed attempts
maxretry = 3
bantime = 3600

Start and enable:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Check status:

sudo fail2ban-client status sshd

Step 6: Disable Unused Services

List running services:

systemctl list-units --type=service --state=running

Disable unnecessary ones (varies by setup):

# --now also stops the service immediately instead of waiting for a reboot
sudo systemctl disable --now bluetooth
sudo systemctl disable --now cups

Only run what you need.

Step 7: Set Up Monitoring

Install basic monitoring:

sudo apt install htop iotop iftop -y

For log monitoring:

sudo apt install logwatch -y

Configure logwatch to email daily reports:

sudo nano /etc/logwatch/conf/logwatch.conf

Step 8: Configure Timezone and NTP

Set correct timezone:

sudo timedatectl set-timezone America/New_York

Enable time synchronization:

sudo timedatectl set-ntp true

Accurate time is crucial for logging and SSL certificates.

Step 9: Harden Kernel (Optional)

Edit sysctl config:

sudo nano /etc/sysctl.conf

Add security settings:

# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Do not send ICMP redirects
net.ipv4.conf.all.send_redirects = 0

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

# Log Martians
net.ipv4.conf.all.log_martians = 1

Apply changes:

sudo sysctl -p

Step 10: Regular Maintenance

Security is ongoing. Schedule:

  • Weekly: Check logs for anomalies
  • Monthly: Review fail2ban blocks
  • Quarterly: Audit user accounts and permissions
  • Always: Apply security updates promptly

Set up monitoring alerts for:

  • Failed login attempts
  • High CPU/memory usage
  • Disk space warnings
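
For the failed-login alert, an added example (not from the original article) that tallies per source IP the SSH connections that ended before authentication succeeded, using the same threshold as the jail's maxretry = 3. It counts the pre-auth disconnect lines OpenSSH writes to /var/log/auth.log, which appear with key-only auth as well; the function name and log lines are constructed.

```shell
#!/usr/bin/env bash
# List source IPs with at least $1 (default 3, the jail's maxretry) SSH
# connections that ended before authentication succeeded.
# stdin: auth.log lines. stdout: "<count> <ip>", highest count first.
preauth_failures_by_ip() {
  awk -v min="${1:-3}" '
    /sshd\[[0-9]+\]: (Connection closed by|Disconnected from) (authenticating|invalid) user / &&
    $NF == "[preauth]" && $(NF-2) == "port" {
      # The user name is client-supplied text, so read the address from the
      # fixed tail of the line (<ip> port <n> [preauth]), not from the middle.
      hits[$(NF-3)]++
    }
    END { for (ip in hits) if (hits[ip] >= min + 0) print hits[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# Constructed sample using documentation address ranges.
sample_auth_log='Nov 15 10:01:02 vps sshd[1201]: Invalid user admin from 203.0.113.7 port 51234
Nov 15 10:01:02 vps sshd[1201]: Connection closed by invalid user admin 203.0.113.7 port 51234 [preauth]
Nov 15 10:01:09 vps sshd[1203]: Connection closed by authenticating user root 203.0.113.7 port 51240 [preauth]
Nov 15 10:01:15 vps sshd[1207]: Disconnected from authenticating user root 203.0.113.7 port 51302 [preauth]
Nov 15 10:02:40 vps sshd[1210]: Accepted publickey for yourusername from 198.51.100.20 port 40022 ssh2
Nov 15 10:03:11 vps sshd[1215]: Connection closed by invalid user test 192.0.2.44 port 33000 [preauth]'

# Only 203.0.113.7 reaches the threshold of 3 in the sample.
printf '%s\n' "$sample_auth_log" | preauth_failures_by_ip 3
# On the server itself: sudo cat /var/log/auth.log | preauth_failures_by_ip
```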

Additional Security Measures

For production servers:

  • SSL certificates - Use Let's Encrypt
  • Intrusion detection - Install AIDE or OSSEC
  • Log aggregation - Send logs to external service
  • Backups - Automated daily backups
  • DDoS protection - Cloudflare or similar
  • SELinux/AppArmor - Mandatory access control

Common Mistakes

  1. Skipping SSH keys - Passwords are weak
  2. Leaving root login enabled - Major security hole
  3. Using default ports - Makes you an easy target
  4. No firewall - Everything exposed
  5. Ignoring updates - Unpatched vulnerabilities

Quick Security Checklist

  • [ ] System updated
  • [ ] Non-root user created
  • [ ] SSH hardened (keys, custom port, no root)
  • [ ] Firewall configured and enabled
  • [ ] Fail2Ban installed and configured
  • [ ] Unused services disabled
  • [ ] Automatic updates enabled
  • [ ] Monitoring set up

Conclusion

These steps provide baseline security for any Linux server. They won't stop determined attackers, but they block automated scans and script kiddies.

For production environments with sensitive data, hire a security professional for auditing and advanced hardening.

But for most VPS hosting, these basics are essential and sufficient.

30 minutes now saves countless headaches later.

Written by

Web20Guru Team
