How to Secure Your Linux VPS in 10 Steps

This guide walks you through 10 essential security steps every VPS owner should complete right after setup — whether you’re running Ubuntu, Debian, or CentOS. No advanced sysadmin experience required.

⚠️ Before you start: Make sure you have console access to your VPS through your provider’s dashboard. If you accidentally lock yourself out of SSH, you’ll need it to recover access.

STEP 01
Update Your System Packages
Easy

The very first thing you should do on a new VPS is update all installed packages. Operating system vendors constantly patch security vulnerabilities, and a fresh server image from your provider may already be weeks or months out of date.

Ubuntu / Debian
$ apt update && apt upgrade -y
$ apt autoremove -y   # Remove unused packages
CentOS / AlmaLinux / Rocky
$ dnf update -y

After upgrading, reboot if a kernel update was installed (on Ubuntu, the file /var/run/reboot-required exists whenever a reboot is pending):
$ reboot

STEP 02
Create a Non-Root Sudo User
Easy

Logging in as root is dangerous — any mistake runs with full system privileges. Create a regular user and grant it sudo access for administrative tasks.

Create user & grant sudo
$ adduser youruser
$ usermod -aG sudo youruser   # Ubuntu/Debian
$ usermod -aG wheel youruser  # CentOS/RHEL

Switch to the new user and verify sudo access:

Verify sudo
$ su - youruser
$ sudo whoami   # Should output: root

STEP 03
Set Up SSH Key Authentication
Easy

SSH key pairs are vastly more secure than passwords. A cryptographic key pair is virtually impossible to brute-force, while even a strong password can eventually be cracked.

On your local machine, generate a key pair if you don’t already have one:

Local machine
$ ssh-keygen -t ed25519 -C "your@email.com"

Then copy the public key to your VPS:

Copy key to server
$ ssh-copy-id youruser@your-server-ip

# Or manually:
$ cat ~/.ssh/id_ed25519.pub | ssh youruser@your-server-ip \
  "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
💡 Use ed25519 keys — they’re faster and more secure than the older RSA-2048 standard. If you must use RSA, use at least 4096 bits.

STEP 04
Disable Root Login & Password Authentication
Medium

Once your SSH key is working, disable password-based login entirely. That takes password brute-force attacks against SSH off the table, because there is no longer a password to guess.

Edit SSH config
$ nano /etc/ssh/sshd_config

Find and set these three lines:

/etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

Before restarting, check that nothing else overrides these lines. On recent Ubuntu releases sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, and cloud images usually ship a file there (50-cloud-init.conf) that sets PasswordAuthentication yes; since sshd uses the first value it reads for each keyword, that file wins over your edit, so change it there as well (grep -r PasswordAuthentication /etc/ssh/sshd_config.d/ finds it). Then run sshd -t, which is silent when the configuration is valid, and restart SSH to apply the changes:

Restart SSH daemon
$ systemctl restart sshd
🚨 Critical: Before restarting sshd, open a second SSH session in a separate terminal window and verify that key-based login works. If you restart sshd and your only active session disconnects, you could lock yourself out permanently. After the restart, confirm the effective settings with sshd -T | grep -iE 'passwordauthentication|permitrootlogin' (sshd -T prints the running configuration with all includes resolved).

STEP 05
Change the Default SSH Port
Easy

SSH runs on port 22 by default, and automated scanners hit this port millions of times per day. Changing it to a non-standard port (e.g., 2222 or any port above 1024) reduces noise significantly.

/etc/ssh/sshd_config
# Choose any unused port between 1024 and 65535. Keep comments on their own
# line: not every sshd version accepts trailing text on a directive line.
Port 2222
Connect with custom port
$ ssh -p 2222 youruser@your-server-ip

Remember to allow the new port through your firewall (covered in Step 6) before restarting sshd.
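The following script is an added example, not part of the original guide: it applies the Step 4 and Step 5 directives idempotently (rewriting commented-out defaults instead of appending duplicates), reads back the value sshd would actually use, and wraps sshd -t. It assumes POSIX sh, GNU sed and awk; the config path is a parameter so everything can be tried on a scratch copy before /etc/ssh/sshd_config is touched.

```shell
#!/bin/sh
# Added example, not part of the original guide: apply the Step 4 and Step 5
# sshd_config settings idempotently and check the result before restarting
# sshd. Assumes POSIX sh, GNU sed and awk. The config path is a parameter so
# everything can be tried on a scratch copy before /etc/ssh/sshd_config.

# set_sshd_option FILE KEY VALUE
# Rewrites every line for KEY (active or commented out) to "KEY VALUE" and
# appends the directive when the file has none. KEY must use sshd's spelling
# (e.g. PasswordAuthentication); comments stay on their own lines. Caveat: the
# rewrite also hits a KEY line inside a Match block, so inspect the diff.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$/$key $value/" "$file"
    else
        # make sure the appended directive starts on its own line
        if [ -s "$file" ] && [ -n "$(tail -c1 "$file")" ]; then echo >> "$file"; fi
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY
# Prints the value sshd would use: the first active line wins and keywords
# are case-insensitive, exactly as sshd_config(5) describes.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd FILE PORT: the three Step 4 directives plus the Step 5 port.
harden_sshd() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" Port "$2"
}

# check_sshd_config FILE: run sshd's own syntax check (sshd -t) on FILE.
# It needs root and an installed sshd, so it is skipped otherwise.
check_sshd_config() {
    if [ "$(id -u)" != 0 ] || ! command -v sshd >/dev/null 2>&1; then
        echo "skipping sshd -t (needs root and an installed sshd)" >&2
        return 0
    fi
    sshd -t -f "$1"   # silent with exit status 0 when the file is valid
}

# demo: exercise the functions on a constructed scratch file, never the live one
demo() {
    tmp=$(mktemp)
    printf '%s\n' '#PermitRootLogin prohibit-password' '#Port 22' \
        'PasswordAuthentication yes' > "$tmp"
    harden_sshd "$tmp" 2222 && check_sshd_config "$tmp"
    echo "effective port: $(get_sshd_option "$tmp" port)"
    cat "$tmp"
    rm -f "$tmp"
}

case "${1:-}" in demo) demo ;; esac
```

Run it with the argument demo to see the rewrite on a throwaway file; on the server, copy the real file first (cp /etc/ssh/sshd_config /tmp/sshd_config.test), run harden_sshd and check_sshd_config on the copy, diff it against the original, and only then apply the same change to the real file and restart sshd.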

STEP 06
Configure a Firewall (UFW)
Easy

UFW (Uncomplicated Firewall) is the simplest way to manage firewall rules on Ubuntu/Debian. The goal: deny everything by default, then explicitly allow only what you need.

Set up UFW
$ apt install ufw -y

# Set default policies
$ ufw default deny incoming
$ ufw default allow outgoing

# Allow your custom SSH port
$ ufw allow 2222/tcp

# Allow web traffic (if running a web server)
$ ufw allow 80/tcp
$ ufw allow 443/tcp

# Enable the firewall
$ ufw enable
$ ufw status verbose
💡 Only open ports for services you’re actually running. Every open port is a potential attack surface. Review ufw status periodically and close anything you no longer need.
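To make the periodic review concrete, here is an added example (not from the original guide or from the UFW project): two small functions that read the output of ufw status and report ALLOW rules that are not on your intended list, or confirm that the new SSH port from Step 5 is allowed before sshd is restarted. It assumes POSIX sh and awk and ufw's usual column layout (To / Action / From); the status text in the block is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original guide or from UFW: audit "ufw status"
# output against the ports you intend to keep open. Assumes POSIX sh, awk and
# the To/Action/From layout that ufw prints. The status text below is a
# constructed sample with one rule (3306/tcp) that should not be there.

sample_ufw_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
2222/tcp                   ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
2222/tcp (v6)              ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
3306/tcp (v6)              ALLOW       Anywhere (v6)
EOF
}

# unexpected_allows "PORT/PROTO ..."   (reads "ufw status" on stdin)
# Prints, once each, every allowed "To" entry that is not in the intended
# list. The match works for both "ALLOW" (ufw status) and "ALLOW IN"
# (ufw status verbose); the "(v6)" duplicates collapse onto the same entry.
unexpected_allows() {
    awk -v wanted="$1" '
    BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
    $0 ~ /[[:space:]]ALLOW([[:space:]]|$)/ && !($1 in ok) && !($1 in seen) {
        seen[$1] = 1
        print $1
    }'
}

# port_allowed PORT/PROTO   (reads "ufw status" on stdin)
# Exit status 0 when an ALLOW rule for exactly that entry exists, 1 otherwise.
port_allowed() {
    awk -v p="$1" '
    $0 ~ /[[:space:]]ALLOW([[:space:]]|$)/ && $1 == p { found = 1 }
    END { exit !found }'
}
```

On the server: ufw status | unexpected_allows "2222/tcp 80/tcp 443/tcp" lists anything you forgot to close, and ufw status | port_allowed 2222/tcp || echo "allow the SSH port first" is a cheap guard to run before restarting sshd with a new port.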

STEP 07
Install Fail2Ban
Easy

Fail2Ban monitors log files and automatically bans IP addresses that show signs of malicious activity — like repeatedly failing SSH login attempts. It’s one of the most effective and lightweight security tools available.

Install & configure Fail2Ban
$ apt install fail2ban -y

# Create a local config override
$ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$ nano /etc/fail2ban/jail.local

In jail.local, update the SSH section:

/etc/fail2ban/jail.local
[sshd]
enabled  = true
# port: your custom SSH port from Step 5
port     = 2222
# maxretry: ban after this many failed attempts
maxretry = 5
# bantime: how long the ban lasts, in seconds (1 hour)
bantime  = 3600
# findtime: window, in seconds, within which maxretry failures trigger a ban (10 minutes)
findtime = 600
# Keep comments on their own lines so they cannot be read as part of a value.
Start Fail2Ban
$ systemctl enable fail2ban
$ systemctl start fail2ban
$ fail2ban-client status sshd   # Verify it's running
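To see what the maxretry and findtime values above actually mean, here is an added example that is not part of the original guide or of Fail2Ban itself: an awk implementation of the sshd jail's counting rule (ban an IP once it reaches maxretry failures inside a sliding findtime-second window), run over a few constructed auth.log lines. It assumes POSIX sh and awk, classic syslog timestamps ("Jan 12 10:00:01"), and counts only "Failed password" lines, whereas Fail2Ban's real sshd filter matches several more patterns; the log lines and IP addresses are invented.

```shell
#!/bin/sh
# Added example, not part of the original guide or of Fail2Ban: reproduce the
# sshd jail's counting rule (maxretry failures from one IP within findtime
# seconds) over constructed auth.log lines. Assumes POSIX sh and awk and the
# classic syslog timestamp layout; only "Failed password" lines are counted,
# while Fail2Ban's real sshd filter matches more patterns.

# Constructed sample: 203.0.113.7 fails five times in nine seconds,
# 192.0.2.9 fails five times spread over 25 minutes, 198.51.100.4 fails
# once and then logs in with a key.
sample_auth_log() {
    cat <<'EOF'
Jan 12 10:00:00 vps sshd[1200]: Failed password for root from 192.0.2.9 port 50000 ssh2
Jan 12 10:00:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 10:00:03 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 10:00:05 vps sshd[1202]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 12 10:00:07 vps sshd[1203]: Failed password for root from 203.0.113.7 port 51241 ssh2
Jan 12 10:00:09 vps sshd[1204]: Failed password for root from 203.0.113.7 port 51242 ssh2
Jan 12 10:01:00 vps sshd[1205]: Failed password for youruser from 198.51.100.4 port 40000 ssh2
Jan 12 10:02:00 vps sshd[1206]: Accepted publickey for youruser from 198.51.100.4 port 40001 ssh2
Jan 12 10:05:00 vps sshd[1207]: Failed password for root from 192.0.2.9 port 50001 ssh2
Jan 12 10:12:00 vps sshd[1208]: Failed password for root from 192.0.2.9 port 50002 ssh2
Jan 12 10:18:00 vps sshd[1209]: Failed password for root from 192.0.2.9 port 50003 ssh2
Jan 12 10:25:00 vps sshd[1210]: Failed password for root from 192.0.2.9 port 50004 ssh2
EOF
}

# find_ban_candidates MAXRETRY FINDTIME   (reads log lines on stdin)
# Prints an IP the moment its MAXRETRY-th failure lands within FINDTIME seconds
# of earlier failures still in the window, then ignores that IP (it would be
# firewalled). Timestamps are reduced to seconds-of-day, so a sample must not
# cross midnight.
find_ban_candidates() {
    awk -v maxretry="$1" -v findtime="$2" '
    /sshd\[[0-9]+\]: Failed password for / {
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "" || ip in banned) next
        cnt[ip]++
        ts[ip, cnt[ip]] = now
        if (!(ip in head)) head[ip] = 1
        # sliding window: drop failures older than findtime seconds
        while (ts[ip, head[ip]] < now - findtime) head[ip]++
        if (cnt[ip] - head[ip] + 1 >= maxretry) {
            print ip
            banned[ip] = 1
        }
    }'
}
```

With the guide's values, sample_auth_log | find_ban_candidates 5 600 reports only 203.0.113.7: the slow attacker at 192.0.2.9 never has five failures inside any ten-minute window, which is exactly the trade-off a short findtime makes. Raising findtime to 3600 catches it too. On a real server feed it /var/log/auth.log, or journalctl -u ssh -o short on systems that log only to the journal (the unit is called sshd on CentOS).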

STEP 08
Enable Automatic Security Updates
Easy

Manually updating your server is easy to forget. Enable unattended upgrades to automatically apply security patches — without touching feature updates that might break things.

Ubuntu / Debian
$ apt install unattended-upgrades -y
$ dpkg-reconfigure --priority=low unattended-upgrades

Confirm the configuration at /etc/apt/apt.conf.d/20auto-upgrades contains:

20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

STEP 09
Secure Shared Memory
Medium

The /run/shm shared memory space is world-writable, which makes it a convenient place for malicious code to be written to and executed from. Mount it with restrictions to prevent execution. On most current distributions /run/shm is a symlink to /dev/shm (check with ls -ld /run/shm); put the fstab entry on whichever of the two is the real mount point.

Edit /etc/fstab
$ nano /etc/fstab

# Add this line at the bottom:
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0

Remount to apply without rebooting:

Apply changes
$ mount -o remount /run/shm

STEP 10
Set Up Intrusion Detection (Lynis / rkhunter)
Medium

Intrusion detection tools scan your server for known vulnerabilities, rootkits, and misconfigurations. Run them periodically to catch problems before attackers do.

Option A: Lynis (Full Security Audit)

Install & run Lynis
$ apt install lynis -y
$ lynis audit system   # Generates a detailed security report

Lynis outputs a hardening index score and a list of recommended improvements. Work through the suggestions over time.

Option B: rkhunter (Rootkit Scanner)

Install & run rkhunter
$ apt install rkhunter -y
$ rkhunter --update
$ rkhunter --check --skip-keypress
💡 Schedule rkhunter as a weekly cron job and have it email you results. Catching a rootkit in week one is far less catastrophic than discovering it six months later.
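One way to set up that weekly job, as an added example that is not from the original guide or the rkhunter project: a function that writes a script into /etc/cron.weekly which runs rkhunter non-interactively and mails the report only when rkhunter exits non-zero (its signal that warnings were found). It assumes a working local mail command (for instance from the mailutils package) and rkhunter's --update, --cronjob and --report-warnings-only options; you@example.com is a placeholder recipient. On Debian and Ubuntu the rkhunter package already ships cron entries controlled by /etc/default/rkhunter, so use this when you want your own schedule and report format.

```shell
#!/bin/sh
# Added example, not from the original guide or the rkhunter project: generate
# a weekly cron script that runs rkhunter non-interactively and mails the
# report only when warnings appear. Assumes a local "mail" command (e.g. from
# mailutils) and rkhunter's --update, --cronjob and --report-warnings-only
# options. The recipient address you pass in is a placeholder of your choosing.

# install_rkhunter_weekly DIR RECIPIENT
# Writes DIR/rkhunter-weekly (DIR is normally /etc/cron.weekly), makes it
# executable and syntax-checks it with sh -n. Non-zero status on any failure.
install_rkhunter_weekly() {
    dir=$1
    to=$2
    script="$dir/rkhunter-weekly"
    # Unquoted heredoc: $to is filled in now, the \$ escapes stay for runtime.
    cat > "$script" <<EOF
#!/bin/sh
# Generated by install_rkhunter_weekly. After legitimate package upgrades run
#   rkhunter --propupd
# so changed system files are not reported as warnings every week.
set -u
LOG=\$(mktemp)
# refresh rkhunter's data files; its exit status is ignored here on purpose
rkhunter --update --nocolors >/dev/null 2>&1 || true
# --cronjob runs the check non-interactively; a non-zero exit means warnings
if ! rkhunter --cronjob --report-warnings-only --nocolors >"\$LOG" 2>&1; then
    mail -s "rkhunter warnings on \$(hostname)" "$to" <"\$LOG"
fi
rm -f "\$LOG"
EOF
    chmod 0755 "$script" && sh -n "$script"
}
```

Usage on the server: install_rkhunter_weekly /etc/cron.weekly you@example.com, then send yourself a test with the generated script run by hand once so you know mail delivery works before relying on it.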

✅ 2025 VPS Security Checklist — Print & Keep

Update all system packages and reboot if kernel was updated

Create a non-root sudo user for daily administration

Generate ed25519 SSH key pair and copy public key to server

Disable root login and password authentication in sshd_config

Change SSH port from 22 to a custom port

Configure UFW firewall — deny all, allow only necessary ports

Install and configure Fail2Ban for SSH protection

Enable automatic security updates via unattended-upgrades

Secure /run/shm shared memory in /etc/fstab

Run Lynis audit and address high-priority recommendations

Frequently Asked Questions (FAQ)

How long does it take to complete all 10 steps?
For someone comfortable with the Linux command line, 30–45 minutes. If you’re new to Linux, budget 1–2 hours and take your time — especially on Step 4 (disabling password auth). Rushing that step is how people get locked out.
Do I need all 10 steps, or can I skip some?
Steps 1–7 are essential for every server. Steps 8–10 are strongly recommended but optional. Never skip Steps 3 and 4 — SSH key auth and disabling password login are the single highest-impact changes you can make.
Should I use a firewall even if my VPS provider has one?
Yes. Your provider’s network firewall is a first line of defense, but a host-based firewall (UFW) gives you additional control at the OS level. Defense in depth — multiple security layers — is always better than relying on a single control.
Is this guide applicable to managed VPS hosting?
Some steps (like package updates and firewall rules) may be handled by your managed hosting provider. Check with them before making changes. For unmanaged VPS hosting, all 10 steps apply.
What other security measures should I take beyond this guide?
For a hardened production server: enable two-factor authentication for SSH (using Google Authenticator PAM), set up centralized log monitoring, configure SSL/TLS for all services, use a secrets manager for credentials, and perform regular encrypted backups stored off-server.

🔒 Your Server Is Now Battle-Ready

Security isn’t a one-time task — it’s an ongoing practice. These 10 steps give you a strong baseline, but you should revisit your server’s security posture regularly: run Lynis audits monthly, review your firewall rules quarterly, and stay current with CVE announcements for any software you run.

The good news: most attackers are opportunistic. A server that follows even half of these steps is significantly more hardened than the average unprotected VPS, and most automated bots will move on to easier targets.

 
