Who is this for?
This guide is built for DevOps professionals, SaaS engineers, and infrastructure teams managing production workloads on self-managed VPS environments. If you’re responsible for securing your company’s Linux servers, running container workloads, or maintaining custom web stacks—this checklist is for you.
When you deploy a VPS, you’re taking control—but also taking on responsibility. From SSH ports to firewall rules, every misstep is a new opportunity for malicious actors. The internet doesn’t wait. Threats are continuous, automated, and unforgiving.
At Virtarix, we’ve seen the impact of good (and bad) server hygiene. This isn’t just theory—it’s a guide drawn from real-world infrastructure, tailored for the demands of high-performance cloud environments.
Let’s walk through the must-haves:
1. Keep Your OS Updated
Outdated systems are open doors. Apply security patches automatically using tools like unattended-upgrades (Ubuntu) or dnf-automatic (RHEL/CentOS).
2. Create a Non-Root Admin User
Do day-to-day administration as a regular user with sudo privileges instead of operating as root. Disable root login over SSH entirely (PermitRootLogin no).
3. Use SSH Keys, Not Passwords
Public/private key pairs prevent brute-force login attempts. Use tools like ssh-keygen and ssh-copy-id.
4. Change the Default SSH Port
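Move SSH off port 22 to reduce bot scans. Example: Port 2222 in /etc/ssh/sshd_config. This cuts automated noise rather than stopping a targeted scan, so treat it as a complement to key-based authentication, not a replacement.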
5. Enable a Firewall
Use ufw or firewalld to whitelist only required ports. Example: ufw allow 443.
6. Install Fail2Ban or Similar
Automatically block repeated failed login attempts. Protects SSH, web servers, and more.
7. Set Up Intrusion Detection
Deploy AIDE or OSSEC to track unexpected file changes and generate alerts.
8. Disable Unused Services
Stop and disable daemons like FTP, Telnet, or unused database servers.
9. Harden SSH Configuration
Limit users with AllowUsers, restrict login attempts with MaxAuthTries, and disable root access.
10. Automate Security Updates
Use cron jobs or package tools to auto-apply patches. Don’t rely on manual updates.
11. Enable SELinux or AppArmor
These kernel security modules isolate apps and enforce strict permissions.
12. Run Regular Audits
Use Lynis, OpenVAS, or chkrootkit for scheduled security assessments.
13. Monitor Logs Proactively
Tools like Logwatch or GoAccess help surface suspicious activity from system logs.
14. Back Up Securely
Schedule encrypted, offsite backups via tools like restic, duplicity, or BorgBackup.
15. Harden Containers
Use rootless containers, restrict syscalls with seccomp, and isolate workloads via namespaces and cgroups.
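Items 2, 3, 4 and 9 above all come down to a handful of sshd_config directives, and sshd uses the first value it reads for each keyword, so a later "corrected" line can silently have no effect. The script below is an added example, not code from Virtarix: it audits those directives in a config file. The function names, the sample config and the MaxAuthTries threshold (anything below the OpenSSH default of 6) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original guide): audit the sshd directives
# behind checklist items 2, 3, 4 and 9.

# Print the first value set for KEYWORD ($1) in the global section of FILE ($2).
# sshd uses the first value it reads for a keyword and ignores keyword case.
sshd_value() {
  awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    NF == 0 || $1 ~ /^#/   { next }   # blank lines and comments
    tolower($1) == "match" { exit }   # Match blocks (conditional overrides) are not audited
    tolower($1) == want    { $1 = ""; sub(/^ +/, ""); print; exit }
  ' "$2"
}

# check KEYWORD VALUE OP WANT: OP is a test(1) operator such as = or -lt.
check() {
  if [ "$2" "$3" "$4" ]; then echo "PASS $1 $2"
  else echo "FAIL $1 $2 (want $3 $4)"; fails=$((fails + 1)); fi
}

# Print one line per check; the return status is the number of failed checks.
# Unset keywords fall back to the OpenSSH defaults.
audit_sshd() {
  fails=0
  v=$(sshd_value PermitRootLogin "$1");        check PermitRootLogin "${v:-prohibit-password}" = no
  v=$(sshd_value PasswordAuthentication "$1"); check PasswordAuthentication "${v:-yes}" = no
  v=$(sshd_value Port "$1");                   check Port "${v:-22}" != 22
  v=$(sshd_value AllowUsers "$1");             check AllowUsers "${v:-unset}" != unset
  # Assumption: "restricted" means below the OpenSSH default of 6.
  v=$(sshd_value MaxAuthTries "$1");           check MaxAuthTries "${v:-6}" -lt 6
  return "$fails"
}

# Constructed sample config. The second PasswordAuthentication line has no effect.
sample_config() {
  cat <<'EOF'
# constructed sample, not from a real host
Port 2222
permitrootlogin no
PasswordAuthentication yes
PasswordAuthentication no
MaxAuthTries 3
EOF
}

tmp=$(mktemp); sample_config > "$tmp"
audit_sshd "$tmp" || echo "$? check(s) failed"
rm -f "$tmp"
```

The parser does not follow Include directives, so on a live host point `audit_sshd` at a file holding the output of `sshd -T`, which prints the effective configuration in the same keyword/value form.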
VPS Security Tools & Tactics at a Glance
Category | Recommended Tool/Technique | Purpose |
---|---|---|
Access Control | SSH Keys, sudo, non-root user | Secure authentication and limit privileges |
Network Security | UFW, firewalld, custom SSH port | Control inbound traffic, obscure attack surface |
Brute-force Protection | Fail2Ban, SSH rate limiting | Block repeated unauthorized access attempts |
Intrusion Detection | AIDE, OSSEC | Alert on suspicious file/system behavior |
System Hardening | AppArmor, SELinux | Enforce strict access policies for apps/processes |
Patching & Updates | unattended-upgrades, cron jobs | Keep OS and software protected against vulnerabilities |
Container Security | Rootless containers, namespaces | Isolate workloads and enforce security boundaries |
Backup & Recovery | Restic, BorgBackup | Ensure encrypted, reliable backup strategies |