
Securing Your VPS: The First 5 Steps

RealtimeVPN Team
RealtimeVPN Research

When you spin up a new Virtual Private Server (VPS) on cloud providers like Cloudflare, DigitalOcean, or AWS, it's immediately exposed to the public internet. Within minutes, automated bots will start scanning your IP for vulnerabilities and attempting brute-force logins.

Here are the first five essential steps you must take to secure your Linux VPS.

1. Update Your System

Always start by updating the package manager and installing the latest security patches.

sudo apt update && sudo apt upgrade -y

2. Create a Non-Root User

Running applications as root is dangerous. Create a limited user with sudo privileges.

adduser devsec
usermod -aG sudo devsec

3. Configure SSH Keys and Disable Password Login

Password authentication is inherently weak against modern brute-force and dictionary attacks.

  1. Generate an SSH keypair on your local machine using ssh-keygen.
  2. Copy the public key to your VPS using ssh-copy-id devsec@your_server_ip.
  3. Edit /etc/ssh/sshd_config and set PasswordAuthentication no.
  4. Restart the SSH service: sudo systemctl restart ssh.
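A check for steps 3 and 4 of this list, as an added example that is not part of the original guide: sshd applies the first value it reads for a keyword, so a file pulled in by an Include line at the top of sshd_config can silently override the PasswordAuthentication no you set lower down. The script approximates that read order over a constructed config tree; the file names, the function names and the rule for relative Include paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the guide. sshd keeps the FIRST value it reads for a
# keyword and expands Include lines in place, so a drop-in included at the top
# of sshd_config beats a "PasswordAuthentication no" set lower in that file.

# scan KEYWORD FILE: print "value file" for each global occurrence, in read
# order. The body is a subshell so each recursive call keeps its own variables.
scan() (
    dir=$(dirname "$2")
    while read -r key val rest || [ -n "$key" ]; do
        case "$key" in ''|'#'*) continue ;; esac
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        case "$key" in
            match) break ;;                  # Match blocks are not global
            include)
                # Assumption: relative paths resolve beside the main config.
                case "$val" in /*) ;; *) val="$dir/$val" ;; esac
                for f in $val; do            # unquoted on purpose: glob
                    if [ -f "$f" ]; then scan "$1" "$f"; fi
                done ;;
            "$1") printf '%s %s\n' "$val" "$2" ;;
        esac
    done < "$2"
)

# effective KEYWORD MAIN_CONFIG: the first occurrence is the one sshd applies.
effective() {
    scan "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" "$2" | head -n 1
}

# make_sample DIR: constructed config tree (hypothetical file names).
make_sample() {
    mkdir -p "$1/sshd_config.d"
    echo 'PasswordAuthentication yes' > "$1/sshd_config.d/50-provider.conf"
    cat > "$1/sshd_config" <<'EOF'
Include sshd_config.d/*.conf
# edited as in step 3
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

sample=$(mktemp -d)
make_sample "$sample"
effective PasswordAuthentication "$sample/sshd_config"
```

On the server itself, sudo sshd -t validates the configuration before the restart in step 4, and sudo sshd -T | grep -i passwordauthentication prints the value sshd will actually use. Keep your current SSH session open until a second login with the key has succeeded.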

4. Set Up a UFW Firewall

The Uncomplicated Firewall (UFW) makes it easy to block unnecessary ports.

sudo ufw allow OpenSSH
sudo ufw enable

Always ensure OpenSSH is allowed before enabling the firewall, or you will lock yourself out!

5. Install Fail2Ban

Fail2Ban monitors log files for malicious activity (like repeated failed login attempts) and temporarily bans the offending IP addresses using firewall rules.

sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Conclusion

By following these fundamental steps, you've drastically reduced the attack surface of your server. In our next post, we will explore deeper security measures like setting up a VPN or using Cloudflare Tunnels for zero-trust access.