A Practical Guide to VPS Hardening: 15 Essential Security Steps for Linux Servers

Deploying a new Virtual Private Server (VPS) is an exciting moment. It’s a blank canvas, a powerful and private space on the internet ready for you to build your next project. However, a default Linux server installation is like a new house with factory-set locks on the doors; it’s functional, but it’s not truly secure. Every day, automated bots and malicious actors scan the internet for newly deployed servers, probing them for common vulnerabilities left open by default. Leaving your VPS in its initial state is an open invitation for trouble. True server security isn't about a single, magical solution; it's about a systematic process of building layers of defense. This is known as "server hardening."

This comprehensive guide is designed to be your go-to Linux server security checklist. We will walk you through 15 essential steps to transform your new, vulnerable VPS into a hardened, resilient fortress. These practices are the foundation of professional system administration and are critical for protecting your data, applications, and reputation. Whether you are a beginner launching your first WordPress site or an experienced developer setting up a complex application, following this guide will dramatically improve your server's security posture. We will cover everything from basic user management and firewall configuration to automated updates and intrusion detection, providing clear explanations and the exact commands you need to execute along the way.

The 15-Step VPS Hardening Checklist

Before you begin, ensure you are logged into your server as the root user. These initial steps are best performed with root privileges before we lock that account down.

Step 1: Update Your System Software

The very first step on any new server is to ensure all installed software is up to date. The operating system image your provider uses might be several weeks or months old, meaning it could be missing critical security patches. Running an update and upgrade ensures you are starting from a secure, current baseline.

For Debian/Ubuntu Systems:

apt update && apt upgrade -y

For CentOS/AlmaLinux/Rocky Linux Systems:

dnf update -y

Step 2: Create a New User with Sudo Privileges

Operating as the root user continuously is dangerous. A single mistake or typo can have catastrophic consequences. The best practice is to create a new, non-root user for your daily tasks and grant it 'sudo' privileges, which allows it to perform administrative actions when needed by prefixing commands with sudo.

# Create the new user (replace 'youruser' with your desired username)
adduser youruser

# Add the user to the 'sudo' group (Debian/Ubuntu) or 'wheel' group (CentOS/AlmaLinux)
# For Debian/Ubuntu:
usermod -aG sudo youruser

# For CentOS/AlmaLinux:
usermod -aG wheel youruser

Step 3: Configure SSH Key Authentication

Password-based authentication is vulnerable to brute-force attacks. SSH key authentication is a far more secure method. It uses a pair of cryptographic keys: a private key that you keep on your local computer and a public key that you place on the server. The server will only allow connections from someone who possesses the corresponding private key.

First, from your local computer, generate an SSH key pair if you don't have one:

ssh-keygen -t rsa -b 4096

Next, copy the public key to your new user on the server (replace 'youruser' and 'your_server_ip'):

ssh-copy-id youruser@your_server_ip

Now you can log in to your server as the new user without a password.

Step 4: Disable Root Login and Password Authentication via SSH

Now that you have a sudo user with SSH key access, you should disable direct root login and password-based authentication entirely. This significantly reduces the attack surface of your server.

Open the SSH configuration file with a text editor:

sudo nano /etc/ssh/sshd_config

Find and change the following lines. You may need to uncomment them (remove the #) and change 'yes' to 'no'.

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no

Save the file and restart the SSH service to apply the changes:

sudo systemctl restart sshd

Step 5: Change the Default SSH Port

Automated bots scan for open SSH ports on the default port 22. While this is security through obscurity, changing the port can significantly reduce the number of automated login attempts logged on your server. Choose a port number between 1024 and 65535.

In the same /etc/ssh/sshd_config file, find the line #Port 22. Uncomment it and change 22 to your chosen port (e.g., Port 2255). Save the file and restart SSH again.

Important: Before you log out, make sure you update your firewall to allow the new port! You will also need to specify the new port when you connect in the future: ssh -p 2255 youruser@your_server_ip.

Step 6: Set Up a Basic Firewall with UFW

A firewall is a non-negotiable security layer. It controls incoming and outgoing network traffic. UFW (Uncomplicated Firewall) is a user-friendly front-end for managing firewall rules on Linux.

First, set the default policies to deny all incoming traffic and allow all outgoing traffic:

sudo ufw default deny incoming
sudo ufw default allow outgoing

Step 7: Configure Essential UFW Rules

With the defaults set, you now need to explicitly allow traffic for the services you need. At a minimum, this will be SSH, HTTP, and HTTPS.

# Allow your new SSH port (replace 2255 with your chosen port)
sudo ufw allow 2255/tcp

# Allow standard web traffic
sudo ufw allow http
sudo ufw allow https

# Enable the firewall
sudo ufw enable

The firewall will now be active and will persist through reboots.

Step 8: Install and Configure Fail2ban

Fail2ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. It scans log files and bans IP addresses that show malicious signs, such as too many password failures.

# For Debian/Ubuntu:
sudo apt install fail2ban -y

# For CentOS/AlmaLinux (requires EPEL repository):
sudo dnf install epel-release -y
sudo dnf install fail2ban -y

# Start and enable the service
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Fail2ban works out of the box to protect SSH, but it can be configured to protect many other services.

Step 9: Remove Unnecessary Network Services

Every service listening on a network port is a potential entry point for an attacker. A core principle of server hardening is to minimize the attack surface by removing any software that is not absolutely necessary for the server's function. Use a tool like ss or netstat to see what services are listening.

sudo ss -tuln

If you see services you don't recognize or need, find the package name and remove it using your system's package manager.

Step 10: Set Up Automatic Security Updates

Manually running updates is good, but automating the process for security patches ensures that your server is protected against newly discovered vulnerabilities as quickly as possible, without requiring your intervention.

For Debian/Ubuntu:

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades

For CentOS/AlmaLinux:

sudo dnf install dnf-automatic -y
sudo systemctl enable --now dnf-automatic.timer

Step 11: Secure Shared Memory

The /run/shm directory is used for shared memory. By default, it's often mounted as world-writable, which can be exploited by attackers in certain scenarios. You can harden it by editing your file systems table (fstab).

sudo nano /etc/fstab

Add the following line to the end of the file:

tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0

Save the file and reboot the server for the change to take effect.

Step 12: Install an Intrusion Detection System (IDS)

While Fail2ban is great for blocking known brute-force attacks, a modern IDS like CrowdSec provides a more advanced, collaborative layer of defense. CrowdSec identifies aggressive behavior and shares the attacking IP's information with a global network, proactively blocking threats identified by other users.

Step 13: Disable Unused Filesystems

To further reduce the attack surface, you can prevent the kernel from loading filesystems that you don't use (like cramfs, freevxfs, jffs2, hfs, hfsplus, squashfs, udf). This is an advanced step but adds another layer of hardening.

# Create a new config file
sudo nano /etc/modprobe.d/uncommon-fs.conf

# Add these lines
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true

Step 14: Implement a Regular Backup Strategy

Security is also about recovery. Even the most hardened server can fall victim to a zero-day exploit or a configuration error. A reliable, automated, and regularly tested backup strategy is your ultimate safety net. Ensure your backups are stored off-server in a secure, geographically separate location.

Step 15: Conduct Regular Security Audits

Security is not a one-time setup; it's an ongoing process. Schedule regular audits of your server. Use tools like lynis or rkhunter to scan for common vulnerabilities, review your firewall rules, check user permissions, and analyze logs for any suspicious activity. Staying vigilant is the key to long-term security.

Conclusion: Security as a Continuous Process

By completing this 15-step checklist, you have transformed your default server installation from a soft target into a hardened, secure environment. You have established multiple layers of defense that will protect you from the vast majority of automated and opportunistic attacks. Remember that server security is a continuous process of vigilance, maintenance, and adaptation. New threats emerge, and software vulnerabilities are discovered daily, which is why automated updates and regular audits are so critical.

At ENGINYRING, we build our virtual server offerings with security as a top priority, providing a robust foundation for you to build upon. If you prefer to focus on your business and leave the complexities of server management and hardening to the experts, our managed services team is here to help. Contact us today to learn how we can provide a fully secured and optimized hosting environment for your projects.