15 VPS Security Tips to Avoid Attacks on Your Server

Knowing how to secure your Linux will help you avoid various cyber threats and attacks. However, it is not a one-time task. In addition to applying the best security practices, you have to monitor your virtual private server continuously.

With this in mind, we are going to delve into Linux security and its most common weaknesses. We will also discuss 15 VPS security tips to prevent cyber attacks.

Linux security and common weaknesses

Although Linux is famous for its secure system, it does have some vulnerabilities. Many security threats can harm your server security and data.

Let’s review in detail the list of the most common threats and weaknesses:

• Malware: refers to intrusive software intentionally designed to harm computers and their operating systems. It comes in many forms, including Trojans, ransomware, viruses, and spyware.
• sniffing attack: It occurs when a hacker uses packet sniffers to intercept and extract data from a network.
• Brute force attack: hacking method in which an attacker uses trial and error to guess login credentials.
• SQL injection: occurs when a hacker exploits the code of a web application to access the server’s database.
• Cross site scripting (XSS): a client-side attack during which a hacker injects malicious code into a website.
• Without control at the functional level: servers can cause it by not checking access rights properly, giving general users root privileges.
• Broken authentication: identity theft that typically occurs due to unencrypted data, weak passwords, or misconfigured application session timeouts.

Before implementing any security measures, know the elements that you should watch out for. Here are some of them:

• VPS Hosting Security
• server software
• SSH connection
• root access and logins
• Passwords and credentials
• firewall
• FTP connection
• User rights and privileges
• server logs

15 VPS Security Tips to Protect Your Server Security

This section contains 15 security tips to protect your VPS hosting.

1. Identify the security of your web hosting

The hosting provider you choose needs to have a strong security infrastructure and offer additional protection to keep your server safe. At , we provide advanced security modules to protect our VPS, such as mod_security, firewall, Suhosin PHP hardening, and PHP open_basedir protection.

Additionally, uses BitNinja’s full-stack server protection and built-in advanced DDoS mitigation to improve overall VPS security. When it comes to shared hosting servers, we offer Monarx anti-malware software.

Additionally, offers regular automated backups and live snapshots that you can use to restore your website immediately in case it goes down.

2. Change the default SSH port

If you continue to use port 22 to access your virtual server through an SSH connection, there is a high probability of hacking attempts. This is because attackers can scan open ports to perform brute force attacks and gain remote access to the server.

We recommend that you use a different port for SSH to protect your data against cyber attacks.

Here’s how to change the SSH port:

1. Open the Terminal and go into SSH.
2. Edit the service configuration file by running the following command:

nano /etc/ssh/sshd_config

3. Locate the line that says port 22.
4. Replaces the 22 for a new port number and delete #.

5. Save the changes and press exit.
6. Restart the service by entering the following command and pressing Enter:

service ssh restart

• For CentOS and Red Hat Enterprise Linux (RHEL)

systemctl restart sshd.service

7. Finally, try to login to SSH using the new port.

3. Disable root logins

Every Linux VPS has a root user who has the highest privileges compared to the other users on the system. Cyber ​​criminals can target them to gain full access to the server.

Therefore, it is critical to disable root logins to protect servers from brute force attacks. We also recommend creating an alternate username with the privilege to execute root level commands.

Follow these steps to disable root logins:

1. Open the Terminal and access your SSH account.
2. To open and edit the configuration file, run the following command using nano or vi:

nano /etc/ssh/sshd_config

3. Find the following parameter and change it to No:

PermitRootLogin=no

4. Save the changes and restart the SSH service by running the following command:

service ssh restart

• For CentOS and Red Hat Enterprise Linux (RHEL)

systemctl restart sshd.service

5. This will disable root login.

4. Use strong passwords

Passwords that contain information related to your identity or simple passphrases are easy to guess. Therefore, create a long and strong password with various elements, such as lowercase and uppercase letters, numbers, and special characters. By doing so, you will protect your system against brute force attacks.

Also, don’t reuse the same password.

You can also use online tools like or to create strong passwords. Both offer customization options, such as limiting password length and character usage.

5. Start using SSH keys

If you still use a password to access your SSH account, you may become a target for sniffing attacks. To avoid this, use SSH keys instead. Basically, SSH keys are a more secure authentication method than passwords.

Because these keys are generated by computers, they can be up to 4096 bits long, making them longer and more complex than a password.

SSH keys come in two sets: public and private. The former is stored on the server, while the latter is stored on the user’s machine. When a login attempt is detected, the server generates a random string and encrypts it with a public key. The encrypted message can only be decrypted using the associated private key.

Here’s how to generate an SSH key on Linux:

1. open the app Terminal and go into SSH.
2. To generate public and private keys, type the following command and press Enter:

ssh-keygen -t rsa

3. Once the answer appears, press Enter:

Enter file in which to save the key (/root/.ssh/id_rsa):

4. You will be prompted to enter the password twice. If you don’t have it, you can press Enter twice.

Enter passphrase (empty for no passphrase): Enter same passphrase again:

5. Your private and public keys have been successfully saved.

6. Configure an Internal Firewall (IP Tables)

As HTTP traffic can come from anywhere, it is essential to filter it to ensure that only visitors with excellent reputations can access your system. Doing so will help you avoid unwanted traffic and DDoS attacks.

Linux distributions come with an internal firewall service called . This tool monitors traffic to and from your server using tables. It uses rules called chains to filter incoming and outgoing data packets.

With it, you can adjust the firewall restrictions according to your needs. Here’s how to install and check the current iptables configuration on Ubuntu:

1. Open the Terminal and go into SSH.
2. Install iptables by running the following command:

sudo apt-get install iptables

3. Once the installation is complete, type the following command and press Enter:

sudo iptables -L -v

4. The output will include a list of all rules in a verbose format.

7. Configure UFW Firewall

We recommend enabling a Uncomplicated Firewall (UFW) as an additional layer to track incoming and outgoing traffic to your system. It is a network filtering firewall that is designed to be easy to use.

UFW acts as the front-end for iptables and is often pre-installed on Linux distributions. In general, it will deny all incoming connections and allow outgoing ones, lowering the risk of potential threats. In addition, you can modify and add rules to the firewall according to your preferences.

Here we explain how to activate it in Ubuntu:

1. Open the Terminal and connect via SSH.
2. Type the following command to enable UFW and press Enter:

sudo ufw enable

3. If the response indicates that the command was not found, install the firewall using this command:

sudo apt-get install ufw

4. After the installation is complete, run the command from the second step to enable UFW.

5. Check the status of the firewall using the following command:

sudo ufw status

8. Use SFTP instead of FTP

While FTP connections do not have encryption enabled, FTP over TLS (FTPS) only encrypts credentials and not file transfers.

As a result, using both connections can put your data at risk. Hackers can easily perform a sniffing attack to steal your login credentials and intercept file transfers.

To avoid this, use FTP over SSH or instead. This is a secure FTP connection as it fully encrypts all data including credentials and files being transferred. Additionally, SFTP protects users from man-in-the-middle attacks, as the client must be authenticated by the server before accessing the system.

Follow these steps to set up an SFTP connection:

1. Open the Terminal and go into SSH.
2. Start an SFTP connection by entering this command and clicking Enter:

sftp user@server_ipaddress

either

sftp user@remotehost_domainname

3. If you are using a custom port, run the following command:

sftp -oPort=customport user@server_ipaddress

either

sftp -oPort=customport user@remotehost_domainname

4. Once you’re connected, an SFTP prompt will appear.

9. Configure Fail2Ban

Fail2Ban Monitor system logs and block hackers after multiple failed logins. In addition, it protects servers against DoS, DDoS, dictionary and brute force attacks. Fail2Ban uses iptables and firewalld to ban IP addresses.

Follow the steps below to configure Fail2Ban on Ubuntu:

1. Open the Terminal and initiate an SSH connection.
2. Install the Fail2Ban software package by entering the following command and clicking Enter:

sudo apt-get install fail2ban

3. The following output will appear. Write Y press Enter.

Do you want to continue? Y

4. Once the installation is complete, check the status by running the following command:

sudo systemctl status fail2ban

5. The Fail2Ban software must be up and running.

10. Install an antivirus

In addition to setting up a firewall to filter incoming traffic, consider monitoring the files stored on your VPS. Since Linux is not innately immune to attack by…