Security

Base Server Hardening

Checklist of fundamental security operations to secure a new VPS before putting it into production

These are the minimum security operations to perform on every new server before putting it into production.


Quick Checklist

| Operation | Priority |
|---|---|
| Update system | 🔴 Critical |
| Change root password | 🔴 Critical |
| Configure SSH keys | 🔴 Critical |
| Enable firewall | 🔴 Critical |
| Install Fail2ban | 🟠 High |
| Disable SSH password login | 🟠 High |
| Create non-root user | 🟠 High |
| Change SSH port | 🟡 Medium |
| Configure automatic updates | 🟡 Medium |

1. Update the System

apt update && apt upgrade -y   # Debian/Ubuntu
dnf update -y                  # CentOS/AlmaLinux

2. Configure SSH Keys and Disable Passwords

# On your computer: copy your public key
ssh-copy-id root@SERVER_IP

# On the server: disable password login
nano /etc/ssh/sshd_config

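Set:

PasswordAuthentication no
PermitRootLogin prohibit-password

Restart the SSH service to apply the change. Keep your current session open and confirm that key-based login works from a second terminal before you close it:

systemctl restart sshd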

3. Enable the Firewall

ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow http
ufw allow https
ufw enable

4. Install Fail2ban

apt install fail2ban -y
systemctl enable --now fail2ban

See the complete guide: Fail2ban

5. Create a Non-Root User

adduser deploy
usermod -aG sudo deploy

6. Configure Automatic Security Updates

# Debian/Ubuntu
apt install unattended-upgrades -y
dpkg-reconfigure --priority=low unattended-upgrades

Additional SSH hardening options, set in /etc/ssh/sshd_config:

nano /etc/ssh/sshd_config
# Change the port (optional)
Port 2222

# Disable root login with password
PermitRootLogin prohibit-password

# Disable password authentication
PasswordAuthentication no

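# Disable keyboard-interactive authentication
# (newer OpenSSH releases name this option KbdInteractiveAuthentication and keep the old name as an alias)
ChallengeResponseAuthentication no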

# Disable X11 forwarding if not needed
X11Forwarding no

# Limit authentication attempts
MaxAuthTries 3

# Timeout for idle sessions (in seconds)
ClientAliveInterval 300
ClientAliveCountMax 2

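# Disallow login to accounts with an empty password
PermitEmptyPasswords no

If you changed the port, allow the new port in ufw before restarting, because the "ufw allow ssh" rule above opens only port 22. Then restart the SSH service:

systemctl restart sshd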

Verify SSH Configuration

sshd -T | grep -E 'passwordauth|permitroot|port|maxauthtries'
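
A fuller check than the grep above, as an added example (not part of the original page): the function audit_sshd, a name chosen here, compares sshd -T output with the settings listed on this page and accepts without-password, the older alias under which sshd -T can report prohibit-password. The two sample inputs are constructed.

```shell
# Added example: audit `sshd -T` output against the settings on this page.
# On a server, run as root:  sshd -T | audit_sshd
audit_sshd() {
    # stdin: effective settings as "key value" lines (what sshd -T prints).
    # Prints one FAIL line per deviation; exit status = number of deviations.
    awk '
    function fail(msg) { print "FAIL: " msg; bad++ }
    BEGIN {
        want["passwordauthentication"] = "^no$"
        want["permitemptypasswords"]   = "^no$"
        want["x11forwarding"]          = "^no$"
        # prohibit-password can be reported under its older alias
        # without-password; "no" is stricter, so it is accepted too.
        want["permitrootlogin"] = "^(prohibit-password|without-password|no)$"
        # Keyboard-interactive auth: name depends on the OpenSSH version.
        want["kbdinteractiveauthentication"]    = "^no$"
        want["challengeresponseauthentication"] = "^no$"
    }
    { key = tolower($1); seen[key] = 1 }
    key in want && $2 !~ want[key] { fail(key " is " $2) }
    key == "maxauthtries" && $2 + 0 > 3 { fail(key " is " $2 ", want 3 or less") }
    END {
        for (k in want)
            if (!(k in seen) && k !~ /^(kbd|challenge)/) fail(k " not reported")
        if (!("kbdinteractiveauthentication" in seen) &&
            !("challengeresponseauthentication" in seen))
            fail("keyboard-interactive setting not reported")
        if (!("maxauthtries" in seen)) fail("maxauthtries not reported")
        exit bad
    }'
}

# Constructed samples shaped like sshd -T output (not from a real host).
sample_hardened='permitrootlogin without-password
passwordauthentication no
kbdinteractiveauthentication no
x11forwarding no
maxauthtries 3
permitemptypasswords no'
sample_default='permitrootlogin yes
passwordauthentication yes
kbdinteractiveauthentication no
x11forwarding yes
maxauthtries 6
permitemptypasswords no'

printf '%s\n' "$sample_hardened" | audit_sshd && echo "hardened sample: OK"
printf '%s\n' "$sample_default" | audit_sshd || echo "default sample: $? deviation(s)"
```

A non-zero exit status makes the function usable as a gate in a provisioning script.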

Monitor Access

Regularly check who has accessed your server:

# Last successful logins
last | head -20

# Failed login attempts
lastb | head -20

# SSH logs in real-time
journalctl -u sshd -f

Automatic Security Audit Tool

You can use Lynis to run an automated security audit:

apt install lynis -y
lynis audit system

Lynis analyzes your server configuration and suggests improvements with a security score.
