VPS Security Hardening: 15-Minute Guide for Production Servers

A fresh VPS is exposed to the internet within seconds of deployment. Automated bots scan for default configurations, weak passwords, and open ports around the clock. This guide walks you through the essential security hardening steps that every production server needs — and you can complete them all in about 15 minutes.

1. Harden SSH Access

SSH is the #1 attack vector for VPS servers. Lock it down first:

bash

# Generate an SSH key pair (on your local machine)
ssh-keygen -t ed25519 -C "your@email.com"

# Copy public key to the server
ssh-copy-id -i ~/.ssh/id_ed25519.pub root@YOUR_SERVER_IP

# Test key-based login before disabling passwords
ssh -i ~/.ssh/id_ed25519 root@YOUR_SERVER_IP

Now disable password authentication and root login:

bash

# Edit SSH config
sudo nano /etc/ssh/sshd_config

# Set these values:
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
Port 2222  # Change from default 22

# Restart SSH
sudo systemctl restart sshd

⚠️ Always keep an existing SSH session open while testing new SSH settings. If you lock yourself out, you'll need console access from your VPS provider.

2. Configure the Firewall

bash

# Install and enable UFW (Ubuntu/Debian)
sudo apt install ufw -y

# Default: deny all incoming, allow outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow only what you need
sudo ufw allow 2222/tcp comment "SSH"
sudo ufw allow 80/tcp comment "HTTP"
sudo ufw allow 443/tcp comment "HTTPS"

# Enable the firewall
sudo ufw enable
sudo ufw status verbose

3. Install Fail2ban

Fail2ban automatically bans IPs that show malicious signs (failed login attempts, exploit scanning):

bash

sudo apt install fail2ban -y

# Create local config
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

# Set these in [sshd] section:
[sshd]
enabled = true
port = 2222
maxretry = 3
bantime = 3600
findtime = 600

# Start fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# Check banned IPs
sudo fail2ban-client status sshd

4. Automatic Security Updates

bash

# Install unattended-upgrades
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades

# Verify it's active
sudo systemctl status unattended-upgrades

5. Create a Non-Root User

bash

# Create deploy user with sudo access
sudo adduser deploy
sudo usermod -aG sudo deploy

# Copy SSH keys to new user
sudo mkdir -p /home/deploy/.ssh
sudo cp ~/.ssh/authorized_keys /home/deploy/.ssh/
sudo chown -R deploy:deploy /home/deploy/.ssh
sudo chmod 700 /home/deploy/.ssh
sudo chmod 600 /home/deploy/.ssh/authorized_keys

# Test login as deploy user before disabling root

6. Basic Monitoring

bash

# Install monitoring tools
sudo apt install htop iotop nethogs -y

# Check active connections
ss -tulnp

# Monitor login attempts
sudo journalctl -u sshd --since "1 hour ago" | grep "Failed"

# Set up logwatch for daily email reports
sudo apt install logwatch -y
sudo logwatch --detail high --mailto you@email.com --range today

7. Docker Security (If Applicable)

If you're running Docker containers:

bash

# Don't run containers as root
# In Dockerfile:
RUN addgroup --system app && adduser --system --group app
USER app

# Limit container resources
docker run --memory=512m --cpus=1 --read-only your-image

# Don't expose Docker socket
# NEVER mount /var/run/docker.sock in production containers

Quick Checklist

SSH key authentication only, password login disabled
SSH on non-default port, root login disabled
UFW firewall with only required ports open
Fail2ban protecting SSH and web services
Automatic security updates enabled
Non-root user for daily operations
Monitoring and log review in place

🛡️ ZentisLabs VPS instances come with UFW pre-configured and SSH key authentication enabled. Deploy a hardened VPS in 60 seconds from your dashboard.

1. Harden SSH Access

SSH is the #1 attack vector for VPS servers. Lock it down first:

bash

# Generate an SSH key pair (on your local machine)
ssh-keygen -t ed25519 -C "your@email.com"

# Copy public key to the server
ssh-copy-id -i ~/.ssh/id_ed25519.pub root@YOUR_SERVER_IP

# Test key-based login before disabling passwords
ssh -i ~/.ssh/id_ed25519 root@YOUR_SERVER_IP

Now disable password authentication and root login:

bash

# Edit SSH config
sudo nano /etc/ssh/sshd_config

# Set these values:
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
Port 2222  # Change from default 22

# Restart SSH
sudo systemctl restart sshd

⚠️ Always keep an existing SSH session open while testing new SSH settings. If you lock yourself out, you'll need console access from your VPS provider.

2. Configure the Firewall

bash

# Install and enable UFW (Ubuntu/Debian)
sudo apt install ufw -y

# Default: deny all incoming, allow outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow only what you need
sudo ufw allow 2222/tcp comment "SSH"
sudo ufw allow 80/tcp comment "HTTP"
sudo ufw allow 443/tcp comment "HTTPS"

# Enable the firewall
sudo ufw enable
sudo ufw status verbose

3. Install Fail2ban

Fail2ban automatically bans IPs that show malicious signs (failed login attempts, exploit scanning):

bash

sudo apt install fail2ban -y

# Create local config
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

# Set these in [sshd] section:
[sshd]
enabled = true
port = 2222
maxretry = 3
bantime = 3600
findtime = 600

# Start fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# Check banned IPs
sudo fail2ban-client status sshd

4. Automatic Security Updates

bash

# Install unattended-upgrades
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades

# Verify it's active
sudo systemctl status unattended-upgrades

5. Create a Non-Root User

bash

# Create deploy user with sudo access
sudo adduser deploy
sudo usermod -aG sudo deploy

# Copy SSH keys to new user
sudo mkdir -p /home/deploy/.ssh
sudo cp ~/.ssh/authorized_keys /home/deploy/.ssh/
sudo chown -R deploy:deploy /home/deploy/.ssh
sudo chmod 700 /home/deploy/.ssh
sudo chmod 600 /home/deploy/.ssh/authorized_keys

# Test login as deploy user before disabling root

6. Basic Monitoring

bash

# Install monitoring tools
sudo apt install htop iotop nethogs -y

# Check active connections
ss -tulnp

# Monitor login attempts
sudo journalctl -u sshd --since "1 hour ago" | grep "Failed"

# Set up logwatch for daily email reports
sudo apt install logwatch -y
sudo logwatch --detail high --mailto you@email.com --range today

7. Docker Security (If Applicable)

If you're running Docker containers:

bash

# Don't run containers as root
# In Dockerfile:
RUN addgroup --system app && adduser --system --group app
USER app

# Limit container resources
docker run --memory=512m --cpus=1 --read-only your-image

# Don't expose Docker socket
# NEVER mount /var/run/docker.sock in production containers

Quick Checklist

SSH key authentication only, password login disabled
SSH on non-default port, root login disabled
UFW firewall with only required ports open
Fail2ban protecting SSH and web services
Automatic security updates enabled
Non-root user for daily operations
Monitoring and log review in place

🛡️ ZentisLabs VPS instances come with UFW pre-configured and SSH key authentication enabled. Deploy a hardened VPS in 60 seconds from your dashboard.

VPS Security Hardening: 15-Minute Guide for Production Servers

1. Harden SSH Access

2. Configure the Firewall

3. Install Fail2ban

4. Automatic Security Updates

5. Create a Non-Root User

6. Basic Monitoring

7. Docker Security (If Applicable)

Quick Checklist

Ready to get started?

Related Articles

How to Set Up a Rotating Proxy in Python, Node.js, and Bash (2025 Guide)

Best VPS for Web Scraping in 2025: Performance Benchmarks

Deploy Ollama on a VPS: Run LLMs Privately in 10 Minutes

VPS Security Hardening: 15-Minute Guide for Production Servers

1. Harden SSH Access

2. Configure the Firewall

3. Install Fail2ban

4. Automatic Security Updates

5. Create a Non-Root User

6. Basic Monitoring

7. Docker Security (If Applicable)

Quick Checklist

Ready to get started?

Related Articles

How to Set Up a Rotating Proxy in Python, Node.js, and Bash (2025 Guide)

Best VPS for Web Scraping in 2025: Performance Benchmarks

Deploy Ollama on a VPS: Run LLMs Privately in 10 Minutes