VPS Security Checklist: 30+ Essential Steps to Secure Your Server
Comprehensive security checklist for VPS hosting. From initial setup to ongoing maintenance, learn how to protect your server from hackers, malware, and DDoS attacks.
Securing a VPS is critical from day one. This comprehensive checklist covers everything from initial setup to ongoing maintenance to keep your server safe from attacks.
Phase 1: Immediate Setup (Do This First!)
1. Update System Packages
apt update && apt upgrade -y
apt autoremove -y
2. Create a Non-Root User
# Create user
adduser username
# Add to sudo group
usermod -aG sudo username
# Switch to new user
su - username
3. Set Up SSH Keys (Not Passwords)
# On your LOCAL machine:
ssh-keygen -t ed25519 -C "your_email@example.com"
ssh-copy-id username@your-server-ip
4. Disable SSH Root Login
sudo nano /etc/ssh/sshd_config
Change these settings:
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Restart SSH (keep the current session open until a key-based login succeeds in a second terminal):
sudo systemctl restart sshd
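A check for the three settings from step 4, as an added example that is not part of the original checklist. The function names and the sample file are constructed for illustration. It shows why the order of lines matters: sshd keeps the first value it reads for a keyword.

```bash
#!/bin/sh
# Added example (not from the original checklist): verify the three
# sshd_config settings from step 4. sshd keeps the FIRST value it reads
# for a keyword, so a later "PermitRootLogin no" does not override an
# earlier "PermitRootLogin yes".

# Print the first active value of keyword $1 in config file $2.
sshd_first_value() {
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    $1 ~ /^#/              { next }   # commented-out line
    tolower($1) == "match" { exit }   # conditional blocks are not global
    tolower($1) == key     { print tolower($2); exit }
  ' "$2"
}

# Exit status 0 only if all three settings are set as the checklist asks.
# An unset keyword counts as a mismatch so the hardening is explicit.
# The body runs in a subshell, so its variables stay local.
audit_sshd_config() (
  rc=0
  for want in permitrootlogin=no passwordauthentication=no \
              pubkeyauthentication=yes; do
    key=${want%%=*}
    got=$(sshd_first_value "$key" "$1")
    if [ "$got" != "${want#*=}" ]; then
      echo "MISMATCH $key: got '${got:-unset}', want '${want#*=}'"
      rc=1
    fi
  done
  exit "$rc"   # leaves the subshell only; becomes the function's status
)

# Constructed sample: the hardened PermitRootLogin line comes too late.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
EOF
audit_sshd_config "$sample" || echo "sshd_config needs attention"
rm -f "$sample"
```

On a live server, `sudo sshd -T` prints the effective configuration, including files pulled in by Include directives, which this file-level check does not follow.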
5. Configure Firewall (UFW)
# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow essential services
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
# Enable firewall
sudo ufw enable
sudo ufw status verbose
6. Install Fail2Ban
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Configure /etc/fail2ban/jail.local:
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
maxretry = 3
7. Set the Hostname
sudo hostnamectl set-hostname your-server-name
sudo nano /etc/hosts
Add: 127.0.1.1 your-server-name
8. Configure Timezone & NTP
sudo timedatectl set-timezone UTC
sudo apt install ntp -y
9. Disable IPv6 (If Not Needed)
sudo nano /etc/sysctl.conf
Add:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
Apply: sudo sysctl -p
10. Secure Shared Memory
sudo nano /etc/fstab
Add:
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
Phase 2: Network Security
11. Change Default SSH Port
sudo nano /etc/ssh/sshd_config
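Uncomment and change: Port 2222 (or any non-standard port). The firewall rule from step 5 only opens the default SSH port, so allow the new port in UFW before restarting SSH or the connection will be blocked.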
12. Limit SSH Access by IP
sudo nano /etc/hosts.allow
Add:
sshd: YOUR_IP_ADDRESS : allow
sshd: ALL : deny
13. Install and Configure DDoS Protection
sudo apt install nginx -y
Configure rate limiting in /etc/nginx/nginx.conf:
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
limit_req zone=one burst=20 nodelay;
14. Set Up CloudFlare (Optional)
- Create free CloudFlare account
- Point your domain to CloudFlare
- Enable “Under Attack Mode” during attacks
- Configure firewall rules
15. Enable TCP SYN Cookies
sudo nano /etc/sysctl.conf
Add:
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
Phase 3: Application Security
16. Keep Software Updated
# Enable automatic security updates
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades
17. Use SSL/TLS Certificates
sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d yourdomain.com
18. Secure File Permissions
# Restrict sensitive files
sudo chmod 600 ~/.ssh/authorized_keys
sudo chmod 700 ~/.ssh
sudo chmod 600 /etc/ssh/sshd_config
19. Disable Unused Services
# List all services
systemctl list-unit-files --type=service
# Disable unwanted services
sudo systemctl disable service-name
sudo systemctl stop service-name
20. Configure AppArmor
sudo apt install apparmor apparmor-utils -y
sudo aa-enforce /etc/apparmor.d/*
Phase 4: Monitoring & Logging
21. Enable Audit Logging
sudo apt install auditd -y
sudo systemctl enable auditd
22. Set Up Log Rotation
sudo nano /etc/logrotate.conf
Configure retention:
rotate 4
weekly
missingok
notifempty
compress
delaycompress
23. Install Monitoring Tools
# Install monitoring tools
sudo apt install htop iotop nethogs -y
# Install advanced monitoring
curl -sSL https://get.netdata.cloud | bash
24. Set Up Email Alerts
sudo apt install mailutils -y
Configure alerts for:
- Disk space > 80%
- RAM usage > 90%
- High CPU load
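One way to implement the disk and RAM thresholds above, as an added example that is not part of the original checklist. The function names, the recipient address and the sample figures are assumptions made for illustration; the CPU-load alert is left out because the page gives no threshold for it.

```bash
#!/bin/sh
# Added example (not from the original checklist): the disk and RAM
# thresholds from step 24. ALERT_TO is a placeholder address.
ALERT_TO="admin@example.com"

# Print "mount use%" for every filesystem above $1 percent.
# Reads `df -P` output on stdin (POSIX format: Capacity is column 5).
disks_over() {
  awk -v max="$1" 'NR > 1 {
    use = $5; sub(/%/, "", use)
    if (use + 0 > max) print $6, use "%"
  }'
}

# Print RAM in use as a whole percentage, from a /proc/meminfo-style file.
# MemAvailable already accounts for reclaimable cache.
mem_used_pct() {
  awk '/^MemTotal:/ { t = $2 } /^MemAvailable:/ { a = $2 }
       END { if (t > 0) printf "%d\n", (t - a) * 100 / t }' "$1"
}

# Build the alert text; empty output means nothing crossed a threshold.
# $1 = file holding `df -P` output, $2 = meminfo file.
build_alert() {
  disks_over 80 < "$1" | sed 's/^/Disk over 80%: /'
  pct=$(mem_used_pct "$2")
  if [ "${pct:-0}" -gt 90 ]; then echo "RAM over 90%: ${pct}%"; fi
}

# Live use from cron (mail comes from the mailutils package in step 24).
check_and_mail() {
  tmp=$(mktemp); df -P > "$tmp"
  msg=$(build_alert "$tmp" /proc/meminfo); rm -f "$tmp"
  [ -z "$msg" ] || printf '%s\n' "$msg" | mail -s "VPS alert: $(hostname)" "$ALERT_TO"
}

# Constructed sample input so the thresholds can be seen without a live server.
df_sample=$(mktemp); mem_sample=$(mktemp)
cat > "$df_sample" <<'EOF'
Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/vda1         25000000 21500000   3500000      86% /
tmpfs               500000        0    500000       0% /run/shm
EOF
printf 'MemTotal: 2000000 kB\nMemAvailable: 150000 kB\n' > "$mem_sample"
build_alert "$df_sample" "$mem_sample"
rm -f "$df_sample" "$mem_sample"
```

To run it on a schedule, save the functions in a script that ends with a call to `check_and_mail` and add it to the crontab the same way as the backup script in step 26.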
25. Monitor Failed Login Attempts
sudo tail -f /var/log/auth.log
Look for suspicious activity patterns.
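A way to turn the raw log into a per-source summary, as an added example that is not part of the original checklist. The function name and the log lines are constructed; the default threshold of 3 mirrors the maxretry of the [sshd] jail in step 6, and the findtime window is not applied.

```bash
#!/bin/sh
# Added example (not from the original checklist): list source IPs with at
# least $2 "Failed password" lines in the auth log $1 (default 3).
# Output: "<count> <ip>", highest count first.
failed_ssh_sources() {
  awk -v min="${2:-3}" '
    # The user name is client-supplied text and may contain spaces or the
    # word "from", so the address is located from the END of the line:
    #   ... from <ip> port <n> ssh2
    /sshd\[[0-9]+\]: Failed password for / &&
    NF > 4 && $(NF-4) == "from" && $(NF-2) == "port" {
      count[$(NF-3)]++
    }
    END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
  ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample log lines (documentation address ranges).
log=$(mktemp)
cat > "$log" <<'EOF'
Jan 28 03:12:01 vps sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 28 03:12:04 vps sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 28 03:12:09 vps sshd[1207]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jan 28 03:13:30 vps sshd[1215]: Failed password for invalid user a from 198.51.100.9 from 198.51.100.77 port 40022 ssh2
Jan 28 03:14:02 vps sshd[1220]: Accepted publickey for deploy from 192.0.2.10 port 50111 ssh2: ED25519 SHA256:CONSTRUCTED
EOF
failed_ssh_sources "$log" 3
rm -f "$log"
```

On a server, call it as `failed_ssh_sources /var/log/auth.log` with sudo rights; the fourth sample line shows why the address is read from the end of the line rather than after the first "from".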
Phase 5: Backup & Recovery
26. Automated Backups
# Install rclone for cloud backups
curl https://rclone.org/install.sh | sudo bash
Create backup script /usr/local/bin/backup.sh:
#!/bin/bash
rsync -avz /var/www/ backup-user@backup-server:/backups/
Add to crontab:
sudo crontab -e
Add: 0 2 * * * /usr/local/bin/backup.sh
27. Database Backups
# For MySQL/MariaDB
mysqldump -u root -p --all-databases | gzip > backup.sql.gz
# For PostgreSQL
pg_dumpall -U postgres | gzip > backup.sql.gz
28. Test Recovery Procedure
Regularly test restoring from backups to ensure they work!
Phase 6: Advanced Hardening
29. Implement 2FA for SSH
sudo apt install libpam-google-authenticator -y
Configure /etc/pam.d/sshd:
auth required pam_google_authenticator.so
30. Use a VPN
Set up WireGuard for private server access:
sudo apt install wireguard -y
31. Implement Intrusion Detection
sudo apt install aide -y
sudo aide --init
sudo aide --check
32. Secure MySQL/MariaDB
sudo mysql_secure_installation
Follow prompts to:
- Set root password
- Remove anonymous users
- Disallow root login remotely
- Remove test database
33. Configure PostgreSQL Security
Edit /etc/postgresql/*/main/postgresql.conf:
listen_addresses = '127.0.0.1'
ssl = on
Phase 7: Ongoing Maintenance
Weekly Tasks
- Check for security updates: sudo apt list --upgradable
- Review logs for suspicious activity
- Verify backups completed successfully
- Monitor disk space usage
- Check for unusual processes
Monthly Tasks
- Run full system update: sudo apt upgrade -y
- Review and rotate SSH keys
- Audit user accounts
- Test restore from backups
- Review firewall rules
Quarterly Tasks
- Security audit of installed packages
- Review and update documentation
- Test disaster recovery plan
- Update all SSL certificates
- Review and update security policies
Security Tools Summary
| Tool | Purpose | Install Command |
|---|---|---|
| UFW | Firewall | apt install ufw |
| Fail2Ban | Brute-force protection | apt install fail2ban |
| ClamAV | Antivirus | apt install clamav |
| Rkhunter | Rootkit detection | apt install rkhunter |
| AIDE | File integrity | apt install aide |
| Logwatch | Log analysis | apt install logwatch |
| Tripwire | IDS | apt install tripwire |
Quick Security Test Commands
# Check open ports
sudo ss -tulpn
# Check listening services
sudo netstat -tulpn
# Check failed SSH attempts
sudo grep "Failed password" /var/log/auth.log | wc -l
# Check for suspicious packages
sudo dpkg -l | grep -i "seed\|miner"
# Check for modified files in last 24h
sudo find /var/www/ -type f -mtime -1 -ls
# Check current users
who -a
# Check active SSH sessions
sudo ss -t | grep ssh
Security Resources
- CIS Ubuntu Benchmarks
- SSH Audit Tool
- Mozilla SSL Configuration Generator
- OpenVAS Vulnerability Scanner
Common Security Mistakes to Avoid
- ❌ Using default SSH port 22 - Change it!
- ❌ Allowing password authentication - Use keys only
- ❌ Running everything as root - Create users!
- ❌ Ignoring updates - Enable automatic updates
- ❌ No backups - Backup before you need them!
- ❌ Exposing database ports - Bind to localhost only
- ❌ Hardcoding credentials - Use environment variables
- ❌ Forgotten test services - Clean up after development
Red Flags: Signs Your Server May Be Compromised
- High CPU usage when idle
- Unknown processes running
- New user accounts you didn’t create
- Modified system files in /etc/
- Outbound connections to unknown IPs
- Sudden spike in bandwidth usage
- Login failures from unknown locations
If you see these signs:
- Immediately disconnect from network
- Review logs from known-good backup
- Rebuild server from scratch
- Restore data from clean backup
- Change all credentials
- Enable additional monitoring
Security Checklist Summary
Download this as a PDF or print it out:
[ ] Initial Setup Completed
[ ] SSH Keys Configured
[ ] Firewall Enabled
[ ] Fail2Ban Running
[ ] Auto-Updates Enabled
[ ] SSL Certificate Installed
[ ] Automated Backups Configured
[ ] Monitoring Tools Active
[ ] Recovery Procedure Tested
[ ] Documentation Updated
Remember: Security is an ongoing process, not a one-time setup. Stay vigilant, keep your systems updated, and always have a backup plan!