How to secure your KVM VPS
This guide provides some general tips for securing a Linux-based server.
1. Update your system regularly
The first thing you should do to secure your server is to update the local repositories, then upgrade the operating system and installed applications by applying the latest patches.
This update will take place in two steps:
- Updating the package list
apt-get update
- Upgrading the installed packages
apt-get upgrade
2. Changing the default SSH port
By default, port 22 is used to establish an SSH connection. This port is configured automatically during the installation of your operating system, so automated attacks by bots will target it. Switching SSH to a different port is a simple measure to protect your server against these automated attacks.
To do this, modify the service configuration file:
vi /etc/ssh/sshd_config
Find the following or similar lines:
Replace port 22 with a new port. Please do not enter a port number already used on your system!
Open the firewall port
Each server may use a different firewall application, so choose the matching section below to open the port.
- For servers using Firewalld
If you use Firewalld, open the port and reload with the following commands.
firewall-cmd --permanent --zone=public --add-port=NewPort/tcp
firewall-cmd --reload
- For servers using ufw (Ubuntu/Debian)
If you use ufw, enter the following command to open the port.
ufw allow NewPort/tcp
- For servers using iptables
With iptables, enter the following commands in sequence to open the port, restart the service, and check the opened port.
iptables -I INPUT -p tcp -m tcp --dport 'NewPort' -j ACCEPT
service iptables restart
iptables -L -n
Then restart the SSH service.
systemctl restart sshd
To establish an SSH connection after this change, enter the following command:
ssh root@IP_address_of_the_server -p NewPort
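The port change in this step can be scripted. The following is an added example, not part of the original guide; the function names valid_port, port_in_use and set_ssh_port are hypothetical. It leaves exactly one active Port directive, so port 22 does not stay open through a second Port line, and it goes slightly beyond the step above by also handling a file with no Port line.

```shell
#!/bin/sh
# Added example (not from the original guide): change the sshd listening port
# in a config file without leaving port 22 active or a broken Port line behind.

# valid_port N: succeed only for an integer in 1-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# port_in_use N: succeed if something already listens on TCP port N.
# Assumes the iproute2 "ss" tool; without it the check reports "not in use".
port_in_use() {
    command -v ss >/dev/null 2>&1 || return 1
    [ -n "$(ss -Hltn "sport = :$1" 2>/dev/null)" ]
}

# set_ssh_port FILE N: rewrite FILE so that "Port N" is the only active Port
# directive. The original is kept as FILE.bak.
set_ssh_port() {
    cfg=$1 port=$2
    valid_port "$port" || { echo "invalid port: $port" >&2; return 2; }
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 3; }
    cp -p "$cfg" "$cfg.bak" || return 4
    if ! awk -v p="$port" '
        # Active Port lines: replace the first, drop any others.
        tolower($0) ~ /^[ \t]*port[ \t]/ {
            if (!done) { print "Port " p; done = 1 }
            next
        }
        # Otherwise reuse the stock commented-out "#Port 22" line.
        !done && tolower($0) ~ /^[ \t]*#[ \t]*port[ \t]+[0-9]+[ \t]*$/ {
            print "Port " p; done = 1; next
        }
        { print }
        END { exit !done }
    ' "$cfg.bak" > "$cfg"; then
        # No Port line at all: put it first so it cannot land in a Match block.
        { echo "Port $port"; cat "$cfg.bak"; } > "$cfg"
    fi
}
```

Check a candidate port with port_in_use first, then run `sshd -t` to validate the edited file before restarting sshd. Keep your current session open until a login on the new port succeeds.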
3. Install Fail2ban
Fail2ban is an application that examines server logs looking for repeated or automated attacks.
You can install Fail2ban by typing:
apt-get install fail2ban
Then copy the included configuration file:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.backup
And restart Fail2ban:
systemctl restart fail2ban
4. Utilize backups and test them regularly
Offsite backups are essential for Linux servers. In the event of an intrusion, these can ensure that critical data remains accessible. They are particularly valuable in the event of ransomware attacks.
The application rsync is a popular option for backing up data on Linux. It comes with a host of features that allow you to make daily backups or exclude certain files from being copied. It is extremely versatile, so it serves as a great option for Linux server security strategies. Feel free to use it on a local basis for backing up files.
To install rsync, use the command:
apt-get install rsync
Don’t forget to check up on the amount of storage space currently used as well as how much is still available.