Stread's Blog

Fresh VPS Hardening

Assumptions

Create a non-root user with sudo privileges

adduser newusername
usermod -aG sudo newusername

Set up SSH keys for new user

This reuses the key the provider installed for root, so it assumes root currently logs in with a key rather than a password. Check that the new user can log in with it before root login is disabled in the next step.

mkdir -p /home/newusername/.ssh
cp /root/.ssh/authorized_keys /home/newusername/.ssh/
chown -R newusername:newusername /home/newusername/.ssh
chmod 700 /home/newusername/.ssh
chmod 600 /home/newusername/.ssh/authorized_keys

Harden SSH configuration

nano /etc/ssh/sshd_config

Add or modify these lines (58923 is an arbitrary non-default port; pick your own, and keep it on its own line, since older sshd versions reject trailing comments):

PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
Port 58923
AllowUsers newusername

Two things to watch. Recent Debian and Ubuntu releases Include /etc/ssh/sshd_config.d/*.conf at the top of sshd_config, and sshd keeps the first value it sees for each keyword, so a provider or cloud-init drop-in such as 50-cloud-init.conf that sets PasswordAuthentication yes silently wins over your edit; fix or remove such files. And keep the session you are working in open until you have tested the new login from a second terminal, because a mistake here locks you out.

Check the syntax and restart SSH:

sshd -t
systemctl disable --now ssh.socket
systemctl enable --now ssh.service
systemctl restart ssh

The socket/service switch matters on Ubuntu 22.10 and later, where sshd is socket-activated and listens on whatever port ssh.socket defines, ignoring the Port directive; moving to the plain service makes Port 58923 take effect. On Debian, where ssh.service is already the default, the disable step is harmless. After the restart, confirm the effective values with sshd -T and log in on port 58923 from a second terminal before closing the session you are in.

Update system

apt update && apt upgrade -y

Configure UFW firewall

Add the rule for the SSH port you configured before enabling the firewall; ufw enable warns that it may disrupt existing SSH connections, which is exactly what happens if that rule is missing.

ufw default deny incoming
ufw default allow outgoing
ufw allow 58923/tcp  # SSH port you configured
ufw allow 80/tcp     # HTTP (if needed)
ufw allow 443/tcp    # HTTPS (if needed)
ufw enable

Install fail2ban

apt install fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local

Configure fail2ban:

Note: jail.conf already contains a real [sshd] section, under the "SSH servers" heading; edit that one. Do not uncomment the [sshd] example in the comment block near the top of the file, or the jail ends up defined twice. A cleaner alternative to copying the whole file is to leave jail.conf untouched and create a jail.local holding only the section below: fail2ban reads jail.conf first and jail.local overrides it, and the small file survives package upgrades. On Debian 12 images without rsyslog there is no /var/log/auth.log, so also add backend = systemd to the section to make fail2ban read the journal instead.

[sshd]
enabled = true
port    = 58923
bantime = 3600
findtime = 600
maxretry = 5

Restart fail2ban:

systemctl enable fail2ban
systemctl restart fail2ban

Secure shared memory

On current Debian and Ubuntu /run/shm is only a symlink to /dev/shm, so mount the real target. Add to /etc/fstab:

tmpfs /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0

systemd applies the fstab options to /dev/shm at boot; to apply them immediately run mount -o remount /dev/shm (with only the mount point given, mount merges the options from fstab) and confirm with findmnt /dev/shm. Be aware that noexec on /dev/shm breaks the occasional program that expects to run code from shared memory; check your workload.

Enable automatic security updates

apt install unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades

Configure system-wide security settings

Edit /etc/sysctl.conf (or, on current Debian/Ubuntu, put the same lines in a file such as /etc/sysctl.d/99-hardening.conf):

# Protect against SYN flood
net.ipv4.tcp_syncookies = 1

# Disable IP forwarding
net.ipv4.ip_forward = 0

# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP redirect acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

Apply changes:

sysctl -p

sysctl -p reads only /etc/sysctl.conf; if you used a file under /etc/sysctl.d/, run sysctl --system instead. Two caveats: these keys are IPv4-only, so on a host with an IPv6 address set the net.ipv6.conf.all and net.ipv6.conf.default counterparts of accept_source_route and accept_redirects as well; and ip_forward = 0 has to be reverted if the box later runs containers or a VPN, both of which need forwarding.

Remove unnecessary services

This removes packages that were pulled in as dependencies and are no longer needed, together with their configuration files. It does not touch services you installed deliberately; review those separately.

apt autoremove --purge

Reboot

Not strictly necessary, but recommended so that every change (a new kernel from the upgrade included) takes effect:

reboot
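Once you have logged back in, check the effective state rather than trusting the files you edited: a drop-in under /etc/ssh/sshd_config.d/ can override sshd_config, a typo in a sysctl key is silently ignored, and a jail that failed to start protects nothing. The script below is an added example and not part of the original post. It assumes the values used above (port 58923, user newusername, both overridable through environment variables) and, for the live run, root on a Debian/Ubuntu host with ufw and fail2ban installed. The comparison functions read their input from stdin, so they can also be run offline against captured `sshd -T` or `sysctl -a` output.

```shell
#!/bin/sh
# Post-hardening verification (added example, not from the original post).
# Assumes the post's values: SSH on 58923, admin user "newusername"; both can
# be overridden with environment variables. The live run needs root.
set -u

SSH_PORT="${SSH_PORT:-58923}"
ADMIN_USER="${ADMIN_USER:-newusername}"

# Compare the effective sshd settings (stdin: `sshd -T` output, which prints
# lowercase "keyword value" lines) with what the post configures.
# Prints one line per mismatch and returns 1 if there was any.
check_sshd_effective() {
    local input rc pair key want got
    input="$(cat)"
    rc=0
    for pair in \
        "permitrootlogin no" \
        "passwordauthentication no" \
        "permitemptypasswords no" \
        "port $SSH_PORT" \
        "allowusers $ADMIN_USER"; do
        key="${pair%% *}"
        want="${pair#* }"
        got="$(printf '%s\n' "$input" | awk -v k="$key" '$1 == k { print $2; exit }')"
        if [ "$got" != "$want" ]; then
            printf 'sshd: %s is "%s", expected "%s"\n' "$key" "${got:-<unset>}" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Same for the kernel parameters (stdin: `sysctl -a` output, "key = value" lines).
check_sysctl() {
    local input rc pair key want got
    input="$(cat)"
    rc=0
    for pair in \
        "net.ipv4.tcp_syncookies 1" \
        "net.ipv4.ip_forward 0" \
        "net.ipv4.conf.all.accept_source_route 0" \
        "net.ipv4.conf.default.accept_source_route 0" \
        "net.ipv4.conf.all.rp_filter 1" \
        "net.ipv4.conf.default.rp_filter 1" \
        "net.ipv4.conf.all.accept_redirects 0" \
        "net.ipv4.conf.default.accept_redirects 0"; do
        key="${pair%% *}"
        want="${pair#* }"
        # "key = value" splits into three fields; the value is the third
        got="$(printf '%s\n' "$input" | awk -v k="$key" '$1 == k { print $3; exit }')"
        if [ "$got" != "$want" ]; then
            printf 'sysctl: %s is "%s", expected "%s"\n' "$key" "${got:-<unset>}" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Check the mount options of /dev/shm, given as the comma-separated string that
# `findmnt -no OPTIONS /dev/shm` prints (e.g. "rw,nosuid,nodev,noexec,relatime").
check_shm_options() {
    local opts rc flag
    opts="$1"
    rc=0
    for flag in noexec nosuid nodev; do
        case ",$opts," in
            *",$flag,"*) ;;
            *) printf '/dev/shm: missing %s\n' "$flag"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Run every check against the live host. Only executed with --live, so the
# functions above can be sourced and exercised offline on captured output.
run_live() {
    local status
    status=0
    sshd -T 2>/dev/null | check_sshd_effective || status=1
    sysctl -a 2>/dev/null | check_sysctl || status=1
    check_shm_options "$(findmnt -no OPTIONS /dev/shm)" || status=1
    ufw status 2>/dev/null | grep -q '^Status: active' || { echo "ufw: not active"; status=1; }
    fail2ban-client status sshd >/dev/null 2>&1 || { echo "fail2ban: sshd jail not running"; status=1; }
    [ "$status" -eq 0 ] && echo "all checks passed"
    return "$status"
}

if [ "${1:-}" = "--live" ]; then
    run_live
    exit $?
fi
```

Run it as `sh verify-hardening.sh --live` as root; a non-zero exit means at least one setting is not what the procedure above intended, and each mismatch is printed with the value actually in effect. Keeping the comparison separate from the live commands is what lets the same functions be tested against saved output from another host.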

#security
