Securing your VPS
Last updated: January 1, 2026
1. Configure SSH access with public key
Level: Essential
SSH password access is the primary target for brute force attacks. The first step is to switch to public/private key authentication.
Step 1 — Generate your key pair on your local machine:
ssh-keygen -t ed25519 -C "your@email.com"
# Follow the instructions and set a strong passphrase
Step 2 — Copy the public key to the VPS:
ssh-copy-id -i ~/.ssh/id_ed25519.pub root@your-vps-ip
Step 3 — Disable password authentication:
nano /etc/ssh/sshd_config
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
systemctl restart sshd
⚠️ Test the connection with your key in a new terminal BEFORE closing the current session, so you are not locked out.
2. Create a non-root user
Level: Essential
Working as root exposes the entire system in case of compromise. Create a dedicated user with sudo privileges.
# Create a user
adduser admin_cloudstore
# Add to sudo group
usermod -aG sudo admin_cloudstore
# Copy SSH keys to the new account
rsync --archive --chown=admin_cloudstore:admin_cloudstore ~/.ssh /home/admin_cloudstore
💡 Choose a non-generic username (avoid "admin", "ubuntu", "user"). A custom name makes user enumeration attacks more difficult.
3. Change the SSH port
Level: Essential
Port 22 is the first target for bots. Changing it to a non-standard port drastically reduces noise in your logs.
nano /etc/ssh/sshd_config
# Change the Port line:
Port 2222
# Choose a port between 1024 and 65535
systemctl restart sshd
📌 Don't forget to open the new port in your firewall before restarting SSH, and update your connection command: ssh -p 2222 user@ip
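As an added example (not from the original guide), the script below applies the sshd_config directives from steps 1 and 3 in a way that can be re-run safely and checks the file with sshd -t before any restart; it runs here against a constructed sample config rather than /etc/ssh/sshd_config.

```bash
#!/bin/bash
# Added example (not from the original guide): set the sshd_config directives
# from steps 1 and 3 idempotently, then validate the file before restarting.
# The config below is a constructed sample; the real file is /etc/ssh/sshd_config.

# set_sshd_option FILE KEY VALUE
# Rewrites the first "KEY ..." line (active or commented out), drops later
# duplicates, and otherwise inserts KEY before the first Match block, since a
# directive placed after a Match block applies only to that block.
set_sshd_option() {
  awk -v k="$2" -v v="$3" '
    !done && $0 ~ ("^[# \t]*" k "([ \t]|$)") { print k, v; done = 1; next }
     done && $0 ~ ("^[# \t]*" k "([ \t]|$)") { next }
    !done && /^Match[ \t]/                    { print k, v; done = 1 }
    { print }
    END { if (!done) print k, v }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# active_value FILE KEY: the first active (uncommented) value of KEY in FILE.
active_value() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# harden_sshd FILE PORT: steps 1 and 3 of the guide in one pass.
# PermitRootLogin no locks root out, so the sudo user from step 2 must already
# exist and be able to log in with its key before this is applied.
harden_sshd() {
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" PubkeyAuthentication yes
  set_sshd_option "$1" AuthorizedKeysFile .ssh/authorized_keys
  set_sshd_option "$1" Port "$2"
}

# restart_if_valid FILE: sshd -t rejects a broken file before the restart does.
# Open the new port first (ufw allow PORT/tcp) and keep this session open until
# a second terminal has logged in on the new port.
restart_if_valid() { sshd -t -f "$1" && systemctl restart sshd; }

# Demo on a trimmed, Debian-style default config (constructed).
demo=$(mktemp)
printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' '#Port 22' \
  '#PermitRootLogin prohibit-password' 'PasswordAuthentication yes' \
  '#PubkeyAuthentication yes' 'Match User backup' '    X11Forwarding no' > "$demo"
harden_sshd "$demo" 2222
cat "$demo"
rm -f "$demo"
# sshd keeps the first value it reads, so a drop-in under sshd_config.d/ (included
# on line 1 above) can still override these; `sshd -T` prints the effective config.
```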
4. Configure the UFW firewall
Level: Essential
UFW (Uncomplicated Firewall) is the recommended firewall solution on Ubuntu/Debian. Apply the principle of least privilege: block everything by default, only open what is necessary.
# Install UFW if missing
apt install ufw -y
# Default policy: block all incoming
ufw default deny incoming
ufw default allow outgoing
# Allow SSH on your new port
ufw allow 2222/tcp
# Allow HTTP/HTTPS if hosting a website
ufw allow 80/tcp
ufw allow 443/tcp
# Enable firewall
ufw enable
# Check status
ufw status verbose
💡 If you connect from a fixed IP, you can restrict SSH to that IP only: ufw allow from YOUR_IP to any port 2222
5. Install Fail2Ban
Level: Essential
Fail2Ban monitors system logs and temporarily bans IPs that make too many failed authentication attempts.
apt install fail2ban -y
# Create a local configuration
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local
# Configure these parameters in [DEFAULT]:
bantime = 3600 # Ban duration (1 hour)
findtime = 600 # Observation window (10 min)
maxretry = 5 # Attempts before ban
# Configure SSH jail:
[sshd]
enabled = true
port = 2222
logpath = /var/log/auth.log
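To show how the three parameters interact, here is the findtime/maxretry/bantime logic re-implemented in awk over constructed auth.log lines (an added example, not fail2ban's own code, and simplified to the "Failed password" pattern).

```bash
#!/bin/bash
# Added example (not part of the original guide): the bantime/findtime/maxretry
# logic configured above, re-implemented in awk over constructed auth.log lines,
# to show which IPs the sshd jail would ban and why the others are left alone.
# Simplified: fail2ban's sshd filter matches more patterns than "Failed password",
# and the sample is confined to a single day, so only the time of day is parsed.

# Constructed sample in Debian auth.log format (TEST-NET addresses).
sample_log() {
  cat <<'EOF'
Jan  1 09:00:00 vps sshd[2001]: Failed password for root from 198.51.100.7 port 4001 ssh2
Jan  1 09:30:00 vps sshd[2002]: Failed password for root from 198.51.100.7 port 4002 ssh2
Jan  1 10:00:00 vps sshd[2003]: Failed password for root from 198.51.100.7 port 4003 ssh2
Jan  1 10:00:01 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan  1 10:00:07 vps sshd[2102]: Failed password for invalid user ubuntu from 203.0.113.5 port 51235 ssh2
Jan  1 10:00:15 vps sshd[2103]: Failed password for invalid user user from 203.0.113.5 port 51236 ssh2
Jan  1 10:00:22 vps sshd[2104]: Failed password for root from 203.0.113.5 port 51237 ssh2
Jan  1 10:00:30 vps sshd[2105]: Accepted publickey for admin_cloudstore from 203.0.113.9 port 60000 ssh2
Jan  1 10:00:31 vps sshd[2106]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan  1 10:30:00 vps sshd[2004]: Failed password for root from 198.51.100.7 port 4004 ssh2
Jan  1 10:59:00 vps sshd[2005]: Failed password for root from 198.51.100.7 port 4005 ssh2
EOF
}

# find_bans FINDTIME MAXRETRY BANTIME, reading log lines on stdin.
# Prints "IP expiry" the first time an IP accumulates MAXRETRY failures inside a
# sliding FINDTIME-second window; expiry is the ban start plus BANTIME seconds.
find_bans() {
  awk -v findtime="$1" -v maxretry="$2" -v bantime="$3" '
    /sshd\[[0-9]+\]: Failed password for/ {
      split($3, t, ":"); now = t[1]*3600 + t[2]*60 + t[3]
      for (i = 4; i <= NF; i++) if ($i == "from") ip = $(i+1)
      n[ip]++; ts[ip, n[ip]] = now
      hits = 0
      for (j = 1; j <= n[ip]; j++) if (now - ts[ip, j] < findtime) hits++
      if (hits >= maxretry && !(ip in banned)) {
        banned[ip] = 1; e = (now + bantime) % 86400
        printf "%s %02d:%02d:%02d\n", ip, e/3600, (e%3600)/60, e%60
      }
    }'
}

# With the guide's values only the burst from 203.0.113.5 is banned; the slow
# attempts from 198.51.100.7 (five spread over two hours) never fit a 600-second window.
sample_log | find_bans 600 5 3600
```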
systemctl enable fail2ban && systemctl restart fail2ban
fail2ban-client status sshd
6. Keep the system up to date
Level: Essential
Security updates fix known vulnerabilities. A rigorous update policy is essential.
# Update manually
apt update && apt upgrade -y && apt autoremove -y
# Enable automatic security updates
apt install unattended-upgrades -y
dpkg-reconfigure --priority=low unattended-upgrades
💡 Configure automatic updates for security patches only. For major updates (e.g., a new PHP or MySQL version), schedule a maintenance window.
7. Manage active services
Level: Intermediate
Each active service is a potential entry point. Disable anything that is not strictly necessary.
# List active services
systemctl list-units --type=service --state=active
# Disable an unnecessary service (example)
systemctl disable bluetooth.service
systemctl stop bluetooth.service
# Check open ports
ss -tuln
- Disable desktop services (cups, avahi-daemon) on a headless VPS.
- Only install strictly necessary software.
- Use ss -tuln regularly to audit open ports.
8. Set up a backup strategy
Level: Intermediate
Ransomware and human errors can end your service in seconds. Regular backups are non-negotiable.
- Enable automatic snapshots from your CLOUDSTORE.AFRICA dashboard
- Configure off-site backup on a second VPS or object storage
- Test backup restoration regularly (at least quarterly)
- Apply the 3-2-1 rule: 3 copies, 2 different media, 1 off-site
- Encrypt backups if they contain sensitive data
# MySQL backup with compression
mysqldump --all-databases | gzip > /backup/mysql_$(date +%Y%m%d).sql.gz
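The mysqldump pipeline above reports gzip's exit status, so a failed dump still looks like success; this added wrapper (not from the original guide) fails loudly and verifies the archive before replacing the previous one, demonstrated here with a constructed dump command in place of mysqldump.

```bash
#!/bin/bash
# Added example (not from the original guide): the mysqldump pipeline above,
# wrapped so a failed dump cannot pass for a good backup. By default a pipeline
# reports gzip's exit status, which is 0 even when mysqldump fails and leaves an
# empty or truncated dump, so a cron job would log success while backing up nothing.

# backup_db DEST_DIR NAME DUMP_CMD [ARGS...]
# Streams DUMP_CMD through gzip into a temp file, verifies the archive, and only
# then renames it into place. Returns non-zero on any failure, leaving the
# previous day's archive untouched.
backup_db() {
  local dest=$1 name=$2; shift 2
  local out="$dest/${name}_$(date +%Y%m%d).sql.gz" tmp
  mkdir -p "$dest" && tmp=$(mktemp "$dest/.${name}.XXXXXX") || return 1
  # pipefail makes the pipeline fail if any stage fails, not just the last one
  if ! ( set -o pipefail; "$@" | gzip > "$tmp" ); then
    echo "backup: dump failed for $name, previous archive kept" >&2
    rm -f "$tmp"; return 1
  fi
  # gzip -t checks integrity, but an empty dump is still a valid gzip stream
  if ! gzip -t "$tmp" || [ "$(gzip -dc "$tmp" | wc -c | tr -d ' ')" -eq 0 ]; then
    echo "backup: archive for $name failed verification" >&2
    rm -f "$tmp"; return 1
  fi
  mv "$tmp" "$out" && echo "$out"
}

# prune_backups DEST_DIR NAME DAYS: delete daily archives older than DAYS days.
prune_backups() { find "$1" -name "${2}_*.sql.gz" -mtime +"$3" -delete; }

# Real use (credentials belong in ~/.my.cnf, not on the command line):
#   backup_db /backup mysql mysqldump --all-databases && prune_backups /backup mysql 14
# Demo with a constructed dump command instead of mysqldump:
dir=$(mktemp -d)
backup_db "$dir" demo printf '%s\n' '-- constructed dump' 'CREATE TABLE t (id INT);'
backup_db "$dir" broken sh -c 'exit 2' || echo "broken dump correctly rejected"
rm -rf "$dir"
```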
# Rsync to remote storage
rsync -avz --delete /var/www/ backup_user@backup-server:/backups/www/
9. Monitor your VPS
Level: Intermediate
Proactive monitoring helps detect intrusions, resource overloads, and abnormal behavior.
# Install Netdata for real-time monitoring
bash <(curl -Ss https://my-netdata.io/kickstart.sh)
# Install logwatch for daily log reports
apt install logwatch -y
logwatch --output mail --mailto your@email.com --detail high
- Monitor CPU, RAM, and disk usage.
- Configure alerts on critical thresholds (CPU > 90%, disk > 80%).
- Regularly check /var/log/auth.log and /var/log/syslog.
- Use the built-in monitoring in your CLOUDSTORE.AFRICA dashboard.
10. Secure your web applications
Level: Advanced
If your VPS hosts web applications, apply these additional measures:
- Install an SSL/TLS certificate (free Let's Encrypt or commercial SSL via CLOUDSTORE.AFRICA)
- Configure HTTP to HTTPS redirection
- Enable HTTP security headers (HSTS, X-Frame-Options, CSP, X-Content-Type-Options)
- Regularly update WordPress, Joomla, and other CMS
- Install a WAF (Web Application Firewall) like ModSecurity with Nginx/Apache
- Disable PHP error display in production (display_errors = Off)
- Use strong passwords for databases and don't expose them publicly
11. Quick security checklist
Verify that you have completed each of these steps:
- ✅ SSH public key authentication (disable password)
- ✅ Non-root user account for administration
- ✅ SSH port changed (not 22)
- ✅ UFW firewall enabled with minimal rules
- ✅ Fail2Ban installed and configured
- ✅ System updated (automatic security updates)
- ✅ Unnecessary services disabled
- ✅ Automatic backups enabled and tested
- ✅ Monitoring in place
- ✅ SSL certificate installed for web services
Need help securing your VPS?
Our team of experts can audit and configure your server for you. Contact us for a custom quote.