If you have just rented a VPS server for your website, side project, or small business, securing it properly is one of the most important tasks you will handle. A VPS gives you power and flexibility, but it also makes you responsible for everything that happens on that machine. Attackers constantly scan the internet for misconfigured servers, weak passwords, and outdated software. The good news: with a simple checklist and a bit of discipline, even beginners can build a solid security baseline. In this guide, I will walk you through the same practical steps I use when preparing a new VPS for clients or personal projects – from first login to backups and ongoing maintenance – using clear explanations and copy‑paste‑friendly commands.
What Makes VPS Security So Critical?
A VPS (Virtual Private Server) behaves like a dedicated server: you get root access, full control over the operating system, and the ability to run almost any service. That freedom is exactly why security matters so much. A single weak point – an open port, a default password, or an unpatched application – can give attackers a way in.
Unlike shared hosting, where the provider manages most of the underlying security, a VPS puts you in the administrator’s seat. If you run a business website, an e‑commerce store, or even a personal blog, a compromised VPS can lead to data leaks, search engine penalties, or blacklisting of your IP address. Before you deploy applications or migrate your site (for example using a process like in this zero-downtime hosting migration guide), you should harden the server itself. Let’s do that step by step.
Step 1: Update and Secure the Base System
Most people log in to a fresh VPS and immediately start installing a web server or database. I strongly recommend starting with the operating system instead. Provider images are built periodically, not daily, so even a brand-new VPS usually ships with packages whose fixes were published weeks ago.
Update all packages
Log in as root (or the user your provider gave you) via SSH, then run:
# Debian/Ubuntu
apt update && apt upgrade -y

# CentOS / Rocky / AlmaLinux
dnf update -y # or, on older releases: yum update -y
This pulls the latest security patches for the kernel, system tools, and libraries. A new kernel only takes effect after a reboot: on Debian/Ubuntu the file /var/run/reboot-required appears when one is needed, and on RHEL-based systems dnf needs-restarting -r (from the dnf-plugins-core package) reports it. Reboot when that is the case:
reboot
Enable automatic security updates (recommended)
On Debian/Ubuntu, install unattended upgrades:
apt install unattended-upgrades -y
dpkg-reconfigure --priority=low unattended-upgrades
On RHEL-based systems, you can use dnf-automatic. Its default configuration only downloads updates; set apply_updates = yes in /etc/dnf/automatic.conf (and, if you want only security fixes, upgrade_type = security) or nothing is ever installed:
dnf install dnf-automatic -y
systemctl enable --now dnf-automatic.timer
Automatic security updates are an easy win, especially if you are new to server administration and might forget to patch manually. They do not reboot the server by themselves: a kernel update stays pending until you reboot, unless you set Unattended-Upgrade::Automatic-Reboot "true" (with a reboot time) in /etc/apt/apt.conf.d/50unattended-upgrades on Debian/Ubuntu.
Step 2: Harden SSH Access
SSH is usually your main entry point to the VPS. That makes it the first thing attackers will probe. Hardening SSH significantly reduces your risk.
Create a new sudo user
Working directly as root is dangerous. Create a regular user with administrative rights:
# Replace "alice" with your desired username
adduser alice
usermod -aG sudo alice # Debian/Ubuntu
# or: usermod -aG wheel alice # RHEL-based
Now you can log in as this user and use sudo for administrator tasks instead of being root all the time.
Set up SSH keys instead of passwords
Passwords can be guessed or brute-forced. SSH keys are far more secure. On your local machine (not on the server), generate a key pair:
ssh-keygen -t ed25519 -C "your_email@example.com"
Accept the default file location and set a passphrase. Then copy your public key to the server:
ssh-copy-id alice@your_server_ip
If ssh-copy-id is not available, append the contents of your local ~/.ssh/id_ed25519.pub to /home/alice/.ssh/authorized_keys on the server. sshd ignores keys in files that other users can write to, so make sure both the directory and the file belong to alice, with modes 700 for ~/.ssh and 600 for authorized_keys. Test the key login from a second terminal before you continue: the next step removes password logins, and you need a working key before that happens.
Disable password authentication and root login
Once key-based login works for your new user, lock down SSH. Edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Find and set the following options (uncomment them if necessary). One trap: on Ubuntu and recent Debian, sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for a keyword, so a drop-in in that directory (cloud images often ship 50-cloud-init.conf containing PasswordAuthentication yes) silently wins over whatever you set further down in the main file. Check that directory too and fix or remove such drop-ins.
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Save the file, run sudo sshd -t to catch syntax errors (a broken config means sshd will not start again), then restart SSH. Keep your current session open until you have confirmed from a second terminal that your key login still works:
sudo systemctl restart sshd # the unit is called ssh on Debian/Ubuntu; sshd works there through an alias
From now on, only users with valid SSH keys can log in, and root access over SSH is blocked. Confirm the live result with sudo sshd -T, which prints the effective value of every option after all includes are resolved; if passwordauthentication still reads yes, a drop-in file is overriding your edit. This single change removes the bulk of the automated password-guessing traffic a new server sees.
(Optional) Change the default SSH port
Changing the SSH port from 22 to something non‑standard is not a security silver bullet, but it reduces noise from automated scans and keeps your auth log readable. On RHEL-based systems with SELinux enforcing, sshd is only allowed to bind its standard port until you register the new one with semanage port -a -t ssh_port_t -p tcp 2222 (semanage comes from the policycoreutils-python-utils package). In /etc/ssh/sshd_config change:
Port 22
to something like:
Port 2222
Restart SSH and update your firewall rules accordingly (we will set up a firewall in the next step; Fail2ban in Step 4 also needs to know the new port). Before you close your current session, connect using the new port from a second terminal:
ssh -p 2222 alice@your_server_ip
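The two mistakes that cause most lockouts at this step are editing a keyword that a drop-in file already set (sshd keeps the first value it reads) and restarting before checking. The script below is an added example of mine, not part of the original guide: it reads an sshd configuration the way sshd resolves precedence (first occurrence outside Match blocks wins, keywords are case-insensitive, "Key value" and "Key=value" are both accepted) and prints PASS/FAIL for the three settings above plus the effective port. It does not follow Include lines, so on a live server feed it the output of sudo sshd -T, which is the fully resolved configuration. The two config files it writes are constructed for the demo; the "weak" one inlines what a cloud image's drop-in would do.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): audit an sshd configuration
# for the settings this section hardens.
# Precedence rule implemented: sshd uses the FIRST value it reads for a
# keyword; lines inside a "Match" block apply only to matching sessions and
# are ignored here. Include lines are not followed, so on a real server run:
#   sudo sshd -T > /tmp/effective.conf && audit_sshd /tmp/effective.conf

# effective_value <keyword> <file>: print the first global value of a
# keyword (lower-cased), or nothing if the file never sets it.
effective_value() {
    awk -v key="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        { sub(/^[ \t]+/, "") }                 # strip indentation
        /^#/ || /^$/ { next }                  # comments and blank lines
        { split($0, f, /[ \t=]+/) }            # "Key value" or "Key=value"
        tolower(f[1]) == "match" { in_match = 1; next }
        in_match { next }                      # conditional block, skip it
        tolower(f[1]) == key { print tolower(f[2]); exit }
    ' "$2"
}

# check <name> <actual> <expected>: one result line, non-zero on mismatch
check() {
    if [ "$2" = "$3" ]; then
        printf 'PASS %-24s %s\n' "$1" "$2"
    else
        printf 'FAIL %-24s %s (want %s)\n' "$1" "$2" "$3"
        return 1
    fi
}

# audit_sshd <file>: returns 0 only if all three settings are hardened.
# A keyword the file never sets falls back to sshd's compiled-in default.
audit_sshd() {
    local file=$1 rc=0 v
    v=$(effective_value PermitRootLogin "$file");        : "${v:=prohibit-password}"
    check PermitRootLogin "$v" no || rc=1
    v=$(effective_value PasswordAuthentication "$file"); : "${v:=yes}"
    check PasswordAuthentication "$v" no || rc=1
    v=$(effective_value PubkeyAuthentication "$file");   : "${v:=yes}"
    check PubkeyAuthentication "$v" yes || rc=1
    v=$(effective_value Port "$file");                   : "${v:=22}"
    printf 'INFO %-24s %s (allow this port in the firewall first)\n' Port "$v"
    return "$rc"
}

# make_demo_config <hardened|weak>: write a constructed config to a temp
# file and print its path. The "weak" one mimics a cloud image whose
# drop-in (inlined here) sets PasswordAuthentication yes BEFORE the line
# the admin edited: grep for "PasswordAuthentication no" would be fooled.
make_demo_config() {
    local f
    f=$(mktemp)
    if [ "$1" = hardened ]; then
        cat > "$f" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
    else
        cat > "$f" <<'EOF'
PasswordAuthentication yes
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication no
EOF
    fi
    printf '%s\n' "$f"
}

# Stand-alone demo on the two constructed files
for kind in hardened weak; do
    f=$(make_demo_config "$kind")
    echo "== $kind config =="
    if audit_sshd "$f"; then echo "result: hardened"; else echo "result: NOT hardened"; fi
    rm -f "$f"
done
```

The hardened demo file deliberately contains a Match block that re-enables passwords for one user, and the audit still passes it: Match blocks are per-session exceptions that a global check cannot judge. Review them by eye, or ask sshd directly with sudo sshd -T -C user=backup, which prints the values that would apply to that user.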
Step 3: Configure a Simple, Strong Firewall
A firewall controls which network traffic can reach your VPS. The idea is simple: block everything by default, then explicitly allow only what you need (for example SSH, HTTP, and HTTPS).
Using UFW on Debian/Ubuntu
UFW (Uncomplicated Firewall) is beginner‑friendly and powerful enough for most small servers. Its policy is already deny-incoming, allow-outgoing, so all you add are the allow rules for the services you expose, and each rule applies to IPv6 as well as IPv4:
sudo apt install ufw -y

# Allow SSH (use your actual port if you changed it)
sudo ufw allow 22/tcp

# Allow HTTP and HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Enable the firewall
sudo ufw enable
sudo ufw status verbose
Be careful: always allow your SSH port before enabling UFW, otherwise you might lock yourself out.
Using firewalld on RHEL-based systems
On CentOS/Rocky/AlmaLinux, the default is usually firewalld. If you moved SSH to another port, use --add-port=2222/tcp instead of --add-service=ssh, and remove the ssh service once the new port is confirmed working:
sudo systemctl enable --now firewalld
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
sudo firewall-cmd --list-all
Later, when you add services (databases, monitoring, etc.), remember to keep your firewall rules minimal and only expose what truly needs to be public.
Step 4: Protect Against Brute-Force and Abuse
Even with SSH keys and a firewall, your VPS will still see connection attempts. Tools like Fail2ban help by blocking IPs that show suspicious behavior, such as repeated failed logins.
Install and configure Fail2ban
On Debian/Ubuntu:
sudo apt install fail2ban -y
On RHEL-based systems, Fail2ban comes from the EPEL repository, so enable that first:
sudo dnf install epel-release -y
sudo dnf install fail2ban -y
Then, on either distribution, make sure the service starts at boot:
sudo systemctl enable --now fail2ban
Create a local configuration file to override defaults:
sudo nano /etc/fail2ban/jail.local
Add something like:
[sshd]
enabled = true
# if you changed the SSH port, put the number here instead: port = 2222
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
findtime = 600
bantime = 3600
This bans an address for an hour (bantime) after five failures (maxretry) within ten minutes (findtime). Adjust logpath if your distribution uses a different file (/var/log/secure on RHEL-based systems). On Debian 12 and newer, sshd logs only to the systemd journal unless rsyslog is installed; there, replace the logpath line with backend = systemd, otherwise Fail2ban refuses to start because the log file does not exist. Restart Fail2ban:
sudo systemctl restart fail2ban
You can check active jails and banned IPs with the commands below. If you ever ban your own address, sudo fail2ban-client unban your_ip releases it; better, list your home or office IP under ignoreip in the [DEFAULT] section of jail.local so it is never banned in the first place.
sudo fail2ban-client status
sudo fail2ban-client status sshd
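To see what the maxretry/findtime rule above actually does to a log, here is an added example of mine (not Fail2ban's code and not from the original guide) that runs the same sliding-window rule over a few constructed auth.log lines: an address is reported when it produces maxretry failures within any findtime-second window. It counts the three sshd messages that matter, "Failed password", "Invalid user", and "Connection closed by authenticating/invalid user ... [preauth]"; the last one is the only trace a password probe leaves once password logins are disabled. The log excerpt is constructed and uses documentation IP ranges.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide or Fail2ban): apply the
# maxretry/findtime rule from the jail above to sshd log lines.

# ssh_bruteforcers <logfile> [maxretry] [findtime-seconds]
# Prints, sorted, every source address that produced at least maxretry
# failed SSH logins within any findtime-second window.
ssh_bruteforcers() {
    awk -v maxretry="${2:-5}" -v findtime="${3:-600}" '
        BEGIN {
            # days before each month (non-leap year) to turn the syslog
            # "Mon DD HH:MM:SS" stamp into seconds (the year is not logged)
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            split("0 31 59 90 120 151 181 212 243 273 304 334", d, " ")
            for (i = 1; i <= 12; i++) dayofs[m[i]] = d[i]
        }
        # sshd failure signatures, including the one a key-only server
        # logs for a rejected password probe
        /Failed password for/ || /Invalid user/ ||
        /Connection closed by (authenticating|invalid) user/ {
            # in all three messages the source address precedes "port"
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "port") { ip = $(i-1); break }
            if (ip == "") next
            split($3, t, ":")
            ts = (dayofs[$1] + $2 - 1) * 86400 + t[1]*3600 + t[2]*60 + t[3]
            n[ip]++
            seen[ip, n[ip]] = ts
            # sliding window: the maxretry-th most recent failure from this
            # address must be no older than findtime seconds
            if (n[ip] >= maxretry && ts - seen[ip, n[ip] - maxretry + 1] <= findtime)
                banned[ip] = 1
        }
        END { for (ip in banned) print ip }
    ' "$1" | sort
}

# make_demo_authlog: constructed auth.log excerpt written to a temp file
# whose path is printed. 192.0.2.44 fails slowly (one try per 30 min),
# 203.0.113.7 is a classic burst, 198.51.100.9 is a user who mistyped
# twice and then logged in with a key.
make_demo_authlog() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar 10 01:00:05 vps sshd[2001]: Failed password for root from 192.0.2.44 port 41000 ssh2
Mar 10 01:30:05 vps sshd[2003]: Failed password for root from 192.0.2.44 port 41010 ssh2
Mar 10 02:00:05 vps sshd[2005]: Failed password for root from 192.0.2.44 port 41020 ssh2
Mar 10 02:30:05 vps sshd[2007]: Failed password for root from 192.0.2.44 port 41030 ssh2
Mar 10 03:00:05 vps sshd[2009]: Failed password for root from 192.0.2.44 port 41040 ssh2
Mar 10 03:14:01 vps sshd[2101]: Invalid user admin from 203.0.113.7 port 50222
Mar 10 03:14:02 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50222 ssh2
Mar 10 03:14:05 vps sshd[2104]: Invalid user oracle from 203.0.113.7 port 50231
Mar 10 03:14:06 vps sshd[2104]: Connection closed by invalid user oracle 203.0.113.7 port 50231 [preauth]
Mar 10 03:14:09 vps sshd[2108]: Connection closed by authenticating user root 203.0.113.7 port 50240 [preauth]
Mar 10 03:14:12 vps sshd[2110]: Connection closed by authenticating user root 203.0.113.7 port 50244 [preauth]
Mar 10 03:15:00 vps sshd[2200]: Failed password for alice from 198.51.100.9 port 52000 ssh2
Mar 10 03:15:04 vps sshd[2200]: Failed password for alice from 198.51.100.9 port 52000 ssh2
Mar 10 03:15:09 vps sshd[2200]: Accepted publickey for alice from 198.51.100.9 port 52000 ssh2: ED25519 SHA256:constructed
Mar 10 03:15:09 vps sshd[2200]: pam_unix(sshd:session): session opened for user alice(uid=1000) by (uid=0)
EOF
    printf '%s\n' "$f"
}

# Stand-alone demo: the same log under two findtime values
log=$(make_demo_authlog)
echo "maxretry=5 findtime=600:  $(ssh_bruteforcers "$log" 5 600 | tr '\n' ' ')"
echo "maxretry=5 findtime=7200: $(ssh_bruteforcers "$log" 5 7200 | tr '\n' ' ')"
rm -f "$log"
```

The slow attacker at 192.0.2.44 is the point of the second run: with the default ten-minute window it is never banned, because no five of its attempts fall within 600 seconds, while a two-hour window catches it. Patient, low-rate guessing is exactly what a short findtime lets through, which is one more reason to disable passwords outright rather than rely on banning alone.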
Step 5: Reduce Your Attack Surface
The more software you install, the larger the attack surface. Part of VPS security is simply not running what you don’t need.
Remove unused packages and services
List the services that are running right now, then the ones enabled to start at boot (list-unit-files shows the boot configuration whether or not a service is currently running):
sudo systemctl list-units --type=service --state=running
sudo systemctl list-unit-files --type=service
Disable what you don’t use. For example, if you don’t need an FTP server:
sudo systemctl disable --now vsftpd
Similarly, remove unused software:
sudo apt remove --purge package-name
sudo apt autoremove -y
or on RHEL-based systems:
sudo dnf remove package-name -y
Close unnecessary ports
Use ss or netstat to see which ports are open:
sudo ss -tulpn
If you see a service you don't need to reach from the internet (for example a database or an internal admin panel) listening on 0.0.0.0 or [::], which means all interfaces, either bind it to 127.0.0.1 (localhost) in its own configuration or disable it completely. A firewall rule is only a second line of defence here: a service bound to localhost stays unreachable even if the firewall is later misconfigured or flushed.
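Reading ss -tulpn by eye gets tedious once a server runs a dozen things, so here is an added example of mine (not from the original guide) that turns the check into a script: it parses ss -tulpn output, keeps only sockets bound to a wildcard address (0.0.0.0, [::] or *), drops the ports you intend to expose, and prints what is left with the owning process. The ss output it runs on is constructed for the demo; the process names and ports in it are illustrative.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): find sockets bound to all
# interfaces whose port is not on the allow-list, from `ss -tulpn` output.

# exposed_listeners <ss-output-file> <allowed-ports, comma separated>
# Prints "proto port process" for every listener on a wildcard address
# (0.0.0.0, [::] or *) whose port is not allowed. Loopback binds and
# allowed ports are ignored. On a live server:
#   sudo ss -tulpn > /tmp/ss.txt && exposed_listeners /tmp/ss.txt 22,80,443
exposed_listeners() {
    awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "Netid" { next }                    # column header
        {
            # "Local Address:Port" is field 5; take the port after the LAST
            # colon so IPv6 literals such as [::]:80 split correctly
            n = split($5, p, ":")
            port = p[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            if (addr != "0.0.0.0" && addr != "[::]" && addr != "*") next
            if (port in ok) next
            proc = "?"
            # first quoted string in users:(("name",pid=...)) is the process
            if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
            print $1, port, proc
        }
    ' "$1" | sort -u
}

# make_demo_ss: constructed `ss -tulpn` output written to a temp file
# whose path is printed. MariaDB and a Node app are exposed by mistake;
# Redis is correctly bound to loopback only.
make_demo_ss() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=412,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=701,fd=4))
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=900,fd=6))
tcp   LISTEN 0      511    [::]:443            [::]:*            users:(("nginx",pid=900,fd=8))
tcp   LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*         users:(("mariadbd",pid=1001,fd=21))
tcp   LISTEN 0      4096   *:9090              *:*               users:(("node",pid=1200,fd=18))
tcp   LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=1300,fd=6))
tcp   LISTEN 0      128    [::1]:6379          [::]:*            users:(("redis-server",pid=1300,fd=7))
EOF
    printf '%s\n' "$f"
}

# Stand-alone demo
f=$(make_demo_ss)
echo "Listening on all interfaces but not on the allow-list (22,80,443):"
exposed_listeners "$f" 22,80,443
rm -f "$f"
```

Run it after every deployment and after every firewall change; if you moved SSH to 2222, pass that port instead of 22 and the script will flag a daemon still listening on 22. Note that a wildcard bind is not by itself a vulnerability if the firewall blocks the port, but it is the thing that turns a later firewall mistake into an exposed database.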
Secure web traffic with HTTPS
If your VPS serves websites or APIs, encrypting traffic with HTTPS is a must. Beyond security, modern browsers and search engines expect it. For a deeper walkthrough on certificates and migration, see the guides on moving from HTTP to HTTPS without losing SEO and choosing the right SSL certificate type.
At a high level, you should:
- Obtain a TLS (SSL) certificate, from a public CA such as Let's Encrypt or from your hosting provider such as DCHost
- Configure your web server (Nginx/Apache) to serve HTTPS on port 443
- Redirect all HTTP traffic (port 80) to HTTPS
This prevents attackers from sniffing credentials or session cookies in transit.
Take DNS and email configuration seriously
Misconfigured DNS or email records can also open doors for phishing and spoofing. If your VPS is responsible for email, implement proper MX, SPF, DKIM, and DMARC records so others cannot easily impersonate your domain. For a step‑by‑step walkthrough, see the article on setting up professional email with MX, SPF, DKIM and DMARC. Understanding DNS basics through guides such as what DNS records like A, CNAME, MX and TXT do will also help you avoid configuration mistakes.
Step 6: Implement Backups and Recovery
Security is not only about preventing attacks; it is also about recovering quickly when something goes wrong. Mistyped commands, faulty updates, or compromised applications can all damage your data. Backups are your safety net.
Decide what to back up
At minimum, you should back up:
- Application code and configuration files
- Databases (MySQL, PostgreSQL, etc.)
- Important system configuration: web server configs, firewall rules, cron jobs
For strategic advice on this topic, you can review the guide on server backup strategies and practical tips.
Automate database and file backups
For example, to back up a MySQL/MariaDB database daily, create a simple script. It reads the database credentials from /root/.my.cnf (create that file with mode 600) instead of the command line, so the password never shows up in process listings, and uses --single-transaction so InnoDB tables are dumped consistently without locking them:
#!/bin/bash
set -euo pipefail
umask 077 # the dump contains your data; keep it readable by root only
BACKUP_DIR=/var/backups/mysql
DB_NAME=mydatabase
DATE=$(date +%F)
mkdir -p "$BACKUP_DIR"
# credentials come from /root/.my.cnf, not from the command line
mysqldump --single-transaction "$DB_NAME" | gzip > "$BACKUP_DIR/${DB_NAME}_$DATE.sql.gz"
Save it as /usr/local/bin/db-backup.sh, make it executable, and schedule it in root's crontab:
chmod +x /usr/local/bin/db-backup.sh
crontab -e
# Add:
0 2 * * * /usr/local/bin/db-backup.sh
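The script above has a weakness common to most first backup scripts: a plain "mysqldump | gzip" reports only gzip's exit status, so a failed dump still produces a perfectly valid, nearly empty archive, and nothing ever deletes old files. The helper below is an added example of mine (not from the original guide) that fixes both: it runs the producer command on its own and checks its exit status, verifies the archive with gzip -t, records a SHA-256 checksum for the copy you ship elsewhere, and prunes archives older than a retention period. The mysqldump invocation in the comments is how you would call it on a real server; the demo at the bottom uses printf as a constructed stand-in for the dump.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): a backup helper that refuses
# to keep a broken archive and prunes old ones. The producer is whatever
# emits the data on stdout; on a real server that would be, for instance:
#   backup_run mydatabase /var/backups/mysql 14 -- mysqldump --single-transaction mydatabase
# with credentials in /root/.my.cnf (mode 600), off the command line.

sha256_tool() {  # sha256sum on Linux, shasum elsewhere
    if command -v sha256sum > /dev/null 2>&1; then echo sha256sum; else echo "shasum -a 256"; fi
}

# backup_run <name> <dest-dir> <keep-days> -- <producer command...>
# Writes <dest>/<name>_<stamp>.gz and a .sha256 beside it, verifies the
# archive, deletes archives older than keep-days, prints the new path.
# Returns non-zero and leaves no partial file if the producer or gzip fails.
backup_run() {
    local name=$1 dest=$2 keep=$3
    shift 3
    [ "$1" = "--" ] && shift
    umask 077                                   # dumps contain your data
    mkdir -p "$dest"
    local out tmp
    out="$dest/${name}_$(date +%F_%H%M%S)_$$.gz"
    tmp="$out.part"
    # Run the producer into a temp file first so its OWN exit status is
    # checked; "cmd | gzip" alone only reports gzip's status.
    if ! "$@" > "$tmp.raw" 2>/dev/null; then
        rm -f "$tmp.raw"
        echo "backup_run: producer failed for $name" >&2
        return 1
    fi
    if ! gzip -9 < "$tmp.raw" > "$tmp"; then
        rm -f "$tmp.raw" "$tmp"
        return 1
    fi
    rm -f "$tmp.raw"
    # gzip -t decompresses the whole archive; a truncated file fails here
    if ! gzip -t "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "backup_run: archive failed verification for $name" >&2
        return 1
    fi
    mv "$tmp" "$out"
    # checksum file holds a relative name so "-c" works after copying
    ( cd "$dest" && $(sha256_tool) "$(basename "$out")" ) > "$out.sha256"
    # retention: remove archives and checksums older than keep-days
    find "$dest" -name "${name}_*.gz" -mtime +"$keep" -exec rm -f {} +
    find "$dest" -name "${name}_*.gz.sha256" -mtime +"$keep" -exec rm -f {} +
    printf '%s\n' "$out"
}

# verify_backup <archive>: recheck the checksum and the archive. Run it on
# the machine you copied the backup TO, not only where it was made.
verify_backup() {
    local dir base
    dir=$(dirname "$1")
    base=$(basename "$1")
    ( cd "$dir" && $(sha256_tool) -c --status "$base.sha256" ) && gzip -t "$1"
}

# Stand-alone demo: printf stands in for mysqldump (constructed data)
demo=$(mktemp -d)
archive=$(backup_run demo_db "$demo" 14 -- printf 'CREATE TABLE t (id INT);\n')
echo "wrote $archive"
verify_backup "$archive" && echo "verified OK"
rm -rf "$demo"
```

Keep the retention short on the VPS itself (two weeks is plenty for a quick rollback) and let the offsite copy hold the long history; the .sha256 file travels with the archive so the remote side can run verify_backup and prove the copy is intact, which a successful scp alone does not.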
Store backups on a different server or object storage when possible, not only on the VPS itself: an attacker who gets root, or a disk failure, takes the local copies with it. Many providers (including DCHost) offer external backup or snapshot options that are worth enabling. A backup you have never restored is only a hope; unpack one on a test system now and then and confirm the application actually starts from it.
Step 7: Monitor, Log, and Maintain Your VPS
A secure VPS today can slowly become insecure if you never look at it again. Ongoing monitoring and maintenance are part of the game.
Review logs regularly
System logs tell you what is happening on your server. Key files include:
- /var/log/auth.log or /var/log/secure – authentication attempts, sudo usage
- /var/log/nginx/ or /var/log/apache2/ – web server access and error logs
- /var/log/syslog or /var/log/messages – general system messages
On systems that log only to the systemd journal (Debian 12 and newer by default), the same information is available through journalctl, for example journalctl -u ssh (or -u sshd on RHEL-based systems) for SSH and journalctl -p err for errors.
Look out for repeated failed logins, strange user agents, or requests targeting /wp-admin and similar paths if you are not running those applications.
Apply updates on a regular schedule
Even if you have automatic security updates, plan a routine:
- Weekly: check for updates, review logs, verify backups
- Monthly: audit user accounts, SSH keys, firewall rules
- After major changes: test recovery from backups
For more high-level advice, you can also look at resources like server security essentials you need to know and general web hosting security recommendations to compare your setup against best practices.
Use a reliable VPS provider and data center
Your own hardening efforts work best when combined with a trustworthy infrastructure provider. Look for vendors with strong data center security, DDoS protection, and clear backup options. If you are still evaluating where to host your VPS, consider solutions from providers like DCHost, which focus on performance, network reliability, and security-focused features suitable for both beginners and advanced users.
Bringing It All Together
Securing a VPS can seem intimidating at first, but in practice it comes down to a sequence of clear, manageable steps. You start by updating the operating system, hardening SSH access, and enabling a basic firewall. Then you add layers of protection such as Fail2ban, careful service management, and HTTPS for your web traffic. Finally, you ensure resilience with backups, monitoring, and a simple maintenance routine. None of these steps require you to be a full-time system administrator; they just require patience and a willingness to follow a checklist.
If you work through the steps in this guide, your VPS will already be far more secure than the vast majority of unconfigured servers exposed on the internet. From there, you can build on this foundation with application-specific security, Web Application Firewalls, or more advanced monitoring as your projects grow. Whether you are hosting a WordPress blog, a small business site, or a personal lab environment, investing a bit of time now will save you many headaches later. When you are ready to scale up or launch new projects, choosing a solid provider like DCHost and combining it with the practices above will give your VPS a strong, professional security posture.