Every minute your VPS is online, it is being scanned by bots looking for vulnerabilities. The good news? You can dramatically improve your server security in just 30 minutes with these proven techniques.

This guide covers the essential security hardening steps every VPS owner should take — whether you are hosting a WordPress site, a self-hosted application, or a development environment.

Recommended VPS Specifications

  • CPU: 1-2 vCPU minimum
  • RAM: 2GB minimum (4GB recommended)
  • Storage: 30GB+ SSD
  • OS: Ubuntu 22.04 LTS or 24.04 LTS
  • Access: Root/sudo access and DNS control

Why VPS Security Matters

A compromised VPS can lead to:

  • Data theft: Customer data, credentials, and proprietary information exposed
  • Resource abuse: Your server used for crypto mining, spam, or DDoS attacks
  • Ransomware: Data encrypted and held hostage
  • Collateral damage: Your server used to attack others, damaging your reputation

The techniques in this guide follow the principle of defence in depth — multiple layers of security that work together to protect your server.

What You Will Need

For this guide, you will need:

  • Root or sudo access to your VPS
  • SSH access
  • 15-30 minutes of time

We recommend a Cloud VPS with at least 1GB RAM for most applications. All commands in this guide are tested on Ubuntu 22.04/24.04.

Step 1: Update Everything (2 minutes)

Before making any security changes, ensure your system is fully updated:

sudo apt update && sudo apt upgrade -y
sudo apt autoremove -y

Enable automatic security updates:

sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

Select “Yes” when prompted to automatically download and install security updates.

Step 2: Secure SSH Access (5 minutes)

SSH is your primary entry point — and the most common attack vector. Secure it properly.

Create a Non-Root User

Never log in directly as root. Create a dedicated user with sudo privileges:

# Create user
sudo adduser deploy

# Add to sudo group
sudo usermod -aG sudo deploy

Set Up SSH Key Authentication

On your local machine, generate an SSH key:

ssh-keygen -t ed25519 -C "your-email@example.com"

Copy the public key to your VPS:

ssh-copy-id -i ~/.ssh/id_ed25519.pub deploy@your-server-ip

Disable Root Login and Password Authentication

Edit the SSH configuration:

sudo nano /etc/ssh/sshd_config

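Change or add these settings. On Ubuntu, files in /etc/ssh/sshd_config.d/ are included at the top of sshd_config and sshd keeps the first value it reads for each keyword, so check those files for conflicting values (cloud-init can create one that sets PasswordAuthentication yes):

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# KbdInteractiveAuthentication is the current name for ChallengeResponseAuthentication
KbdInteractiveAuthentication no
# Keep PAM on for account and session handling; with the two password
# methods above disabled it is no longer used to authenticate
UsePAM yes

Restart SSH (the service unit is named ssh on Ubuntu):

sudo systemctl restart ssh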

Important: Keep your current SSH session open and test logging in from a new terminal before closing the original. If something breaks, you can still fix it.
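A check for the settings in this step, as an added example that is not part of the original guide: `sshd -T` prints the effective configuration, drop-in files included, and the function below compares it with the values set above. The function name `audit_sshd` and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# audit_sshd: read `sshd -T` output on stdin, compare it with the values
# set in this step, print one line per problem, return 1 if any is found.
audit_sshd() {
    awk '
        BEGIN {
            # expected effective values (sshd -T prints keywords in lowercase)
            spec = "permitrootlogin=no passwordauthentication=no"
            spec = spec " pubkeyauthentication=yes kbdinteractiveauthentication=no"
            n = split(spec, p, " ")
            for (i = 1; i <= n; i++) {
                split(p[i], kv, "="); key[i] = kv[1]; want[kv[1]] = kv[2]
            }
        }
        ($1 in want) { have[$1] = $2 }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = key[i]
                if (!(k in have)) { print "MISSING " k; bad = 1 }
                else if (have[k] != want[k]) {
                    print "MISMATCH " k " = " have[k] " (want " want[k] ")"; bad = 1
                }
            }
            exit bad
        }
    '
}

# Constructed excerpts of `sshd -T` output (not from a real host)
SAMPLE_HARDENED='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'
# The same host with a drop-in file that re-enables passwords
SAMPLE_OVERRIDDEN='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

printf '%s\n' "$SAMPLE_OVERRIDDEN" | audit_sshd || true
# On the server: sudo sshd -T | audit_sshd
```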

Step 3: Install and Configure UFW Firewall (3 minutes)

UFW (Uncomplicated Firewall) provides a simple interface for managing iptables rules.

# Install UFW
sudo apt install -y ufw

# Allow SSH (CRITICAL - do this before enabling!)
sudo ufw allow OpenSSH
# If you changed SSH port: sudo ufw allow 2222/tcp

# Allow HTTP and HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Enable firewall
sudo ufw enable

Verify status:

sudo ufw status verbose

Default policy should be: deny incoming, allow outgoing.

Step 4: Install Fail2Ban (5 minutes)

Fail2Ban automatically bans IPs that show malicious activity — like repeated failed login attempts.

sudo apt install -y fail2ban

Create a local configuration file:

sudo nano /etc/fail2ban/jail.local

Add this configuration:

[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
ignoreip = 127.0.0.1/8

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400

Start and enable Fail2Ban:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Check status:

sudo fail2ban-client status sshd
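How the maxretry and findtime values above interact, as an added example that is not Fail2Ban's own code: the function flags an address once it has `maxretry` failures inside a sliding `findtime` window. The function name `would_ban` is hypothetical, and the log lines are constructed, use the traditional syslog timestamp format, and are assumed to fall on a single day.

```shell
#!/bin/sh
# would_ban MAXRETRY FINDTIME: read auth.log lines on stdin and print each
# address once it reaches MAXRETRY failures inside FINDTIME seconds.
# Simplified stand-in for the sshd filter: only two message types are
# matched and all timestamps are assumed to fall on the same day.
would_ban() {
    awk -v maxretry="$1" -v findtime="$2" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user) / {
            split($3, t, ":")
            now = t[1] * 3600 + t[2] * 60 + t[3]
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "" || (ip in banned)) next
            # record the failure, then expire entries older than findtime
            hi[ip]++
            ts[ip, hi[ip]] = now
            while (now - ts[ip, lo[ip] + 1] > findtime) lo[ip]++
            if (hi[ip] - lo[ip] >= maxretry) { banned[ip] = 1; print ip }
        }
    '
}

# Constructed auth.log lines using documentation-range addresses
SAMPLE_AUTH_LOG='Mar  3 10:00:01 vps sshd[1201]: Invalid user admin from 203.0.113.5 port 51234
Mar  3 10:02:10 vps sshd[1207]: Failed password for root from 203.0.113.5 port 51301 ssh2
Mar  3 10:03:00 vps sshd[1210]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar  3 10:04:30 vps sshd[1215]: Failed password for root from 203.0.113.5 port 51377 ssh2
Mar  3 10:05:00 vps sshd[1220]: Invalid user test from 192.0.2.44 port 33910
Mar  3 10:20:00 vps sshd[1290]: Invalid user test from 192.0.2.44 port 33977
Mar  3 10:21:00 vps sshd[1291]: Invalid user test from 192.0.2.44 port 33981'

# [sshd] jail values from the configuration above: maxretry = 3, findtime = 600
printf '%s\n' "$SAMPLE_AUTH_LOG" | would_ban 3 600
```

The second address is never listed at these settings because its first failure has aged out of the 600-second window by the time the later two arrive.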

Step 5: Secure Shared Memory (2 minutes)

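Some attacks exploit shared memory. Restrict it so that files placed there cannot be executed or run setuid:

sudo nano /etc/fstab

Add this line at the end (on Ubuntu 22.04/24.04 the mount point is /dev/shm; /run/shm is the path from older releases):

tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0

Remount:

sudo mount -o remount /dev/shm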

Step 6: Harden Kernel Parameters (3 minutes)

Network-level protections against common attacks:

sudo nano /etc/sysctl.conf

Add or uncomment these settings:

# Ignore ICMP ping requests
net.ipv4.icmp_echo_ignore_all = 1

# Ignore bogus ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Turn on SYN cookies for SYN flood protection
net.ipv4.tcp_syncookies = 1

# Turn off source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Do not send ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Do not accept ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

Apply changes:

sudo sysctl -p
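A way to confirm that the running kernel holds the values from the file, as an added example that is not part of the original guide: it catches mistyped key names and values changed later by another file or tool. The function name `verify_sysctl` and its optional second argument (an alternate root directory, useful for testing) are assumptions.

```shell
#!/bin/sh
# verify_sysctl CONF [PROCROOT]: compare every "key = value" line in CONF
# with the live value under PROCROOT (default /proc/sys).
# Prints one line per difference and returns 1 if any is found.
# Intended for single-value keys such as the ones in this step.
verify_sysctl() {
    conf=$1 root=${2:-/proc/sys} rc=0
    while IFS= read -r line; do
        # drop comments, then skip anything that is not key = value
        line=${line%%#*}
        case $line in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        want=$(printf '%s' "${line#*=}" | tr -d ' \t')
        # net.ipv4.tcp_syncookies -> $root/net/ipv4/tcp_syncookies
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ ! -r "$path" ]; then
            echo "UNKNOWN $key"
            rc=1
        else
            have=$(tr -d ' \t\n' < "$path")
            if [ "$have" != "$want" ]; then
                echo "DRIFT $key = $have (want $want)"
                rc=1
            fi
        fi
    done < "$conf"
    return $rc
}

# On the server: verify_sysctl /etc/sysctl.conf
```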

Step 7: Install a Host-Based Intrusion Detection System (5 minutes)

For continuous monitoring, install OSSEC or Wazuh. Here is a quick setup with OSSEC:

# Install dependencies
sudo apt install -y build-essential make zlib1g-dev libssl-dev libpcre2-dev

# Download OSSEC (check for latest version)
wget https://github.com/ossec/ossec-hids/releases/download/3.6.0/ossec-hids-3.6.0.tar.gz

tar -xzf ossec-hids-3.6.0.tar.gz
cd ossec-hids-3.6.0

# Run installer (select local installation)
sudo ./install.sh

Follow the prompts for a local installation. OSSEC will then provide file integrity monitoring, rootkit detection, and log analysis.

Step 8: Configure Log Monitoring (2 minutes)

Ensure logs are being captured and rotated properly:

# Install logwatch for daily summaries
sudo apt install -y logwatch

# Configure daily email reports (optional)
sudo nano /etc/cron.daily/00logwatch

Or use a centralized logging solution if you manage multiple servers.

Step 9: Disable Unnecessary Services (2 minutes)

Review running services:

sudo ss -tulpn

Disable anything you do not need:

# Example: disable printing service if not needed
sudo systemctl stop cups
sudo systemctl disable cups

Step 10: Set Up Regular Backups (3 minutes)

Security is not just about prevention — it is also about recovery. Ensure you have automated backups.

For simple file backups:

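sudo apt install -y restic

# Store the repository password where only root can read it
# (/root/.restic-password is an example path; put the passphrase on one line)
sudo install -m 600 /dev/null /root/.restic-password
sudo nano /root/.restic-password

# Initialize a repository (local or S3/B2)
sudo restic init -r /backup/repo --password-file /root/.restic-password

# Create a backup script
cat << 'EOF' | sudo tee /usr/local/bin/backup.sh
#!/bin/bash
set -euo pipefail
# cron cannot answer a password prompt, so restic reads it from the file
export RESTIC_PASSWORD_FILE=/root/.restic-password
restic -r /backup/repo backup /etc /home /var/www
# --prune frees the space held by the snapshots that forget removes
restic -r /backup/repo forget --keep-daily 7 --keep-weekly 4 --prune
EOF

sudo chmod +x /usr/local/bin/backup.sh

# Add to cron (daily at 2 AM)
echo "0 2 * * * root /usr/local/bin/backup.sh" | sudo tee -a /etc/crontab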

For full server backups, check if your VPS provider offers snapshot backups. Canadian Web Hosting Cloud VPS includes automated daily snapshots.

Verification Checklist

After completing the steps above, verify your setup:

  • SSH: Can you log in with your key only (not password)?
  • Firewall: Does sudo ufw status show only allowed ports?
  • Fail2Ban: Is it running with sudo systemctl status fail2ban?
  • Updates: Are automatic updates configured?
  • Backups: Have you tested restoring from backup?

Additional Security Recommendations

For production servers, also consider:

  • SSL/TLS: Use Let's Encrypt for all web services
  • VPN: Use WireGuard or Tailscale for private services
  • 2FA: Enable two-factor authentication for sensitive services
  • Monitoring: Set up alerts for suspicious activity
  • Containerization: Use Docker for application isolation

When to Consider Managed Hosting

If managing server security feels overwhelming, or if you are running production workloads that require high availability, consider Managed WordPress hosting where security patches, monitoring, and backups are handled for you.

Summary

In just 30 minutes, you have implemented:

  1. Automatic security updates
  2. Secure SSH with key-based authentication
  3. Firewall protection with UFW
  4. Intrusion prevention with Fail2Ban
  5. Kernel-level hardening
  6. Intrusion detection with OSSEC
  7. Automated backups

Security is not a one-time task. Schedule monthly reviews to check for new vulnerabilities, update your tools, and verify your backups. Your future self will thank you.

Need a secure VPS to get started? Canadian Web Hosting Cloud VPS provides isolated environments with full root access and Canadian data centres.