How to secure your VPS

By Angus · Published 9 October 2024 · Updated 4 March 2026 · 12 min read

Unprotected VPS servers face constant scanning from automated attacks targeting default configurations and known vulnerabilities. A compromised server exposes your data, disrupts hosted websites and email services, and can be used to launch attacks on other systems.

You will secure your VPS by hardening SSH access, configuring firewall rules, enabling brute force protection and maintaining regular updates. These steps work across both cPanel and Plesk control panels, creating multiple layers of defence against common attack vectors.

Before you begin

  • You need root SSH access to your VPS.
  • We recommend creating a full backup before making security changes.
  • Have your control panel login credentials ready.

Apply system updates

Outdated software contains known vulnerabilities that attackers actively exploit. You need to update your operating system, control panel and server software regularly to close these security gaps.

  1. Connect to your VPS via SSH.
    Open your terminal application and connect using ssh root@your-server-ip, replacing your-server-ip with your actual server address.
  2. Update the operating system.
    Run the following command to update AlmaLinux and all installed packages. This downloads and installs security patches and bug fixes.
    dnf update -y
  3. Update your control panel.
    For cPanel servers, run the update script to install the latest version and security patches.
    /usr/local/cpanel/scripts/upcp
    For Plesk servers, use the Plesk installer command instead:
    plesk installer install-all-updates
  4. Reboot if required.
    Some updates require a system restart to take effect. Check for messages indicating a reboot is needed, then run reboot to restart your VPS.

Your system now runs the latest security patches. Schedule regular updates weekly or enable automatic security updates to maintain protection without manual intervention.

Configure SSH key authentication

Password-based SSH authentication allows unlimited login attempts, making your server vulnerable to brute force attacks. SSH keys provide cryptographic authentication that cannot be guessed or cracked through repeated attempts.

  1. Generate an SSH key pair on your local machine.
    Open your terminal and run ssh-keygen -t ed25519 -C "your-email@example.com", replacing the email with your actual address. This creates a secure key pair using the Ed25519 algorithm.
  2. Save the key files.
    Press Enter to accept the default file location or specify a custom path. Enter a strong passphrase when prompted to add an extra layer of protection to your private key.
  3. Copy your public key to the VPS.
    Run ssh-copy-id root@your-server-ip to transfer your public key to the server. Enter your current root password when prompted.
  4. Test key-based authentication.
    Open a new terminal window and connect with ssh root@your-server-ip. You should log in without entering your password, using only your key passphrase if you set one.
  5. Disable password authentication.
    Once key authentication works, edit the SSH configuration file with nano /etc/ssh/sshd_config. Find the line containing PasswordAuthentication and change it to PasswordAuthentication no.
  6. Restart the SSH service.
    Apply your changes by running systemctl restart sshd. This prevents any password-based login attempts while preserving your key-based access.

Your SSH service now accepts only cryptographic key authentication. Keep your private key file secure and never share it. Our guide on adding SSH keys to your VPS covers additional configuration options.

Change the default SSH port

Automated attacks scan port 22 constantly because it is SSH’s default port. Moving SSH to a non-standard port reduces automated attack traffic and makes your server harder to find through basic port scans.

  1. Choose a new port number.
    Select a port between 1024 and 65535 that is not used by other services. Avoid common alternatives such as 2222, which attackers also scan. Ports such as 2299 or 5522 are good choices.
  2. Edit the SSH configuration.
    Open the SSH config file with nano /etc/ssh/sshd_config and find the line containing #Port 22. Remove the hash symbol and change 22 to your chosen port number.
  3. Update your firewall rules.
    Before restarting SSH, allow connections on the new port. If using CSF, edit /etc/csf/csf.conf and add your new port to the TCP_IN list. For Plesk with Fail2Ban, add the port through the firewall interface.
  4. Restart SSH.
    Apply the changes with systemctl restart sshd. Do not close your current SSH session until you verify the new port works.
  5. Test the new port.
    Open a new terminal window and connect using ssh -p your-new-port root@your-server-ip, replacing your-new-port with the number you chose. If this works, your SSH port change is complete.

SSH now listens on your custom port instead of the default. Remember to specify the port number in all future SSH connections. Our detailed guide on changing your SSH port includes troubleshooting steps if you encounter connection issues.
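The two sshd_config edits above (disabling password authentication and moving the port) can be applied and verified with a script rather than by hand. This is an added example, not code from the original guide; it takes the config file path as a parameter (on a real server, /etc/ssh/sshd_config) and uses a constructed sample file resembling the stock AlmaLinux one.

```shell
#!/bin/sh
# Added example, not from the original guide: apply the sshd_config edits from
# the key-authentication and port-change steps with a script instead of nano,
# then read back what sshd would use. sshd honours the FIRST active match for a
# keyword, so every existing line for that keyword (commented or not) is
# rewritten in place rather than a duplicate being appended below it.
# Keywords are matched as spelled in the stock file; Match blocks are not handled.

# set_sshd_option FILE KEYWORD VALUE  (VALUE must not contain / or &)
set_sshd_option() {
    file=$1; key=$2; val=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$/$key $val/" "$file"
    else
        printf '%s %s\n' "$key" "$val" >> "$file"
    fi
}

# effective_sshd_option FILE KEYWORD: value from the first active (uncommented) line
effective_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd FILE PORT: the three changes the guide makes
harden_sshd() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
}

# Constructed sample in the style of the stock AlmaLinux file (prints its path)
demo_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#Port 22
#AddressFamily any
PubkeyAuthentication yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PasswordAuthentication yes
EOF
    printf '%s\n' "$f"
}

cfg=$(demo_sshd_config)
harden_sshd "$cfg" 2299
grep -E '^(Port|PasswordAuthentication|PubkeyAuthentication) ' "$cfg"
```

Before restarting on a real server, run sshd -t to syntax-check the file and sshd -T | grep -iE '^(port|passwordauthentication)' to see the merged effective values, because AlmaLinux 9 includes /etc/ssh/sshd_config.d/*.conf drop-ins ahead of these lines and they take precedence. On an SELinux-enforcing host the new port must also be labelled with semanage port -a -t ssh_port_t -p tcp 2299 (substituting your port) or sshd will refuse to bind to it.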

Install and configure firewall protection

A properly configured firewall blocks unauthorised access attempts while allowing legitimate traffic to your services. The setup process differs between cPanel and Plesk servers.

For cPanel servers

ConfigServer Security & Firewall (CSF) provides advanced firewall management with connection tracking, port flood protection and login failure detection. It replaces cPanel’s basic firewall with a more robust security layer.

  1. Download the CSF installation files.
    Connect via SSH and run the following commands to download and extract CSF.
    cd /usr/src
    wget https://download.configserver.com/csf.tgz
    tar -xzf csf.tgz
  2. Run the installation script.
    Navigate to the CSF directory and execute the installer with cd csf followed by sh install.sh. This installs CSF and its web interface plugin for WHM.
  3. Configure basic settings.
    Edit the main configuration file with nano /etc/csf/csf.conf. Change TESTING = "1" to TESTING = "0" to enable CSF in production mode.
  4. Add your IP address to the allow list.
    Prevent accidentally blocking yourself by adding your IP to /etc/csf/csf.allow. Add one line containing your IP address, then save the file.
  5. Restart CSF and LFD.
    Apply your configuration with csf -r to restart the firewall and systemctl restart lfd to restart the login failure daemon.

CSF now monitors your server for suspicious activity and blocks malicious connections. Access the CSF interface through WHM under Plugins to manage firewall rules and view blocked IPs.

For Plesk servers

Fail2Ban monitors log files for repeated failed login attempts and automatically bans offending IP addresses. Plesk includes Fail2Ban as an optional extension that integrates with the control panel interface.

  1. Log in to Plesk.
    Access your Plesk control panel at https://your-server-ip:8443 using your administrator credentials.
  2. Navigate to Extensions.
    Click Extensions in the left sidebar, then select Extensions Catalog from the submenu.
  3. Install Fail2Ban.
    Search for “Fail2Ban” in the catalog, click the extension name, then click Install. Wait for the installation to complete.
  4. Configure protection settings.
    After installation, click Extensions again and select Fail2Ban. Enable protection for SSH, Plesk panel, email services and any other services you want to monitor.
  5. Set ban duration.
    Under Settings, configure how long IP addresses remain banned after triggering protection. We recommend starting with 3600 seconds (one hour) and adjusting based on your needs.

Fail2Ban now monitors your services and blocks IP addresses that exceed the failed login threshold. Review banned IPs regularly through the Fail2Ban interface to ensure legitimate users are not affected.

Enable brute force protection

Control panel logins face constant brute force attempts where attackers try thousands of password combinations. Built-in protection tools detect these patterns and block attacking IP addresses automatically.

For cPanel servers

  1. Log in to WHM.
    Access Web Host Manager at https://your-server-ip:2087 using your root credentials.
  2. Open cPHulk configuration.
    Type “cphulk” in the search box at the top left, then click cPHulk Brute Force Protection in the results.
  3. Enable protection.
    Click the Enable button if cPHulk is currently disabled. This activates monitoring for cPanel, WHM, webmail, email and FTP services.
  4. Configure failure thresholds.
    Set the number of failed login attempts before an IP is blocked. We recommend 5 failures within 5 minutes for most servers.
  5. Add trusted IP addresses.
    Under Whitelist Management, add your office or home IP address to prevent accidentally locking yourself out during legitimate login attempts.

cPHulk now monitors login attempts across all cPanel services. While CSF provides more advanced features, cPHulk adds an extra layer of protection specifically for control panel access.

For Plesk servers

Fail2Ban handles brute force protection on Plesk servers. If you completed the Fail2Ban installation in the previous section, brute force protection is already active. Review the Jails section in the Fail2Ban interface to verify protection is enabled for Plesk panel logins.

Configure two-factor authentication

Two-factor authentication requires a time-based code in addition to your password, preventing unauthorised access even if your password is compromised. Both cPanel and Plesk support 2FA through authenticator apps.

For cPanel accounts

  1. Log in to cPanel.
    Access your cPanel account at https://your-domain.co.uk:2083.
  2. Open Two-Factor Authentication.
    Scroll to the Security section and click Two-Factor Authentication.
  3. Set up your authenticator app.
    Click Set Up Two-Factor Authentication, then scan the QR code with Google Authenticator, Authy or another TOTP app on your phone.
  4. Enter the verification code.
    Type the six-digit code from your authenticator app into cPanel to confirm the setup works correctly.
  5. Save your recovery codes.
    cPanel displays backup codes you can use if you lose access to your authenticator app. Store these codes securely offline.

Your cPanel account now requires both your password and a time-based code for login. Each user account needs to configure 2FA separately.

For Plesk administrator accounts

  1. Log in to Plesk.
    Access your Plesk control panel at https://your-server-ip:8443.
  2. Open your profile settings.
    Click your username in the top right corner, then select Edit Profile from the dropdown menu.
  3. Enable two-factor authentication.
    Scroll to the Two-Factor Authentication section and click Enable.
  4. Scan the QR code.
    Use your authenticator app to scan the displayed QR code, then enter the generated code to verify the setup.
  5. Save your changes.
    Click OK to activate 2FA for your administrator account.

Plesk now requires your authenticator code at every login. Configure 2FA for all administrator and customer accounts to maximise security.

Implement IP whitelisting for critical services

Restricting access to SSH and control panel logins by IP address prevents unauthorised connection attempts from unknown locations. This works best if you connect from a static IP address or a limited range of known addresses.

For CSF on cPanel

  1. Edit the CSF allow list.
    Open /etc/csf/csf.allow with nano /etc/csf/csf.allow and add your trusted IP addresses, one per line.
  2. Restrict SSH access.
    Edit /etc/csf/csf.conf and find the TCP_IN line. Remove the SSH port from this list, then add it to TCP_IN with your IP restriction in the format port[ip.address].
  3. Restart CSF.
    Apply the changes with csf -r. Test SSH access from your allowed IP before closing your current session.

For Plesk firewall

  1. Open firewall settings.
    In Plesk, navigate to Tools & Settings, then click Firewall under the Security section.
  2. Add a custom rule.
    Click Add Custom Rule, set the action to Allow, specify your SSH port and enter your trusted IP address in the source field.
  3. Modify the default SSH rule.
    Find the existing SSH rule, change its action to Deny and move your new allow rule above it in the rule list.
  4. Apply the changes.
    Click Apply Changes to activate your IP restrictions.

SSH and control panel access now only accepts connections from your specified IP addresses. Update your whitelist whenever your IP address changes to maintain access.

Troubleshooting

Locked out after changing SSH settings

If you cannot connect via SSH after changing the port or disabling password authentication, you need console access to restore connectivity.

  • Log in to your VPS control panel and access the emergency console.
  • Edit /etc/ssh/sshd_config to restore the previous port or re-enable password authentication temporarily.
  • Restart SSH with systemctl restart sshd and test your connection.
  • Once you regain access, review your SSH configuration changes and reapply them carefully.

Firewall blocking legitimate traffic

Overly restrictive firewall rules can block services you need to access. If a service stops working after firewall changes, check the blocked connections log.

  • For CSF, review /var/log/lfd.log to see recent blocks.
  • For Plesk Fail2Ban, check the banned IPs list in the Fail2Ban interface.
  • Add the blocked IP to your allow list if it represents legitimate traffic.
  • Adjust your firewall rules to permit the required ports and protocols.
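Reviewing /var/log/lfd.log by eye gets slow once blocks accumulate. The script below is an added example, not part of the original guide: it extracts each block event (IP address and the trigger in square brackets), counts them per trigger, and answers whether a given IP was ever blocked, which is the question to settle before adding it to csf.allow. The log path is a parameter, and the sample lines are constructed in the style of lfd.log.

```shell
#!/bin/sh
# Added example, not from the original guide: summarise the block events that
# lfd writes to /var/log/lfd.log so you can see which IPs were blocked and why
# before deciding whether one belongs in csf.allow. The log path is a
# parameter; the sample lines below are constructed in the style of lfd.log.

# blocked_ips FILE: prints "IP TRIGGER" for each block event, oldest first
blocked_ips() {
    awk '/Blocked in csf/ {
        ip = ""; trig = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "from" && $(i+1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ip = $(i+1)
            if ($i ~ /^\[[A-Z_]+\]$/) trig = substr($i, 2, length($i) - 2)
        }
        if (ip != "") print ip, trig
    }' "$1"
}

# block_counts FILE: block events per trigger, most frequent first
block_counts() {
    blocked_ips "$1" | awk '{ c[$2]++ } END { for (t in c) print c[t], t }' | sort -rn
}

# was_blocked FILE IP: exit 0 if IP appears in a block event, 1 otherwise
was_blocked() {
    blocked_ips "$1" | awk -v ip="$2" '$1 == ip { found = 1 } END { exit !found }'
}

# Constructed sample log (prints its path); real lines differ in detail
demo_lfd_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar  4 10:00:00 vps lfd[2314]: daemon started on vps
Mar  4 10:15:02 vps lfd[2314]: (sshd) Failed SSH login from 203.0.113.5 (XX/Example/-): 5 in the last 3600 secs - *Blocked in csf* for 3600 secs [LF_SSHD]
Mar  4 10:16:40 vps lfd[2314]: *Port Scan* detected from 198.51.100.7 (XX/Example/-). 11 hits in the last 124 secs - *Blocked in csf* for 3600 secs [PS_LIMIT]
Mar  4 10:20:11 vps lfd[2314]: (sshd) Failed SSH login from 203.0.113.5 (XX/Example/-): 5 in the last 3600 secs - *Blocked in csf* for 3600 secs [LF_SSHD]
Mar  4 10:21:00 vps lfd[2314]: (cpanel) Failed cPanel login from 192.0.2.44 (XX/Example/-): 5 in the last 3600 secs - *Blocked in csf* for 3600 secs [LF_CPANEL]
EOF
    printf '%s\n' "$f"
}

log=$(demo_lfd_log)
block_counts "$log"
was_blocked "$log" 203.0.113.5 && echo "203.0.113.5 was blocked"
```

On the server itself, csf -g followed by the address shows whether an IP is currently present in CSF's iptables rules or in csf.allow and csf.deny, which complements the log history this script produces.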

CSF or Fail2Ban not starting

Configuration errors prevent security services from starting. Check the service status and logs to identify the problem.

  • Run systemctl status csf or systemctl status fail2ban to view error messages.
  • Review the configuration file for syntax errors or invalid settings.
  • Test your configuration with csf -t for CSF or fail2ban-client -t for Fail2Ban.
  • Restore the default configuration file if you cannot identify the error, then reapply your changes incrementally.

Further reading on VPS security

Security extends beyond initial server hardening. Regular monitoring detects intrusions early, while proper backup procedures ensure you can recover from security incidents without data loss.

The CIS Benchmarks provide detailed security configuration guides for Linux servers, covering everything from file permissions to kernel parameters. These industry-standard recommendations help you identify additional hardening opportunities beyond the basics covered here.

Web application firewalls add another security layer by filtering HTTP traffic before it reaches your applications. ModSecurity is an open-source WAF that integrates with Apache and NGINX, protecting against common web attacks like SQL injection and cross-site scripting. Installing ModSecurity with the OWASP Core Rule Set provides immediate protection against known attack patterns.

Automated security scanning identifies vulnerabilities you might miss during manual configuration. Tools like Lynis perform comprehensive security audits, checking for weak passwords, outdated software, insecure permissions and configuration issues. Running regular scans helps you maintain security as your server configuration evolves.

Wrapping up

Your VPS now has multiple security layers protecting against common attacks. You configured SSH key authentication, changed default ports, installed firewall protection and enabled brute force detection. These measures significantly reduce your attack surface and block most automated threats.

Review your security logs weekly to identify attack patterns and adjust your firewall rules accordingly. Enable automatic security updates where possible and schedule manual updates for control panel software. Our managed VPS hosting includes proactive security monitoring and regular updates as standard.
