How to Secure a VPS Server: A Complete Guide for Sun Servers Users

Deploying a VPS server opens a world of flexibility and control. However, with control comes responsibility: securing that server should be your first priority. Unprotected servers are magnets for automated bots, malware, and opportunistic hackers scanning the internet 24/7.

This guide walks you through the essential steps to secure your VPS hosted with Sun Servers. Each step is battle-tested, based on years of hands-on experience managing production servers.


1. Harden SSH Access

SSH is the primary gateway to your server. Leaving it unsecured is akin to leaving your front door wide open.

  • Change Default SSH Port:
    Bots constantly scan port 22. Moving SSH to a non-standard port dramatically reduces automated login attempts.
sudo nano /etc/ssh/sshd_config
# Change Port 22 to something like Port 2222

Then restart SSH, keeping your current session open until you have confirmed that a new login on the new port works:

sudo systemctl restart sshd
  • Disable Root Login:
    Block direct root access. Instead, use a regular user with sudo privileges. In /etc/ssh/sshd_config, set:
PermitRootLogin no
  • Use SSH Keys, Not Passwords:
    Password logins are brute-force targets. SSH key pairs are vastly more secure. Generate a key pair locally:
ssh-keygen -t ed25519

Upload the public key:

ssh-copy-id user@your-server-ip

Once key-based login works, disable password authentication entirely in /etc/ssh/sshd_config:

PasswordAuthentication no
  • Use Fail2Ban:
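    Install Fail2Ban to automatically block IPs with too many failed login attempts. If SSH runs on a non-standard port, set that port in Fail2Ban's sshd jail so that bans apply to the port SSH actually uses.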
sudo apt install fail2ban
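
Editing sshd_config does not guarantee the setting took effect: sshd keeps the first value it reads for each keyword, so a drop-in file under /etc/ssh/sshd_config.d/ can override it. The check below is an added example, not part of the original guide; it audits the effective settings printed by `sshd -T`, and the function names and sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example. Reads `sshd -T` output (lowercase "keyword value" lines) on
# stdin, prints findings, and returns non-zero if any FAIL is found.
# Real use:  sudo sshd -T | check_sshd_effective
check_sshd_effective() {
    awk '
    function want(k, v) {
        if (val[k] != v) {
            printf "FAIL %s is \"%s\", expected \"%s\"\n", k, val[k], v
            bad = 1
        }
    }
    $1 == "port" && $2 == "22" { port22 = 1 }   # "port" may appear repeatedly
    { val[$1] = $2 }
    END {
        # A non-standard port only cuts scan noise, so this is a warning.
        if (port22) print "WARN sshd still listens on port 22"
        want("permitrootlogin", "no")
        want("pubkeyauthentication", "yes")
        want("passwordauthentication", "no")
        # Keyboard-interactive via PAM can still prompt for a password.
        # Older OpenSSH reports it as challengeresponseauthentication.
        k = "kbdinteractiveauthentication"
        if (!(k in val)) k = "challengeresponseauthentication"
        if (val[k] == "yes") {
            print "FAIL keyboard-interactive authentication is enabled"
            bad = 1
        }
        exit bad + 0
    }'
}

# Constructed sample: sshd_config says "PasswordAuthentication no", but a
# drop-in file set it to yes first, so the effective value is still yes.
sample_sshd_t() {
    cat <<'EOF'
port 2222
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
EOF
}

sample_sshd_t | check_sshd_effective || echo "audit failed: fix the findings above"
```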

2. Apply System Updates Immediately

Outdated software is the easiest attack vector.

  • Update Regularly:
sudo apt update && sudo apt upgrade -y
  • Enable Unattended Security Upgrades:
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

This keeps security patches applied without manual intervention.


3. Configure a Firewall

A firewall is non-negotiable.

  • Use UFW (Uncomplicated Firewall):
sudo apt install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow [your ssh port]/tcp

For example, if SSH is on port 2222:

sudo ufw allow 2222/tcp

Enable it:

sudo ufw enable

Open only necessary ports for web servers, databases, or applications.


4. Protect Against DDoS Attacks

DDoS attacks can overwhelm your server and take it offline.

  • Leverage Network-Level Protection:
    Ensure your VPS provider, Sun Servers, includes basic DDoS mitigation. Use their filtering if available.
  • Install Local Rate Limiting with iptables:
    Example that drops new HTTP connections from any source IP that already has more than 20 open:
sudo iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 20 -j DROP
  • Use a Cloud-Based WAF:
    Tools like Cloudflare can absorb volumetric attacks and block malicious traffic before it reaches your VPS.

5. Secure User Accounts and Privileges

A mismanaged user account can become an attack vector.

  • Minimal Users:
    Only create users that are strictly necessary.
  • Least Privilege:
    Avoid giving sudo access unless absolutely required.
  • Audit Regularly:
    Check who has access:
cat /etc/passwd

Remove inactive accounts:

sudo deluser username
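
Reading /etc/passwd by eye gets slow once service accounts pile up. The script below is an added example, not part of the original guide; it narrows the audit to accounts that can get a shell, flags any extra UID 0 account, and lists members of the sudo and wheel groups. The function names and sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example. Both functions take a file path, or "-" for stdin, and
# default to the live system files.

# audit_accounts [PASSWD]: list accounts that can get a shell, and flag any
# account other than root that has UID 0.
audit_accounts() {
    awk -F: '
    /^#/ || NF < 7 { next }
    $3 == 0 && $1 != "root" { print "ALERT uid0 " $1; next }
    $7 !~ /(nologin|false)$/ { print "LOGIN " $1 " uid=" $3 " shell=" $7 }
    ' "${1:-/etc/passwd}"
}

# sudo_members [GROUP]: members of the usual admin groups. Users granted
# rights directly in /etc/sudoers or /etc/sudoers.d are not covered here.
sudo_members() {
    awk -F: '$1 == "sudo" || $1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print m[i]
    }' "${1:-/etc/group}"
}

# Constructed sample data (not from a real server).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
oldadmin:x:1001:1001::/home/oldadmin:/bin/bash
svc:x:0:0::/root:/bin/sh
EOF
}
sample_group() {
    cat <<'EOF'
sudo:x:27:deploy,oldadmin
www-data:x:33:
EOF
}

sample_passwd | audit_accounts -
sample_group | sudo_members -
```

On a live server, run `audit_accounts` and `sudo_members` with no arguments, then compare the output with the list of people who should still have access.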

6. Enable Intrusion Detection

An Intrusion Detection System (IDS) monitors changes and alerts you to suspicious activity.

  • Install AIDE (Advanced Intrusion Detection Environment):
sudo apt install aide
sudo aideinit
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
sudo aide --check

Schedule regular checks via cron.


7. Disable Unused Services

Every open port is an opportunity for attackers.

  • List Running Services:
sudo ss -tuln
  • Stop and Disable What’s Not Needed:
sudo systemctl stop service
sudo systemctl disable service

Common culprits: FTP, Telnet, SMTP (if not used), etc.


8. Use Kernel Hardening

Kernel-level protections block entire classes of vulnerabilities.

  • Enable sysctl Protections:
    Edit /etc/sysctl.conf and add:
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.rp_filter=1

Apply:

sudo sysctl -p
  • Install AppArmor or SELinux:
    These provide mandatory access controls for applications.

For Ubuntu/Debian:

sudo apt install apparmor
sudo systemctl enable apparmor --now
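
`sysctl -p` loads /etc/sysctl.conf once, but other software or files under /etc/sysctl.d can change the running values afterwards. The script below is an added example, not part of the original guide; it compares the sysctl settings from this section with what the kernel is actually using. The function names and the fake /proc/sys tree are constructed for illustration.

```sh
#!/bin/sh
# Added example. check_sysctl CONF [PROC_ROOT] compares every key=value line
# in CONF with the running value under PROC_ROOT (default /proc/sys), prints
# DRIFT or MISSING per mismatch, and returns non-zero if any were found.
check_sysctl() {
    conf=$1 root=${2:-/proc/sys} rc=0
    while IFS= read -r line; do
        case $line in ''|'#'*|';'*) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        want=$(printf '%s' "${line#*=}" | tr -d ' \t')
        # net.ipv4.ip_forward -> net/ipv4/ip_forward
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ ! -r "$path" ]; then
            echo "MISSING $key"; rc=1; continue
        fi
        have=$(tr -d ' \t\n' < "$path")
        [ "$have" = "$want" ] || { echo "DRIFT $key running=$have wanted=$want"; rc=1; }
    done < "$conf"
    return "$rc"
}

# Constructed demo: this page's six settings checked against a fake /proc/sys
# tree (temp dir) in which ip_forward has been switched back on.
demo_sysctl_drift() {
    d=$(mktemp -d) || return 2
    cat > "$d/want.conf" <<'EOF'
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.rp_filter=1
EOF
    mkdir -p "$d/proc/net/ipv4/conf/all"
    echo 1 > "$d/proc/net/ipv4/ip_forward"
    echo 1 > "$d/proc/net/ipv4/icmp_echo_ignore_broadcasts"
    echo 1 > "$d/proc/net/ipv4/conf/all/rp_filter"
    for f in accept_source_route accept_redirects secure_redirects; do
        echo 0 > "$d/proc/net/ipv4/conf/all/$f"
    done
    check_sysctl "$d/want.conf" "$d/proc" && status=0 || status=$?
    rm -rf "$d"
    return "$status"
}

demo_sysctl_drift || echo "running kernel differs from the intended settings"
```

On a live server, `check_sysctl /etc/sysctl.conf` performs the same comparison against the real /proc/sys.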

9. Backup Relentlessly

Security isn’t just about preventing intrusion—it’s also about recovery.

  • Automate Offsite Backups:
    Use tools like rsync, rclone, or integrated options from Sun Servers to back up to remote storage.
  • Test Restores:
    A backup is worthless unless it works. Schedule periodic test restores to verify integrity.

10. Monitor and Log Everything

  • Centralize Logs:
    Use rsyslog or a cloud log management service to collect and monitor logs.
  • Install Logwatch or Logcheck:
    These tools scan logs and email you summaries of unusual activity.
  • Set Up Resource Monitoring:
    Install htop, iotop, or use web-based tools like Netdata or Grafana to monitor CPU, RAM, disk, and bandwidth usage.

11. Web Server Hardening (If Applicable)

If running a web server like Apache or Nginx:

  • Disable Directory Listing.
  • Use HTTPS Only:
    Use Let’s Encrypt for free SSL/TLS certificates.
  • Implement Security Headers:
    HTTP headers like Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security reduce attack surface.
  • Use Fail2Ban with Nginx/Apache:
    Block IPs triggering 404s or other abnormal patterns.

12. Regular Security Audits

  • Perform periodic scans with tools like:
    • lynis (local security audit)
    • nmap (external port scan)
  • Review:
    • User accounts
    • Open ports
    • Failed login attempts
    • File integrity changes

Conclusion

Securing a VPS on Sun Servers is not a one-time task; it’s an ongoing process. Each layer—from SSH to firewalls to monitoring—adds resilience. A well-secured server not only protects your data but also maintains your reputation, ensures uptime, and prevents being exploited as a launchpad for further attacks.

