## Security baseline
New servers should be hardened before they are exposed to the public internet. A good security baseline reduces the attack surface and makes it much harder for attackers to compromise your instance. Below is a set of initial steps you should perform after provisioning a VPS or dedicated server.
### 1. Update the operating system
* **Install the latest patches.** Out‑of‑date software contains known vulnerabilities. SSD Nodes explains that regular security updates keep your operating system, packages and applications patched against known flaws. On Ubuntu/Debian, run `sudo apt update && sudo apt upgrade`; on Red Hat based systems, use `sudo dnf upgrade`.
* **Update software installed through other package managers.** If you run web apps that pull in dependencies through their own package managers (e.g., `npm` or `pip`), keep those dependencies up to date as well.
### 2. Create a non‑root user and disable direct root login
* **Avoid logging in as the `root` user.** By default, most VPSes allow root SSH access. Krystal Hosting notes that root access makes you a tempting target and recommends creating a new user with `sudo` privileges, then disabling root login in `/etc/ssh/sshd_config` by setting `PermitRootLogin no`.
* **Use `sudo` for administrative tasks.** After creating the new user, ensure it belongs to the `sudo` group so you can still perform administrative tasks without enabling root logins.
### 3. Use SSH key authentication
* **Generate an SSH key pair.** According to SSD Nodes, SSH is secure by design but is stronger when you authenticate with keys. Generate a key pair with `ssh-keygen` (or use PuTTYgen on Windows) and copy the public key to the server.
* **Disable password authentication.** After verifying that key‑based login works, edit `/etc/ssh/sshd_config` to disable password‑based logins (`PasswordAuthentication no` and optionally `PermitRootLogin no`). This helps prevent brute‑force attacks on SSH.
### 4. Change the default SSH port (optional)
* Attackers and automated bots often scan port 22. Krystal Hosting suggests changing the SSH listening port by editing the `Port` directive in `sshd_config` (for example, `Port 1234`), then restarting the SSH service and testing the new port. Allow the new port in your firewall before you restart, and keep your current session open until a fresh connection on the new port succeeds. A non‑standard port cuts log noise from opportunistic scanners but does not replace key authentication and a firewall.
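To verify that sections 2 to 4 actually took effect, the following audit script is an added example (not from Krystal Hosting, SSD Nodes or any other guide cited here). It assumes whitespace‑separated `Keyword value` lines, that the first occurrence of a keyword wins, and that directives from the first `Match` block onward are conditional and therefore ignored.

```shell
#!/bin/sh
# Audit the sshd_config directives from sections 2-4 of this baseline.
# Assumptions (not from the cited guides): directives are whitespace-
# separated "Keyword value" lines, the first occurrence of a keyword wins,
# and anything from the first "Match" block onward is conditional and ignored.
# Upstream OpenSSH defaults are used when a keyword is absent.

# sshd_value FILE KEYWORD DEFAULT -> effective value, lower-cased
sshd_value() {
    v=$(awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        tolower($1) == "match"   { exit }          # stop at conditional blocks
        tolower($1) == tolower(key) { print tolower($2); exit }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# check_sshd_config FILE -> prints findings; exit status 0 only if compliant
check_sshd_config() {
    f=$1; rc=0
    if [ "$(sshd_value "$f" PermitRootLogin prohibit-password)" != "no" ]; then
        echo "FAIL: PermitRootLogin should be 'no' (section 2)"; rc=1
    fi
    if [ "$(sshd_value "$f" PasswordAuthentication yes)" != "no" ]; then
        echo "FAIL: PasswordAuthentication should be 'no' (section 3)"; rc=1
    fi
    if [ "$(sshd_value "$f" PubkeyAuthentication yes)" != "yes" ]; then
        echo "FAIL: PubkeyAuthentication is off; key login cannot work (section 3)"; rc=1
    fi
    echo "INFO: sshd port is $(sshd_value "$f" Port 22); confirm the firewall allows it (section 4)"
    return $rc
}

# Run against the live config when executed directly, e.g.:
#   sh audit_sshd.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then check_sshd_config "$1"; fi
```

Distribution packages may override these directives through an `Include` of `/etc/ssh/sshd_config.d/*.conf`; `sudo sshd -T` prints the effective configuration if the script and the daemon disagree.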
### 5. Configure a firewall
* **Default‑deny policy.** SSD Nodes recommends configuring `nftables` or a wrapper such as `ufw` with a default‑drop rule so all incoming traffic is blocked unless explicitly allowed. For example, allow only SSH, HTTP and HTTPS, and optionally other ports your services require.
* **Use UFW or Firewalld.** Krystal notes that user‑friendly tools like UFW on Ubuntu or Firewalld on CentOS make it easier to define firewall rules and should be enabled early in your setup.
### 6. Close unused ports and disable unnecessary services
* **Review open ports.** List listening sockets with `ss -tulpn` (or `netstat -tulpn` on older systems) to identify services exposed on the network. Krystal advises creating a list of required ports and closing any others to reduce the attack surface.
* **Disable services you don't need.** The Anyone Docs hardening guide recommends auditing running services with `systemctl list-units --type=service --state=running` and disabling unnecessary ones, such as `packagekit.service` or `snapd.service`, to reduce exposure.
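The port review from sections 5 and 6 can be scripted: compare what is listening against the allow‑list you gave the firewall and report the rest. This is an added example, not code from Krystal Hosting or the Anyone Docs guide; it assumes the column layout of `ss -Hltun`, and the sample output is constructed.

```shell
#!/bin/sh
# Compare listening sockets against the allow-list of ports you decided to
# expose (section 5) and report anything else reachable from the network
# (section 6). Assumes the `ss -Hltun` column layout:
#   NETID STATE RECV-Q SEND-Q LOCAL:PORT PEER:PORT
# Loopback-only listeners (127.x, [::1]) are skipped: they are not exposed,
# though they still deserve a look when auditing running services.

# unexpected_listeners "22 80 443" < ss-output  -> "proto port address" per finding
unexpected_listeners() {
    awk -v allowed=" $1 " '
        {
            n = split($5, parts, ":"); port = parts[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next     # loopback only
            if (index(allowed, " " port " ") == 0) print $1, port, addr
        }'
}

# Constructed sample in ss -Hltun format (not a real capture).
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0 511 *:80               *:*
tcp   LISTEN 0 128 [::]:443           [::]:*
tcp   LISTEN 0 80  127.0.0.1:3306     0.0.0.0:*
udp   UNCONN 0 0   127.0.0.53%lo:53   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:111        0.0.0.0:*'

# Audit the constructed sample against an allow-list (used below and by tests).
audit_sample() { printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$1"; }

# Live use on a server: ss -Hltun | unexpected_listeners "22 80 443"
audit_sample "22 80 443"   # prints: tcp 111 0.0.0.0
```

Anything the script reports is either a service to stop and disable with `systemctl`, or a port to add to the allow‑list deliberately.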
### 7. Install intrusion‑prevention tools (Fail2Ban)
* **Block brute‑force attacks.** SSD Nodes notes that Fail2Ban monitors logs for failed login attempts and automatically bans offending IPs via your firewall. Install the package (`sudo apt install fail2ban` on Debian/Ubuntu, or enable EPEL and then install it on RHEL) and enable the service. It runs at boot and protects SSH and other services from automated attacks.
* **Configure jails.** Create a `jail.local` file to customise settings like the number of retries (`maxretry`), the observation window (`findtime`) and the ban duration (`bantime`).
### 8. Perform regular backups and monitor your server
* **Plan for failure.** SupportFly emphasises that data loss can occur at any time due to cyberattacks, hardware failures or human error, and that regular server backups are essential for business continuity. Without a backup strategy, recovery can be expensive or impossible.
* **Reduce downtime and comply with regulations.** Backups allow you to restore services quickly and minimise downtime costs; they also help meet compliance requirements for data retention and protection.
* **Adopt a backup strategy.** Use automated backups on a schedule (daily is common for critical systems), store copies in multiple locations (e.g., offsite or cloud), and test your backups to ensure they can be restored when needed.
### 9. Use strong passwords and two‑factor authentication
* While key‑based logins reduce the need for passwords, you should still enforce strong, unique passwords for all accounts. SSD Nodes explains that attackers use brute‑force and dictionary attacks to guess passwords, so using complex passwords is crucial.
* Enable two‑factor authentication (2FA) wherever supported (e.g., for your hosting control panel and client area) to add another layer of protection.
### 10. Monitor and review regularly
* **Watch for anomalies.** Set up monitoring to detect unusual login attempts, high resource usage or unexpected processes. Logging tools and dashboards can alert you to suspicious activity.
* **Review logs and security settings.** Periodically review your firewall rules, SSH configuration and Fail2Ban logs to ensure they still fit your needs and haven’t been altered by an attacker.
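The check behind Fail2Ban's SSH jail (section 7) is simple enough to run by hand during a log review (section 10): count failed password attempts per source address and flag any source that reaches `maxretry`. This is an added example, not Fail2Ban's own code; it matches only the standard OpenSSH `Failed password ... from ADDR` line and omits the `findtime` window, and the log excerpt is constructed from documentation address ranges.

```shell
#!/bin/sh
# Core of the Fail2Ban sshd jail, reduced for manual log review: count
# failed password attempts per source address and report those that reach
# MAXRETRY. Fail2Ban itself also applies a findtime window and matches more
# patterns than the single OpenSSH line used here.

# failed_login_sources MAXRETRY < auth.log -> "address count" per offender
failed_login_sources() {
    awk -v max="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }' | sort
}

# Constructed auth.log excerpt using documentation address ranges (not a real capture).
SAMPLE_AUTH='Jan 10 03:14:01 vps sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 10 03:14:03 vps sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 10 03:14:05 vps sshd[4023]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 10 03:14:09 vps sshd[4025]: Failed password for root from 203.0.113.7 port 51251 ssh2
Jan 10 03:15:12 vps sshd[4030]: Failed password for deploy from 198.51.100.9 port 40022 ssh2
Jan 10 03:15:40 vps sshd[4031]: Accepted publickey for deploy from 198.51.100.9 port 40023 ssh2: ED25519 SHA256:constructed'

# Run the detector over the constructed sample (used below and by tests).
offenders_in_sample() { printf '%s\n' "$SAMPLE_AUTH" | failed_login_sources "$1"; }

# Live use: failed_login_sources 5 < /var/log/auth.log
# (or journalctl -u ssh / -u sshd | failed_login_sources 5 on journald-only hosts)
offenders_in_sample 3   # prints: 203.0.113.7 4
```

If the addresses this reports are not already in `fail2ban-client status sshd`, the jail's filter or log path is not matching your system and needs attention before you rely on it.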
Applying these baseline measures will help you harden your server and establish a secure foundation. Remember that security is an ongoing process—stay vigilant by monitoring for new vulnerabilities, applying updates promptly and regularly reassessing your security posture.