Security baseline

### Security baseline

New servers should be hardened before they are exposed to the public internet. A good security baseline reduces the attack surface and makes it much harder for attackers to compromise your instance. Below is a set of initial steps you should perform after provisioning a VPS or dedicated server.

##### 1. Update the operating system and software

- **Install the latest patches** – Out‑of‑date software contains known vulnerabilities. Use your distribution’s package manager (`apt`, `dnf`, `yum`, etc.) to update the OS and installed packages, and apply security updates regularly. On Ubuntu/Debian, run `sudo apt update && sudo apt upgrade`; on Red Hat based systems, use `dnf`.
- **Update application packages** – Keep software installed via other package managers (such as `npm` or `pip`) current to reduce vulnerabilities.

##### 2. Create a non‑root user and disable direct root login

- **Create a new user with sudo privileges** – Avoid logging in as the `root` user. Create a user account and grant it sudo privileges for administrative tasks. Make sure it belongs to the `sudo` group so you can still perform administrative tasks without enabling root logins.
- **Disable root logins** – By default, most VPSes allow root SSH access, and root access makes you a tempting target. Edit `/etc/ssh/sshd_config` and set `PermitRootLogin no`, then restart the SSH service.

##### 3. Use SSH key authentication

- **Generate an SSH key pair** – SSH is secure by design but is stronger when you authenticate with keys. Use `ssh-keygen` (or PuTTYgen on Windows) to generate a key pair, then copy the public key to your server. Keep your private key secure.
- **Disable password authentication** – After verifying that key‑based login works, set `PasswordAuthentication no` in `/etc/ssh/sshd_config` and restart SSH to enforce key‑based logins. This helps prevent brute‑force attacks on SSH.

##### 4. Change the default SSH port (optional)

- Attackers and automated bots often scan port 22. Changing the SSH listening port from `22` to another value can reduce automated scan noise. Edit the `Port` directive in `/etc/ssh/sshd_config` (for example, use `Port 1234`), then restart the SSH service and test the new port.
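The SSH settings from steps 2 to 4 can be checked mechanically. The script below is an added example, not part of the original page; the function name `audit_sshd_config` and the sample configuration are constructed for illustration. It shows a common pitfall: sshd keeps the first value it reads for a keyword, so a hardening line appended below an earlier setting has no effect.

```shell
#!/bin/sh
# Added example: audit sshd settings against steps 2-4 of this baseline.
# Reads an sshd_config file (or `sshd -T` output) given as an argument or on
# stdin. Assumed scope: global section only, Include files are not followed,
# quoted values are not unquoted.

audit_sshd_config() {
    awk -F'[ \t=]+' '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        sub(/^[ \t]+/, "")                  # drop indentation, re-split fields
        key = tolower($1); val = tolower($2)
        if (key == "match") exit            # Match blocks are conditional: stop
        if (key == "port") { ports = ports " " val; next }   # Port may repeat
        if (!(key in seen)) seen[key] = val # sshd keeps the FIRST value it reads
    }
    END {
        # OpenSSH defaults apply when a keyword never appears
        if (!("permitrootlogin" in seen)) seen["permitrootlogin"] = "prohibit-password"
        if (!("passwordauthentication" in seen)) seen["passwordauthentication"] = "yes"
        if (ports == "") ports = " 22"
        if (seen["permitrootlogin"] != "no") {
            print "FAIL PermitRootLogin is " seen["permitrootlogin"] " (want no)"; bad = 1 }
        if (seen["passwordauthentication"] != "no") {
            print "FAIL PasswordAuthentication is " seen["passwordauthentication"] " (want no)"; bad = 1 }
        if ((ports " ") ~ / 22 /) print "NOTE sshd listens on port 22"
        exit bad + 0                        # non-zero status when a check fails
    }' "$@"
}

# Constructed sample: the later "no" is ignored because "yes" comes first.
SAMPLE_SSHD_CONFIG='Port 1234
permitrootlogin no
PasswordAuthentication yes
# appended during hardening, but too late in the file:
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes'

printf '%s\n' "$SAMPLE_SSHD_CONFIG" | audit_sshd_config || true
```

On a live host, `sudo sshd -T | audit_sshd_config` checks the effective configuration, including any files pulled in with `Include`.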

##### 5. Configure a firewall

- **Default‑deny policy** – Configure a firewall (`nftables`, or a user‑friendly tool such as UFW on Ubuntu or firewalld on CentOS) with a default‑deny rule so all incoming traffic is blocked unless explicitly allowed. Enable it early in your setup.
- **Open only required ports** – Allow essential services such as HTTP (80), HTTPS (443), SSH (your chosen port) and any other ports your applications require.

##### 6. Close unused ports and disable unnecessary services

- Audit open ports with tools like `ss` or `netstat` to identify services listening on the network. Make a list of the ports you require and close any others.
- List running services with `systemctl list-units --type=service --state=running` and stop the ones you don’t need (such as `packagekit.service` or `snapd.service`) using `systemctl`. Disabling unused services reduces the attack surface.
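The port audit can be scripted so that it compares what is actually listening with the ports you intend to allow through the firewall. This is an added example, not part of the original page; the function name `unexpected_listeners` and the sample `ss` output are constructed. Listeners bound only to loopback are skipped because they are not reachable from the network.

```shell
#!/bin/sh
# Added example: list TCP listeners that are reachable from the network but
# are not on your intended allowlist. Feed it `ss -tln` output on stdin.

unexpected_listeners() {  # usage: ss -tln | unexpected_listeners "1234 80 443"
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {                         # also skips the ss header line
        port = $4; sub(/.*:/, "", port)      # text after the last colon
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
        if (!(port in ok)) print port, addr
    }' | sort -n
}

# Constructed sample in the format printed by `ss -tln`.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:1234        0.0.0.0:*
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53    0.0.0.0:*
LISTEN 0      151    0.0.0.0:3306        0.0.0.0:*
LISTEN 0      128    [::]:1234           [::]:*
LISTEN 0      128    [::1]:631           [::]:*
LISTEN 0      511    *:8080              *:*'

# Allowlist: SSH on the custom port from step 4, plus HTTP and HTTPS.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | unexpected_listeners "1234 80 443"
```

Each line of output is a port and bind address to either close, rebind to loopback, or add to the firewall rules deliberately.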

##### 7. Install intrusion‑prevention tools (Fail2Ban)

- Tools like **Fail2Ban** monitor logs for failed login attempts and automatically ban offending IPs via your firewall. Install and configure Fail2Ban (or a similar tool) to protect SSH and other services from automated attacks. On Debian/Ubuntu run `sudo apt install fail2ban` (on RHEL, enable EPEL and then install it) and enable the service so it runs at boot.
- **Configure jails** – Create a `jail.local` file to customise settings like the number of retries (`maxretry`), `findtime` and ban duration.
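Before committing `maxretry` and `findtime` values to `jail.local`, it helps to see which addresses in an existing log they would have banned. The script below is an added example, not part of the original page and not Fail2Ban's own code: it is a simplified model of the threshold rule, and the function name `would_ban` and the log lines are constructed.

```shell
#!/bin/sh
# Added example: a simplified model of the maxretry/findtime rule, to see
# which source IPs in an auth log a given jail setting would ban.
# Assumptions: OpenSSH "Failed password" syslog lines, all from the same day.

would_ban() {  # usage: would_ban MAXRETRY FINDTIME_SECONDS < auth.log
    awk -v maxretry="$1" -v findtime="$2" '
    /sshd.*: Failed password for / {
        split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
        # take the LAST "from": the user name is attacker-controlled text
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        n[ip]++; ts[ip, n[ip]] = now
        hits = 0                             # failures inside the window
        for (k = n[ip]; k >= 1 && now - ts[ip, k] <= findtime; k--) hits++
        if (hits >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# Constructed sample: one host failing three times in seconds, and one user
# mistyping a password three times over the course of a day.
SAMPLE_AUTH_LOG='Jan 10 03:12:01 vps sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2
Jan 10 03:12:04 vps sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Jan 10 03:12:09 vps sshd[813]: Failed password for invalid user from from 203.0.113.7 port 40031 ssh2
Jan 10 08:30:00 vps sshd[902]: Failed password for deploy from 198.51.100.9 port 51514 ssh2
Jan 10 08:30:20 vps sshd[902]: Accepted publickey for deploy from 198.51.100.9 port 51514 ssh2
Jan 10 12:45:10 vps sshd[955]: Failed password for deploy from 198.51.100.9 port 51720 ssh2
Jan 10 17:05:42 vps sshd[990]: Failed password for deploy from 198.51.100.9 port 52001 ssh2'

# maxretry = 3, findtime = 600 seconds
printf '%s\n' "$SAMPLE_AUTH_LOG" | would_ban 3 600
```

Widening `findtime` to a full day (`would_ban 3 86400`) would also ban the second address, which shows the trade-off between catching repeated failures and locking out legitimate users.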

##### 8. Perform regular backups and monitor your server

- **Plan for failure** – Data loss can occur at any time due to cyberattacks, hardware failures or human error, and regular server backups are essential for business continuity. Without a backup strategy, recovery can be expensive or impossible. Backups allow you to restore services quickly and minimise downtime costs; they also help meet compliance requirements for data retention and protection.
- **Develop a backup strategy** – Schedule regular automated backups (daily is common for critical systems) and store copies in multiple locations (e.g., off‑site or cloud). Test restores periodically to ensure your backups can be restored when needed.
- **Monitor usage and logs** – Use monitoring tools to watch for unusual activity, high resource usage or unexpected processes. Review logs and adjust settings as necessary.

##### 9. Use strong passwords and two‑factor authentication

- While key‑based logins reduce the need for passwords, you should still enforce strong, unique passwords for all accounts (including your control panel and client area). Attackers use brute‑force and dictionary attacks to guess passwords, so using complex passwords is crucial.
- Enable two‑factor authentication (2FA) wherever supported (e.g., for your hosting control panel and client area) to add an extra layer of protection.

##### 10. Review and update regularly

Security is an ongoing process.

- **Watch for anomalies** – Set up monitoring to detect unusual login attempts, high resource usage or unexpected processes. Logging tools and dashboards can alert you to suspicious activity.
- **Review logs and security settings** – Periodically review your firewall rules, SSH configuration, Fail2Ban policies and logs, and other security settings to ensure they still fit your needs and haven’t been altered by an attacker.

Applying these baseline measures will help you harden your server and establish a secure foundation. Stay vigilant by monitoring for new vulnerabilities, apply updates promptly and regularly reassess your security posture to stay ahead of emerging threats.