⚠️ Unmanaged VPS Warning: Your Security Is Your Responsibility
If you are running an unmanaged or free VPS hosting instance, your server is exposed to the internet with minimal protection. Automated bots begin scanning port 22 (the default SSH port) the moment your server goes online. You must execute these hardening steps immediately upon deployment.
This checklist is structured into four critical phases. We recommend dedicating 30-45 minutes for completion.
🔒 Phase 1: Initial System Access & Preparation (Points 1–10)
These are the immediate, non-negotiable steps taken before installing any application.
| # | Action Required | Command/Instruction (Example: Ubuntu/Debian) | Rationale |
|---|---|---|---|
| 1. | Initial Root Login | ssh root@ip | Connect using the temporary root credentials provided by the host. |
| 2. | Update All Packages | sudo apt update && sudo apt upgrade -y | Patch existing kernel and application vulnerabilities. |
| 3. | Create a New Standard User | sudo adduser [your_username] | The principle of least privilege: never do day-to-day work as root. |
| 4. | Grant Sudo/Admin Privileges | sudo usermod -aG sudo [your_username] | Allows your new user to elevate permissions when needed. |
| 5. | Secure Log-In as New User | Log out of root, log back in: ssh [your_username]@ip | Confirms the new user works and tests sudo access (e.g., sudo -v). |
| 6. | Set Server Time/NTP | sudo timedatectl set-timezone [Region/City] and sudo timedatectl set-ntp true | Critical for logging, log analysis, and SSL/TLS certificate validity. |
| 7. | Install Core Utilities | sudo apt install ufw fail2ban -y | Essential tools for firewall management and intrusion prevention. |
| 8. | Remove Unused Services | sudo apt purge telnet netcat* -y | Eliminates unnecessary open ports and reduces the attack surface. |
| 9. | Check Running Services | sudo ss -tuln | Audit all listening ports to identify any default services that must be disabled. |
| 10. | Reboot After Major Updates | sudo reboot | Applies any critical kernel updates to ensure stability. |
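Point 9 is easier to act on when the output of ss is compared against the ports you actually expect. The script below is an added example, not part of the original checklist: it reads ss -tuln output, skips the allow-listed ports, and tags every other listener as reachable from the network or loopback-only. The sample output embedded in it is constructed so the script runs offline; on a live server pipe the real output in instead.

```shell
#!/bin/sh
# Added example for Point 9 (not part of the original checklist): list the
# listening sockets that are NOT on your expected-port list, so leftover
# default services stand out. Runs offline on a constructed sample; on a
# live server: sudo ss -tuln | list_unexpected_ports "22 80"

# Constructed sample of `ss -tuln` output (not captured from a real host).
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*'

# list_unexpected_ports "PORT PORT ..." < ss_output
# Prints one line per listener whose port is not in the allow-list:
#   [exposed] proto address port   -> reachable from the network
#   [local]   proto address port   -> bound to loopback only
list_unexpected_ports() {
    allowed=" $1 "
    tail -n +2 | while read -r proto _state _rq _sq laddr _peer; do
        port="${laddr##*:}"          # text after the last colon is the port
        addr="${laddr%:*}"           # everything before it is the address
        case "$allowed" in
            *" $port "*) continue ;; # expected, skip
        esac
        case "$addr" in
            127.*|'[::1]'|*%lo) scope="[local]" ;;
            *)                  scope="[exposed]" ;;
        esac
        printf '%s %s %s %s\n' "$scope" "$proto" "$addr" "$port"
    done
}

# count_exposed "PORT PORT ..." < ss_output
# Prints how many unexpected listeners are reachable from outside; suitable
# as a pass/fail in a cron job (non-zero means something new is listening).
count_exposed() {
    list_unexpected_ports "$1" | grep -c '^\[exposed\]' || true
}

# Demo on the constructed sample: 22 and 80 are expected, the rest are not.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | list_unexpected_ports "22 80"
```

Loopback-only services (the 3306 and 53 lines in the sample) are not reachable from the internet, but they are still worth knowing about: a web application compromise on the same host can reach them.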
🛡️ Phase 2: Fortifying SSH and User Access (Points 11–25)
The Secure Shell (SSH) port is the most frequent target for automated brute-force attacks. Lock it down aggressively.
| # | Action Required | Command/Instruction (Example: Edit /etc/ssh/sshd_config) | Rationale |
|---|---|---|---|
| 11. | Generate SSH Key Pair | (Local machine) ssh-keygen -t rsa -b 4096 (or the shorter modern alternative ssh-keygen -t ed25519) | Replaces vulnerable passwords with cryptographic key authentication. |
| 12. | Copy Public Key to Server | ssh-copy-id [your_username]@ip | Transfers the key, allowing secure login. |
| 13. | Change Default SSH Port | Change Port 22 to Port [5-digits, e.g., 22222] | Obscures the service from basic, widespread bot scans. |
| 14. | Disable Root Login | Set PermitRootLogin to no | Prevents the use of the highest-privilege account for remote login. |
| 15. | Disable Password Authentication | Set PasswordAuthentication to no | CRITICAL. Forces key-only login (prevents brute-force). |
| 16. | Limit Login Attempts | Set MaxAuthTries to 3 | Reduces the window for key/password guessing attempts. |
| 17. | Limit User Access | Add AllowUsers [your_username] | Explicitly defines which users can log in via SSH. |
| 18. | Enforce Protocol Version 2 | Set Protocol to 2 | Disables the obsolete SSH-1 protocol. OpenSSH 7.4 and later support only version 2 and ignore this directive, so it matters only on very old installs. |
| 19. | Save & Test SSH Config | sudo sshd -t, then sudo systemctl restart sshd (wait 30s) | CRITICAL: sshd -t reports config syntax errors before the restart; log in with the new settings from a second terminal before closing the existing session. |
| 20. | Lock the Root Password | sudo passwd -l root | Prevents local or console password login as root (use sudo instead). |
| 21. | Set an Idle Session Timeout | Add TMOUT=300 to /etc/profile | Automatically logs out idle shell sessions after 5 minutes (300 seconds). |
| 22. | Set Secure File Permissions | sudo chmod 700 ~/.ssh/ and chmod 600 ~/.ssh/authorized_keys | Ensures the SSH directory and key file are only accessible by the owner; with StrictModes on (the default) sshd ignores an authorized_keys file that others can write to. |
| 23. | Enforce Password Aging | Edit /etc/login.defs (PASS_MAX_DAYS) | Forces users to change passwords regularly (if passwords are enabled). |
| 24. | Harden /etc/sudoers | sudo visudo and check requiretty is enforced | Ensures users cannot execute sudo commands from non-terminal sessions. Note that this also blocks non-interactive tools (cron jobs, configuration management) that rely on sudo. |
| 25. | Log out and Close Old Session | exit | Closes the connection once the new, key-only connection is confirmed. |
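Points 13 to 19 are usually applied by hand-editing sshd_config; a drop-in file plus an audit step makes the result repeatable and checkable before the restart. The script below is an added example and is not part of the original checklist. It assumes OpenSSH 8.2 or newer with "Include /etc/ssh/sshd_config.d/*.conf" at the top of /etc/ssh/sshd_config (the Ubuntu 20.04+ and Debian 12 default); the drop-in name 99-hardening.conf and the user name alice are choices made here. It also adds one directive the checklist does not mention, KbdInteractiveAuthentication no, because the PAM keyboard-interactive path can still prompt for a password when PasswordAuthentication is off.

```shell
#!/bin/sh
# Added example for Points 13-19 (not from the original checklist): write the
# SSH hardening directives as a drop-in file and audit them before restarting.
# Assumes OpenSSH 8.2+ with "Include /etc/ssh/sshd_config.d/*.conf" at the top
# of /etc/ssh/sshd_config. sshd keeps the FIRST value it reads for a keyword,
# so the included drop-in overrides later lines in the main file (Port is the
# exception: every Port line adds a listening port).

# write_sshd_hardening DIR PORT USER
# Creates DIR/99-hardening.conf (file name chosen here) with the Phase 2 settings.
write_sshd_hardening() {
    dir="$1"; port="$2"; user="$3"
    mkdir -p "$dir"
    cat > "$dir/99-hardening.conf" <<EOF
# SSH hardening drop-in (checklist Points 13-17)
Port $port
PermitRootLogin no
PasswordAuthentication no
# Added beyond the checklist: close the PAM keyboard-interactive path too,
# which can still ask for a password when PasswordAuthentication is off.
KbdInteractiveAuthentication no
MaxAuthTries 3
AllowUsers $user
EOF
}

# audit_sshd_config FILE
# Returns 0 when every required "keyword value" pair is present in FILE,
# otherwise prints each missing directive and returns 1. Keyword matching is
# case-insensitive, as in sshd, so saved `sshd -T` output (lower-case) works too.
audit_sshd_config() {
    file="$1"; rc=0
    for want in "permitrootlogin no" "passwordauthentication no" "maxauthtries 3"; do
        key="${want%% *}"; val="${want#* }"
        if ! awk -v k="$key" -v v="$val" \
                'tolower($1) == k && $2 == v { found = 1 } END { exit !found }' "$file"
        then
            echo "missing: $want"; rc=1
        fi
    done
    return $rc
}

# Demo run in a scratch directory (no privileges needed).
demo=$(mktemp -d)
write_sshd_hardening "$demo" 22222 alice
audit_sshd_config "$demo/99-hardening.conf" && echo "drop-in OK"
rm -rf "$demo"

# On the server, as root, with a second terminal kept open (Point 19):
#   write_sshd_hardening /etc/ssh/sshd_config.d 22222 alice
#   sshd -t && systemctl restart ssh        # -t = syntax check before restart
#   sshd -T > /root/sshd-effective.txt && audit_sshd_config /root/sshd-effective.txt
# If /etc/ssh/sshd_config still contains an uncommented "Port 22", remove it:
# sshd listens on every Port line it reads, so port 22 would stay open.
```

Auditing the output of sshd -T rather than the file you wrote is the check that matters: it shows the effective configuration after all includes and Match blocks, which is what an attacker's client actually meets.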
🧱 Phase 3: Network Security & Intrusion Prevention (Points 26–40)
Establishing a robust firewall and actively monitoring for threats is the backbone of server security.
| # | Action Required | Command/Instruction | Rationale |
|---|---|---|---|
| 26. | Set Default UFW Policy | sudo ufw default deny incoming | CRITICAL. Block all inbound traffic by default. |
| 27. | Allow New SSH Port | sudo ufw allow [your_new_port]/tcp | Open only the port defined in Point 13. Do this before enabling UFW (Point 30), or you lock yourself out. |
| 28. | Allow HTTP Traffic | sudo ufw allow http or sudo ufw allow 80/tcp | Necessary for unencrypted web traffic. |
| 29. | Allow HTTPS/TLS Traffic | sudo ufw allow https or sudo ufw allow 443/tcp | Necessary for secure web traffic (SSL/TLS). |
| 30. | Enable UFW Firewall | sudo ufw enable (Type y to confirm) | Activates the ruleset. |
| 31. | Verify UFW Status | sudo ufw status verbose | Check that the firewall is active and only essential ports are open. |
| 32. | Install/Configure Fail2Ban | (Already installed in Point 7) | Intrusion Prevention System (IPS) that scans logs and bans brute-forcers. |
| 33. | Verify Fail2Ban Status | sudo systemctl status fail2ban | Ensure the service is running correctly. |
| 34. | Configure SSH in Fail2Ban | Check that sshd is enabled in /etc/fail2ban/jail.local and set port = [your_new_port] in that jail | Ensures brute-force attempts on your SSH port are banned. Without the port line the sshd jail watches only port 22. |
| 35. | Harden Kernel Settings | Edit /etc/sysctl.conf (e.g., net.ipv4.tcp_syncookies = 1) | Mitigates SYN flood attacks and hardens network behavior. |
| 36. | Apply Kernel Changes | sudo sysctl -p | Loads the new kernel hardening rules immediately. |
| 37. | Disable IPv6 (Optional) | Add net.ipv6.conf.all.disable_ipv6=1 to sysctl.conf | Reduces the attack surface if you do not use IPv6. |
| 38. | Limit ICMP/Pings | Set net.ipv4.icmp_echo_ignore_all = 1 in sysctl.conf | Prevents your server from responding to basic ping sweeps. Note that ping-based uptime monitors (Point 49) will then report the host as down. |
| 39. | Install Rootkit Scanner | sudo apt install rkhunter -y | Prepares the server to check for deep-level malicious software. |
| 40. | Perform Initial Rootkit Scan | sudo rkhunter --propupd followed by sudo rkhunter --check | Runs a baseline check on the freshly hardened system; --propupd records the file properties of the clean install first so later checks compare against them. |
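The most common gap in Points 27 and 34 is that the SSH port moved in Point 13 but the firewall rule and the fail2ban jail still assume port 22. The script below is an added example, not part of the original checklist: it reads the Port value from whichever sshd config file holds it, writes a jail.local for that port, and checks that the jail and the port agree. It assumes fail2ban 0.10 or newer; the findtime, maxretry and bantime values are this example's choices, not fail2ban defaults.

```shell
#!/bin/sh
# Added example for Points 27 and 34 (not from the original checklist): derive
# the SSH port from the sshd config, write a fail2ban jail.local for it, and
# check the two agree. Assumes fail2ban 0.10 or newer. Without an explicit
# "port =" the sshd jail watches only port ssh/22 (from /etc/services), so
# after Point 13 attempts against the new port would never be banned.

# ssh_port_from_config FILE
# Prints the first Port value in FILE, or 22 when none is set (sshd's default).
ssh_port_from_config() {
    p=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    echo "${p:-22}"
}

# write_sshd_jail JAIL_FILE PORT
# Writes a minimal jail.local: 3 failures within 600 s bans the source for
# 3600 s. The thresholds are this example's choice, not fail2ban defaults.
write_sshd_jail() {
    cat > "$1" <<EOF
[DEFAULT]
findtime = 600
maxretry = 3
bantime  = 3600

[sshd]
enabled = true
port    = $2
EOF
}

# jail_port_matches JAIL_FILE PORT
# Returns 0 if the [sshd] section of JAIL_FILE names PORT, else 1.
jail_port_matches() {
    awk -v want="$2" '
        /^\[/                   { in_sshd = ($0 == "[sshd]") }
        in_sshd && $1 == "port" { got = $3 }
        END                     { exit (got == want) ? 0 : 1 }' "$1"
}

# Demo in a scratch directory with a constructed sshd config fragment.
demo=$(mktemp -d)
printf 'Port 22222\nPermitRootLogin no\n' > "$demo/sshd.conf"
port=$(ssh_port_from_config "$demo/sshd.conf")
write_sshd_jail "$demo/jail.local" "$port"
jail_port_matches "$demo/jail.local" "$port" && echo "jail follows port $port"
rm -rf "$demo"

# On the server, as root (point the first line at the file holding your Port):
#   port=$(ssh_port_from_config /etc/ssh/sshd_config)
#   ufw allow "$port"/tcp                          # Point 27, before ufw enable
#   write_sshd_jail /etc/fail2ban/jail.local "$port"
#   fail2ban-client reload && fail2ban-client status sshd
```

One more check worth doing after the reload: fail2ban-client status sshd should list a log file or journal it is watching. Debian 12 images ship without rsyslog, so there is no /var/log/auth.log there; add backend = systemd under [sshd] on such hosts or the jail will fail to start.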
💾 Phase 4: Maintenance, Logging, and Contingency (Points 41–50)
Security is an ongoing process. These steps ensure your server stays patched and data can be recovered.
| # | Action Required | Command/Instruction | Rationale |
|---|---|---|---|
| 41. | Set Up Unattended Upgrades | sudo dpkg-reconfigure unattended-upgrades | CRITICAL. Automates the application of security patches (daily by default). |
| 42. | Configure Logwatch | sudo apt install logwatch -y | Sets up automated email summaries of log activity for security review. |
| 43. | Enable Log Rotation | Verify log files in /etc/logrotate.d/ | Prevents logs from consuming all disk space over time. |
| 44. | Set Up Automated Backups | Install restic or duplicity and create a cron job | Ensures data is encrypted and copied to secure, off-site storage (e.g., S3, Google Drive). |
| 45. | Test Backup/Restore Process | Simulate a recovery on a local machine. | CRITICAL. A backup is useless if the recovery process is flawed. |
| 46. | Secure Temporary Directories | sudo mount -o remount,noexec,nodev,nosuid /tmp | Prevents execution of scripts and binaries in common attack targets. The remount does not survive a reboot; add the same options to the /tmp entry in /etc/fstab. |
| 47. | Run System Integrity Check | sudo apt install aide -y followed by sudo aide --init (Debian/Ubuntu provide the wrapper sudo aideinit) | Takes a cryptographic snapshot of system files for intrusion detection later. Activate the generated aide.db.new as aide.db before the first sudo aide --check. |
| 48. | Remove Installation Media | Delete any initial setup files or deployment scripts. | Cleans up system files and removes potential credential leaks. |
| 49. | Set Up Monitoring | Install htop or configure an external monitoring agent (e.g., Pingdom, UptimeRobot) | Track resource usage (CPU/RAM/Disk) and receive uptime alerts. |
| 50. | Final Firewall Check (External) | Scan from outside the server: run Nmap from another machine you control, or use a free web-based scanner (e.g., ShieldsUP) | Confirms that only your intended ports (e.g., 443 and your new SSH port) are visible to the outside world. |
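Point 46 is the step most often left half-done: the remount works until the next reboot, after which /tmp comes back with its old options. The script below is an added example, not part of the original checklist. It checks an fstab for a /tmp entry carrying noexec, nodev and nosuid, reports what is missing, and prints the line that makes the setting persistent. It assumes /tmp is, or will become, its own mount; the sample fstab embedded in it is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example for Point 46 (not from the original checklist): the remount
# is lost at reboot, so check /etc/fstab for a /tmp entry carrying
# noexec,nodev,nosuid and print the line that makes it persistent. Assumes
# /tmp is (or will become) its own mount; the tmpfs line below creates one
# on images where /tmp is just a directory on the root filesystem.

# Constructed sample fstab (not copied from a real host).
SAMPLE_FSTAB='UUID=1111-2222 /    ext4  errors=remount-ro 0 1
tmpfs          /tmp tmpfs defaults,nosuid   0 0'

# tmp_missing_opts < fstab
# Prints the hardening options the /tmp entry lacks, one per line;
# prints "no-entry" when fstab has no /tmp line at all.
tmp_missing_opts() {
    awk '
        $1 !~ /^#/ && $2 == "/tmp" {
            found = 1
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) have[opt[i]] = 1
            split("noexec nodev nosuid", want, " ")
            for (i = 1; i <= 3; i++) if (!(want[i] in have)) print want[i]
        }
        END { if (!found) print "no-entry" }'
}

# tmp_hardened < fstab -> 0 when the /tmp entry has all three options
tmp_hardened() {
    [ -z "$(tmp_missing_opts)" ]
}

# tmp_fstab_line -> the entry that satisfies Point 46 across reboots
tmp_fstab_line() {
    echo 'tmpfs /tmp tmpfs defaults,noexec,nodev,nosuid 0 0'
}

# Demo on the constructed sample: reports noexec and nodev as missing.
printf '%s\n' "$SAMPLE_FSTAB" | tmp_missing_opts

# On the server: if the check reports anything, put the line from
# tmp_fstab_line into /etc/fstab (replacing any existing /tmp entry),
# reboot, and confirm with `findmnt /tmp` that the options are active.
```

A caveat before relying on noexec here: some package post-install scripts expect to run from /tmp. If an apt upgrade fails after this change, remount /tmp with exec for the duration of the upgrade and restore the hardened options afterwards.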
Conclusion: Your Server Is Now Fortified
Congratulations! By completing this 50-point checklist, you have elevated your unmanaged free VPS from a vulnerable target to a highly hardened, production-ready environment. You have closed the most common attack vectors (password-based SSH and default ports) and established a critical foundation for maintenance.
Security is not a single event, but a continuous process. Your next steps should focus on deploying your application and maintaining your automated systems.
More: https://gratisvps.net/blog/install-secure-the-lemp-stack-nginx-mysql-php-on-your-hardened-linux-vps/

