
VPS Security Hardening: Complete Guide for Offshore Servers

A freshly provisioned VPS is not secure by default. Automated bots scan the entire internet continuously and will find your server within minutes. This guide covers every layer of VPS security hardening, from SSH configuration to intrusion detection, giving you a robust defense-in-depth posture.


SSH Hardening: The First Line of Defense

SSH is the primary entry point to your server and therefore the most targeted service. Edit `/etc/ssh/sshd_config` to enforce key-only authentication: set `PasswordAuthentication no`, `PermitRootLogin no`, and `PubkeyAuthentication yes`. Before you disable passwords, confirm that your public key is already in `~/.ssh/authorized_keys` and that a key login works. Change the default port from 22 to a high port (e.g. 2222 or higher) to eliminate the vast majority of automated scanner noise - this is not a security measure by itself but dramatically reduces log spam. Restrict SSH access to specific users with `AllowUsers adminuser`. Limit authentication attempts with `MaxAuthTries 3` and set `LoginGraceTime 30` to close unauthenticated connections quickly. Enable `ClientAliveInterval 300` and `ClientAliveCountMax 2` to terminate idle sessions.

Two things catch people out. First, sshd uses the first value it reads for a keyword, and recent Debian/Ubuntu releases start `sshd_config` with `Include /etc/ssh/sshd_config.d/*.conf`, so a drop-in there silently overrides anything you set further down in the main file; check the effective configuration with `sshd -T` rather than trusting the file you edited. Second, after editing, test your config with `sshd -t` before restarting - a syntax error will lock you out of your own server. Keep your current session open while you restart, confirm a fresh login works from a second terminal, and if you moved the port, allow the new port in the firewall first.

Consider implementing port knocking if you want an additional layer. Port knocking requires sending packets to a specific sequence of closed ports before the SSH port temporarily opens; tools like `knockd` implement this easily. For most users, SSH keys plus fail2ban plus a non-standard port provide adequate protection without the operational complexity of port knocking.
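As an added example (not code from the original guide), a POSIX shell auditor that reads an sshd_config the way sshd does and reports which of the hardened values above are not actually in effect; the function names, the expected-value list and the sample config are mine, and the sample deliberately contains the "hardened line appended too late" mistake.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an sshd_config the
# way sshd reads it. sshd honours the FIRST occurrence of each keyword,
# so a hardened line appended at the end of the file (or after an
# Include'd drop-in that already set the keyword) is silently ignored.
# First match wins, comments are skipped, parsing stops at the first Match
# block (conditional lines only). Keyword=value syntax is not handled.
SSHD_EXPECTED='PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2'

# Print the effective (first) value of a keyword, lower-cased; empty if unset.
sshd_effective() { # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }     # comment or blank line
        tolower($1) == "match" { exit }    # global section ends here
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Print one "Keyword: got (expected want)" line per deviation; silent if compliant.
sshd_audit() { # $1 = config file
    while read -r key want; do
        got=$(sshd_effective "$1" "$key")
        [ "$got" = "$want" ] || printf '%s: %s (expected %s)\n' "$key" "${got:-unset}" "$want"
    done <<EOF
$SSHD_EXPECTED
EOF
}

# Constructed sample: the trailing "PasswordAuthentication no" is dead
# because the keyword was already set to "yes" higher up.
SSHD_SAMPLE=$(mktemp)
cat >"$SSHD_SAMPLE" <<'EOF'
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
EOF

sshd_audit "$SSHD_SAMPLE"   # prints: PasswordAuthentication: yes (expected no)
```

Run it against `/etc/ssh/sshd_config` after editing, and compare with `sshd -T` output when Include drop-ins are in play.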

Firewall Configuration with UFW and iptables

A properly configured firewall is non-negotiable. Start with a default-deny policy: `ufw default deny incoming && ufw default allow outgoing`. Then explicitly allow only the services you actually run: `ufw allow 2222/tcp` for SSH (use your actual port), `ufw allow 80/tcp` and `ufw allow 443/tcp` for web. Add the SSH rule before `ufw enable`, otherwise new connections are refused as soon as the default-deny policy is active. Enable with `ufw enable` and check with `ufw status verbose`.

For more granular control, use iptables directly, but pick one tool: ufw is itself a front end that generates iptables rules, and hand-written rules alongside it do not survive a ufw reload and are easy to shadow with ufw's own chains. Write your ruleset to `/etc/iptables/rules.v4` in iptables-save format; it is loaded with `iptables-restore`, which replaces the whole table, so no separate flush step is needed. The ruleset sets default DROP policies on INPUT and FORWARD, allows ESTABLISHED and RELATED connections, permits loopback traffic, and then specifically allows your services. Rate-limit new SSH connections with `iptables -A INPUT -p tcp --dport 2222 -m state --state NEW -m recent --set && iptables -A INPUT -p tcp --dport 2222 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP`; these two rules must come before the rule that accepts the SSH port, because iptables evaluates rules in order and the DROP is never reached once the ACCEPT has matched. Install `iptables-persistent` to make rules survive reboots. On Debian/Ubuntu: `apt install iptables-persistent` and save with `netfilter-persistent save`.

For IPv6, apply equivalent rules via `ip6tables` in `/etc/iptables/rules.v6` - do not leave IPv6 open while IPv4 is locked down, as attackers increasingly target IPv6 addresses specifically because administrators forget to harden them. One difference from IPv4: never drop ICMPv6 wholesale, since neighbour discovery and path MTU discovery depend on it and the host loses IPv6 connectivity without them.
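The following is an added example, not from the original guide: a shell function that renders the default-deny ruleset described above in the iptables-save format that `rules.v4` and `rules.v6` use, for both address families, with the SSH rate limit placed ahead of the SSH accept. The function names and the port numbers passed to it are my own choices.

```shell
#!/bin/sh
# Added example (not from the original guide): render the default-deny
# ruleset in the iptables-save format that iptables-persistent loads from
# /etc/iptables/rules.v4 and rules.v6. iptables-restore replaces the whole
# filter table, so no flush step is needed. One function renders both
# families; for IPv6 it also admits ICMPv6, because neighbour discovery
# (and with it all IPv6 connectivity) stops working if ICMPv6 is dropped.

render_rules() { # $1 = 4 or 6, $2 = SSH port, $3.. = extra TCP service ports
    fam=$1; ssh=$2; shift 2
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    if [ "$fam" = 6 ]; then
        echo '-A INPUT -p ipv6-icmp -j ACCEPT'
    else
        echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    fi
    # Record each new SSH connection per source; the 4th within 60 s is
    # dropped. These two lines must precede the ACCEPT for the same port.
    echo "-A INPUT -p tcp --dport $ssh -m conntrack --ctstate NEW -m recent --name SSH --set"
    echo "-A INPUT -p tcp --dport $ssh -m conntrack --ctstate NEW -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP"
    echo "-A INPUT -p tcp --dport $ssh -m conntrack --ctstate NEW -j ACCEPT"
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Number of INPUT rules a rendered ruleset contains (quick sanity check).
count_input_rules() { render_rules "$@" | grep -c '^-A INPUT'; }

# Usage as root, then validate each file with "iptables-restore --test" /
# "ip6tables-restore --test" before netfilter-persistent loads it at boot:
#   render_rules 4 2222 80 443 > /etc/iptables/rules.v4
#   render_rules 6 2222 80 443 > /etc/iptables/rules.v6
render_rules 4 2222 80 443
```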

Intrusion Detection and File Integrity Monitoring

fail2ban handles brute-force attacks, but you also need to detect successful intrusions. Install `rkhunter` (rootkit hunter) with `apt install rkhunter` and run an initial baseline scan with `rkhunter --update && rkhunter --propupd`. Schedule daily scans via cron: `0 3 * * * root rkhunter --check --skip-keypress --report-warnings-only | mail -s "rkhunter report" [email protected]`. Re-run `rkhunter --propupd` after legitimate package upgrades, or the changed binaries will be reported as warnings every night.

AIDE (Advanced Intrusion Detection Environment) monitors file integrity. Install with `apt install aide`, initialize the database with `aide --init`, then copy the database into place: `cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db`. Schedule a daily `aide --check` (the Debian package installs a daily job for this) to compare the filesystem against that baseline; note that `aideinit` only builds a fresh database and is not the check. Any modification to system binaries, configuration files, or libraries will be flagged. This is essential for detecting post-exploitation activity where an attacker has modified system files to maintain persistence. As with rkhunter, refresh the baseline after each planned update so that genuine alerts are not lost among expected changes.

Review `/var/log/auth.log` regularly or set up log forwarding; an attacker who gains root can edit local logs, so a copy shipped off the host is the one you can trust. Tools like `logwatch` generate daily email digests of security-relevant log events. For a more comprehensive solution, consider deploying `auditd` to track every system call, file access, and privilege escalation. Configure audit rules in `/etc/audit/rules.d/audit.rules` to monitor writes to `/etc/passwd`, `/etc/shadow`, and `/bin` (a watch rule has the form `-w /etc/shadow -p wa -k identity`) - these are prime targets for attackers establishing persistence.
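As an added example (not from the original guide) of the kind of auth.log review this section asks for, here is an awk-based summary that counts failures per source and flags the two events a daily digest should not bury: a password login that succeeded despite key-only policy, and a successful login from an address that had been failing. The function name and the log lines are constructed by me.

```shell
#!/bin/sh
# Added example (not from the original guide): one-pass summary of sshd
# events from /var/log/auth.log. It counts failed password attempts per
# source address and raises two alerts: a login Accepted by *password*
# (impossible once PasswordAuthentication is off, so it signals config
# drift) and any accepted login from an address that failed earlier in
# the same log (a brute force that eventually worked).

auth_report() { # reads auth.log lines on stdin
    awk '
        # Find the word after a keyword; field numbers shift with the
        # timestamp and the optional "invalid user" prefix.
        function after(word,   i) {
            for (i = 1; i < NF; i++) if ($i == word) return $(i + 1)
            return ""
        }
        /sshd\[[0-9]+\]: Failed password for/ { fails[after("from")]++ }
        /sshd\[[0-9]+\]: Accepted / {
            n++; meth[n] = after("Accepted"); user[n] = after("for"); ip[n] = after("from")
        }
        END {
            for (a in fails) printf "FAILS %s %d\n", a, fails[a]
            for (i = 1; i <= n; i++) {
                if (meth[i] == "password")
                    printf "ALERT password-accepted %s %s\n", user[i], ip[i]
                if (ip[i] in fails)
                    printf "ALERT accepted-after-failures %s %s %d\n", user[i], ip[i], fails[ip[i]]
            }
        }'
}

# Constructed sample log lines (RFC 5737 documentation addresses).
AUTH_SAMPLE='Mar  3 02:14:07 vps sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 02:14:09 vps sshd[1236]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 02:14:12 vps sshd[1238]: Failed password for invalid user test from 198.51.100.7 port 40022 ssh2
Mar  3 02:15:01 vps sshd[1240]: Accepted publickey for adminuser from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:constructed
Mar  3 02:16:30 vps sudo:  adminuser : TTY=pts/0 ; PWD=/home/adminuser ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 02:20:45 vps sshd[1250]: Accepted password for backup from 203.0.113.5 port 51300 ssh2'

# Against the sample this prints two FAILS lines and two ALERT lines.
# In production: auth_report < /var/log/auth.log | sort
printf '%s\n' "$AUTH_SAMPLE" | auth_report | sort
```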

Kernel Hardening and System-Level Protections

Linux kernel parameters can significantly improve security. Edit `/etc/sysctl.conf` to add: `net.ipv4.conf.all.rp_filter = 1` (prevent IP spoofing), `net.ipv4.icmp_echo_ignore_broadcasts = 1` (block Smurf attacks), `net.ipv4.tcp_syncookies = 1` (mitigate SYN flood), and `kernel.randomize_va_space = 2` (full ASLR). Apply with `sysctl -p` and verify the live values with `sysctl net.ipv4.tcp_syncookies` (and the other keys), since a file in `/etc/sysctl.d/` that sorts later can override them at boot.

Disable unused kernel modules that expand attack surface. If you do not use USB storage on a VPS, add `install usb-storage /bin/true` to `/etc/modprobe.d/blacklist.conf`. Similarly blacklist `cramfs`, `freevxfs`, `jffs2`, and other rarely-used filesystems. Mount `/tmp` with `noexec,nosuid` flags to prevent execution of malicious scripts dropped there by web application vulnerabilities; be aware that some package post-install scripts expect to execute from `/tmp`, so test an `apt upgrade` after the change.

Enable AppArmor (Ubuntu/Debian) or SELinux (RHEL-based) for mandatory access control. AppArmor profiles restrict what individual applications can access on the filesystem and network, even if they are compromised. Check status with `aa-status` and enable enforcement mode with `aa-enforce /etc/apparmor.d/*`. These protections contain the blast radius of any successful exploit to just the compromised application rather than the full server.
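An added example (not from the original guide) that checks the running state rather than the config files: one function reports which of the required `/tmp` mount options are missing from a `/proc/mounts` listing, the other reports sysctl keys whose live value drifted from the values above. Function names and the sample inputs are mine; feed them `cat /proc/mounts` and `sysctl -a` on a real host.

```shell
#!/bin/sh
# Added example (not from the original guide): check the RUNNING state,
# not just the files, so a /tmp remounted without noexec or a sysctl
# overridden later in boot is caught. Both functions read stdin, so they
# can be fed live output (cat /proc/mounts, sysctl -a) or a sample.

# Print each required mount option missing on a mount point, one per line
# (nothing when fully hardened, "not-mounted" if the path is not a mount).
# Input: /proc/mounts format (device mountpoint fstype options dump pass);
# the last matching line wins, as it does for stacked mounts.
missing_mount_opts() { # $1 = mount point, $2.. = required options
    mp=$1; shift
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    [ -n "$opts" ] || { echo "not-mounted"; return; }
    for want in "$@"; do
        case ",$opts," in *",$want,"*) ;; *) echo "$want" ;; esac
    done
}

# Print "key current expected" for each sysctl that differs from the
# expectation ("key absent expected" if the key never appears).
# Input: "key = value" lines as printed by sysctl -a.
sysctl_drift() { # $1.. = key=expected pairs
    awk -v spec="$*" '
        BEGIN { n = split(spec, p, " ")
                for (i = 1; i <= n; i++) { split(p[i], kv, "="); want[kv[1]] = kv[2] } }
        $2 == "=" && ($1 in want) { seen[$1] = 1; if ($3 != want[$1]) print $1, $3, want[$1] }
        END { for (k in want) if (!(k in seen)) print k, "absent", want[k] }'
}

# Constructed samples: /tmp lacks noexec, and syncookies were turned off.
MOUNTS_SAMPLE='/dev/vda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime,size=1048576k 0 0'
SYSCTL_SAMPLE='net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 0
kernel.randomize_va_space = 2'

printf '%s\n' "$MOUNTS_SAMPLE" | missing_mount_opts /tmp noexec nosuid   # prints: noexec
printf '%s\n' "$SYSCTL_SAMPLE" | sysctl_drift net.ipv4.conf.all.rp_filter=1 \
    net.ipv4.icmp_echo_ignore_broadcasts=1 net.ipv4.tcp_syncookies=1 \
    kernel.randomize_va_space=2   # prints: net.ipv4.tcp_syncookies 0 1
```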

Why Anubiz Host

100% async — no calls, no meetings
Delivered in days, not weeks
Full documentation included
Production-grade from day one
Security-first approach
Post-delivery support included

Ready to get started?

Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.
