How to Set Up a Secure Linux VPS for Hosting

Protect your websites and data with these essential Linux VPS security steps.

Introduction

Setting up a Virtual Private Server (VPS) is an excellent way to host websites, applications, and services with greater control than shared hosting offers. However, with this control comes responsibility—particularly when it comes to security. In 2025, with cyber threats more sophisticated than ever, properly securing your Linux VPS is not optional—it’s mandatory.

This guide walks you through the essential steps to set up and secure a Linux VPS, making it ready for reliable web hosting while protecting against common vulnerabilities.

Choosing the Right Linux Distribution

Your security journey begins with selecting the right distribution:

• Ubuntu Server: Great for beginners while offering robust security features
• Debian: Known for stability and thorough security testing
• Rocky Linux/AlmaLinux: Enterprise-grade security for those transitioning from CentOS
• Fedora Server: Cutting-edge security features with regular updates

For most hosting scenarios, Ubuntu Server LTS or Debian provide an excellent balance of security, support, and ease of use.

Initial Server Setup

Update Your System

First things first—update your system immediately after provisioning:

# For Ubuntu/Debian
sudo apt update && sudo apt upgrade -y

# For Rocky/Alma/Fedora
sudo dnf update -y

Set up automatic security updates to ensure you’re protected against newly discovered vulnerabilities:

# For Ubuntu/Debian
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

# For Rocky/Alma/Fedora
sudo dnf install dnf-automatic
sudo systemctl enable --now dnf-automatic.timer

Create a Non-Root User

Never use the root account for daily operations. Create a regular user with sudo privileges:

# Create a new user
sudo adduser yourUsername

# Add to sudo group (Ubuntu/Debian)
sudo usermod -aG sudo yourUsername

# Add to wheel group (Rocky/Alma/Fedora)
sudo usermod -aG wheel yourUsername

Essential Security Measures

Secure SSH Access

SSH is the primary entry point to your server, making it a critical security component:

1. Change the Default Port: Edit /etc/ssh/sshd_config to change the port from 22 to something less targeted (between 1024-65535)

2. Disable Root Login:

   PermitRootLogin no
   

3. Use SSH Keys Instead of Passwords: Generate keys locally:

   ssh-keygen -t ed25519 -C "your_email@example.com"
   ssh-copy-id -i ~/.ssh/id_ed25519.pub yourUsername@your_server_ip
   

   Then disable password authentication in /etc/ssh/sshd_config:

   PasswordAuthentication no
   

4. Implement Fail2Ban:

   sudo apt install fail2ban
   sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
   

   Configure protection for SSH in /etc/fail2ban/jail.local:

   [sshd]
   enabled = true
   bantime = 3600
   findtime = 600
   maxretry = 3
   

Set Up a Firewall

Configure UFW (Uncomplicated Firewall) or firewalld depending on your distribution:

# For Ubuntu/Debian with UFW
sudo apt install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow your_ssh_port/tcp
sudo ufw allow http
sudo ufw allow https
sudo ufw enable

# For Rocky/Alma/Fedora with firewalld
sudo dnf install firewalld
sudo systemctl enable --now firewalld
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

Securing Your Web Server

Install and Configure Web Server Software

For most hosting needs, you’ll want either Nginx or Apache:

Nginx (Recommended for Performance)

sudo apt install nginx

# Secure configuration
sudo nano /etc/nginx/nginx.conf

Add these security headers to your Nginx configuration:

server {
    # Other configuration...
    
    # Security headers
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "default-src 'self'";
    add_header Referrer-Policy strict-origin-when-cross-origin;
    
    # Disable server version display
    server_tokens off;
}

Apache

sudo apt install apache2

# Secure configuration
sudo nano /etc/apache2/conf-available/security.conf

Key Apache security settings:

ServerTokens Prod
ServerSignature Off
TraceEnable Off

Set Up SSL/TLS with Let’s Encrypt

Secure your sites with free SSL certificates:

sudo apt install certbot
# For Nginx
sudo apt install python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com

# For Apache
sudo apt install python3-certbot-apache
sudo certbot --apache -d yourdomain.com

Configure automatic renewal:

sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer

Advanced Security Measures

Implement ModSecurity Web Application Firewall

For Nginx:

sudo apt install libmodsecurity3 libapache2-mod-security2
# Additional configuration required - see ModSecurity documentation

Set up Intrusion Detection with OSSEC

sudo apt install git build-essential
git clone https://github.com/ossec/ossec-hids.git
cd ossec-hids
sudo ./install.sh

Enable 2FA for SSH Access

Add an extra layer of security with Google Authenticator:

sudo apt install libpam-google-authenticator
google-authenticator

Add to /etc/pam.d/sshd:

auth required pam_google_authenticator.so

And in /etc/ssh/sshd_config:

ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

Regular Maintenance Practices

Set Up Regular Backups

Using Restic (modern backup tool):

sudo apt install restic
# Initialize repository
restic init --repo /path/to/backup/repository
# Create backup
restic -r /path/to/backup/repository backup /data/to/backup

Enable Detailed Logging

Configure system logging with journald:

sudo nano /etc/systemd/journald.conf

Recommended settings:

[Journal]
Storage=persistent
Compress=yes
SystemMaxUse=2G

Implement a Log Monitoring Solution

Install Filebeat to ship logs to a central location:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.x.y-amd64.deb
sudo dpkg -i filebeat-8.x.y-amd64.deb

Performance Optimization

While securing your VPS, also consider these performance improvements:

Enable PHP-FPM (if using PHP)

sudo apt install php-fpm

Configure for optimal performance:

pm = dynamic
pm.max_children = 25
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 10

Configure Caching

For Nginx, install and configure FastCGI cache:

sudo nano /etc/nginx/conf.d/fastcgi-cache.conf

Add:

fastcgi_cache_path /var/cache/nginx levels=1:2 keys_zone=WORDPRESS:100m inactive=60m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";

Conclusion

Securing a Linux VPS for hosting requires multiple layers of protection. By implementing these measures, you’ll have significantly hardened your server against common threats while maintaining good performance for your hosted websites and applications.

Remember that security is not a one-time setup but an ongoing process. Regularly update your systems, monitor logs for suspicious activity, and stay informed about new security best practices and vulnerabilities.

With these foundational security measures in place, your Linux VPS is now ready to host websites, applications, and services with confidence.

Resources

• Digital Ocean Security Best Practices
• Linux Server Security Guide
• CIS Benchmarks
• Mozilla SSL Configuration Generator