When you order your VPS, you can choose a distribution or operating system to pre-install. The server is therefore ready to use after delivery but it will be up to you as the administrator to implement measures which ensure the security and stability of your system.
This guide provides some general tips for securing a GNU/Linux-based server.
This guide is designed to help you with the most common tasks. Nevertheless, we recommend that you contact a specialized service provider if you have difficulties or doubts concerning the administration, usage or implementation of security measures on a server.
- A Virtual Private Server in your OVHcloud account
- Administrative access (root) via SSH to your server
Updating your system
Developers of distributions and operating systems offer frequent software package updates, very often for security reasons. Ensuring that your distribution or operating system is updated is a key point for securing your VPS.
This update will take place in two steps:
- Updating the package list
# apt-get update
- Updating the actual packages
# apt-get upgrade
This operation needs to be performed regularly to keep a system up-to-date.
Changing the default SSH listening port
One of the first things to do on your server is configuring the SSH service’s listening port. It is set to port 22 by default, therefore server hacking attempts by robots will target this port. Modifying this setting by using a different port is a simple measure to harden your server against automated attacks.
To do this, modify the service configuration file:
# nano /etc/ssh/sshd_config
nano is used as an example; you can also use
vim or any other command that allows you to edit configuration files.
You should find the following or similar lines:
# What ports, IPs and protocols we listen for
Replace the number 22 with the port number of your choice. Please do not enter a port number already used on your system. To be safe, use a number between 49152 and 65535.
Save and exit the configuration file.
Restart the service:
# systemctl restart sshd
This should be sufficient to apply the changes. Alternatively, reboot the VPS (
Remember that you will have to indicate the new port any time you request an SSH connection to your server, for example:
# ssh username@IPv4_of_your_VPS -p NewPortNumber
Changing the password associated with the user “root”
It is strongly recommended that you modify the password of the root user as to not leave it at default value on a new system.
Creating a user with restricted rights
In general, tasks that do not require root privileges should be performed via a standard user. You can create a new user with the following command:
# adduser CustomUserName
Then fill in the information requested by the system (password, name, etc.).
The new user will be allowed to log in via SSH. When establishing a connection, use the specified credentials.
Once you are logged in, type the following command to perform operations that require root permissions:
$ su root
Type the password when prompted and the active login will be switched to the root user.
Disabling server access via the root user
The root user is created by default on GNU/Linux systems. Root access means having the most permissions on an operating system. It is not advisable and even dangerous to leave your VPS accessible only via root, as this account can perform irreversibly damaging operations.
We recommend that you disable direct root user access via the SSH protocol. Remember to create another user before following the steps below.
You need to modify the SSH configuration file in the same way as described above:
# nano /etc/ssh/sshd_config
Locate the following section:
Replace yes with no on the line
For this modification to be taken into account, you need to restart the SSH service:
# systemctl restart sshd
Afterwards, connections to your server via root user (
ssh root@IPv4_of_your_VPS) will be rejected.
Fail2ban is an intrusion prevention software framework designed to block unknown IP addresses that are trying to penetrate your system. This software package is recommended, even essential, to guard against any brute force attacks on your services.
To install the software package, use the following command:
# apt-get install fail2ban
Once the software package is installed, you need to modify its configuration file to customize it to your usage. Before you make any changes, we recommend that you create a backup of the configuration file by entering the following command:
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.backup
Then open and edit the file:
# nano /etc/fail2ban/jail.conf
Once you have completed these changes, restart the service using this command:
# /etc/init.d/fail2ban restart
For any additional information and recommendations concerning Fail2ban, please refer to the official documentation for this tool.
Configuring the internal firewall (iptables)
GNU/Linux distributions come with a firewall service named iptables. By default, this service does not have any active rules. You can verify this by typing the following command:
# iptables -L
It is recommended that you create and adjust firewall rules according to your needs. For more detailed information on the variety of manipulations that are possible, please refer to the relevant section in the official documentation of the distribution used.
Configuring the OVHcloud Network Firewall
OVHcloud solutions include the option of enabling a firewall at the entry point to the infrastructure, called the Network Firewall. Configuring it correctly allows connections to be blocked before they even arrive on your server.
Please refer to the Network Firewall guide if you would like to activate it.
Backing up your system and your data
The concept of security is not limited to protecting a system against attacks.
Securing your data is a key element, which is why OVHcloud offers you several backup options as a service:
Snapshotoption allows you to create a manual snapshot.
Automated Backupoption enables you to keep regular backups of your VPS (excluding additional disks).