Blog Post, 3/3/2026

Linux Server Security: 6 Essential Steps to Harden Your VPS


Setting up a Linux Virtual Private Server (VPS), perhaps to run a self-hosted dashboard like Coolify, is an exciting step. However, the moment that server goes live it is being scanned by automated bots looking for simple vulnerabilities.

Out of the box, most Linux distributions are relatively open. It is up to you to "harden" the system, closing the doors and windows to malicious actors. This guide ranks the most critical security steps, from fundamental protection to advanced defense.

1. SSH Hardening (The Front Door)

Most automated attacks target the SSH port. Securing this is your single highest priority. You must move away from password-based logins immediately.

A. Use SSH Key Authentication

Passwords can be brute-forced; a 4096-bit RSA key or an Ed25519 key has far too much entropy for that to be practical. Generate a key pair on your local machine and add the public key to the server.

B. Edit the SSH Configuration

Edit the critical configuration file:

sudo nano /etc/ssh/sshd_config

Make the following three changes (ensure they are uncommented):

Setting                  Recommendation        Why?
PasswordAuthentication   no                    Stops password brute-force attacks. Only your key works.
Port                     [Random High Port]    Move SSH from 22 to, e.g., 2222. Eliminates 99% of bot scans.
PermitRootLogin          no                    Forces you to log in as a user and use sudo, protecting the root account.

Remember to restart the service: sudo service ssh restart
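The three edits above applied as a script, an added example that is not part of the original post. It works on whatever file path you pass in, so you can try it on a copy first, and it assumes GNU sed and grep plus the Debian/Ubuntu layout where sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf". That include is the catch a practitioner wants to know about: sshd keeps the first value it reads for a directive, so a drop-in such as 50-cloud-init.conf containing "PasswordAuthentication yes" silently overrides your edit further down in the main file, which is why the script also lists active directives in the drop-in directory.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the three settings from
# the table to an sshd_config-style file idempotently and then checks the
# drop-in directory that Ubuntu 22.04+/Debian 12 include from the top of
# sshd_config. sshd keeps the FIRST value it reads for a directive, so a
# drop-in such as sshd_config.d/50-cloud-init.conf saying
# "PasswordAuthentication yes" silently wins over an edit further down in the
# main file. Assumed: GNU sed/grep; paths are parameters so a copy can be
# tested first; directives inside a "Match" block (rare on a fresh VPS)
# would be rewritten too.

# set_sshd_directive FILE NAME VALUE
# Rewrites every line for NAME, including commented-out ones such as
# "#Port 22", to "NAME VALUE"; appends the directive if no such line exists.
set_sshd_directive() {
  file="$1"; name="$2"; value="$3"
  if grep -Eq "^[[:space:]]*#?[[:space:]]*$name([[:space:]]|$)" "$file"; then
    sed -i -E "s/^[[:space:]]*#?[[:space:]]*$name([[:space:]].*)?$/$name $value/" "$file"
  else
    printf '%s %s\n' "$name" "$value" >> "$file"
  fi
}

# harden_sshd_config FILE PORT: the three changes from the table above
harden_sshd_config() {
  set_sshd_directive "$1" PasswordAuthentication no
  set_sshd_directive "$1" Port "$2"
  set_sshd_directive "$1" PermitRootLogin no
}

# dropin_overrides DIR: prints every ACTIVE (uncommented) Port,
# PasswordAuthentication or PermitRootLogin line in DIR/*.conf;
# returns 1 if any were found, 0 if the directory is clean or absent
dropin_overrides() {
  [ -d "$1" ] || return 0
  found=$(grep -HE '^[[:space:]]*(Port|PasswordAuthentication|PermitRootLogin)[[:space:]]' "$1"/*.conf 2>/dev/null || true)
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# On the server, as root (sudo -i), with your current SSH session kept open:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config 2222
#   dropin_overrides /etc/ssh/sshd_config.d   # edit or remove whatever it prints
#   sshd -t                                   # config check; silent when OK
#   service ssh restart
#   ss -tlnp | grep sshd                      # sshd must now listen on 2222
# Then, from a SECOND terminal, run "ssh -p 2222 user@server" and only close
# the first session once that login works.
```

On releases where ssh is socket-activated (check with systemctl is-active ssh.socket), the listening port belongs to the ssh.socket unit rather than to sshd, so after changing Port run systemctl daemon-reload and restart ssh.socket as well; the ss check above tells you whether the new port is actually open.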


2. Implement a Network Firewall (UFW)

A firewall acts as a filter, deciding which traffic is allowed to enter or leave your server. On Ubuntu and many Debian-based systems, UFW (Uncomplicated Firewall) is the standard interface.

You should operate on a "deny by default" principle: close everything, then only open what you need.

Recommended Basic Rules:


# Set defaults
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow your custom SSH port (CRITICAL: Do this before enabling)
sudo ufw allow [YOUR_CUSTOM_SSH_PORT]/tcp

# Allow standard web traffic
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Enable the firewall
sudo ufw enable

3. Automated Defense with Fail2Ban

Even on a custom SSH port, sophisticated bots may find you. Fail2Ban is an essential service that monitors your system logs (like /var/log/auth.log) for suspicious activity, such as repeated failed login attempts.

When Fail2Ban detects an abusive IP address, it automatically updates the firewall (UFW) to temporarily reject all traffic from that IP. It’s an automated "banning" system that requires zero daily management.
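A minimal Fail2Ban jail for SSH that bans through UFW, as an added example that is not from the original post. Fail2Ban's shipped defaults live in jail.conf and local overrides belong in jail.local; the function writes that file to a path you choose so it can be inspected before it goes to /etc/fail2ban/jail.local. It assumes fail2ban 0.10 or later (time suffixes such as 1h), UFW as the firewall, and the custom SSH port chosen in step 1, which the jail must be told about or it will guard port 22.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a jail.local for the
# sshd jail and reads values back out of it. Assumed: fail2ban >= 0.10, ufw
# in use, the custom SSH port from step 1 passed as a parameter.

# write_fail2ban_jail OUT SSH_PORT
write_fail2ban_jail() {
  out="$1"; port="$2"
  cat > "$out" <<EOF
[DEFAULT]
# 5 failures inside 10 minutes => banned for 1 hour
bantime  = 1h
findtime = 10m
maxretry = 5
# Bans are inserted as UFW rules, so "ufw status" shows them
banaction = ufw
# Never ban localhost; append your own fixed IP here if you have one
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
# Must match the Port you set in sshd_config, or bans guard the wrong port
port    = $port
# If /var/log/auth.log does not exist (Debian 12 without rsyslog), read the
# journal instead; needs the python3-systemd package:
# backend = systemd
EOF
}

# jail_value FILE SECTION KEY: prints the first word of KEY's value inside
# SECTION (a small INI lookup used to verify the generated file)
jail_value() {
  awk -v s="[$2]" -v k="$3" '
    /^\[/ { insec = ($0 == s); next }
    insec && $1 == k && $2 == "=" { print $3 }
  ' "$1"
}

# On the server, as root:
#   apt install fail2ban
#   write_fail2ban_jail /etc/fail2ban/jail.local 2222
#   systemctl enable --now fail2ban
#   fail2ban-client status sshd                     # jail state and banned IPs
#   fail2ban-client set sshd unbanip 203.0.113.10   # undo a ban (placeholder IP)
```

ufw status lists the bans Fail2Ban has inserted, and fail2ban-client status sshd confirms the jail is watching the right port; an unreachable server after enabling the jail usually means the port line did not match the SSH port.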


4. Enable Unattended Security Upgrades

Security vulnerabilities are discovered in software daily. You don't want to wait until your next manual login to patch them. You must automate the application of security patches.

  • Install the package: sudo apt install unattended-upgrades

  • Verify it is active: sudo systemctl status unattended-upgrades

This ensures that critical security updates are downloaded and installed automatically every night, keeping your operating system resilient without requiring manual intervention.
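Installing the package only puts it on disk; the nightly run is driven by apt's systemd timers and two APT::Periodic switches in /etc/apt/apt.conf.d/20auto-upgrades. The following added example (not from the original post) checks that file, with the path as a parameter so a copy can be tested, and lists the commands that prove the job actually runs. It assumes the Debian/Ubuntu apt layout.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies that unattended
# upgrades are switched on, not merely installed. Assumed: Debian/Ubuntu apt
# layout; FILE is normally /etc/apt/apt.conf.d/20auto-upgrades.

# apt_periodic FILE KEY: prints the value of APT::Periodic::KEY (last one
# wins, as apt itself treats a repeated key); empty if unset
apt_periodic() {
  sed -n -E "s/^[[:space:]]*APT::Periodic::$2[[:space:]]+\"([^\"]*)\";.*/\1/p" "$1" | tail -n 1
}

# auto_upgrades_enabled FILE: 0 when package lists are refreshed AND the
# unattended upgrade run is enabled (both switches "1"), 1 otherwise
auto_upgrades_enabled() {
  [ "$(apt_periodic "$1" Update-Package-Lists)" = "1" ] &&
  [ "$(apt_periodic "$1" Unattended-Upgrade)" = "1" ]
}

# On the server:
#   auto_upgrades_enabled /etc/apt/apt.conf.d/20auto-upgrades \
#     || sudo dpkg-reconfigure -plow unattended-upgrades   # writes both switches
#   sudo unattended-upgrade --dry-run -d      # simulate tonight's run, verbose
#   systemctl list-timers 'apt-daily*'        # apt-daily.timer, apt-daily-upgrade.timer
#   tail /var/log/unattended-upgrades/unattended-upgrades.log
#   [ -f /var/run/reboot-required ] && echo "reboot needed"
# Kernel and libc updates are installed but not active until a reboot; to let
# the server do that itself, set in /etc/apt/apt.conf.d/50unattended-upgrades:
#   Unattended-Upgrade::Automatic-Reboot "true";
#   Unattended-Upgrade::Automatic-Reboot-Time "03:00";
```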


5. Secure Shared Memory

For more advanced hardening, mounting shared memory with noexec and nosuid stops anything written into that world-writable area from being executed or gaining privileges, which removes a staging ground some exploits (buffer-overflow payloads included) rely on. This is done by restricting the mount options on the shared memory filesystem.

Add the following line to the end of your /etc/fstab file:

tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
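Two checks a practitioner wants after adding that line, as an added example that is not from the original post: that the fstab entry names the real mount point, and that the running mount actually carries noexec and nosuid. On current Debian and Ubuntu releases /run/shm is a symlink to /dev/shm, so the script takes the mount point as a parameter (readlink -f /run/shm tells you which path is real) and reads options from a /proc/mounts-style table whose path is also a parameter, so a constructed table can be tested.

```shell
#!/bin/sh
# Added example, not from the original post. Adds the shared-memory fstab
# entry once and verifies the options that are actually in effect.
# Assumed: a /proc/mounts-style table (fields: source target fstype options);
# MOUNTPOINT is the real path, i.e. what "readlink -f /run/shm" prints.

# mount_options MOUNTS_FILE MOUNTPOINT: prints the option list of MOUNTPOINT
mount_options() {
  awk -v mp="$2" '$2 == mp { o = $4 } END { print o }' "$1"
}

# has_mount_option MOUNTS_FILE MOUNTPOINT OPTION: 0 if OPTION is in effect
has_mount_option() {
  mount_options "$1" "$2" | tr ',' '\n' | grep -qx "$3"
}

# shm_hardened MOUNTS_FILE MOUNTPOINT: 0 only when noexec AND nosuid are set
shm_hardened() {
  has_mount_option "$1" "$2" noexec && has_mount_option "$1" "$2" nosuid
}

# ensure_shm_fstab FSTAB MOUNTPOINT: appends the entry from the post unless
# FSTAB already has an active (uncommented) line for MOUNTPOINT
ensure_shm_fstab() {
  if ! awk -v mp="$2" '$2 == mp && $1 !~ /^#/ { found = 1 } END { exit !found }' "$1"; then
    printf 'tmpfs %s tmpfs defaults,noexec,nosuid 0 0\n' "$2" >> "$1"
  fi
}

# On the server, as root:
#   mp=$(readlink -f /run/shm)                 # /dev/shm on current releases
#   ensure_shm_fstab /etc/fstab "$mp"
#   mount -o remount,noexec,nosuid "$mp"       # apply now; fstab covers reboots
#   shm_hardened /proc/mounts "$mp" && echo "shared memory is noexec,nosuid"
```

If an application misbehaves afterwards, its logs will show permission-denied errors on the shared-memory path, which is the signal that it expected to execute from there.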


6. Docker and Coolify Security Best Practices

If you are reading this because you saw security warnings in your Coolify dashboard, your VPS is likely already running many applications within Docker containers. Docker security is a unique layer:

  • Internal Container Networking: Ensure your databases (Postgres, Redis, Mongo, etc.) are not exposed to the public internet via a public port. They should communicate with your applications (your web server) only through the internal, private Docker network. Coolify usually handles this correctly by default.

  • Resource Limits: Use Coolify’s application settings to set CPU and RAM limits for individual containers. This prevents a compromised or buggy application from consuming all your VPS resources and crashing the entire server (a form of resource-exhaustion Denial of Service).
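A way to check both points above against the compose files that define your containers, as an added example that is not from the original post or from Coolify. The reason to check the host rather than trust the dashboard: Docker installs its own iptables rules ahead of UFW's chains, so a mapping such as "5432:5432" is reachable from the internet even with ufw default deny incoming. The safe shapes are no ports: entry at all (containers on the same Docker network reach each other by service name) or a binding to 127.0.0.1. The script assumes short-syntax ports entries one per line, IPv4 host addresses, and the usual two-space indentation for service names; the compose stack it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post or Coolify. Lists compose
# "ports:" entries that publish a container port on every interface.
# Assumed: short-syntax entries one per line, IPv4 host addresses, service
# names indented by exactly two spaces under "services:".

# public_ports COMPOSE_FILE: prints each all-interface mapping as "service: mapping"
public_ports() {
  awk -v q="'" '
    /^  [A-Za-z0-9_.-]+:[[:space:]]*$/ { svc = $1; sub(/:$/, "", svc) }
    /^[[:space:]]*ports:[[:space:]]*$/ { inports = 1; next }
    inports && /^[[:space:]]*-/ {
      m = $0
      sub(/^[[:space:]]*-[[:space:]]*/, "", m); sub(/[[:space:]]*#.*$/, "", m)
      gsub(/"/, "", m); gsub(q, "", m)
      n = split(m, f, ":")
      # HOST:CONT binds 0.0.0.0; IP:HOST:CONT binds only IP (unless IP is 0.0.0.0)
      if (n == 2 || (n == 3 && f[1] == "0.0.0.0")) print svc ": " m
      next
    }
    inports && /^[[:space:]]*$/ { next }
    inports { inports = 0 }
  ' "$1"
}

# sample_compose OUT: constructed example stack (not a real Coolify deployment)
sample_compose() {
  cat > "$1" <<'EOF'
services:
  web:
    image: nginx:alpine
    ports:
      - "80:80"      # public on purpose: the reverse proxy
      - "443:443"
    deploy:
      resources:
        limits:
          cpus: "1.0"     # resource limit: a runaway container cannot starve the host
          memory: 512M
  db:
    image: postgres:16
    environment:
      - POSTGRES_PASSWORD=change-me
    ports:
      - "5432:5432"  # BAD: reachable from the internet despite UFW
  cache:
    image: redis:7
    ports:
      - '127.0.0.1:6379:6379'  # OK: only processes on the VPS itself
  worker:
    image: myapp/worker
    expose:
      - "9000"       # OK: container-network only, never published
EOF
}

# What the host is really doing, independent of any compose file:
#   docker ps --format '{{.Names}} {{.Ports}}'   # "0.0.0.0:5432->5432/tcp" is public
#   sudo ss -tlnp                                # docker-proxy listening on 0.0.0.0
#   docker stats --no-stream                     # shows whether limits apply
```

Run public_ports against each compose file the dashboard deploys; on the constructed stack it reports web: 80:80, web: 443:443 and db: 5432:5432, and only the last of those is a problem. The deploy.resources.limits block is the compose form of the CPU and RAM limits the section above describes.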


Conclusion: Your Security Checklist Summary

Hardening your server is about defense in depth. Complete this checklist to ensure your VPS is secure:

  1. [ ] SSH Keys are generated and enabled.

  2. [ ] SSH Password Authentication is disabled (PasswordAuthentication no).

  3. [ ] SSH Default Port 22 is changed to a custom high port.

  4. [ ] Root Login via SSH is disabled.

  5. [ ] UFW Firewall is active, with only essential ports (SSH, 80, 443) open.

  6. [ ] Fail2Ban is installed and running.

  7. [ ] Unattended Upgrades (Security Patches) are automated.