How to Secure Your VPS: Firewalls, SSH, and Best Practices

Simple, effective ways to secure your VPS. Learn how to lock down SSH, configure your firewall, keep your system updated, and set up safe backups.

Your VPS is only as secure as you make it.

Whether you’re hosting a small web app or running production services, taking time to lock down your environment can save you from serious headaches later. The good news is: it doesn’t take much. A few simple changes can block most automated attacks and make your VPS much harder to break into.

Here’s a clear, practical guide to getting it done… without overthinking it.

Step 1: Use SSH keys, not passwords

When you first deploy a VPS, you’ll typically access it via SSH. Most servers allow password authentication by default. That’s fine for testing, but it’s risky in the long run.

Why switch to SSH keys?

Password logins are vulnerable to brute force attacks. SSH keys are not. Even if someone knows your IP, they can’t get in without your private key.

How to set it up:

  1. On your local machine, run: ssh-keygen -t ed25519 -C "your_email@example.com" (Press Enter to accept the defaults.)
  2. Copy your public key to the VPS: ssh-copy-id user@your-server-ip
  3. Disable password auth on the VPS:
    • Edit the SSH config file: sudo nano /etc/ssh/sshd_config
    • Find and change: PasswordAuthentication no
    • Then restart SSH: sudo systemctl restart sshd

Now only your machine (or any device with the key) can access the server.

Tip: Keep a backup of your private key somewhere safe. If you lose it, you lose access.
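A check to run after step 3, added here as an example and not part of the original guide. On many distributions sshd_config also includes drop-in files from /etc/ssh/sshd_config.d/, and sshd keeps the first value it reads for each keyword, so the line you edited may not be the one in effect. `sshd -T` prints the effective settings; the function name and both sample dumps below are constructed for illustration.

```shell
# Added example: confirm what sshd will actually enforce after step 3.
# Real use: sudo sshd -T | check_sshd_effective

# Reads an `sshd -T` dump (lowercase "keyword value" lines) on stdin.
# Prints one FAIL line per problem; exit status 0 means key-only logins.
check_sshd_effective() {
    awk '
        { val[$1] = $2 }
        END {
            bad = 0
            if (val["passwordauthentication"] != "no") {
                print "FAIL passwordauthentication=" val["passwordauthentication"]
                bad = 1
            }
            # Older OpenSSH releases print challengeresponseauthentication.
            kbd = val["kbdinteractiveauthentication"]
            if (kbd == "") kbd = val["challengeresponseauthentication"]
            # Assumption of this example: keyboard-interactive is a failure,
            # because with PAM it can still prompt for the account password.
            if (kbd == "yes") { print "FAIL keyboard-interactive=yes"; bad = 1 }
            if (val["pubkeyauthentication"] != "yes") {
                print "FAIL pubkeyauthentication=" val["pubkeyauthentication"]
                bad = 1
            }
            exit bad
        }'
}

# Constructed sample: main file edited, but an earlier drop-in still wins.
SAMPLE_OVERRIDDEN='port 22
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes'

# Constructed sample: the state step 3 is aiming for.
SAMPLE_HARDENED='port 22
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'

printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_sshd_effective || echo "password logins still possible"
printf '%s\n' "$SAMPLE_HARDENED" | check_sshd_effective && echo "key-only logins in effect"
```

Run the check from a second terminal while your current SSH session stays open, so a mistake in the config cannot lock you out.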

Step 2: Configure your firewall

By default, most VPS instances have all ports open unless a firewall is in place. That means anyone can try connecting to any service listening on the server: SSH, HTTP, MySQL, Redis, etc.

Closing unused ports is one of the fastest ways to improve security.

If you’re using ufw (Uncomplicated Firewall):

  1. Allow only what you need:
    • sudo ufw allow ssh
    • sudo ufw allow http
    • sudo ufw allow https
  2. Enable the firewall: sudo ufw enable
  3. Check the status: sudo ufw status

You can also deny all traffic by default and whitelist only specific IPs or services.

If you’re on LumaDock:

Every VPS includes built-in firewall management in the control panel. You can create inbound rules to allow only certain IPs or ports — for example, locking SSH to your office IP.

Tip: If you’re not using a service like MySQL remotely, don’t expose it at all. Run it locally only.
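To see which services would be exposed if a firewall rule were missing, compare the listening sockets with the ports you meant to open. This is an added example, not part of the original guide; it parses `ss -H -tln` output, and the function name and sample output are constructed.

```shell
# Added example: list TCP listeners reachable from outside the host.
# Real use: ss -H -tln | exposed_listeners "22 80 443"

# $1: space-separated ports you mean to expose (the ones allowed in ufw).
# stdin: `ss -H -tln` output. Prints "port address" for every listener that
# is bound to a non-loopback address and is not in the allowed list.
exposed_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4; port = $4
            sub(/:[0-9]+$/, "", addr)   # strip ":port" to get the bind address
            sub(/^.*:/, "", port)       # keep only the text after the last colon
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            if (!(port in ok)) print port, addr
        }'
}

# Constructed sample: MySQL bound to every interface, Redis bound to loopback.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 151 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

printf '%s\n' "$SAMPLE_SS" | exposed_listeners "22 80 443"
```

In the sample only MySQL is reported: Redis listens on loopback, and SSH and HTTP are on the allowed list.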

Step 3: Keep your packages updated

Security patches are released regularly for most Linux distributions. Keeping your system up to date is one of the most overlooked (and important) habits.

For Debian/Ubuntu:

sudo apt update && sudo apt upgrade -y

For CentOS/AlmaLinux:

sudo dnf update -y

You can also enable unattended upgrades, but many users prefer manual control to avoid unexpected changes. Either way, don’t let months go by without patching.

Step 4: Change the default SSH port (optional)

Changing the SSH port won’t stop targeted attacks, but it reduces noise from bots scanning port 22.

To do this:

  1. Edit: sudo nano /etc/ssh/sshd_config
  2. Change: Port 2222
  3. Restart SSH: sudo systemctl restart sshd

You’ll now need to connect using:

ssh -p 2222 user@your-server-ip

Again, this is optional, but it can clean up your logs and reduce bot attempts.

Step 5: Set up automatic backups and snapshots

Security isn’t just about keeping attackers out. It’s also about recovering fast when something goes wrong, whether it’s an attack, a bad update, or an accidental deletion.

LumaDock tip:

All VPS plans include snapshot and backup options. Use them.

  • Schedule daily backups with 7-day retention
  • Take a manual snapshot before major changes
  • Store critical data offsite (use something like rclone to push to S3, for example)

If your VPS gets compromised, restoring a clean image is often faster and safer than trying to clean it up manually.

Step 6: Monitor your server activity

You don’t need a full SIEM to know something’s off.

Start simple:

  • Use fail2ban to block repeated login attempts
  • Install logwatch or logcheck for daily summaries
  • Use htop or iftop to spot abnormal CPU or network use

These lightweight tools can give you just enough visibility to catch problems early, without slowing down your system or flooding your inbox.
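The kind of counting that fail2ban automates, written out as an added example that is not part of the original guide: tally rejected SSH logins per source address and report the noisy ones. The function name, threshold and log lines are constructed; on Debian/Ubuntu the real input would be /var/log/auth.log.

```shell
# Added example: count rejected SSH logins per source IP in sshd log lines.
# Real use on Debian/Ubuntu: sudo cat /var/log/auth.log | noisy_sources 5

# $1: minimum number of rejected attempts to report.
# stdin: syslog-format sshd lines. Prints "count ip", highest count first.
noisy_sources() {
    awk -v min="$1" '
        # Count "Invalid user" once, and "Failed password" only for accounts
        # that exist, so an unknown-user attempt is not counted twice.
        /sshd\[[0-9]+\]: Invalid user / ||
        (/sshd\[[0-9]+\]: Failed password for / && !/Failed password for invalid user /) {
            # The user name is chosen by the client, so search from the end
            # of the line for the "from <ip> port" triple that sshd appends.
            for (i = NF - 2; i > 1; i--)
                if ($i == "from" && $(i + 2) == "port") { hits[$(i + 1)]++; break }
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -rn
}

# Constructed sample log (documentation address ranges).
SAMPLE_LOG='Jan 10 03:12:01 vps sshd[1201]: Invalid user admin from 203.0.113.7 port 51234
Jan 10 03:12:03 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 10 03:12:09 vps sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 10 03:12:15 vps sshd[1205]: Failed password for root from 203.0.113.7 port 51244 ssh2
Jan 10 03:20:44 vps sshd[1290]: Invalid user test from 198.51.100.4 port 40022
Jan 10 08:01:10 vps sshd[2011]: Accepted publickey for deploy from 192.0.2.10 port 50112 ssh2'

printf '%s\n' "$SAMPLE_LOG" | noisy_sources 3
```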

Final thoughts

Security doesn’t have to be complicated. Most attacks are automated and opportunistic. If your server isn’t an easy target, most bots will move on.

To recap:

  • Use SSH keys and disable passwords
  • Enable a firewall and only open what you use
  • Keep your system updated
  • Take backups, use snapshots
  • Monitor your logs and system activity

These six steps won’t make you invincible, but they’ll take you from “open target” to “not worth the effort” (and that’s a massive leap).

If you’re hosting with LumaDock, most of this comes built-in or just a click away. But no matter where you’re hosting, these basics matter.

Need help setting it up? Our support team’s real. Just ask.