How to Secure Your Linux VPS from Hackers (5 Security Tips)
Difficulty grade:
Beginner
33%
How to Secure Your Linux VPS from Hackers (5 Security Tips)
Difficulty grade:
Beginner
33%
Need help setting up your node?
Step-by-Step GUIDE
Disclaimer
The information provided in this guide is for general informational purposes only. By accessing or using this guide, you acknowledge and agree that the author and this website shall not be held responsible or liable for any errors, omissions, or outcomes resulting from the use of this material. This includes, without limitation, any direct, indirect, incidental, or consequential damages to hardware, software, data, or any other property. While reasonable efforts have been made to ensure the accuracy and reliability of the content, no warranties or guarantees are provided, either express or implied. Users assume full responsibility for the implementation of any instructions contained herein and are strongly advised to perform appropriate backups and due diligence before proceeding. For official support or the most up-to-date information, please consult the relevant project’s official documentation or support channels.
Section 1: Connecting to the VPS
To access your VPS, you have two options
- Built-in Console: Most providers (e.g., DigitalOcean) offer a web-based console in their dashboard — no setup required.
- SSH Method: Use PowerShell or PuTTY on Windows, or Terminal on macOS/Linux — most VPS use
rootas the default username.
Run this command:
ssh username@your_server_ipReplace username and your_server_ip with your actual VPS login credentials. You’ll be prompted to enter the password to complete the login.
Example: ssh root@192.0.2.123
Section 2: Installing and Running the Node
Think your server is safe because you’re the only one who knows the IP? Think again.
Every day, bots are scanning IP ranges looking for open ports, weak credentials, and misconfigured systems. If you’re running a crypto node, storing API keys, or even just hosting a portfolio site, leaving your VPS exposed is like leaving your front door unlocked in a sketchy neighborhood — and hackers don’t knock.
Let’s fix that. In this beginner-friendly guide, you’ll learn how to lock down your VPS in under an hour — step by step, with explanations before every command. You don’t need to be a Linux expert — just copy, paste, and understand.
🔄 Step 1: Change the Default SSH Port
Why it matters:
Port 22 is the default SSH port — and every bot knows it. Changing this to a non-standard port makes you less visible and cuts down on brute-force login attempts.
✅ Check which ports are in use
sudo ss -tulnWhat this does:
Lists all active TCP and UDP ports. This helps you choose a safe new port that doesn’t conflict with existing services.
✏️ Open the SSH config file
sudo nano /etc/ssh/sshd_configWhat this does:
Opens the SSH configuration file in a simple text editor (nano) so you can make changes.
🔁 Change the port number
Inside the file, look for this line:
Port 22…and change it to something like:
Port 4422What this does:
Instructs SSH to use port 4422 instead of the default 22. Choose any number between 1024–65535 that isn’t in use.
🔓 Allow the new port in the firewall
sudo ufw allow 4422/tcpWhat this does:
Tells your firewall to allow connections through port 4422 using TCP (the protocol SSH uses).
🔄 Restart the SSH service
sudo systemctl restart sshWhat this does:
Applies your changes by restarting the SSH service.
🧪 Test your new connection before closing your terminal
ssh your_username@your_server_ip -p 4422What this does:
Attempts to log in using the new SSH port. Don’t close your original session until this works!
🛑 Step 2: Disable Root Login (Safely)
Why it matters:
The root user has unlimited power — and hackers know it. Disabling direct root login and using a regular user with sudo privileges adds a critical layer of protection.
👤 Create a new user
adduser your_usernameWhat this does:
Creates a new user account with the name you choose.
🛠 Give the user sudo privileges
usermod -aG sudo your_usernameWhat this does:
Adds your user to the sudo group so they can use admin commands.
🔍 Test the new user
ssh your_username@your_server_ipWhat this does:
Tests your new user login to make sure everything is working before disabling root access.
🔐 Disable root login in SSH config
sudo nano /etc/ssh/sshd_configFind this line:
PermitRootLogin yes…and change it to:
PermitRootLogin noWhat this does:
Prevents the root user from logging in via SSH — even if they have the password.
🔁 Restart SSH again
sudo systemctl restart ssh
✅ Double-check your changes
grep PermitRootLogin /etc/ssh/sshd_config
🔐 Step 3: Set Up SSH Key Authentication (Using PuTTY + PuTTYgen on Windows)
Why it matters:
Passwords can be guessed or cracked. SSH keys use advanced encryption to authenticate you securely.
🛠 Download PuTTY and PuTTYgen
👉 Download the PuTTY installer
🔑 Generate your SSH key pair with PuTTYgen
Open PuTTYgen → Set type to RSA → 4096 bits → Click Generate and move mouse
Then:
- Copy the public key from the top box
- Click Save private key and store safely
- (Optional) Save public key as well
🚀 Add your public key to the VPS
mkdir -p ~/.ssh
nano ~/.ssh/authorized_keys
Paste your public key → Ctrl+O → Enter → Ctrl+X
🔐 Tell your VPS to only allow SSH key logins
sudo nano /etc/ssh/sshd_configEnsure these lines are set:
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PubkeyAuthentication yes
PermitEmptyPasswords no
🔄 Restart SSH
sudo systemctl restart ssh
🔗 Connect using PuTTY and your private key
Open PuTTY → Enter IP → Go to Connection → SSH → Auth → Browse for .ppk file → Open
🚫 Disable password login on the server
sudo nano /etc/ssh/sshd_config
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PubkeyAuthentication yes
PermitEmptyPasswords no
🔄 Restart SSH one more time
sudo systemctl restart ssh
✅ Confirm your key is in place
cat ~/.ssh/authorized_keys
🚫 Step 4: Install Fail2Ban
Why it matters:
Even with SSH keys, bots may still try and fail repeatedly. Fail2Ban monitors these attempts and bans IPs that try too many times.
🛠 Install Fail2Ban
sudo apt install fail2ban -y
🔄 Enable and start the service
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
⚙️ (Optional) Customize settings
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
Change under [sshd]:
bantime = 1h
findtime = 10m
maxretry = 3
What this does:
bantime = how long to ban
findtime = how far back to check logs
maxretry = number of tries before ban
🔄 Restart Fail2Ban
sudo systemctl restart fail2ban
👁️ Check which IPs are banned
sudo fail2ban-client status sshd
🔥 Bonus: Enable a Firewall (UFW)
Why it matters:
A firewall blocks all unwanted traffic. You decide what gets through — and everything else stays out.
🔐 Set the default rules
sudo ufw default deny incoming
sudo ufw default allow outgoing
✅ Allow essential services
sudo ufw allow 4422/tcp # Replace with your SSH port
sudo ufw allow 80,443/tcp # Web traffic
🚀 Enable the firewall
sudo ufw enable
✅ Check current rules
sudo ufw status numbered
✅ Final Thoughts
You don’t need to be a Linux expert to defend your server — just a few smart moves go a long way.
By changing your SSH port, disabling root login, using SSH keys, enabling Fail2Ban, and activating UFW, you’ve made your VPS dramatically harder to compromise.
If this guide helped, share it with your community or team. And for more real-world node tutorials, check out DEPINspirationHUB — where we help node runners and crypto builders stay one step ahead.
