Security Hardening
Best practices for hardening your SHC VPS beyond the default configuration.
Default Security
Every SHC VPS ships pre-hardened with:
- SSH key-only authentication (password auth disabled)
- fail2ban configured for SSH
- UFW firewall with minimal open ports
- Unattended security upgrades enabled
Additional Hardening
Change SSH Port
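# Edit SSH config
sudo nano /etc/ssh/sshd_config
# In sshd_config, change to a non-standard port
Port 2222
# Check the config for syntax errors before restarting
sudo sshd -t
# Open the new port in the firewall before sshd moves to it
sudo ufw allow 2222/tcp
# Restart SSH
sudo systemctl restart sshd
# Keep this session open, confirm a new login on port 2222 works, then remove the old rule
sudo ufw delete allow 22/tcp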
Restrict SSH Access
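# Allow only specific IPs
sudo ufw allow from YOUR_IP to any port 2222
# If 2222/tcp was opened to everyone earlier, remove that rule or it still admits all sources
sudo ufw delete allow 2222/tcp
# Or use AllowUsers in sshd_config
AllowUsers yourusername@YOUR_IP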
Enable Automatic Updates
Verify unattended-upgrades is active:
sudo dpkg-reconfigure -plow unattended-upgrades
sudo systemctl status unattended-upgrades
Install and Configure CrowdSec
For advanced intrusion detection:
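# Add the CrowdSec package repository
curl -s https://install.crowdsec.net | sudo sh
# Install the detection engine, then the firewall bouncer that enforces its decisions
sudo apt install crowdsec
sudo apt install crowdsec-firewall-bouncer-iptables
sudo systemctl enable --now crowdsec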
Audit System Access
# View recent logins
last -20
# Check auth log
sudo tail -50 /var/log/auth.log
# List failed login attempts
sudo grep "Failed password" /var/log/auth.log
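With password authentication disabled, as in the default configuration above, hostile SSH attempts typically show up in auth.log as `Invalid user` or `[preauth]` disconnect lines rather than `Failed password`. The script below is an added example, not part of the original page: it counts those pre-authentication failures per source IP. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Count pre-auth SSH failures per source IP from auth.log-style input.
# Usage: sudo sh ssh_failures.sh /var/log/auth.log   (no argument = built-in sample)

ssh_failures_by_ip() {
    awk '
    function src_ip(   i) {   # address = field before the last "port" token,
        for (i = NF; i > 1; i--) if ($i == "port") return $(i - 1)
        return ""             # so an odd user name cannot shift the position
    }
    # "Connection closed by invalid user" is skipped on purpose: the same
    # attempt was already counted by its "Invalid user ... from" line.
    /sshd\[[0-9]+\]: (Failed password for |Invalid user )/ ||
    /sshd\[[0-9]+\]: (Connection closed by|Disconnected from) authenticating user .*\[preauth\]/ {
        ip = src_ip(); if (ip != "") n[ip]++
    }
    END { for (ip in n) print n[ip], ip }
    ' "$@" | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation IP ranges), not real log data.
sample_auth_log() {
    cat <<'EOF'
Mar  3 10:15:01 vps sshd[1201]: Invalid user admin from 203.0.113.5 port 51234
Mar  3 10:15:01 vps sshd[1201]: Connection closed by invalid user admin 203.0.113.5 port 51234 [preauth]
Mar  3 10:15:09 vps sshd[1207]: Connection closed by authenticating user root 203.0.113.5 port 51240 [preauth]
Mar  3 10:16:30 vps sshd[1215]: Disconnected from authenticating user root 198.51.100.7 port 40022 [preauth]
Mar  3 10:17:02 vps sshd[1220]: Failed password for invalid user test from 198.51.100.7 port 40030 ssh2
Mar  3 10:17:40 vps sshd[1229]: Invalid user oracle from 203.0.113.5 port 51301
Mar  3 10:20:11 vps sshd[1240]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:CONSTRUCTED
EOF
}

if [ "$#" -gt 0 ]; then
    ssh_failures_by_ip "$@"
else
    sample_auth_log | ssh_failures_by_ip
fi
```

On the sample, a grep for "Failed password" alone matches one line, while the summary attributes five failed attempts to two addresses.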
Regular Maintenance
- Review firewall rules monthly:
sudo ufw status verbose
- Check for rootkits:
sudo rkhunter --check
- Review running services:
systemctl list-units --type=service --state=running
- Monitor open ports:
sudo ss -tlnp