PSB Hosting
How to secure a VPS so it doesn’t get enlisted in a botnet on day one

How to secure a VPS so it doesn’t get enlisted in a botnet on day one

  1. Home
  2. Blogs
  3. How to secure a VPS so it doesn’t get enlisted in a botnet on day one

Just a few seconds after launching a new VPS server, it immediately becomes a target for a huge number of automated attacker scanners. These are usually bots that scan various network ranges 24 hours a day, 7 days a week, 365 days a year, searching for fresh IP addresses with open ports. The goal of these bots is to find vulnerabilities in standard services (most commonly SSH, web servers, and control panels), followed by attempts to gain access via brute force (such as password guessing) or to deploy exploits for known vulnerabilities.

That is why cybersecurity specialists say that VPS protection should not start “tomorrow” or “in a month,” but within the very first hour of the server’s life. If a server is not secured immediately, within 1–2 days it can easily turn into a tool for cryptocurrency mining, spam distribution, or attacks on similar systems. At that point, restoring the server to a clean, standard state becomes extremely difficult.

What needs to be done in the first hour after receiving the server

The first hour after receiving a VPS is the most critical stage for any specialist. During this time, it is essential to implement strong protection against the basic attack vectors, without which compromising the server becomes nearly impossible.

The required actions include:

  • Firewall configuration — this must be done first;
  • Securing SSH access — this is usually the “front door” that gets attacked more often than any other component;
  • System updates — software developers regularly patch vulnerabilities in their products to reduce the risk of compromise. In unpatched software, these vulnerabilities continue to work against VPS owners;
  • Creating a backup (snapshot) — this is the ideal way to restore the server in case of problems or a successful intrusion attempt.

Each of these actions is described in more detail below.

Firewall configuration

Cybersecurity professionals recommend starting server protection with firewall configuration, as this is the first step toward a properly secured VPS.

The following actions should be taken:

  • Deny all incoming connections by default — the rule “everything that is not explicitly allowed is forbidden” is ideal here. This helps protect the server from unexpected external connections;
  • Allow only required ports — in most cases, SSH ports should be restricted (with additional protection applied later), and ports 80/443 used for web services should also be considered. If you do not need them, they should not be opened;
  • Use iptables/nftables or convenient wrappers such as UFW (Uncomplicated Firewall). For example, on Debian/Ubuntu Linux systems:
    sudo ufw default deny incoming
    sudo ufw allow 22/tcp
    sudo ufw enable

Once the firewall is configured, you can move on to the second step — securing SSH access.

Securing SSH access

SSH is the “front door” of any VPS server, and its protection requires special attention.

  • Change the default port — most botnet systems attempt brute force attacks on the standard SSH port (22). Changing it to a non-standard port (for example, 2345) significantly reduces such attempts. This can be done in /etc/ssh/sshd_config;
  • Disable root login — for daily operations and improved security, direct root login should be disabled, and a separate user with sudo privileges should be created. This can be done using:
    PermitRootLogin no
  • Use key-based authentication — this is far more secure than password-based login. Parameters such as PubkeyAuthentication yes should be enabled, while password authentication should be disabled;
  • Use additional tools — the most popular utility for protecting SSH access is Fail2ban, which blocks IP addresses after multiple failed login attempts.

After securing the server’s “front door,” you can proceed to system updates and backups.

System updates and backups

Most VPS compromises occur due to vulnerabilities in outdated software. That is why automatic security updates should be configured, and immediately after server deployment, the following command should be run (for Debian or Ubuntu):

sudo apt update

This ensures all applications are updated to their latest versions.

It is also strongly recommended to create a server backup stored on separate infrastructure. This allows you to restore the server in case of errors or a successful attack. After the initial setup, backing up the VPS every few weeks is advisable.

Monitoring and detection: how to make sure protection works

After configuring the system, regular monitoring is essential.

  • Log monitoring — useful commands include:
    sudo tail -f /var/log/auth.log
    sudo journalctl -xe
    These logs help identify failed login attempts, unknown processes, and suspicious activity.
  • Installing a simple HIDS (Host-based Intrusion Detection System) — tools such as AIDE and Tripwire monitor file integrity, while Rkhunter and Lynis scan for rootkits and configuration vulnerabilities.

Monitoring should be performed regularly, ideally every few days.

Actions during an alert: signs of compromise and the “rescue plan”

Complete security is impossible, so you must be prepared for incidents. Signs of compromise include:

  • Unexplained high CPU load (check with top or htop);
  • Unknown processes, services, or users;
  • Changes to system files or unusual outbound connections (checked via HIDS, netstat -tanp, or ss -tulp).

If any of these signs appear, immediately follow the rescue plan:

  1. Do not panic, but do not shut down the server unless absolutely necessary;
  2. Disconnect the server from the network via the hosting provider’s control panel;
  3. Connect via a recovery console or backup access channel;
  4. Analyze processes, network connections, and startup files, and collect logs;
  5. Decide whether to repair the system or restore it from a clean snapshot;
  6. Change all compromised passwords and SSH keys.

After recovery, analyze the attack vector and strengthen weak points.

What’s next? A long-term security improvement plan

  • Regularly update applications, especially web applications;
  • Apply the principle of least privilege to user permissions;
  • Run regular security audits using Lynis;
  • Centralize log collection on a separate, well-protected server.

The key takeaway

Protecting a VPS server from being taken over by botnets is entirely achievable. It requires discipline and speed rather than deep expert knowledge.

The “golden hour” after receiving a server is critical: start with firewall configuration, then secure SSH, update the system, and set up backups. Continuous monitoring and a clear incident response plan are just as important.

Security is not a one-time task — it is an ongoing process. Start with the basics to ensure your VPS is no longer an easy target and reliably serves your goals.