Start with deny-all defaults and explicitly allow only needed ports. Use UFW: ufw default deny incoming, then allow your SSH port, HTTP (80), and HTTPS (443). For granular control, use iptables with rate limiting to block brute-force attempts. Don’t forget OUTPUT rules to prevent compromised services from making outbound connections. Review open ports regularly with ss -tlnp and disable anything unnecessary.
Firewall Configuration
Start with deny-all defaults and explicitly allow only needed ports. Use UFW: ufw default deny incoming, then allow your SSH port, HTTP (80), and HTTPS (443). For granular control, use iptables with rate limiting to block brute-force attempts. Don’t forget OUTPUT rules to prevent compromised services from making outbound connections. Review open ports regularly with ss -tlnp and disable anything unnecessary.
Intrusion Detection and Prevention
Deploy OSSEC or Wazuh as a host-based IDS (HIDS) for file integrity monitoring, rootkit detection, and real-time log analysis. Configure ClamAV for malware scanning. Use rkhunter for rootkit checks. For network-level detection, Suricata provides IDS/IPS functionality analyzing traffic and blocking known attack patterns in real-time. Layer these tools for comprehensive protection.
DDoS Protection
Implement protection at multiple levels: CDN for L3/L4 mitigation, Nginx rate limiting for L7 protection, and kernel-level SYN flood protection with net.ipv4.tcp_syncookies = 1. FastNode includes GDPR-compliant infrastructure on all plans, providing network-edge defense before traffic reaches your server. Combined with application-level protections, your VPS becomes highly resilient against attacks.
Looking for reliable hosting? FastNode offers Lightning-fast UK VPS hosting with NVMe storage and low-latency servers across Europe. Explore our plans and find the perfect solution for your needs.