Intermediate
How to secure VPS configuration on Contabo
Quick Answer
Secure your Contabo VPS by enabling 2FA on the CCP and on SSH, allowing SSH only from trusted source IPs and exposing only the ports your services need (typically HTTP/HTTPS), using key-based authentication, disabling unnecessary services, and applying patches regularly. Follow the principle of least privilege to minimize the attack surface. Review logs regularly and back up configurations before you change them.
Prerequisites
- Access to Contabo Customer Control Panel (CCP)
- SSH or RDP access to your VPS
- Smartphone for 2FA apps like Google Authenticator
- Basic Linux/Windows admin knowledge
- Root/admin privileges on VPS
1
Enable 2FA on Contabo CCP
Log in to the Contabo Customer Control Panel (CCP) and navigate to 'Customer details' to enable Two-Factor Authentication (2FA) for account protection. Use apps like Google Authenticator, Authy, or Microsoft Authenticator on your smartphone. This adds a second verification layer to prevent unauthorized access to your VPS management.
2
Set Up SSH Key-Based Authentication
Replace password-based SSH login with key-based authentication. Generate an SSH key pair on your local machine, copy the public key to ~/.ssh/authorized_keys on the VPS, and confirm from a second terminal that key login works before you disable passwords: set PasswordAuthentication no in /etc/ssh/sshd_config, check the syntax with sudo sshd -t (a typo here means no SSH at all), and restart SSH with sudo systemctl restart sshd (the unit is named ssh on Debian/Ubuntu; both names usually work). Refer to Contabo's 'How to Use SSH Keys with Your Server' guide.
Tip
Disable root login by setting PermitRootLogin no in sshd_config. If root is the only account on the server, create an unprivileged user with sudo rights first, otherwise you lock yourself out.
3
Configure Restrictive Firewall Rules
Enable a host firewall on the VPS (iptables/nftables or UFW); if your Contabo product also offers a control-panel firewall, mirror the same rules there. Allow SSH (port 22) only from trusted IP addresses, HTTP/HTTPS (ports 80/443) for web services, and drop all other inbound traffic by default. Before switching the INPUT policy to DROP, add rules that accept loopback traffic and packets belonging to established connections; without them a DROP policy also discards the replies to the server's own outbound connections (apt, DNS, backups). Example:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s <trusted_ip> -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -P INPUT DROP
Apply the principle of least privilege: the default policy denies, and every open port is an explicit exception. ip6tables keeps a separate rule set, so if the VPS has an IPv6 address apply the same policy there.
Tip
Specify source IPs and destination ports explicitly.
4
Enable 2FA for SSH Access
Install a TOTP PAM module and require it in addition to the key. Edit /etc/ssh/sshd_config to set KbdInteractiveAuthentication yes (ChallengeResponseAuthentication yes on OpenSSH older than 8.7), UsePAM yes, and AuthenticationMethods publickey,keyboard-interactive. Install the module with sudo apt install libpam-google-authenticator, run google-authenticator as the user who will log in (it stores the secret in that user's ~/.google_authenticator), add auth required pam_google_authenticator.so to /etc/pam.d/sshd, and comment out the @include common-auth line there so PAM does not also prompt for the password. Restart the SSH service and confirm from a new terminal that you are asked for the key and then a time-based code.
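Steps 2 and 4 as one script, added here as an example rather than taken from Contabo's guide. It assumes the Debian/Ubuntu layout: sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf (Debian 12, Ubuntu 22.04+) and /etc/pam.d/sshd contains @include common-auth. The drop-in file name 99-hardening.conf is a choice, not a requirement, and the paths are parameters so the functions can be tried on copies before touching the live files.

```shell
#!/bin/sh
# Added example, not code from Contabo's guide: steps 2 and 4 as one script.
# Assumes a Debian/Ubuntu layout, i.e. sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf" (Debian 12, Ubuntu 22.04+) and
# /etc/pam.d/sshd contains "@include common-auth". Paths are parameters so
# the functions can be exercised on copies before touching the live files.
set -eu

# Write the hardening drop-in into directory $1. sshd keeps the FIRST value it
# sees for a keyword, and the Include sits at the top of sshd_config, so a
# drop-in wins over the stock settings that follow it.
write_sshd_dropin() {
    dir="${1:-/etc/ssh/sshd_config.d}"
    cat > "$dir/99-hardening.conf" <<'EOF'
# Step 2: keys only, no root.
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
# Step 4: a TOTP prompt after the key. Both spellings are set: they are
# aliases since OpenSSH 8.7 and older releases need the second one.
KbdInteractiveAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
EOF
    printf '%s\n' "$dir/99-hardening.conf"
}

# Require the TOTP module in the sshd PAM stack ($1) and stop PAM asking for
# a password as well; the key already proved identity. "nullok" lets a user
# who has not run google-authenticator yet in with the key alone; drop it
# once everyone is enrolled.
write_pam_sshd() {
    f="${1:-/etc/pam.d/sshd}"
    cp "$f" "$f.bak"
    sed -i 's/^@include common-auth/# &   (disabled: key + TOTP, no password)/' "$f"
    grep -q 'pam_google_authenticator.so' "$f" \
        || printf 'auth required pam_google_authenticator.so nullok\n' >> "$f"
}

# First effective value of keyword $2 in file $1, read the way sshd reads it:
# comments skipped, keyword case-insensitive, nothing past a Match block.
sshd_first_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2   { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }' "$1"
}

# 0 if file $1 enforces the settings of steps 2 and 4, else 1 plus the weak
# keywords. Also works on the output of "sshd -T" (the merged live config).
audit_sshd_config() {
    f="$1"; rc=0
    for kv in PasswordAuthentication=no PermitRootLogin=no \
              AuthenticationMethods=publickey,keyboard-interactive; do
        key="${kv%%=*}"; want="${kv#*=}"
        got="$(sshd_first_value "$f" "$key")"
        [ "$got" = "$want" ] || { echo "weak: $key=${got:-unset} (want $want)"; rc=1; }
    done
    return "$rc"
}

# Live path, run as root on the VPS after every login user has run
# google-authenticator. Keep this session open until a NEW one succeeds.
apply_ssh_hardening() {
    dropin="$(write_sshd_dropin)"
    write_pam_sshd
    audit_sshd_config "$dropin"
    sshd -t                         # a syntax error here would mean no SSH at all
    systemctl restart ssh 2>/dev/null || systemctl restart sshd
    echo "Restarted. Log in from a second terminal (key, then TOTP) before closing this one."
}

if [ "${1:-}" = "apply" ]; then
    apply_ssh_hardening
fi
```

Run it as sudo sh harden-ssh.sh apply. Because AuthenticationMethods is set globally, a service account that cannot enrol a TOTP secret needs its own Match User block with AuthenticationMethods publickey, placed after the global settings; remove nullok from the PAM line once every interactive user has enrolled.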
5
Disable Unnecessary Services
Minimize the attack surface by identifying and stopping unneeded services. Use systemctl list-units --type=service --state=running on Linux to see what is running and ss -tulpn to see which of those listen on the network, then disable with sudo systemctl disable --now <service_name> (stops and disables in one step). Confirm from outside, with nmap -p- <vps_ip> or with Shodan/Censys, that only the required ports answer; a service that is only used locally should bind to 127.0.0.1 rather than 0.0.0.0.
Tip
Focus on a single-role configuration for your VPS.
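An audit for this step, added here as an example (not Contabo's code): it parses ss -H -tulpn output and lists every socket bound to a public address whose port is not on the allow-list, which is what an external scan will see. The ss lines in sample_ss are constructed for the demo; the live path reads the real ones and uses systemctl status <pid> to name the unit that owns each listener.

```shell
#!/bin/sh
# Added example, not code from Contabo's guide: list sockets that are bound to
# a public address and not on the allow-list, which is exactly what an
# external nmap or Shodan scan will see. The "ss" lines at the bottom are
# constructed for the demo; "audit_live" reads the real ones on the VPS.
set -eu

# Print "proto port process pid" for each listener bound to a non-loopback
# address whose port is not in $1 (comma-separated). Input: "ss -H -tulpn"
# lines from file $2 or stdin.
exposed_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            # Column 5 is "addr:port"; split on the last colon so [::]:80 parses.
            i = match($5, /:[0-9]+$/); if (!i) next
            host = substr($5, 1, i - 1); port = substr($5, i + 1)
            if (host ~ /^127\./ || host == "[::1]" || host ~ /%lo$/) next  # local only
            if (port in ok) next                                            # expected
            proc = "?"; pid = "?"
            if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
            if (match($0, /pid=[0-9]+/))        pid  = substr($0, RSTART + 4, RLENGTH - 4)
            print $1, port, proc, pid
        }' "${2:-/dev/stdin}" | sort -u
}

# Live path: audit the running VPS and print the exact unit to disable.
# "systemctl status <pid>" names the unit owning that pid, which is more
# reliable than guessing from the process name.
audit_live() {
    snap="$(mktemp)"
    ss -H -tulpn > "$snap"
    exposed_listeners "${1:-22,80,443}" "$snap" | while read -r proto port proc pid; do
        unit="$(systemctl status "$pid" 2>/dev/null | head -n 1 | awk '{ print $2 }')"
        echo "$proto/$port $proc (pid $pid): sudo systemctl disable --now ${unit:-<unit>}"
        echo "   or keep it and bind it to 127.0.0.1 if only local clients need it"
    done
    rm -f "$snap"
}

# Constructed "ss -H -tulpn" output: a typical web + database VPS where
# Redis and rpcbind listen on every interface by accident.
sample_ss() {
    cat <<'EOF'
udp   UNCONN 0 0   127.0.0.53%lo:53   0.0.0.0:* users:(("systemd-resolve",pid=512,fd=13))
tcp   LISTEN 0 128       0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0 80      127.0.0.1:3306 0.0.0.0:* users:(("mariadbd",pid=905,fd=21))
tcp   LISTEN 0 511             *:80         *:* users:(("nginx",pid=1002,fd=6))
tcp   LISTEN 0 128       0.0.0.0:6379 0.0.0.0:* users:(("redis-server",pid=1100,fd=6))
tcp   LISTEN 0 128          [::]:111    [::]:* users:(("rpcbind",pid=640,fd=5))
EOF
}

if [ "${1:-}" = "live" ]; then
    audit_live "${2:-22,80,443}"
else
    sample_ss | exposed_listeners 22,80,443
fi
```

On the sample, the two lines reported are Redis on 6379 and rpcbind on 111; MariaDB is bound to loopback and is not reported. Run sh audit-listeners.sh live 22,80,443 on the VPS, then confirm the result from another host with nmap -p- <vps_ip>, since a firewall rule can hide a listener that is still running.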
6
Enable Firewall Logging and Backups
Turn on logging for firewall activity to see what is being blocked: add a -j LOG rule immediately before the final DROP, rate-limited (-m limit --limit 5/min) so a port scan cannot fill the disk. LOG entries are kernel messages, so read them with journalctl -k or in /var/log/kern.log (they also appear in /var/log/syslog on Debian/Ubuntu). Back up the rules before every change with iptables-save > firewall_backup.rules and roll back with iptables-restore < firewall_backup.rules. To survive a reboot, install iptables-persistent and save the rules to /etc/iptables/rules.v4.
Tip
Set up alerts for suspicious log entries.
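Steps 3 and 6 together, added here as an example and not taken from Contabo's guide: a complete iptables-restore ruleset with the conntrack rule that the short example in step 3 leaves out, a rate-limited LOG before the final DROP, a backup of the current rules, and a three-minute rollback timer so a mistake cannot lock you out. The address 203.0.113.10 stands in for your trusted admin IP, the backup path under /root is a choice, and the kernel log lines in sample_kernel_log are constructed (and abridged) for the demo.

```shell
#!/bin/sh
# Added example, not code from Contabo's guide: the step 3 policy together with
# the logging and backup of step 6, loaded with a rollback timer so a mistake
# cannot lock you out. 203.0.113.10 stands in for the trusted admin address and
# the kernel log lines at the end are constructed for the demo.
set -eu

# Print an iptables-restore ruleset. $1 = trusted source for SSH (IP or CIDR).
firewall_rules() {
    trusted="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, then replies to connections the VPS opened itself (apt, DNS,
# backups): without this line a DROP policy also breaks outbound traffic.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
# Step 3: SSH only from the trusted address, web ports to everyone.
-A INPUT -p tcp --dport 22 -s $trusted -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Step 6: log what falls through, rate-limited so a scan cannot fill the disk,
# then drop explicitly so "iptables -L INPUT -v" keeps a counter for it.
-A INPUT -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix "IPT-DROP: " --log-level 4
-A INPUT -j DROP
COMMIT
EOF
}

# 0 if ruleset file $1 keeps established traffic and logs before the final
# drop, else 1 with the reason. Run it before iptables-restore.
check_rules() {
    f="$1"
    grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' "$f" \
        || { echo "no conntrack ACCEPT: replies to outbound connections would be dropped"; return 1; }
    log_at="$(grep -n -- '-j LOG' "$f" | head -n 1 | cut -d: -f1)"
    drop_at="$(grep -n '^-A INPUT -j DROP' "$f" | head -n 1 | cut -d: -f1)"
    [ -n "$log_at" ] && [ -n "$drop_at" ] && [ "$log_at" -lt "$drop_at" ] \
        || { echo "LOG rule must come before the final DROP"; return 1; }
}

# Summarise LOG entries by source and destination port: who is knocking on
# which closed port. $1 = log file, or pipe "journalctl -k" in.
top_blocked_sources() {
    grep 'IPT-DROP:' "${1:-/dev/stdin}" \
        | sed -n 's/.*SRC=\([0-9a-f.:]*\).*DPT=\([0-9]*\).*/\1 \2/p' \
        | sort | uniq -c | sort -rn
}

# Live path, as root on the VPS: back up the current rules (step 6), load the
# new ones, and restore the old ones after 3 minutes unless you cancel.
apply_firewall() {
    trusted="$1"
    backup="/root/firewall-$(date +%Y%m%d-%H%M%S).rules"
    new="$(mktemp)"
    iptables-save > "$backup"
    firewall_rules "$trusted" > "$new"
    check_rules "$new"
    ( sleep 180 && iptables-restore < "$backup" ) &
    rollback=$!
    iptables-restore < "$new"
    echo "Loaded. Log in from $trusted in a NEW terminal, then run:"
    echo "  kill $rollback && iptables-save > /etc/iptables/rules.v4"
    echo "IPv6 is a separate table: repeat with ip6tables or it stays wide open."
}

# Constructed (abridged) kernel log lines in the format the LOG target emits.
sample_kernel_log() {
    cat <<'EOF'
Mar  3 10:15:01 vps kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TTL=244 ID=54321 PROTO=TCP SPT=44321 DPT=22 SYN
Mar  3 10:15:02 vps kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TTL=244 ID=54322 PROTO=TCP SPT=44322 DPT=22 SYN
Mar  3 10:15:09 vps kernel: IPT-DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=40 TTL=51 ID=9 PROTO=TCP SPT=60000 DPT=3389 SYN
EOF
}

case "${1:-}" in
    apply) apply_firewall "${2:?trusted IP or CIDR}" ;;
    show)  firewall_rules "${2:-203.0.113.10}" ;;
    *)     sample_kernel_log | top_blocked_sources ;;
esac
```

sh firewall.sh show 203.0.113.10 prints the ruleset for review; sh firewall.sh apply 203.0.113.10 loads it (the iptables and iptables-persistent packages must be installed). The rollback timer is the safety net the troubleshooting section otherwise solves through the VNC console: if the new SSH session fails, do nothing and the previous rules return by themselves. journalctl -k | sh firewall.sh gives the per-source summary from the real log.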
7
Keep System Updated and Patched
Regularly update your OS and software to close known vulnerabilities. On Ubuntu/Debian: sudo apt update && sudo apt upgrade -y. Reboot after kernel or libc updates (the presence of /var/run/reboot-required, or the needrestart tool, tells you when), test updates in staging where you can, and subscribe to your distribution's security announcements. This mitigates risks from known exploits.
Tip
Automate updates with unattended-upgrades.
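A concrete unattended-upgrades setup for this tip, added here as an example and not part of Contabo's guide: security updates only, an automatic reboot in a quiet window when one is required, and a dry run to prove the configuration parses. The file name 52-vps-unattended.conf and the 04:00 window are choices; the origin patterns are the ones Debian and Ubuntu ship for their security pockets.

```shell
#!/bin/sh
# Added example, not code from Contabo's guide: an unattended-upgrades override
# for a Debian/Ubuntu VPS. File name and reboot window are choices, not
# requirements.
set -eu

# Write the apt configuration fragment to $1 (tests pass a temp path).
write_unattended_conf() {
    cat > "$1" <<'EOF'
// Start from an empty list: a later file APPENDS to the package's own
// 50unattended-upgrades list, it does not replace it.
#clear Unattended-Upgrade::Origins-Pattern;
// Security pocket only; feature updates stay manual (step 7: test them in
// staging first). Debian uses the "Debian-Security" label, Ubuntu the
// "-security" suite, so both shapes are listed.
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
    "origin=Ubuntu,archive=${distro_codename}-security";
};
// A patched kernel that is never booted protects nothing. The reboot only
// fires when /var/run/reboot-required exists, so verify on your image that a
// kernel update creates it.
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
// Old kernels are attack surface and fill /boot.
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
EOF
}

# 0 when file $1 enables the reboot and restricts updates to a security
# origin, else 1 with the reason.
check_unattended_conf() {
    grep -q 'Automatic-Reboot "true"' "$1" || { echo "reboot not enabled"; return 1; }
    grep -q 'security' "$1"               || { echo "no security origin";  return 1; }
}

# Live path, as root on the VPS.
if [ "${1:-}" = "apply" ]; then
    apt-get install -y unattended-upgrades
    write_unattended_conf /etc/apt/apt.conf.d/52-vps-unattended.conf
    check_unattended_conf /etc/apt/apt.conf.d/52-vps-unattended.conf
    # The periodic timer only runs when these two switches are on.
    printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' \
        > /etc/apt/apt.conf.d/20auto-upgrades
    systemctl enable --now unattended-upgrades
    unattended-upgrade --dry-run --debug    # lists what would be installed
fi
```

The dry run is the check worth keeping: it prints the origins it allowed and the packages it would have upgraded, so a wrong pattern shows up as "no packages" rather than as a silently unpatched server.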
8
Configure RDP 2FA (Windows VPS)
For a Windows VPS using RDP, install a third-party MFA agent such as Duo Security or Okta Verify, since RDP has no built-in second factor. Follow the provider's instructions to hook the RDP logon so that the app verification code is required after the password. Until it is in place, keep Network Level Authentication enabled and restrict port 3389 to trusted source IPs in the Windows firewall, as in step 3.
9
Implement Data Encryption
Encrypt data at rest where your threat model calls for it, for example against disk snapshots or decommissioned storage. On Linux, use LUKS: cryptsetup luksFormat /dev/sdX initializes a volume (it destroys whatever is on the device, so it is for a new data disk or a fresh install, not a running root filesystem), and cryptsetup open /dev/sdX <name> (luksOpen in older versions) unlocks it. An encrypted root volume needs its passphrase at every boot, on a VPS through the VNC console, which is why many setups encrypt only the data volume. Review encryption settings periodically to ensure confidentiality against breaches.
Tip
Back up the passphrase and the LUKS header (cryptsetup luksHeaderBackup) securely; without them the data is unrecoverable.
10
Install Fail2Ban for Brute-Force Protection
Protect against brute-force attacks by installing Fail2Ban: sudo apt install fail2ban. Configure jails for SSH and other services in /etc/fail2ban/jail.local (not jail.conf, which package upgrades overwrite) to ban IPs after repeated failures. It follows the logs, or the journal when backend = systemd is set, and inserts temporary iptables/nftables rules dynamically. Put your trusted admin address in ignoreip so a mistyped code cannot ban you.
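A jail.local for the SSH jail plus a small "would this be banned?" check over log lines, added here as an example and not taken from Contabo's guide, so that maxretry and findtime are not chosen blind. 203.0.113.10 stands in for the trusted admin address from step 3, and the auth log excerpt in sample_auth_log is constructed for the demo. The check only counts the two most common sshd line shapes; Fail2Ban's real sshd filter matches more, and fail2ban-regex /var/log/auth.log sshd shows exactly what.

```shell
#!/bin/sh
# Added example, not code from Contabo's guide: a jail.local for the SSH jail
# plus a "would this be banned?" check over log lines. 203.0.113.10 stands in
# for the trusted admin address; the auth log excerpt is constructed.
set -eu

# Write the jail override to $1; $2 = address never to ban.
# jail.local survives package upgrades, jail.conf does not.
write_jail_local() {
    cat > "$1" <<EOF
[DEFAULT]
# Admin address and loopback are never banned, so a fat-fingered TOTP code
# cannot lock you out.
ignoreip = 127.0.0.1/8 ::1 $2
bantime  = 1h
findtime = 10m
maxretry = 5
# Repeat offenders get progressively longer bans (fail2ban 0.11+).
bantime.increment = true
# Read the journal directly: minimal Debian 12 images have no /var/log/auth.log
# unless rsyslog is installed, and the jail will not start without a log.
backend = systemd

[sshd]
enabled = true
# Change this if sshd does not listen on 22.
port    = ssh
# Also count pre-auth disconnects and invalid users, not only bad passwords.
mode    = aggressive
EOF
}

# Addresses with at least $2 (default 5) failures in the sshd lines of $1,
# minus any listed in $3 (space-separated, like ignoreip). Mirrors what the
# sshd filter counts for the two most common line shapes.
would_ban() {
    max="${2:-5}"; ignore="${3:-}"
    grep -E 'sshd\[[0-9]+\]: (Failed password for|Invalid user)' "$1" \
        | sed -n 's/.* from \([0-9a-f.:]*\) port [0-9]*.*/\1/p' \
        | sort | uniq -c \
        | awk -v m="$max" -v ign=" $ignore " '$1 >= m && index(ign, " " $2 " ") == 0 { print $2 }'
}

# Constructed auth log: one scanner, one stray probe, and the admin
# mistyping a password five times from the trusted address.
sample_auth_log() {
    cat <<'EOF'
Mar  3 10:17:02 vps sshd[2231]: Failed password for root from 198.51.100.7 port 41022 ssh2
Mar  3 10:17:04 vps sshd[2231]: Failed password for root from 198.51.100.7 port 41022 ssh2
Mar  3 10:17:06 vps sshd[2233]: Failed password for root from 198.51.100.7 port 41024 ssh2
Mar  3 10:17:08 vps sshd[2235]: Invalid user admin from 198.51.100.7 port 41026
Mar  3 10:17:10 vps sshd[2235]: Failed password for invalid user admin from 198.51.100.7 port 41026 ssh2
Mar  3 10:17:30 vps sshd[2240]: Invalid user test from 192.0.2.44 port 50510
Mar  3 10:18:00 vps sshd[2250]: Failed password for alice from 203.0.113.10 port 50000 ssh2
Mar  3 10:18:01 vps sshd[2250]: Failed password for alice from 203.0.113.10 port 50000 ssh2
Mar  3 10:18:02 vps sshd[2250]: Failed password for alice from 203.0.113.10 port 50000 ssh2
Mar  3 10:18:03 vps sshd[2250]: Failed password for alice from 203.0.113.10 port 50000 ssh2
Mar  3 10:18:04 vps sshd[2250]: Failed password for alice from 203.0.113.10 port 50000 ssh2
Mar  3 10:18:30 vps sshd[2251]: Accepted publickey for alice from 203.0.113.10 port 50001 ssh2
EOF
}

case "${1:-}" in
    install)
        apt-get install -y fail2ban
        write_jail_local /etc/fail2ban/jail.local "${2:?trusted IP}"
        systemctl restart fail2ban
        fail2ban-client status sshd ;;
    *)
        tmp="$(mktemp)"; sample_auth_log > "$tmp"
        echo "would ban:"; would_ban "$tmp" 5 203.0.113.10
        rm -f "$tmp" ;;
esac
```

On the sample only 198.51.100.7 is reported: the admin address also reaches five failures but is protected by ignoreip, which is the point of listing it. After sh fail2ban-setup.sh install 203.0.113.10, fail2ban-client status sshd shows the jail, its backend and the currently banned addresses.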
Troubleshooting
Locked out after firewall changes
Use the Contabo VNC console in the CCP to reach the VPS. Open the firewall again with iptables -P INPUT ACCEPT before iptables -F (flushing the rules while the policy is still DROP blocks everything), then restore a known-good state with iptables-restore < firewall_backup.rules.
SSH 2FA not prompting
Verify that auth required pam_google_authenticator.so is present in /etc/pam.d/sshd, that UsePAM yes and KbdInteractiveAuthentication yes (ChallengeResponseAuthentication yes on older OpenSSH) are set in sshd_config, and that no earlier occurrence of the same keyword overrides them (sshd -T prints the effective values); then restart sshd.
Exposed services detected by scans
Disable unnecessary services with systemctl, bind local-only services to 127.0.0.1, reconfigure the firewall to block the ports, and rescan with nmap.
Cannot restore iptables rules
Ensure iptables-persistent is installed and the rules are saved to /etc/iptables/rules.v4 (netfilter-persistent save); otherwise a reboot resets them. iptables-restore reads from standard input, so the file must be redirected in (iptables-restore < file).
Fail2Ban not banning IPs
Check fail2ban-client status sshd, review /var/log/fail2ban.log, and adjust maxretry in jail.local. If the sshd jail fails to start because /var/log/auth.log does not exist, set backend = systemd so it reads the journal instead.