Secure your Vultr Cloud Instances with essential best practices, updates, firewalls, and monitoring.
Vultr Cloud Instances provide flexible, high-performance virtual machines (VMs) that run on Linux and Windows operating systems. Instances are available in both Shared and Dedicated plans, giving you the ability to choose based on your performance, workload isolation, and scalability needs. For workloads that require direct access to physical hardware, Vultr Bare Metal Instances deliver top-tier performance, zero virtualization overhead, and complete resource control across our globally distributed data centers. Vultr also offers Cloud GPU Instances optimized for machine learning, AI inference, rendering, and GPU-intensive workloads. Depending on your chosen configuration, instances can be deployed within a Vultr VPC to enable private and isolated communication between servers for enhanced security and performance.
Vultr provides a backup service that allows you to automatically create periodic, system-level backups of your Cloud Instances. These backups ensure you can restore your instance to a previous state in case of accidental deletion, misconfiguration, hardware failure, or other unexpected issues, helping to minimize downtime and protect your data. For detailed instructions, refer to the Vultr Docs for enabling backups. To take an instant backup using snapshots, refer to the guide: How to Take a Snapshot and Redeploy a Vultr Compute Instance.
Vultr Firewalls provide a stateful, network-level security layer to manage inbound traffic to your instances. They allow you to define custom rules for allowed IP addresses, ports, and protocols, protecting your resources before traffic reaches your server. For detailed instructions, refer to the Vultr Docs for Firewall Management.
Keeping your operating system (OS) and application packages up to date is essential for security, stability, and performance. Regular upgrades deliver the latest security patches, protect against vulnerabilities, and improve system reliability. They also ensure compatibility with modern software and enhance resource efficiency. This practice is vital for maintaining secure and resilient Vultr instances.
To upgrade your OS and verify its current state, follow the steps below.
To update all installed packages to their latest available versions:
On Debian/Ubuntu:
$ sudo apt update && sudo apt upgrade -y
On RHEL-based distributions:
$ sudo dnf update --refresh -y
$ sudo dnf needs-restarting -r
After upgrading the packages, perform a full system upgrade to update core components and ensure system consistency.
$ sudo apt dist-upgrade -y
Auditd (the audit daemon) is a core component of the Linux Auditing System that collects and records security-relevant events, such as file accesses, user logins, system calls, and configuration changes. Enabling and configuring auditd helps improve system visibility, strengthen security monitoring, and support compliance requirements. For more details, refer to the Auditd documentation.
Follow the steps below to install and configure auditd on your Vultr instance.
Install Auditd.
On Debian/Ubuntu:
$ sudo apt update
$ sudo apt install auditd audispd-plugins -y
On RHEL-based distributions:
$ sudo dnf update -y
$ sudo dnf install audit audispd-plugins -y
Enable and start the auditd service.
$ sudo systemctl enable auditd
$ sudo systemctl start auditd
Verify the status of the auditd service.
$ sudo systemctl status auditd
Output:
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled)
Active: active (running) since Tue 2025-10-07 16:10:59 UTC; 2h 7min ago
The Audit system operates on a set of rules that define what activities are captured in the log files. The following types of Audit rules can be specified:
Add a temporary rule.
$ sudo auditctl -w /etc/passwd -p wa -k passwd_changes
In the command above:
-w /etc/passwd: watch file /etc/passwd
-p wa: log write and attribute changes
-k passwd_changes: key name for the rule
Add a persistent rule.
Edit the audit.rules file.
$ sudo nano /etc/audit/rules.d/audit.rules
Add the following rule:
-w /etc/passwd -p wa -k passwd_changes
Reload to apply the newly added rules.
$ sudo augenrules --load
Verify that the rules are displayed.
$ sudo auditctl -l
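Once the rule is loaded, every matching event is written to the audit log tagged with the key. The following is an added example, not part of the original guide: it extracts the SYSCALL records for one key from audit log text and shows who triggered each one. The log lines are constructed and the `exec_log` key is hypothetical; on a live instance `sudo ausearch -k passwd_changes -i` queries the real log.

```shell
# Added example. auid is the login identity that survives sudo/su;
# 4294967295 means it is unset (the process did not come from a login session).

# events_for_key FILE KEY -> "epoch auid=.. uid=.. success=.. exe" per matching record
events_for_key() {
    awk -v want="$2" '
        $1 != "type=SYSCALL" { next }            # the key is carried on SYSCALL records
        {
            split("", f)                         # clear fields from the previous record
            for (i = 2; i <= NF; i++) {
                p = index($i, "=")
                if (p) f[substr($i, 1, p - 1)] = substr($i, p + 1)
            }
            gsub(/"/, "", f["key"]); gsub(/"/, "", f["exe"])
            if (f["key"] != want) next
            ts = f["msg"]; sub(/^audit\(/, "", ts); sub(/[.:].*$/, "", ts)
            who = (f["auid"] == "4294967295") ? "unset" : f["auid"]
            print ts, "auid=" who, "uid=" f["uid"], "success=" f["success"], f["exe"]
        }
    ' "$1"
}

sample_audit_log() {   # constructed records in /var/log/audit/audit.log format
    cat <<'EOF'
type=SYSCALL msg=audit(1759853459.412:231): arch=c000003e syscall=257 success=yes exit=3 ppid=1201 pid=1350 auid=1000 uid=0 gid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="passwd_changes"
type=PATH msg=audit(1759853459.412:231): item=1 name="/etc/passwd" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1759853501.008:240): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1402 auid=1000 uid=1000 gid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="exec_log"
type=SYSCALL msg=audit(1759857010.377:305): arch=c000003e syscall=82 success=yes exit=0 ppid=1 pid=1588 auid=4294967295 uid=0 gid=0 tty=(none) ses=4294967295 comm="usermod" exe="/usr/sbin/usermod" key="passwd_changes"
EOF
}

tmp=$(mktemp) && sample_audit_log > "$tmp"
events_for_key "$tmp" passwd_changes
rm -f "$tmp"
```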
For more information on defining audit rules and understanding audit record types, refer to the official Red Hat documentation:
Defining Audit Rules and Controls, Learn how to configure and manage audit rules in the audit.rules file.
Audit Record Types, Review the complete list of audit record types supported by the Linux auditing system.
SSH (Secure Shell) is a cryptographic network protocol that allows secure access and management of remote servers. SSH key-based authentication offers a stronger and more secure alternative to password-based login, protecting against brute-force attacks, credential theft, and unauthorized access. SSH keys consist of two components, a public key stored on the server and a private key stored securely on your local machine. Authentication succeeds only when both keys match, eliminating the need to transmit passwords over the network. For more details, refer to the Vultr SSH Keys documentation.
Follow these steps to create, configure, and verify SSH key authentication on your Vultr instance.
On your local machine, generate a new SSH key pair.
$ ssh-keygen -t ed25519 -C "email@example.com"
When prompted, choose a secure passphrase for added protection.
View your public key.
$ cat ~/.ssh/id_ed25519.pub
Copy the output of the above command.
Follow the official guide: How to Add Vultr SSH Keys to add the key to your Vultr account.
While provisioning a new instance, select the desired SSH key under the SSH Keys section to enable key-based authentication.
After your SSH key authentication is confirmed, disable password-based login for enhanced security.
Log in to your Vultr instance using your SSH key.
$ ssh -i ~/.ssh/id_ed25519 username@your-instance-ip
Edit the SSH server configuration file.
$ sudo nano /etc/ssh/sshd_config
Update the existing values or add the following lines and set them to no.
PasswordAuthentication no
ChallengeResponseAuthentication no
Save and exit the file.
Restart the SSH service.
$ sudo systemctl restart sshd
Open a new terminal and test the SSH connection to confirm you can still connect using the key.
For additional security, restrict direct SSH access to the root account and log in with a non-root user instead.
$ sudo nano /etc/ssh/sshd_config
Locate PermitRootLogin and update it as follows.
PermitRootLogin no
$ sudo systemctl reload sshd
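sshd uses the first value it reads for each keyword, so a `no` added at the end of the file has no effect if an earlier line still says `yes`. The following is an added example, not part of the original guide: it reports the value a single configuration file yields for the three settings changed above, using a constructed sample file. It does not follow `Include` drop-ins; on the instance, `sudo sshd -T` prints the effective values and `sudo sshd -t` validates the file before a restart.

```shell
# Added example. sshd_config(5): the FIRST value read for a keyword wins.
# first_value FILE KEYWORD -> first global value of KEYWORD, lowercased (empty if unset)
first_value() {
    awk -v want="$2" '
        function norm(k) {                       # deprecated alias since OpenSSH 8.7
            k = tolower(k)
            return (k == "challengeresponseauthentication") ? "kbdinteractiveauthentication" : k
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            match(line, /^[^ \t=]+/)             # keyword ends at whitespace or "="
            key = norm(substr(line, 1, RLENGTH))
            val = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "match") exit             # Match blocks are conditional, not global
            if (key == norm(want)) { print tolower(val); exit }
        }
    ' "$1"
}

# audit_sshd FILE -> one line per setting; returns 1 unless all three resolve to "no"
audit_sshd() {
    rc=0
    for spec in passwordauthentication=yes kbdinteractiveauthentication=yes \
                permitrootlogin=prohibit-password; do
        key=${spec%%=*}; default=${spec#*=}      # default = sshd built-in when unset
        val=$(first_value "$1" "$key")
        [ -n "$val" ] || val="$default (default)"
        if [ "$val" = "no" ]; then echo "ok   $key no"
        else echo "FAIL $key $val"; rc=1; fi
    done
    return $rc
}

sample_sshd_config() {   # constructed sample: old "yes" left in place, new lines appended
    cat <<'EOF'
PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
}

tmp=$(mktemp) && sample_sshd_config > "$tmp"
audit_sshd "$tmp" || echo "not hardened: edit the earliest occurrence of the failing keyword"
rm -f "$tmp"
```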
sudo privileges.
SSH keys are cryptographic key pairs used to authenticate to SSH servers as an alternative to password-based logins. SSH (Secure Shell) is a network protocol that enables encrypted communication for securely accessing and managing servers. SSH keys improve security by removing the dependency on passwords, which are prone to brute-force attacks, phishing, and credential theft. Removing unused or outdated SSH keys is essential to maintain a secure environment and ensure that only authorized users can access your servers.
In this section, we guide you through the process of removing unused or old SSH keys from your Vultr account and instances.
Log in to your Vultr Customer Portal, go to Orchestration, select SSH Keys, and identify the keys you want to remove.
Follow this guide to delete the SSH Key from Your Vultr Account. This removes the key from your Vultr account so it can no longer be used for provisioning new instances.
SSH into each affected instance and remove the key from the authorized keys file.
$ sudo nano /home/<username>/.ssh/authorized_keys
Delete the line containing the unused key, save, and exit the file.
If the key belonged to a user account that should no longer exist, delete the account.
$ sudo deluser <username>
If the removed key had root access, and direct root login is enabled, update the root password.
$ sudo passwd root
When prompted, enter a strong alphanumeric password of at least 16 characters twice to confirm the change.
Password rotation is a critical security practice that requires system users to update their passwords periodically. This reduces the risk of long-term credential compromise by limiting the window in which a stolen or leaked password can be exploited. Regular rotation also enforces better password hygiene, encouraging users to adopt stronger and unique passwords over time. By configuring password rotation policies at the system level, administrators can ensure compliance with security best practices and regulatory requirements.
Follow these steps to configure system-wide password rotation and enforce strong password rules.
Open the password configuration file /etc/login.defs using a text editor such as nano.
$ sudo nano /etc/login.defs
Locate the following section in the file.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
These settings mean that passwords will not expire (PASS_MAX_DAYS set to 99999) and users receive a warning 7 days before expiration (PASS_WARN_AGE).
Modify the settings to enforce password rotation and extend warning periods.
PASS_MAX_DAYS 60
PASS_WARN_AGE 14
PASS_MAX_DAYS: Limits the maximum number of days a password remains valid to 60 days.
PASS_WARN_AGE: Sets a warning period of 14 days before password expiry.
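The aging values in /etc/login.defs are applied only when an account is created, so accounts that already exist keep the limits stored in /etc/shadow. The following is an added example, not part of the original guide: it reads shadow-format lines (a constructed sample here) and prints the `chage` commands that would bring existing password-based accounts to the 60-day and 14-day values above, without running them.

```shell
# Added example. Field 2 of a shadow line is the password hash, field 5 the
# maximum password age in days (empty or 99999 means the password never expires).

# accounts_over_max FILE MAXDAYS -> names with a usable password and no/too-long max age
accounts_over_max() {
    awk -F: -v max="$2" '
        $2 == "" || $2 ~ /^[!*]/ { next }          # empty or locked: no password to age
        $5 == "" || $5 + 0 > max + 0 { print $1 }
    ' "$1"
}

# chage_plan FILE MAXDAYS WARNDAYS -> prints chage commands for review, runs nothing
chage_plan() {
    accounts_over_max "$1" "$2" | while read -r user; do
        printf 'chage -M %s -W %s %s\n' "$2" "$3" "$user"
    done
}

sample_shadow() {   # constructed sample in /etc/shadow format, placeholder hashes
    cat <<'EOF'
root:$6$constructed$hashA:19800:0:99999:7:::
deploy:$6$constructed$hashB:20350:0:60:14:::
alice:$6$constructed$hashC:20100:0::7:::
www-data:*:19800:0:99999:7:::
backup:!$6$constructed$hashD:19800:0:99999:7:::
EOF
}

tmp=$(mktemp) && sample_shadow > "$tmp"
chage_plan "$tmp" 60 14
rm -f "$tmp"
```

Reading the real /etc/shadow requires root, and `sudo chage -l <username>` shows the current aging values for one account.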
Save and close the file.
Edit the password quality configuration file.
$ sudo nano /etc/security/pwquality.conf
Add the following directives at the end of the file.
minlen = 8
minclass = 4
maxrepeat = 0
These settings enforce:
Vultr's native DDoS mitigation system provides an additional layer of security to ensure your hosting infrastructure remains online and functional during potential Distributed Denial of Service (DDoS) attacks. This automatic service protects your websites and applications by continuously monitoring network traffic. Upon detecting a DDoS attack, traffic is rerouted to Vultr’s attack mitigation system, typically within 60 seconds, minimizing disruption.
Follow these steps to enable Vultr DDoS protection for your instance.
Fail2Ban is an open‑source intrusion prevention framework that protects servers from brute‑force attacks by monitoring log files for suspicious activity and banning offending IP addresses. It works with firewalls such as ufw, firewalld, or iptables to dynamically block malicious IPs.
For more details, refer to the Fail2Ban documentation.
Follow the steps below to install, configure, and verify Fail2Ban for SSH protection.
Install Fail2Ban on your instance.
On Debian/Ubuntu:
$ sudo apt update && sudo apt install fail2ban -y
On RHEL-based distributions:
$ sudo dnf install fail2ban -y
Enable and start the Fail2Ban service.
$ sudo systemctl enable fail2ban
$ sudo systemctl start fail2ban
Create a new SSH jail configuration file.
$ sudo nano /etc/fail2ban/jail.d/sshd.conf
Add the following content:
[sshd]
enabled = true
port = 22
findtime = 5m
bantime = 2h
maxretry = 3
ignoreip = 127.0.0.1/8 ::1
Reload Fail2Ban service to apply changes.
$ sudo systemctl reload fail2ban
Verify SSH Jail Configuration.
$ sudo fail2ban-client status sshd
Output:
Status for the jail: sshd
|- Filter
| |- Currently failed: 8
| |- Total failed: 48
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 3
|- Total banned: 4
`- Banned IP list: 192.2.0.19 192.2.0.53 192.2.0.66
Private connectivity allows secure and direct communication between cloud environments without exposing traffic to the public internet. Establishing a private link between your Vultr infrastructure and other cloud providers helps reduce latency, enhance security, and maintain data privacy.
Headscale is an open-source, self-hosted implementation of Tailscale’s control server that provides full control over authentication, coordination, and network policies within your own infrastructure. Tailscale is a mesh VPN service built on the WireGuard protocol, enabling devices to form secure, peer-to-peer connections across networks without the need for a centralized VPN gateway. Together, they enable organizations to build hybrid or multi-cloud networks with:
To configure private connections between Vultr and other cloud providers using Tailscale and Headscale, refer to the following guides:
Implementing these security best practices ensures your Vultr Cloud Instances remain protected, reliable, and resilient. Regular maintenance, timely updates, and proactive configurations are key to safeguarding your infrastructure against evolving threats. Adopting a layered security approach helps minimize risks and strengthens overall system integrity. Consistent application of these practices fosters a robust, secure, and compliant cloud environment.