November 20, 2025

Security Best Practices Guide for Vultr Cloud Instances

Secure your Vultr Cloud Instances with essential best practices, updates, firewalls, and monitoring.


Vultr Cloud Instances provide flexible, high-performance virtual machines (VMs) that run on Linux and Windows operating systems. Instances are available in both Shared and Dedicated plans, giving you the ability to choose based on your performance, workload isolation, and scalability needs. For workloads that require direct access to physical hardware, Vultr Bare Metal Instances deliver top-tier performance, zero virtualization overhead, and complete resource control across our globally distributed data centers. Vultr also offers Cloud GPU Instances optimized for machine learning, AI inference, rendering, and GPU-intensive workloads. Depending on your chosen configuration, instances can be deployed within a Vultr VPC to enable private and isolated communication between servers for enhanced security and performance.

Enable and Configure Backups

Vultr provides a backup service that allows you to automatically create periodic, system-level backups of your Cloud Instances. These backups ensure you can restore your instance to a previous state in case of accidental deletion, misconfiguration, hardware failure, or other unexpected issues, helping to minimize downtime and protect your data. For detailed instructions, refer to the Vultr Docs for enabling backups. To take an instant backup using snapshots, refer to the guide: How to Take a Snapshot and Redeploy a Vultr Compute Instance.

Create and Configure a Firewall

Vultr Firewalls provide a stateful, network-level security layer to manage inbound traffic to your instances. They allow you to define custom rules for allowed IP addresses, ports, and protocols, protecting your resources before traffic reaches your server. For detailed instructions, refer to the Vultr Docs for Firewall Management.

  • How to Link a Vultr Firewall Group to an Instance
  • How to Create Vultr Firewall Rules
  • How to Delete Vultr Firewall Groups and Rules

If you need to configure host-based firewalls directly within your instance’s operating system, refer to these guides:

  • How to Set Up Firewall Policies using Uncomplicated Firewall (UFW)
  • How to Set Up Firewall Policies using Iptables
  • How to Set Up Firewall Policies using Firewalld

After applying or updating your firewall configuration, test connectivity to confirm that authorized services remain accessible while unauthorized traffic is blocked.

Note

Do not configure firewall rules directly in a production environment unless you are 100% certain of their effect. Always test firewall rules thoroughly in a development or staging environment before applying them in production, as misconfigurations can lead to downtime and service disruption. If no firewall is configured or existing rules are misconfigured, refer to the guides above to create and link Vultr Firewall Groups.

Upgrade the Operating System to the Latest Version

Keeping your operating system (OS) and application packages up to date is essential for security, stability, and performance. Regular upgrades deliver the latest security patches, protect against vulnerabilities, and improve system reliability. They also ensure compatibility with modern software and enhance resource efficiency. This practice is vital for maintaining secure and resilient Vultr instances.

To upgrade your OS and verify its current state, follow the steps below.

Upgrade Packages

To update all installed packages to their latest available versions:

  • Debian/Ubuntu.
    console
    $ sudo apt update && sudo apt upgrade -y
  • CentOS/Rocky Linux/AlmaLinux/Fedora.
    console
    $ sudo dnf update --refresh -y
    $ sudo dnf needs-restarting -r

Upgrade Server (Major Version Upgrade)

After upgrading the packages, perform a full upgrade so that packages whose dependencies have changed are also installed or removed, keeping core components and the system as a whole consistent.

  • Debian/Ubuntu.
    console
    $ sudo apt dist-upgrade -y
  • CentOS/Rocky Linux/AlmaLinux/Fedora. Each Red Hat-based distribution has its own major-version upgrade procedure. Always refer to the official upgrade documentation for your OS to ensure a safe and supported upgrade.

After upgrading your instance, consider rebooting the server to apply all changes and ensure that updated packages and security patches are fully loaded and active.

Note

Avoid performing OS updates directly in a production environment without first testing them in a replicated environment. Create a snapshot of your current production instance, redeploy it as a standalone server, and perform the upgrade steps there first. Without proper testing, updates may introduce incompatibilities that can break your live applications or cause unexpected downtime.

Install and Configure Audit Logging (auditd)

Auditd (the audit daemon) is a core component of the Linux Auditing System that collects and records security-relevant events, such as file accesses, user logins, system calls, and configuration changes. Enabling and configuring auditd helps improve system visibility, strengthen security monitoring, and support compliance requirements. For more details, refer to the Auditd documentation.

Follow the steps below to install and configure auditd on your Vultr instance.

  1. Install Auditd.
    • Ubuntu/Debian.
      console
      $ sudo apt update
      $ sudo apt install auditd audispd-plugins -y
    • Rocky Linux/CentOS/AlmaLinux/Fedora.
      console
      $ sudo dnf update -y
      $ sudo dnf install audit audispd-plugins -y
  2. Enable and Start auditd service.
    console
    $ sudo systemctl enable auditd
    $ sudo systemctl start auditd
  3. Verify the status of auditd service.
    console
    $ sudo systemctl status auditd

    Output:

    ● auditd.service - Security Auditing Service
        Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled)
        Active: active (running) since Tue 2025-10-07 16:10:59 UTC; 2h 7min ago

Configure Audit Rules

The Audit system operates on a set of rules that define which activities are captured in the log files. The following types of Audit rules can be specified:

  • Control rules: Modify the behavior and configuration of the Audit system.
  • File system rules: Audit access to specific files or directories (also known as file watches).
  • System call rules: Log system calls made by specific programs or processes.
Note

Improper configuration of auditd can cause high CPU, memory, or disk usage. Excessive logging may consume disk space and affect server performance if not managed correctly. Always tailor audit rules to your specific needs and monitor resource usage.

Audit rules define what activity is logged. Rules can be temporary (reset after reboot) or persistent (loaded at boot).

  • Add a temporary rule.
    console
    $ sudo auditctl -w /etc/passwd -p wa -k passwd_changes

    In the command above:

    • -w /etc/passwd: watch file /etc/passwd
    • -p wa: log write and attribute changes
    • -k passwd_changes: key name for the rule
  • Add a persistent rule.
    1. Edit the audit.rules file.
      console
      $ sudo nano /etc/audit/rules.d/audit.rules

      Add the following rule:

      ini
      -w /etc/passwd -p wa -k passwd_changes
    2. Reload to apply the newly added rules.
      console
      $ sudo augenrules --load
    3. Verify that the rules are displayed.
      console
      $ sudo auditctl -l

For more information on defining audit rules and understanding audit record types, refer to the official Red Hat documentation:

  • Defining Audit Rules and Controls: learn how to configure and manage audit rules in the audit.rules file.
  • Audit Record Types: review the complete list of audit record types supported by the Linux auditing system.
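The single /etc/passwd watch above is the minimum; a baseline normally also covers the other identity databases, sudo configuration, and the sshd configuration changed later in this guide. As an added example that is not part of the Vultr guide, the script below generates such a persistent rules file and tags every rule with a -k key so matching events can be retrieved with ausearch -k instead of grepping audit.log. The file name 50-vultr-baseline.rules, the key names, and the helper functions are my own choices.

```shell
#!/usr/bin/env bash
# Added example, not from the Vultr guide: generate a persistent auditd rules
# file that watches the identity, sudo and sshd configuration files, tagging
# every rule with a -k key so matching events can be pulled out with
# `ausearch -k <key>`. File name and key names are our own choices.
set -u

# Write the baseline rules to the path given as $1.
write_baseline_rules() {
  dest="$1"
  cat > "$dest" <<'EOF'
## Identity databases: user, group and password changes
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity

## Privilege escalation configuration
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers

## sshd configuration, including drop-ins under sshd_config.d/
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /etc/ssh/sshd_config.d/ -p wa -k sshd_config

## Changes to the audit configuration itself
-w /etc/audit/ -p wa -k audit_config

## Programs executed with root privileges by a logged-in (non-system) user
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_commands
EOF
}

# Count active rules in $1: lines that are neither comments nor blank.
count_rules() {
  grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# List the distinct -k keys used in $1, one per line (what to pass to ausearch -k).
list_keys() {
  sed -n 's/.*-k \([A-Za-z0-9_]*\).*/\1/p' "$1" | sort -u
}

# Stand-alone demo: write the rules to a temporary file and summarise it.
demo="$(mktemp)"
write_baseline_rules "$demo"
echo "Generated $(count_rules "$demo") rules with keys: $(list_keys "$demo" | tr '\n' ' ')"
rm -f "$demo"
```

To use it, write the file to /etc/audit/rules.d/50-vultr-baseline.rules, load it with sudo augenrules --load, confirm with sudo auditctl -l, and query later with, for example, sudo ausearch -k sudoers -i. The execve rule is by far the noisiest of the set; given the note above about resource usage, drop it if the log volume on a busy instance becomes a problem.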

Use SSH Keys for Authentication

SSH (Secure Shell) is a cryptographic network protocol that allows secure access and management of remote servers. SSH key-based authentication offers a stronger and more secure alternative to password-based login, protecting against brute-force attacks, credential theft, and unauthorized access. SSH keys consist of two components: a public key stored on the server and a private key stored securely on your local machine. Authentication succeeds only when the client proves it holds the private key matching an authorized public key, so no password is ever transmitted over the network. For more details, refer to the Vultr SSH Keys documentation.

Follow these steps to create, configure, and verify SSH key authentication on your Vultr instance.

  1. On your local machine, generate a new SSH key pair.
    console
    $ ssh-keygen -t ed25519 -C "email@example.com"

    When prompted, choose a secure passphrase for added protection.

  2. View your public key.
    console
    $ cat ~/.ssh/id_ed25519.pub
  3. Copy the output of the above command.
  4. Follow the official guide: How to Add Vultr SSH Keys to add the key to your Vultr account.
  5. While provisioning a new instance, select the desired SSH key under the SSH Keys section to enable key-based authentication.
Note

Storing private keys insecurely or without a passphrase can compromise security. Always protect private keys with proper file permissions and a strong passphrase.

Disable Password Authentication (After Provisioning)

After your SSH key authentication is confirmed, disable password-based login for enhanced security.

  1. Log in to your Vultr instance using your SSH key.
    console
    $ ssh -i ~/.ssh/id_ed25519 username@your-instance-ip
  2. Edit the SSH server configuration file.
    console
    $ sudo nano /etc/ssh/sshd_config
  3. Update the existing values or add the following lines and set them to no.
    ini
    PasswordAuthentication no
    ChallengeResponseAuthentication no

    Save and exit the file.

  4. Restart the SSH service.
    console
    $ sudo systemctl restart sshd
  5. Open a new terminal and test the SSH connection to confirm you can still connect using the key.

Disable Root Login (Recommended)

For additional security, restrict direct SSH access to the root account and log in with a non-root user instead.

  1. Edit the SSH configuration file again.
    console
    $ sudo nano /etc/ssh/sshd_config
  2. Find the line beginning with PermitRootLogin and update it as follows.
    ini
    PermitRootLogin no
  3. Save and reload the SSH service.
    console
    $ sudo systemctl reload sshd
  4. Verify access by logging in as a non-root user with sudo privileges.
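Editing sshd_config is only half of the two procedures above; the setting that is actually in force is what sshd reports with sshd -T, which merges sshd_config with every file pulled in by its Include line. sshd keeps the first value it reads for a keyword, so a drop-in under /etc/ssh/sshd_config.d/ that sets PasswordAuthentication yes (some cloud images ship one) silently wins over an edit made further down in sshd_config. The script below is an added example, not part of the Vultr guide: it compares the effective settings against the values the guide asks for. The EXPECTED list, the sample dump and the --live switch are my own; on OpenSSH older than 8.7 the keyword is printed as challengeresponseauthentication rather than kbdinteractiveauthentication and the list should be adjusted accordingly.

```shell
#!/usr/bin/env bash
# Added example, not from the Vultr guide: check the *effective* sshd settings
# rather than the file you edited. `sshd -T` prints the merged configuration
# (sshd_config plus every file pulled in by Include) as lowercase
# "keyword value" lines; sshd keeps the first value it reads for a keyword,
# so a drop-in under /etc/ssh/sshd_config.d/ can silently override an edit
# made further down in sshd_config.
set -u

# Settings the guide asks for, as they appear in `sshd -T` output
# (OpenSSH 8.7 and newer; older releases print challengeresponseauthentication
# instead of kbdinteractiveauthentication).
EXPECTED='passwordauthentication no
kbdinteractiveauthentication no
permitrootlogin no
pubkeyauthentication yes'

# Read `sshd -T` style output from stdin and print one line per keyword that
# differs from EXPECTED. Returns 0 when everything matches, 1 otherwise.
check_sshd_dump() {
  dump="$(cat)"
  bad=0
  while read -r key want; do
    [ -n "$key" ] || continue
    got="$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')"
    if [ "$got" != "$want" ]; then
      echo "MISMATCH: $key is '${got:-unset}', expected '$want'"
      bad=1
    fi
  done <<EOF
$EXPECTED
EOF
  return "$bad"
}

# Constructed sample of `sshd -T` output from an instance where a drop-in
# still allows passwords and root login with a key.
SAMPLE_DUMP='port 22
addressfamily any
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
permitrootlogin prohibit-password'

if [ "${1:-}" = "--live" ]; then
  # Real check: needs root because sshd -T reads the host keys.
  sudo sshd -T | check_sshd_dump
else
  printf '%s\n' "$SAMPLE_DUMP" | check_sshd_dump
fi
```

Run sudo sshd -t to syntax-check the file before restarting, then the script with --live after. If a mismatch is reported although sshd_config looks right, grep -rn -iE 'PasswordAuthentication|PermitRootLogin' /etc/ssh/sshd_config.d/ points at the drop-in responsible.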

Remove Unused or Old SSH Keys

SSH keys are cryptographic key pairs used to authenticate to SSH servers as an alternative to password-based logins. SSH (Secure Shell) is a network protocol that enables encrypted communication for securely accessing and managing servers. SSH keys improve security by removing the dependency on passwords, which are prone to brute-force attacks, phishing, and credential theft. Removing unused or outdated SSH keys is essential to maintain a secure environment and ensure that only authorized users can access your servers.

In this section, we guide you through the process of removing unused or old SSH keys from your Vultr account and instances.

  1. Log in to your Vultr Customer Portal, go to Orchestration, select SSH Keys, and identify the keys you want to remove.
  2. Follow this guide to delete the SSH Key from Your Vultr Account. This removes the key from your Vultr account so it can no longer be used for provisioning new instances.
  3. SSH into each affected instance and remove the key from the authorized keys file.
    console
    $ sudo nano /home/<username>/.ssh/authorized_keys

    Delete the line containing the unused key, save, and exit the file.

  4. If the key belonged to a user account that should no longer exist, delete the account.
    console
    $ sudo deluser <username>
  5. If the removed key had root access, and direct root login is enabled, update the root password.
    console
    $ sudo passwd root

    When prompted, enter a strong alphanumeric password of at least 16 characters twice to confirm the change.
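Hand-editing authorized_keys works for one server, but across several instances it is easy to delete the wrong line or leave the file with changed ownership. As an added example that is not part of the Vultr guide, the script below removes an entry by its exact key material (matched as a whole field, so option prefixes such as no-pty are handled) and overwrites the file in place so owner and mode are preserved. The function names and the key blobs are my own; the blobs are constructed placeholders, not real keys.

```shell
#!/usr/bin/env bash
# Added example, not from the Vultr guide: remove a public key from an
# authorized_keys file by its exact key material instead of editing by hand,
# so a similar-looking key is never deleted by mistake and the file keeps its
# owner and permissions. The key blobs below are constructed placeholders.
set -u

# Remove every line of $1 that carries the key blob $2 (matched as a whole
# field, so option prefixes such as "no-pty" are handled). Prints the number
# of lines removed; returns 1 if the blob was not present.
remove_authorized_key() {
  file="$1" blob="$2"
  before="$(wc -l < "$file" | tr -d ' ')"
  tmp="$(mktemp)"
  awk -v b="$blob" '{ hit = 0; for (i = 1; i <= NF; i++) if ($i == b) hit = 1 } !hit' "$file" > "$tmp"
  after="$(wc -l < "$tmp" | tr -d ' ')"
  if [ "$after" = "$before" ]; then
    rm -f "$tmp"
    echo 0
    return 1
  fi
  # Overwrite in place with cat so the inode, owner and mode are unchanged.
  cat "$tmp" > "$file"
  rm -f "$tmp"
  echo $((before - after))
}

# List key type and comment for each entry in $1, for a quick inventory.
list_authorized_keys() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^(ssh|ecdsa|sk-)/) { print $i, $(i+2); break } }' "$1"
}

# Constructed authorized_keys content; blobs are not real keys.
SAMPLE_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE0000000000000000000000000000 alice@laptop
no-pty,no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYTWO0000000000000000000000000000 backup@old-ci
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEKEYTHREE00000000000000000000000000 bob@desktop'
OLD_KEY_BLOB='AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYTWO0000000000000000000000000000'

# Stand-alone demo on a temporary copy.
demo="$(mktemp)"
printf '%s\n' "$SAMPLE_KEYS" > "$demo"
echo "Before:"; list_authorized_keys "$demo"
echo "Removed $(remove_authorized_key "$demo" "$OLD_KEY_BLOB") key(s)"
echo "After:"; list_authorized_keys "$demo"
rm -f "$demo"
```

To find which line corresponds to the key shown in the Vultr portal, ssh-keygen -lf /home/<username>/.ssh/authorized_keys prints the fingerprint of every entry. Remember root's own file, /root/.ssh/authorized_keys, which the Vultr provisioning step populates when a key is selected for a new instance.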

Enforce Password Rotation

Password rotation is a critical security practice that requires system users to update their passwords periodically. This reduces the risk of long-term credential compromise by limiting the window in which a stolen or leaked password can be exploited. Regular rotation also enforces better password hygiene, encouraging users to adopt stronger and unique passwords over time. By configuring password rotation policies at the system level, administrators can ensure compliance with security best practices and regulatory requirements.

Follow these steps to configure system-wide password rotation and enforce strong password rules.

Configure Password Rotation Policy

  1. Open the password configuration file /etc/login.defs using a text editor such as nano.
    console
    $ sudo nano /etc/login.defs
  2. Locate the following section in the file.
    ini
    PASS_MAX_DAYS   99999
    PASS_MIN_DAYS   0
    PASS_WARN_AGE   7

    These settings mean that passwords will not expire (PASS_MAX_DAYS set to 99999) and users receive a warning 7 days before expiration (PASS_WARN_AGE).

  3. Modify the settings to enforce password rotation and extend warning periods.
    ini
    PASS_MAX_DAYS   60
    PASS_WARN_AGE   14
    • PASS_MAX_DAYS: Limits the maximum number of days a password remains valid to 60 days.
    • PASS_WARN_AGE: Sets a warning period of 14 days before password expiry.

    Save and close the file.

Enforce Minimum Password Strength

  1. Edit the password quality configuration file.
    console
    $ sudo nano /etc/security/pwquality.conf
  2. Add the following directives at the end of the file.
    ini
    minlen = 8
    minclass = 4
    maxrepeat = 3

    These settings enforce:

    • minlen: Minimum password length of 8 characters.
    • minclass: Password must include at least four character classes (lowercase, uppercase, symbols, digits).
    • maxrepeat: Allows at most 3 identical consecutive characters in the password (pwquality disables this check when the value is 0).

    Save and close the file.
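Two caveats matter for the two procedures above. The PASS_MAX_DAYS and PASS_WARN_AGE values in /etc/login.defs apply only to accounts created after the edit; users that already exist keep their old ageing fields until chage updates them. And pwquality.conf is enforced only when pam_pwquality is in the PAM password stack, which is the default on the RHEL family but on Debian/Ubuntu requires the libpam-pwquality package. The script below is an added example, not part of the Vultr guide: it applies the guide's 60-day/14-day policy to the existing interactive accounts, as a dry run by default. The function names and the sample passwd content are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the Vultr guide: apply the guide's rotation policy
# (60-day maximum age, 14-day warning) to accounts that already exist.
# PASS_MAX_DAYS and PASS_WARN_AGE in /etc/login.defs only apply to accounts
# created afterwards; existing users keep their old ageing fields until
# chage(1) updates them. Function names and the sample passwd are ours.
set -u
MAX_DAYS=60
WARN_DAYS=14

# UID_MIN from /etc/login.defs, falling back to 1000 if it is not set.
uid_min() {
  v="$(awk '$1 == "UID_MIN" { print $2 }' /etc/login.defs 2>/dev/null)"
  echo "${v:-1000}"
}

# Print the interactive accounts in a passwd(5)-format file ($1): uid >= $2,
# not the nobody account, and a real login shell (not nologin/false).
select_rotation_targets() {
  awk -F: -v min="$2" '
    $3 >= min && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1 }
  ' "$1"
}

# Show or apply the policy to every target in /etc/passwd.
# Dry-run by default; pass --apply (as root) to really run chage.
apply_rotation_policy() {
  mode="${1:-dry-run}"
  select_rotation_targets /etc/passwd "$(uid_min)" | while read -r user; do
    if [ "$mode" = "--apply" ]; then
      chage -M "$MAX_DAYS" -W "$WARN_DAYS" "$user"
    else
      echo "would run: chage -M $MAX_DAYS -W $WARN_DAYS $user"
    fi
  done
}

# Constructed passwd content for the stand-alone demo.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
deploy:x:1001:1001:Deploy:/home/deploy:/bin/zsh
svc-backup:x:1002:1002::/var/lib/backup:/usr/sbin/nologin'

demo="$(mktemp)"
printf '%s\n' "$SAMPLE_PASSWD" > "$demo"
echo "Sample targets: $(select_rotation_targets "$demo" 1000 | tr '\n' ' ')"
rm -f "$demo"
apply_rotation_policy "${1:-}"
```

After running it with --apply, chage -l <username> shows the new maximum age and warning period for a user. For the strength rules, echo 'candidate-password' | pwscore (from libpwquality) reports whether a candidate would be accepted under the current pwquality.conf, which is a quicker check than changing a real password.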

Enable Vultr DDoS Protection

Vultr’s native DDoS mitigation system provides an additional layer of security to ensure your hosting infrastructure remains online and functional during potential Distributed Denial of Service (DDoS) attacks. This automatic service protects your websites and applications by continuously monitoring network traffic. Upon detecting a DDoS attack, traffic is rerouted to Vultr’s attack mitigation system, typically within 60 seconds, minimizing disruption.

Follow these steps to enable Vultr DDoS protection for your instance.

Enable DDoS Protection

  1. Log in to the Vultr Customer Portal.
  2. Navigate to Compute under Products and select your Vultr Instance.
  3. Go to the DDOS tab.
  4. Click Enable DDoS Protection.
  5. Confirm the action.

DDoS protection will be enabled within approximately 5 minutes. After enabling, the system will automatically monitor and mitigate attacks for the selected instance. For more details, refer to the Vultr DDoS Protection Guide.

Configure Fail2Ban to Protect SSH

Fail2Ban is an open-source intrusion prevention framework that protects servers from brute-force attacks by monitoring log files for suspicious activity and banning offending IP addresses. It works with firewalls such as ufw, firewalld, or iptables to dynamically block malicious IPs. For more details, refer to the Fail2Ban documentation.

Follow the steps below to install, configure, and verify Fail2Ban for SSH protection.

  1. Install Fail2Ban on your instance.
    • Ubuntu/Debian:
      console
      $ sudo apt update && sudo apt install fail2ban -y
    • RHEL/CentOS/Fedora:
      console
      $ sudo dnf install fail2ban -y
  2. Enable and Start Fail2Ban Service.
    console
    $ sudo systemctl enable fail2ban
    $ sudo systemctl start fail2ban
  3. Create a new SSH jail configuration file.
    console
    $ sudo nano /etc/fail2ban/jail.d/sshd.conf

    Add the following content:

    ini
    [sshd]
    enabled = true
    port = 22
    findtime = 5m
    bantime = 2h
    maxretry = 3
    ignoreip = 127.0.0.1/8 ::1
  4. Reload Fail2Ban service to apply changes.
    console
    $ sudo systemctl reload fail2ban
  5. Verify SSH Jail Configuration.
    console
    $ sudo fail2ban-client status sshd

    Output:

    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 8
    |  |- Total failed:     48
    |  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
    `- Actions
       |- Currently banned: 3
       |- Total banned:     4
       `- Banned IP list:   192.2.0.19 192.2.0.53 192.2.0.66
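To see why the jail above reports the numbers it does, it helps to replay its decision by hand. The script below is an added example, not part of the Vultr guide or of Fail2Ban: it counts sshd authentication failures per source address over a few constructed log lines and lists the addresses that reached maxretry. It deliberately ignores findtime (every line counts regardless of age), whereas the real jail only counts failures inside that 5-minute window. The log lines, addresses and function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the Vultr guide: replay the decision the sshd jail
# makes, on a few constructed log lines, so the maxretry value can be checked
# offline. This ignores findtime (every line counts, regardless of age);
# Fail2Ban only counts failures inside that window.
set -u
MAXRETRY=3   # same value as the jail in the guide

# Constructed sshd log lines (the shapes sshd writes to the journal/auth.log).
SAMPLE_LOG='Nov 20 10:01:02 vultr sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Nov 20 10:01:04 vultr sshd[1203]: Failed password for root from 203.0.113.10 port 51240 ssh2
Nov 20 10:01:05 vultr sshd[1205]: Failed password for invalid user test from 203.0.113.10 port 51251 ssh2
Nov 20 10:01:09 vultr sshd[1209]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:constructedfingerprint
Nov 20 10:02:30 vultr sshd[1220]: Failed password for invalid user oracle from 203.0.113.25 port 51300 ssh2
Nov 20 10:02:33 vultr sshd[1222]: Invalid user postgres from 203.0.113.25 port 51311
Nov 20 10:02:40 vultr sshd[1225]: Failed password for deploy from 198.51.100.7 port 40031 ssh2'

# Count failed authentication attempts per source IP from stdin.
# Output: "<count> <ip>", highest count first.
count_failures_by_ip() {
  awk '
    /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i + 1)]++; break }
    }
    END { for (ip in hits) print hits[ip], ip }
  ' | sort -rn
}

# Print the IPs whose failure count reached $1 (default: MAXRETRY).
ips_to_ban() {
  limit="${1:-$MAXRETRY}"
  count_failures_by_ip | awk -v n="$limit" '$1 >= n { print $2 }'
}

# Stand-alone demo.
echo "Failures per IP:"
printf '%s\n' "$SAMPLE_LOG" | count_failures_by_ip
echo "Would ban (maxretry=$MAXRETRY):"
printf '%s\n' "$SAMPLE_LOG" | ips_to_ban
```

On a live instance, sudo journalctl -u sshd --since today piped into count_failures_by_ip can be compared with the "Currently failed" and "Banned IP list" figures from sudo fail2ban-client status sshd. Add the address you administer from to ignoreip so a mistyped passphrase never locks you out, and release a wrongly banned address with sudo fail2ban-client set sshd unbanip <ip>.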

Configure Private Connections Between Clouds

Private connectivity allows secure and direct communication between cloud environments without exposing traffic to the public internet. Establishing a private link between your Vultr infrastructure and other cloud providers helps reduce latency, enhance security, and maintain data privacy.

About Headscale and Tailscale

Headscale is an open-source, self-hosted implementation of Tailscale’s control server that provides full control over authentication, coordination, and network policies within your own infrastructure. Tailscale is a mesh VPN service built on the WireGuard protocol, enabling devices to form secure, peer-to-peer connections across networks without the need for a centralized VPN gateway. Together, they enable organizations to build hybrid or multi-cloud networks with:

  • End-to-end encrypted communication between nodes across clouds.
  • Decentralized connectivity without routing traffic through a central VPN server.
  • Simplified network management using machine keys and ACLs.
  • Scalability and automation through tools like Terraform and Ansible for repeatable deployments.

Reference Guides

To configure private connections between Vultr and other cloud providers using Tailscale and Headscale, refer to the following guides:

  • Establish Private Connection Between Vultr Regions Using Headscale
  • Establish Private Connection Between Vultr and Amazon Web Services (AWS)
  • Establish Private Connection Between Vultr and Google Cloud Platform (GCP)
  • Establish Private Connection Between Vultr and OVH

Conclusion

Implementing these security best practices ensures your Vultr Cloud Instances remain protected, reliable, and resilient. Regular maintenance, timely updates, and proactive configurations are key to safeguarding your infrastructure against evolving threats. Adopting a layered security approach helps minimize risks and strengthens overall system integrity. Consistent application of these practices fosters a robust, secure, and compliant cloud environment.
