Distributed Denial-of-Service (DDoS) attacks aim to overwhelm a VPS with malicious traffic, disrupting services. This guide outlines practical steps to protect your VPS, incorporating VPS.DO elements for context.
Prerequisites
- A VPS with root access (e.g., VPS.DO’s 1H2G plan with Ubuntu or CentOS).
- Basic SSH and server administration knowledge.
Protection Steps
1. Keep Software Updated
Regular updates patch vulnerabilities that attackers exploit:
ssh root@your_vps_ip
sudo apt update && sudo apt upgrade -y # Ubuntu/Debian
sudo yum update -y # CentOS
2. Configure a Firewall
Use a firewall like UFW to restrict traffic:
sudo apt install ufw -y
sudo ufw allow 22,80,443/tcp # Allow SSH, HTTP, HTTPS
sudo ufw deny 20,21/tcp # Block FTP unless needed
sudo ufw enable
Only allow essential ports to reduce attack surfaces.
3. Enable Rate Limiting
Limit per-client request rates to mitigate HTTP floods. For Nginx:
sudo nano /etc/nginx/nginx.conf
Add to the http block:
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;
In your site config:
limit_req zone=mylimit burst=20;
Restart: sudo systemctl restart nginx.
4. Use Fail2Ban
Install Fail2Ban to block malicious IPs:
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
Configure jail settings:
sudo nano /etc/fail2ban/jail.local
Add:
[sshd]
enabled = true
maxretry = 5
bantime = 3600
Restart: sudo systemctl restart fail2ban.
5. Leverage a CDN
Use a CDN like Cloudflare to filter traffic and absorb DDoS attacks. Sign up, point your DNS to their nameservers, and enable DDoS protection in their dashboard.
6. Monitor Resources
Track CPU, RAM, and network usage to detect anomalies. VPS.DO’s SolusVM panel provides real-time monitoring. Alternatively, use:
sudo apt install htop -y
htop
Investigate spikes that may indicate an attack.
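One way to investigate such spikes at the HTTP layer, as an added example that is not part of the original guide: the script reads an Nginx access log and lists clients whose busiest second exceeds the rate=10r/s limit from step 3. It assumes the combined log format; peak_rates and make_sample_log are hypothetical helper names, and the log lines are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the original guide).
# Assumes nginx "combined" access-log format:
#   field 1 = client IP, field 4 = "[dd/Mon/yyyy:HH:MM:SS" (1 s resolution).

# peak_rates LOGFILE [THRESHOLD]
# Prints "ip peak_requests_per_second total_requests" for each client whose
# busiest second exceeds THRESHOLD (default 10, the rate=10r/s from step 3).
peak_rates() {
    awk -v limit="${2:-10}" '
        {
            ip = $1
            sec = substr($4, 2)              # drop the leading "["
            total[ip]++
            n = ++hits[ip SUBSEP sec]        # requests from ip in this second
            if (n > peak[ip]) peak[ip] = n
        }
        END {
            for (ip in peak)
                if (peak[ip] > limit)
                    printf "%s %d %d\n", ip, peak[ip], total[ip]
        }
    ' "$1" | sort -k2,2nr
}

# Constructed sample data: 25 requests from one client within a single second,
# and 3 requests from another client spread over three seconds.
make_sample_log() {
    : > "$1"
    i=0
    while [ "$i" -lt 25 ]; do
        echo '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"' >> "$1"
        i=$((i + 1))
    done
    for s in 36 37 38; do
        echo "198.51.100.4 - - [10/Oct/2024:13:55:$s +0000] \"GET / HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0\"" >> "$1"
    done
}

# Demo on the constructed log. On a server, pass the real log instead,
# e.g. /var/log/nginx/access.log (assumed default path).
sample=$(mktemp)
make_sample_log "$sample"
peak_rates "$sample" 10
rm -f "$sample"
```

Clients that appear here repeatedly are the ones the limit_req rule will throttle; a legitimate client in the list is a sign that rate or burst is set too low for your traffic.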
7. Harden SSH
Secure SSH to prevent brute-force attacks:
- Change the default port:
sudo nano /etc/ssh/sshd_config
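Set Port 2222 (or another non-standard port).
- Disable root login:
PermitRootLogin no
Before restarting, allow the new port through the firewall from step 2 and confirm that a non-root user with sudo rights can log in; otherwise you will lock yourself out.
Restart: sudo systemctl restart sshd.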
8. Back Up Regularly
Schedule backups to recover from attacks:
rsync -av /important/data backup@remote:/backup/
VPS.DO’s 24/7 support can assist with snapshot setup via SolusVM.
9. Consider DDoS Protection Services
If your VPS provider lacks built-in DDoS protection, subscribe to services like Sucuri or AWS Shield for advanced mitigation.
Conclusion
Securing a VPS against DDoS attacks involves updating software, configuring firewalls, rate limiting, and monitoring. VPS.DO’s KVM virtualization and SolusVM panel aid in maintaining a secure environment. Combine these measures with a CDN and backups for robust protection.