How to secure VPS configuration on Contabo

intermediate 8 min read Updated 2026-03-13
Quick Answer

Secure your Contabo VPS by enabling 2FA on the CCP and on SSH, configuring restrictive firewall rules that allow SSH only from trusted IPs and HTTP/HTTPS only where a web service needs them, using key-based authentication, disabling unnecessary services, and applying patches regularly. Follow the principle of least privilege to minimize the attack surface. Review logs regularly and back up configurations before changing them.

Prerequisites

  • Access to Contabo Customer Control Panel (CCP)
  • SSH or RDP access to your VPS
  • Smartphone for 2FA apps like Google Authenticator
  • Basic Linux/Windows admin knowledge
  • Root/admin privileges on VPS

Step-by-Step Instructions

1. Enable 2FA on Contabo CCP

Log in to the Contabo Customer Control Panel (CCP) and navigate to 'Customer details' to enable Two-Factor Authentication (2FA) for account protection. Use apps like Google Authenticator, Authy, or Microsoft Authenticator on your smartphone. This adds a second verification layer to prevent unauthorized access to your VPS management.
2. Set Up SSH Key-Based Authentication

Replace password-based SSH login with key-based authentication. Generate an SSH key pair on your local machine, copy the public key to ~/.ssh/authorized_keys on the VPS, and disable password authentication in /etc/ssh/sshd_config by setting PasswordAuthentication no. Disable root login in the same file with PermitRootLogin no. Validate the file with sudo sshd -t, then restart SSH with sudo systemctl restart sshd; keep your current session open and confirm key login works from a second terminal before closing it. Refer to Contabo's 'How to Use SSH Keys with Your Server' guide.
3. Configure Restrictive Firewall Rules

Access the firewall settings on your VPS or in the Contabo dashboard and enable a host firewall such as iptables or UFW. Allow SSH (port 22) only from trusted IP addresses, allow HTTP/HTTPS (ports 80/443) only if the VPS serves web traffic, and block all other inbound traffic by default. Replies to connections the VPS itself opens (DNS, package updates) must be accepted before the default policy is switched to DROP, otherwise outbound connectivity breaks. Example:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s <trusted_ip> -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -P INPUT DROP
Apply the principle of least privilege.
Specify source IPs and destination ports explicitly.
4. Enable 2FA for SSH Access

Install a 2FA app on your phone and configure SSH for multi-factor authentication. Install the PAM module with sudo apt install libpam-google-authenticator, run google-authenticator as the user that will log in and scan the QR code, and add the line auth required pam_google_authenticator.so to /etc/pam.d/sshd. Then edit /etc/ssh/sshd_config to set ChallengeResponseAuthentication yes (called KbdInteractiveAuthentication on OpenSSH 8.7 and later) and AuthenticationMethods publickey,keyboard-interactive, and restart the SSH service. On login you will be prompted for a time-based code after the key is accepted.
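The directives from steps 2 and 4 are easy to get wrong in a way that only shows up at the next login. The script below is an added example, not part of Contabo's guide: it audits an sshd_config and the /etc/pam.d/sshd stack for those settings, honouring the fact that sshd uses the first occurrence of a directive and that anything after a Match line is conditional. The SSH_AUDIT_RUN variable and the file arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an sshd_config and the PAM sshd stack for the settings in
# steps 2 and 4. sshd honours the FIRST occurrence of a directive, and anything
# after a 'Match' line is conditional, so that is what ssh_directive reads.

ssh_directive() {  # usage: ssh_directive FILE DIRECTIVE -> prints the effective value
  awk -v key="$2" '
    /^[[:space:]]*#/            { next }
    tolower($1) == "match"      { exit }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

check_sshd() {  # usage: check_sshd SSHD_CONFIG PAM_SSHD ; exit status = number of failed checks
  cfg=$1; pam=$2; fails=0
  for pair in "PasswordAuthentication no" "PermitRootLogin no" "UsePAM yes" \
              "AuthenticationMethods publickey,keyboard-interactive"; do
    key=${pair%% *}; want=${pair#* }
    got=$(ssh_directive "$cfg" "$key")
    if [ "$got" = "$want" ]; then echo "ok    $key $want"
    else echo "FAIL  $key is '${got:-unset}', want '$want'"; fails=$((fails + 1)); fi
  done
  # OpenSSH 8.7 renamed ChallengeResponseAuthentication to KbdInteractiveAuthentication;
  # either spelling turns on the keyboard-interactive prompt that carries the TOTP code.
  kbd=$(ssh_directive "$cfg" KbdInteractiveAuthentication)
  [ -n "$kbd" ] || kbd=$(ssh_directive "$cfg" ChallengeResponseAuthentication)
  if [ "$kbd" = "yes" ]; then echo "ok    keyboard-interactive authentication enabled"
  else echo "FAIL  Kbd/ChallengeResponseAuthentication is '${kbd:-unset}', want 'yes'"; fails=$((fails + 1)); fi
  # Without this PAM line sshd never asks for the code, whatever sshd_config says.
  if grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_google_authenticator\.so' "$pam"
  then echo "ok    pam_google_authenticator.so is in $pam"
  else echo "FAIL  no 'auth required pam_google_authenticator.so' line in $pam"; fails=$((fails + 1)); fi
  return "$fails"
}

# Only read the live files when asked to (SSH_AUDIT_RUN=yes), so the functions can be sourced safely.
if [ "${SSH_AUDIT_RUN:-no}" = "yes" ]; then
  check_sshd "${1:-/etc/ssh/sshd_config}" "${2:-/etc/pam.d/sshd}"
fi
```

Run it as SSH_AUDIT_RUN=yes sh audit.sh before restarting sshd; a non-zero exit status is the number of failed checks.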
5. Disable Unnecessary Services

Minimize attack surface by identifying and stopping unneeded services. Use systemctl list-units --type=service on Linux to list services, then disable with sudo systemctl disable <service_name> && sudo systemctl stop <service_name>. Scan exposed ports with tools like Shodan, Censys, or nmap to confirm only required services are running.
Focus on single-role configuration for your VPS.
6. Enable Firewall Logging and Backups

Turn on logging for firewall activity to monitor blocked attempts: add a -j LOG rule immediately before the final DROP rule or the default-DROP policy (LOG is non-terminating, so the packet continues to the drop after being logged). Review the kernel log entries regularly with journalctl -k or in /var/log/syslog. Back up rules before changes using iptables-save > firewall_backup.rules and restore with iptables-restore < firewall_backup.rules to recover from misconfigurations.
Set up alerts for suspicious log entries.
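Steps 3 and 6 together describe one ruleset: SSH from a trusted address only, web ports open, rate-limited logging of everything the default policy drops, and a saved copy that survives reboots. The script below is an added example, not Contabo's own code; it generates that ruleset in iptables-restore format, validates it with iptables-restore --test and writes it to /etc/iptables/rules.v4, the file iptables-persistent reloads at boot on Debian/Ubuntu. The trusted address 203.0.113.10 and the FW_APPLY variable are constructed for the example.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset implementing steps 3 and 6
# (SSH only from a trusted address, web ports open, everything else logged
# and dropped), test it, and save it where iptables-persistent reloads it.

gen_rules() {  # usage: gen_rules TRUSTED_IP_OR_CIDR [SSH_PORT] -> ruleset on stdout
  trusted=$1; sshport=${2:-22}
  # accept only a plain IPv4 address or CIDR, so nothing else can reach the ruleset
  case $trusted in
    *[!0-9./]*|"") echo "gen_rules: bad trusted IP '$trusted'" >&2; return 1 ;;
  esac
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections the VPS opened (DNS, apt, ...) must keep working
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# step 3: SSH only from the trusted address, web ports from anywhere, rate-limited ping
-A INPUT -p tcp --dport $sshport -s $trusted -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
# step 6: log what the DROP policy is about to discard, rate-limited so the log cannot be flooded
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT-DROP: " --log-level 4
COMMIT
EOF
}

apply_rules() {  # usage: apply_rules TRUSTED_IP_OR_CIDR [SSH_PORT]; needs root
  rules=/etc/iptables/rules.v4   # loaded at boot by iptables-persistent on Debian/Ubuntu
  [ -f "$rules" ] && cp "$rules" "$rules.bak.$(date +%Y%m%d%H%M%S)"   # rollback copy
  gen_rules "$@" > "$rules.new" || return 1
  # --test parses the whole file without committing it, so a typo cannot lock you out
  iptables-restore --test < "$rules.new" || { echo "ruleset rejected, not applied" >&2; return 1; }
  mv "$rules.new" "$rules" && iptables-restore < "$rules"
}

if [ "${FW_APPLY:-no}" = "yes" ]; then apply_rules "$@"; fi
```

This covers IPv4 only; a Contabo VPS with an IPv6 address needs the same rules in /etc/iptables/rules.v6 via ip6tables-restore, or IPv6 traffic bypasses the filter entirely.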
7. Keep System Updated and Patched

Regularly update your OS and software to close vulnerabilities. On Ubuntu/Debian: sudo apt update && sudo apt upgrade -y. Schedule maintenance, test updates in staging, and monitor vendor security patches. This mitigates risks from known exploits.
Automate updates with unattended-upgrades.
8. Configure RDP 2FA (Windows VPS)

For a Windows VPS accessed over RDP, install a third-party 2FA solution such as Duo Security or Okta Verify, since RDP has no native second factor. Follow the provider's instructions to integrate it with the RDP login so that an app verification code is required after the password.
9. Implement Data Encryption

Encrypt VPS disks to protect data at rest. On Linux, use LUKS: initialize a volume with cryptsetup luksFormat /dev/sdX and open it with cryptsetup luksOpen /dev/sdX <name>, which exposes it as /dev/mapper/<name>. luksFormat destroys everything on the target device, so apply it to an empty additional volume or at installation time, never to the running root disk. Review encryption settings periodically to ensure confidentiality in case of a breach or disk exposure.
Back up the encryption keys and passphrase securely, outside the VPS; without them the data is unrecoverable.
10. Install Fail2Ban for Brute-Force Protection

Protect against brute-force attacks by installing Fail2Ban: sudo apt install fail2ban. Configure jails for SSH and other services in /etc/fail2ban/jail.local to ban IPs after failed attempts. It monitors logs and updates iptables dynamically.

Common Issues & Troubleshooting

Locked out after firewall changes

Use the Contabo VNC console in the CCP to reach the VPS without the network, then revert the rules with iptables -P INPUT ACCEPT && iptables -F (flushing alone leaves a DROP policy in place and keeps you locked out), or restore from backup with iptables-restore.

SSH 2FA not prompting

Verify that auth required pam_google_authenticator.so is present in /etc/pam.d/sshd and that ChallengeResponseAuthentication yes (KbdInteractiveAuthentication yes on OpenSSH 8.7 and later) and UsePAM yes are set in sshd_config; then restart sshd.

Exposed services detected by scans

Disable unnecessary services with systemctl, reconfigure firewall to block ports, rescan with nmap.

Cannot restore iptables rules

Ensure iptables-persistent is installed and the rules have been saved (netfilter-persistent save writes them to /etc/iptables/rules.v4); without that, a reboot resets the firewall to its defaults.

Fail2Ban not banning IPs

Check fail2ban-client status sshd, review logs in /var/log/fail2ban.log, and adjust maxretry in jail.local.
