Infomaniak provides a clean operating system on its VPS offers, but secure operations still need to be built on the customer side. For SMEs, the goal is rarely "perfect security"; it is establishing a coherent hardening baseline and operating it consistently over time.

Context: VPS Lite vs VPS Cloud

With VPS Lite, you get a provider-managed firewall layer in the Manager. VPS Cloud gives you a rawer system with more flexibility, but also stronger security ownership. In both models, the delivered OS is only a starting point: controls such as fail2ban, strict SSH access patterns, and full audit logging are not fully in place by default.

Operating principle

A managed provider firewall helps reduce exposure, but it does not replace host hardening. Use layered controls with defense in depth.

Security baseline controls

1) SSH jump host

Instead of allowing broad direct SSH access, enforce a jump host (bastion) to improve traceability and reduce direct exposure. In practice: use SSH key-only authentication, remove the default ubuntu user for human access, create one named user per approved access, keep sudo rights minimal, and remove stale accounts quickly.

2) UFW (host firewall)

UFW enforces explicit inbound and outbound traffic policy at server level. A practical baseline is default deny for inbound traffic, then allow only required ports (typically 22, 80, 443). This remains useful even when provider firewall rules are configured.

3) Bind internal services to localhost

Bind internal components (databases, private APIs, admin tools) to 127.0.0.1 or a private network instead of exposing them publicly.

4) Automatic security updates

Enable unattended upgrades and schedule regular maintenance windows. The goal is to reduce the exposure window between patch publication and production rollout.

5) fail2ban (brute-force and abuse)

fail2ban monitors logs (especially SSH) and automatically blocks IPs that repeatedly trigger suspicious authentication patterns. It is a lightweight control that significantly reduces day-to-day attack noise.

6) auditd with offloaded logs

auditd records sensitive events (SSH, sudoers, critical file changes). Best practice is to offload logs to a separate machine or dedicated service so forensic evidence remains available even if the main VPS is compromised.


Additional best practices

  • Tested backups — validate restore procedures, not only backup job success.
  • Monitoring and alerting — track service health, disk pressure, app errors, and network anomalies.
  • MFA on provider account — secure Infomaniak Manager access with mandatory MFA.
  • Incident runbook — maintain a short procedure (detect, contain, recover, communicate) and drill it periodically.
  • SSHD hardening — disable SSH root login, restrict allowed users, and enforce stricter idle timeouts.
  • Egress filtering — restrict outbound traffic to required destinations to reduce exfiltration paths.
  • Time synchronization — enforce NTP/chrony for reliable log correlation and investigations.
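
One way to verify controls 1 to 3 and the SSHD hardening item, as an added example that is not part of the original article: two read-only checks over the output of `ss -H -tln` and `sshd -T`. The function names, the REVIEW/FAIL labels and the sample inputs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Sample inputs are constructed.
ALLOWED_PORTS="22 80 443"   # public ports from the UFW baseline above

# Reads `ss -H -tln` output on stdin; reports listeners that are not bound to
# loopback and not on an allowed port (private-network binds are reported too,
# for manual review).
public_listeners() {
  awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 4 {
      port = $4; sub(/.*:/, "", port)        # text after the last colon
      host = $4; sub(/:[^:]*$/, "", host)    # text before the last colon
      if (host ~ /^127\./ || host == "[::1]") next
      if (!(port in ok)) print "REVIEW " host " port " port
    }'
}

# Reads `sshd -T` (effective configuration, lowercase keys) on stdin.
sshd_findings() {
  awk '
    { seen[$1] = 1; val[$1] = $2 }
    END {
      if (val["passwordauthentication"] != "no") print "FAIL password authentication enabled"
      if (val["pubkeyauthentication"] != "yes")  print "FAIL public key authentication disabled"
      if (val["permitrootlogin"] != "no")        print "FAIL root login not disabled"
      if (!("allowusers" in seen))               print "FAIL no AllowUsers allow-list"
    }'
}

# Constructed sample: Redis and a metrics exporter listen on all interfaces.
SAMPLE_SS='LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
LISTEN 0 511  0.0.0.0:443      0.0.0.0:*
LISTEN 0 244  127.0.0.1:5432   0.0.0.0:*
LISTEN 0 511  0.0.0.0:6379     0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 4096 [::]:9100        [::]:*'

# Constructed sample: an sshd that still accepts passwords and root logins.
SAMPLE_SSHD='port 22
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes'

printf '%s\n' "$SAMPLE_SS"   | public_listeners
printf '%s\n' "$SAMPLE_SSHD" | sshd_findings
```

On a live host, run `ss -H -tln | public_listeners` and `sudo sshd -T | sshd_findings`; empty output from both means the checked items match the baseline.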

Priority checklist

Day 0

Reduce exposure immediately

Enable UFW, restrict public ports, enforce SSH keys, disable risky access paths, install fail2ban.

Week 1

Build evidence and resilience

Deploy auditd, offload logs, verify backup restores, implement monitoring and alerting.

Ongoing

Maintain security posture

Run periodic access reviews, patching cycles, restore drills, firewall reviews, and hardening improvements.

Need help securing your VPS?

We help Swiss SMEs design, harden, and operate robust VPS infrastructure: access control, firewalling, audit, monitoring, backups, and operational runbooks.

If you want to secure your VPS infrastructure pragmatically, contact d-side solutions.

Luc Demierre

Founder & IT Engineer — d-side solutions Sàrl, Bulle

Builds and secures Linux infrastructure for Swiss SMEs, with a focus on pragmatic operations and incident resilience.