
VPS Security Hardening for Bot Hosting

Essential security measures to protect your VPS and AI chatbot. Cover SSH hardening, firewalls, updates, and best practices for secure bot hosting.

Published: 27/01/2025

Why Security Matters

An unsecured VPS is a target for:

  • Cryptocurrency miners hijacking your CPU
  • Bot networks using your server for attacks
  • Data theft (API keys, user data)
  • Service disruption

This guide covers essential security hardening for bot hosting.

Step 1: Update Everything

Always start with updates:

sudo apt update && sudo apt upgrade -y
sudo apt autoremove -y

Enable automatic security updates:

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades

Answer Yes. This writes /etc/apt/apt.conf.d/20auto-upgrades, which turns on the daily unattended-upgrades run that installs packages from the security pocket. Kernel and libc updates only take effect after a reboot: the file /var/run/reboot-required appears when one is pending, so plan a reboot window (or set Unattended-Upgrade::Automatic-Reboot in /etc/apt/apt.conf.d/50unattended-upgrades if a short outage of the bot is acceptable).

Step 2: Create Non-Root User

Never run bots, or your day-to-day shell, as root. This account is your admin login; the bot process itself gets a separate, unprivileged account in Step 10.

# Create user (pick a strong password: sudo will ask for it)
sudo adduser botuser

# Add to sudo group
sudo usermod -aG sudo botuser

# Switch to new user
su - botuser

Before moving on, make sure your SSH public key ends up in this user's ~/.ssh/authorized_keys (ssh-copy-id in Step 3 does this), because Step 3 disables root login and password login over SSH.

Step 3: SSH Hardening

Debian and Ubuntu ship an Include /etc/ssh/sshd_config.d/*.conf line at the top of sshd_config, and sshd keeps the first value it reads for each directive. Cloud images often drop a file there (Ubuntu's 50-cloud-init.conf sets PasswordAuthentication yes) that silently wins over anything you write further down in sshd_config. Either put your changes in a drop-in that sorts before it (for example /etc/ssh/sshd_config.d/10-hardening.conf) or verify the effective values with sudo sshd -T after restarting; editing sshd_config alone is not enough on such images.

Change SSH Port

sudo nano /etc/ssh/sshd_config

Change (sshd rejects a trailing comment on a directive line with "garbage at end of line", so keep the comment on its own line):

# Any unused port between 1024 and 65535
Port 2222

The port change only cuts down the automated login noise aimed at port 22. The protection comes from keys and Fail2Ban, so do not count the port as a security control. If your provider has a cloud firewall in front of the VPS, open the new port there as well.

Disable Root Login

PermitRootLogin no

Disable Password Authentication

First, ensure you have SSH keys set up for the user from Step 2. Do this while port 22 and passwords still work:

# On your local machine
ssh-keygen -t ed25519

# Copy to server
ssh-copy-id -p 22 botuser@your-server

Then disable passwords:

PasswordAuthentication no
PubkeyAuthentication yes

Also confirm KbdInteractiveAuthentication is no (the stock Debian and Ubuntu sshd_config sets it); otherwise PAM can still prompt for a password through keyboard-interactive login.

Restart SSH

Check that the config parses (sudo sshd -t) before restarting: a typo here with your only session closed means a trip to the provider's console. On releases where sshd is socket-activated (Ubuntu 22.10 and later; check with systemctl is-active ssh.socket), the listening port belongs to ssh.socket, so after changing Port run sudo systemctl daemon-reload and restart ssh.socket as well, or sshd keeps listening on 22.

sudo systemctl restart sshd

Keep your current session open and test a new connection (ssh -p 2222 botuser@your-server) before closing it!

Step 4: Configure Firewall (UFW)

A Discord/Anthropic bot only makes outbound connections, so nothing but SSH needs to be reachable from the internet. Allow the SSH port before enabling UFW, or the enable step cuts your session off.

# Install UFW
sudo apt install ufw -y

# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (use your custom port)
sudo ufw allow 2222/tcp

# Allow bot health check port ONLY if something outside the box polls it;
# for local checks, bind it to 127.0.0.1 in the bot and skip this rule
sudo ufw allow 3001/tcp

# Enable firewall
sudo ufw enable

# Check status
sudo ufw status verbose

If you want the firewall itself to throttle SSH brute force, ufw limit 2222/tcp instead of ufw allow rate-limits new connections from one address (6 in 30 seconds); Fail2Ban in Step 5 does the same with more context.
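Steps 3 and 4 done in the order that does not lock you out, as an added example script (not from the original guide or any project): it opens the new port in UFW first, writes the SSH settings as a drop-in that sorts before any cloud-init drop-in, syntax-checks with sshd -t, restarts ssh.socket where sshd is socket-activated, and finally prints what sshd is really using. It assumes Debian/Ubuntu with OpenSSH 8.2 or newer (Include support) and UFW installed; the drop-in name 10-hardening.conf is our own choice.

```shell
#!/bin/sh
# harden-ssh.sh: added example, not part of the original guide.
# Applies the SSH hardening as a drop-in, validates it, opens the port in UFW
# before restarting sshd, and reports the effective values. Run as root.
set -eu

# 0 if PORT is an integer in the unprivileged range the guide recommends.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Prints the drop-in. sshd keeps the FIRST value it reads per directive, and
# Ubuntu cloud images ship 50-cloud-init.conf with PasswordAuthentication yes,
# so this file must sort before it (10- < 50-).
render_sshd_dropin() {
    cat <<EOF
# Managed by harden-ssh.sh
Port $1
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
EOF
}

# Value sshd will use for DIRECTIVE, taken from the effective config (sshd -T),
# which prints directive names in lower case.
effective_value() {
    sshd -T 2>/dev/null | awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        '$1 == k { print $2; exit }'
}

apply_ssh_hardening() {
    port="$1"
    valid_port "$port" || { echo "port must be between 1024 and 65535" >&2; return 1; }
    dropin=/etc/ssh/sshd_config.d/10-hardening.conf   # our own file name

    # 1. Firewall first: restarting sshd on a port UFW drops means a lockout.
    ufw allow "$port"/tcp

    # 2. Make sure the main config includes the drop-in directory, then write it.
    grep -q '^Include /etc/ssh/sshd_config.d/\*\.conf' /etc/ssh/sshd_config ||
        sed -i '1i Include /etc/ssh/sshd_config.d/*.conf' /etc/ssh/sshd_config
    render_sshd_dropin "$port" > "$dropin"
    chmod 644 "$dropin"

    # 3. Refuse to restart on a config sshd cannot parse.
    sshd -t

    # 4. Where sshd is socket-activated (Ubuntu 22.10+), the listening port is
    #    owned by ssh.socket; restarting only the service keeps the old port.
    if systemctl is-active --quiet ssh.socket; then
        systemctl daemon-reload
        systemctl restart ssh.socket
    fi
    systemctl restart ssh

    # 5. Report what is in effect, not what the file says.
    for d in Port PermitRootLogin PasswordAuthentication KbdInteractiveAuthentication; do
        printf '%-30s %s\n' "$d" "$(effective_value "$d")"
    done
}

# Usage (keep your current session open): sudo ./harden-ssh.sh --apply 2222
if [ "${1:-}" = "--apply" ]; then
    apply_ssh_hardening "${2:-2222}"
fi
```

The last loop is the check worth keeping even if you apply the settings by hand: if PasswordAuthentication still reads yes there, a drop-in is overriding your edit.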

Step 5: Install Fail2Ban

Fail2Ban watches the SSH log and firewalls off sources that keep failing to authenticate. With password login already disabled it mostly cuts log noise, but it also slows anyone probing for keys or exploiting sshd bugs.

sudo apt install fail2ban -y

Create custom config (jail.local overrides jail.conf and survives package upgrades; never edit jail.conf itself):

sudo nano /etc/fail2ban/jail.local

[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
port = 2222
filter = sshd
# Debian 12 and Ubuntu 24.04 no longer install rsyslog, so /var/log/auth.log
# may not exist; reading sshd's messages from the journal works on every
# current release.
backend = systemd
maxretry = 3
bantime = 24h

The port line must match the port from Step 3, otherwise the bans are written for port 22 and block nothing. If your host does have rsyslog and /var/log/auth.log, backend = auto with logpath = /var/log/auth.log works too.

Start Fail2Ban:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Check banned IPs:

sudo fail2ban-client status sshd

If you lock out your own address, unban it with sudo fail2ban-client set sshd unbanip <your-ip>; better, add your home or office address to ignoreip under [DEFAULT] beforehand.

Step 6: Secure Environment Variables

Never store secrets in code or commit them to Git: tokens pushed to a public repository are harvested by scanners within minutes, and Git history keeps them even after the file is deleted.

Use .env Files

# Create with restricted permissions, in the bot directory, owned by the
# account that runs the bot (Step 10)
touch .env
chmod 600 .env

Example .env

ANTHROPIC_API_KEY=sk-ant-xxxxx
DISCORD_TOKEN=xxxxx
DATABASE_URL=postgres://user:pass@localhost/db

Add to .gitignore

echo ".env" >> .gitignore

Commit the .gitignore change. If .env was ever committed before this, removing it now does not help: rotate every key in it (Step 7).
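The properties above (mode 0600, not tracked, ignored, never in history) are easy to get wrong on one server and right on another, so here is an added check script, not part of the original guide. It assumes the bot checkout is a Git repository with .env in its root; it also flags placeholder values, which is what you ship when a template .env is copied without being filled in, and the history check is the one that tells you a rotation is due.

```shell
#!/bin/sh
# check-env-secrets.sh: added example, not part of the original guide.
# Verifies that the .env handling from Step 6 actually holds on this box.
set -eu

# 0 if FILE mode is exactly 0600 (owner read/write only). GNU/busybox stat.
env_file_perms_ok() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Prints KEY names whose value is empty or a placeholder (xxxx..., changeme,
# <something>). Comments and blank lines are skipped; "export KEY=" is accepted.
env_file_placeholders() {
    awk -F= '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        {
            key = $1
            sub(/^[[:space:]]*export[[:space:]]+/, "", key)
            val = substr($0, index($0, "=") + 1)
            if (val == "" || val ~ /xxxx|changeme/ || val ~ /^<.*>$/) print key
        }' "$1"
}

# Git checks, each prints a finding and returns 1 when the repo is unsafe.
env_not_tracked() {
    if git -C "$1" ls-files --error-unmatch .env >/dev/null 2>&1; then
        echo "FAIL: .env is tracked; run 'git rm --cached .env' and rotate every key in it"
        return 1
    fi
}
env_ignored() {
    git -C "$1" check-ignore -q .env || { echo "FAIL: .env is not matched by .gitignore"; return 1; }
}
env_never_committed() {
    if [ -n "$(git -C "$1" log --all --oneline -- .env)" ]; then
        echo "FAIL: .env appears in history; rotate its keys (rewriting history is not enough)"
        return 1
    fi
}

# Runs every check against REPO/.env; returns 1 if any FAIL was printed.
check_env() {
    repo="$1"; f="$repo/.env"; rc=0
    env_file_perms_ok "$f" || { echo "FAIL: $f mode is $(stat -c '%a' "$f"), want 600"; rc=1; }
    ph="$(env_file_placeholders "$f")"
    [ -z "$ph" ] || echo "WARN: placeholder values for: $(printf '%s' "$ph" | tr '\n' ' ')"
    if git -C "$repo" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        env_not_tracked "$repo" || rc=1
        env_ignored "$repo" || rc=1
        env_never_committed "$repo" || rc=1
    else
        echo "WARN: $repo is not a git checkout; history checks skipped"
    fi
    return $rc
}

# Usage: ./check-env-secrets.sh /opt/your-bot
if [ $# -gt 0 ]; then
    check_env "$1"
fi
```

The placeholder test is deliberately loose (any run of x's): the guide's own example values would all be flagged, which is the point of running it before the first deploy.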

Step 7: Protect API Keys

Rotate Keys Regularly

  • Change API keys every 3-6 months
  • Immediately rotate if exposed

Use Separate Keys

  • Development vs Production
  • Per-service keys when possible

Monitor Usage

Check API dashboards for unusual activity:

  • Anthropic Console
  • Discord Developer Portal

Step 8: Set Up Automatic Backups

Simple Backup Script

The archive includes .env, so it holds every API key: make it unreadable to other users, and copy it off the VPS, because a backup that lives only on a compromised or deleted server is no backup. The script only covers files; if the bot uses PostgreSQL, add a pg_dump of the database.

#!/bin/bash
# /opt/scripts/backup.sh
set -euo pipefail

BACKUP_DIR="/opt/backups"
DATE="$(date +%Y%m%d-%H%M)"
BOT_DIR="/opt/your-bot"

# New files (the archive) become 0600, the directory 0700
umask 077
mkdir -p "$BACKUP_DIR"
chmod 700 "$BACKUP_DIR"

# Backup bot code and config (not node_modules or .git, both reproducible)
tar -czf "$BACKUP_DIR/bot-$DATE.tar.gz" \
    --exclude='node_modules' \
    --exclude='.git' \
    -C "$(dirname "$BOT_DIR")" "$(basename "$BOT_DIR")"

# Keep only the last 7 days locally
find "$BACKUP_DIR" -name 'bot-*.tar.gz' -mtime +7 -delete

# For your setup: copy the newest archive off-box (scp/rsync/rclone) to
# storage that the bot's own credentials cannot delete

Schedule daily from root's crontab (the bot directory is owned by the service account from Step 10 and its .env is 0600, so a regular user cannot read it):

sudo chmod +x /opt/scripts/backup.sh
sudo crontab -e
# Add:
0 3 * * * /opt/scripts/backup.sh

Step 9: Monitor for Intrusions

Install and Configure Logwatch

sudo apt install logwatch -y

Get daily email reports. The package installs /etc/cron.daily/00logwatch, which runs logwatch with --output mail; set the recipient with MailTo in /etc/logwatch/conf/logwatch.conf or pass --mailto in the cron file. A mail transport (for example postfix in satellite mode, relaying through your mail provider) must exist, or the report never leaves the box.

sudo nano /etc/cron.daily/00logwatch

Check Auth Logs

Debian 12 and Ubuntu 24.04 no longer install rsyslog by default, so /var/log/auth.log may not exist; use sudo journalctl -u ssh in that case. The message text is the same in both.

# Recent login attempts
sudo tail -100 /var/log/auth.log

# Failed attempts
sudo grep "Failed" /var/log/auth.log

Besides the failed attempts, look for the line that should never appear after Step 3: "Accepted password for". One of those means password login is still on.
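Grepping for "Failed" gets noisy fast, so here is an added triage script (not from the original guide) that reduces the log to the three answers you actually want: failed attempts per source address, the sources that have crossed Fail2Ban's maxretry, and any login that succeeded with a password. The sample lines are constructed in auth.log format with RFC 5737 test addresses; the script works unchanged on journalctl -u ssh output because sshd's message text is the same.

```shell
#!/bin/sh
# ssh-auth-triage.sh: added example, not part of the original guide.
# Summarises sshd authentication events from auth.log or the journal.
set -eu

# Constructed sample (not real traffic), in auth.log format.
SAMPLE_AUTH_LOG='Jan 27 03:14:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 27 03:14:03 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 27 03:14:05 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jan 27 03:14:09 vps sshd[1205]: Invalid user oracle from 198.51.100.23 port 40022
Jan 27 03:14:10 vps sshd[1205]: Failed password for invalid user oracle from 198.51.100.23 port 40022 ssh2
Jan 27 03:20:41 vps sshd[1300]: Accepted publickey for botuser from 192.0.2.10 port 50011 ssh2: ED25519 SHA256:constructed
Jan 27 03:21:00 vps sshd[1302]: Accepted password for botuser from 192.0.2.10 port 50012 ssh2'

# stdin: log lines. stdout: "<count> <ip>", most active source first.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# stdin: log lines. stdout: IPs with at least $1 failures, i.e. what Fail2Ban
# bans at maxretry = $1 (ignoring findtime).
brute_force_sources() {
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# stdin: log lines. stdout: "<user> <ip>" for every password login that
# succeeded. After PasswordAuthentication no this must print nothing.
accepted_password_logins() {
    awk '/sshd\[[0-9]+\]: Accepted password for/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") u = $(i + 1)
                if ($i == "from") print u, $(i + 1)
            }
         }'
}

# Live source: auth.log where rsyslog is installed, otherwise the journal.
live_auth_log() {
    if [ -r /var/log/auth.log ]; then cat /var/log/auth.log
    else journalctl -u ssh --no-pager -o short; fi
}

# stdin: log lines. Prints the three reports.
report() {
    tmp="$(mktemp)"; cat > "$tmp"
    echo "== failed password attempts by source =="
    failed_by_ip < "$tmp"
    echo "== sources at the guide's sshd maxretry (3) =="
    brute_force_sources 3 < "$tmp"
    echo "== password logins that SUCCEEDED (must be empty after Step 3) =="
    accepted_password_logins < "$tmp"
    rm -f "$tmp"
}

# Usage: ./ssh-auth-triage.sh --sample     (constructed lines above)
#        sudo ./ssh-auth-triage.sh --live  (this host's log)
case "${1:-}" in
    --sample) printf '%s\n' "$SAMPLE_AUTH_LOG" | report ;;
    --live)   live_auth_log | report ;;
esac
```

On the sample, 203.0.113.7 shows three failures and is the only source at the ban threshold, while the last line is the finding that matters: a password login for botuser succeeded, so on a real host that output means the hardening from Step 3 is not in effect.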

Step 10: Process Isolation

Run your bot under its own unprivileged account, separate from the admin user of Step 2, so a bug in the bot or a malicious dependency cannot read other users' files or use sudo:

# Create dedicated service account: system account, no login shell, and a home
# directory for PM2's daemon state (~/.pm2), which a home-less account cannot create
sudo useradd -r -m -d /var/lib/botservice -s /bin/false botservice

# Set ownership (the .env from Step 6 stays 0600 and is now readable only by botservice)
sudo chown -R botservice:botservice /opt/your-bot

# Run via PM2 as that user (-H points HOME at the service account's directory)
cd /opt/your-bot
sudo -u botservice -H pm2 start index.js --name your-bot

Because the PM2 daemon now belongs to botservice, later pm2 commands (logs, restart, startup) must also be run with sudo -u botservice -H. A systemd unit with User=botservice is the simpler alternative and adds sandboxing that PM2 cannot provide.
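The systemd alternative for this step, as an added example that is not from the original guide or any project: a unit that runs the bot as botservice, feeds it the 0600 .env from Step 6 through EnvironmentFile, and locks the process down with systemd's sandboxing directives. It assumes the bot lives in /opt/your-bot with entry point index.js (as in the guide), node at /usr/bin/node, and a unit name of your-bot.service (our choice).

```shell
#!/bin/sh
# install-bot-service.sh: added example, not part of the original guide.
# Runs the bot under systemd as the unprivileged service account, sandboxed.
set -eu

BOT_DIR=/opt/your-bot          # from the guide
SERVICE_USER=botservice        # from the guide
UNIT_NAME=your-bot             # our choice

# Prints the unit file.
render_bot_unit() {
    cat <<EOF
[Unit]
Description=AI chatbot ($UNIT_NAME)
After=network-online.target
Wants=network-online.target

[Service]
User=$SERVICE_USER
Group=$SERVICE_USER
WorkingDirectory=$BOT_DIR
# systemd reads the file as root and hands the values to the process as
# environment variables; the file itself stays 0600, owned by the service user.
EnvironmentFile=$BOT_DIR/.env
ExecStart=/usr/bin/node $BOT_DIR/index.js
Restart=on-failure
RestartSec=5

# Sandbox: no privilege escalation, read-only /usr and /etc, private /tmp and
# /dev, no access to home directories, only IP and Unix sockets. The only
# writable location is /var/lib/$UNIT_NAME (created by StateDirectory); if the
# bot must write inside its own directory, add ReadWritePaths=$BOT_DIR/<subdir>.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
LockPersonality=yes
StateDirectory=$UNIT_NAME

[Install]
WantedBy=multi-user.target
EOF
}

# Creates the account if missing, fixes ownership, installs and starts the unit.
install_bot_service() {
    id "$SERVICE_USER" >/dev/null 2>&1 || useradd -r -s /usr/sbin/nologin "$SERVICE_USER"
    chown -R "$SERVICE_USER:$SERVICE_USER" "$BOT_DIR"
    chmod 600 "$BOT_DIR/.env"
    render_bot_unit > "/etc/systemd/system/$UNIT_NAME.service"
    systemctl daemon-reload
    systemctl enable --now "$UNIT_NAME.service"
    # systemd's own exposure score for the unit; the full output names the
    # directives still missing.
    systemd-analyze security "$UNIT_NAME.service" | tail -n 1
}

# Usage: sudo ./install-bot-service.sh --install
if [ "${1:-}" = "--install" ]; then
    install_bot_service
fi
```

With ProtectSystem=strict the first start usually fails if the bot writes logs or a SQLite file next to its code; the journal (journalctl -u your-bot) shows the EACCES, and the fix is a ReadWritePaths entry for that directory, not loosening the whole sandbox.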

Security Checklist

  • [ ] System updated, automatic security updates enabled
  • [ ] Non-root admin user created
  • [ ] SSH port changed (and opened in UFW)
  • [ ] Root login disabled
  • [ ] Password auth disabled, verified with a fresh key-based login
  • [ ] UFW firewall enabled
  • [ ] Fail2Ban installed and watching the new SSH port
  • [ ] .env file secured (chmod 600, in .gitignore)
  • [ ] API keys in environment variables, never in code
  • [ ] Bot runs as its own unprivileged service account
  • [ ] Backups configured and copied off the VPS
  • [ ] Log monitoring set up

Common Security Mistakes

| Mistake | Risk | Solution |
|---------|------|----------|
| Running as root | Full system compromise from any bot bug | Use a dedicated, unprivileged user |
| Default SSH port | Constant automated login attempts | Change the port (cuts noise only; keys and Fail2Ban do the protecting) |
| Passwords in code | Key exposure in Git | Use .env files kept out of version control |
| No firewall | Every listening service exposed | Configure UFW |
| No updates | Known vulnerabilities stay exploitable | Enable auto-updates |

What to Do If Compromised

  1. Disconnect - Block all inbound access at the provider firewall or with UFW, but take a disk snapshot first; wiping the box destroys the evidence you need for the next step
  2. Assess - Check auth logs, crontabs, new users, added authorized_keys entries and running processes to learn how they got in and what they reached
  3. Rotate - Change ALL credentials from a clean machine: API keys, the Discord token, database passwords, SSH keys. Assume every secret in .env is in the attacker's hands
  4. Rebuild - Do not clean a rooted host; reinstall from a fresh image, redeploy the bot from Git and redo this guide before restoring anything from backups
  5. Report - Notify affected services (Anthropic, Discord) and any users whose data the bot stored

Security Included

Our maintenance plans include security hardening, regular updates, and monitoring. Contact us for a security audit.

Need a VPS for Your Bot?

We recommend Hostinger KVM 2 VPS - reliable, fast, and perfect for AI chatbots. Get started with our recommended setup.

Need Help With Setup?

Got your VPS? Let us handle the technical work. Professional setup and maintenance for OpenClaw (formerly Clawd.bot).