
VPS security considerations

If you intend to self-host Runtipi on a VPS (Virtual Private Server), you need to understand the security implications and take proper precautions.

Important: When you install Runtipi on a VPS, it is immediately accessible via the internet through its public IP address. This makes it vulnerable to attacks if not properly secured.

Why VPS hosting requires extra care

Unlike a home server behind your router:

  • No firewall by default: Your VPS is directly exposed to the internet
  • Public IP address: Anyone can find and access your server
  • Known targets: Cloud IPs are continuously scanned by bots
  • Higher risk: Common attacks include brute force, port scanning, and DDoS

You’ll essentially be running a public-facing server, so you must harden it against attacks.

Before you install

1. Choose a secure VPS provider

Look for providers that offer:

  • DDoS protection
  • Built-in firewall
  • Snapshot/backup functionality
  • SSH key authentication
  • Two-factor authentication for account access

2. Initial server hardening

Must-do steps before installing Runtipi:

Quick checklist:

  • ✅ Create a non-root user with sudo privileges
  • ✅ Disable root login via SSH
  • ✅ Set up SSH key authentication
  • ✅ Disable password authentication
  • ✅ Configure a firewall (UFW or iptables)
  • ✅ Enable automatic security updates
  • ✅ Change default SSH port (optional but recommended)

Firewall Configuration

Using UFW (Ubuntu)

1. Install UFW:

sudo apt update
sudo apt install ufw

2. Allow SSH, then enable UFW (critical: add the SSH rule FIRST or you’ll lock yourself out!):

sudo ufw allow 22/tcp
# Or if you changed the SSH port:
sudo ufw allow YOUR_SSH_PORT/tcp
sudo ufw enable

3. For Runtipi, you need to decide on your access strategy:

Option A: VPN access only (Most secure)

# Only allow SSH
sudo ufw allow 22/tcp
# Do NOT open ports 80/443
# Access Runtipi through VPN only

Then install a VPN like Tailscale or WireGuard on your VPS and devices.

Option B: Cloudflare Tunnel (Secure)

# Only allow SSH
sudo ufw allow 22/tcp
# Do NOT open ports 80/443
# Use Cloudflare Tunnel for app access

Guide: Expose Apps with Cloudflare Tunnels

Option C: Direct exposure (Less Secure)

# Allow SSH
sudo ufw allow 22/tcp
# Allow HTTP and HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

With Option C, your Runtipi dashboard will be accessible to anyone on the internet. You MUST:

  • Use a very strong password (20+ characters)
  • Enable two-factor authentication if available
  • Consider IP whitelisting (only allow specific IPs)
  • Monitor logs regularly for suspicious activity

4. Check firewall status:

sudo ufw status verbose
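To confirm that the rule set really matches the option you chose, here is an added check (not from the Runtipi docs) that reads saved `sudo ufw status verbose` output and reports anything besides SSH that is open to Anywhere under options A and B; the sample output and the `check_ufw` name are my own constructions.

```shell
#!/bin/sh
# Added example (not Runtipi's code): audit saved `sudo ufw status verbose`
# output against the chosen access strategy. Only IPv4 "Anywhere" rows are
# examined; "(v6)" rows are ignored for brevity.

# open_to_anywhere FILE -> one port/service per line allowed in from Anywhere
open_to_anywhere() {
    awk '/ALLOW IN/ && /Anywhere$/ { print $1 }' "$1"
}

# check_ufw FILE STRATEGY [SSH_PORT] -> prints FAIL lines; returns 0 only when
# the rule set fits the strategy (vpn | tunnel | direct), otherwise 1.
check_ufw() {
    file=$1; strategy=$2; ssh=${3:-22}/tcp; rc=0
    grep -q '^Status: active' "$file" || { echo "FAIL ufw is not active"; rc=1; }
    grep -q '^Default: deny (incoming)' "$file" \
        || { echo "FAIL default incoming policy is not deny"; rc=1; }
    # Without an SSH rule, a reboot or `ufw enable` locks you out.
    open_to_anywhere "$file" | grep -qx "$ssh" \
        || { echo "FAIL no rule allowing $ssh from Anywhere"; rc=1; }
    for rule in $(open_to_anywhere "$file"); do
        case "$strategy:$rule" in
            *:"$ssh") ;;                        # SSH is expected everywhere
            direct:80/tcp|direct:443/tcp) ;;   # only option C exposes the web ports
            *) echo "FAIL $rule is open to Anywhere under strategy '$strategy'"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: what `sudo ufw status verbose > ufw.txt` might save.
UFW_SAMPLE='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    203.0.113.10
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

demo=$(mktemp); printf '%s\n' "$UFW_SAMPLE" > "$demo"
check_ufw "$demo" vpn || echo "rule set does not match the VPN-only strategy"
rm -f "$demo"
```

On the sample, the VPN-only check fails because 80/tcp is open to Anywhere, while the same rules pass as option C.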

SSH Hardening

1. Use SSH Keys Only

Generate a key pair on your local machine:

ssh-keygen -t ed25519 -C "your_email@example.com"

Copy to your server:

ssh-copy-id username@your-server-ip

Test it works, then disable password authentication:

sudo nano /etc/ssh/sshd_config

Find and change:

PasswordAuthentication no
PermitRootLogin no

Restart SSH:

sudo systemctl restart sshd

2. Change Default SSH Port (Optional)

This cuts down the noise from automated scanners (it does not replace key-only authentication):

sudo nano /etc/ssh/sshd_config

Change:

Port 22

To:

# Choose any port 1024-65535 (keep the comment on its own line; sshd rejects trailing text after a value)
Port 2847

Update firewall:

sudo ufw allow 2847/tcp
sudo ufw delete allow 22/tcp
sudo systemctl restart sshd

Connect with:

ssh -p 2847 username@your-server-ip
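Before restarting sshd, it is worth checking that the edits from both steps above actually took effect. The following audit script is an added example, not part of the Runtipi docs; the `sshd_setting` and `audit_sshd_config` names and the sample config are my own.

```shell
#!/bin/sh
# Added example (not Runtipi's code): audit an sshd_config for the settings
# changed in the two steps above. sshd keeps the FIRST value it sees for a
# keyword, so an earlier "PasswordAuthentication yes" silently wins over the
# "no" you appended. Settings inside Match blocks are conditional and are not
# evaluated here, and Include'd files are not followed; `sudo sshd -T` shows
# the real effective values.

# sshd_setting FILE KEYWORD -> effective value, or "default" if not set
sshd_setting() {
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }   # skip comments and blank lines
        tolower($1) == "match"      { exit }  # stop at conditional blocks
        tolower($1) == key          { print $2; exit }
    ' "$1")
    printf '%s\n' "${val:-default}"
}

# audit_sshd_config FILE -> one FAIL line per weak setting; returns 0 if clean
audit_sshd_config() {
    rc=0
    pa=$(sshd_setting "$1" PasswordAuthentication)
    # The compiled-in default is "yes", so "default" counts as a failure.
    [ "$pa" = "no" ] || { echo "FAIL PasswordAuthentication=$pa (want no)"; rc=1; }
    prl=$(sshd_setting "$1" PermitRootLogin)
    [ "$prl" = "no" ] || { echo "FAIL PermitRootLogin=$prl (want no)"; rc=1; }
    pka=$(sshd_setting "$1" PubkeyAuthentication)
    # Default is "yes", so only an explicit "no" is a problem.
    [ "$pka" != "no" ] || { echo "FAIL PubkeyAuthentication=no"; rc=1; }
    port=$(sshd_setting "$1" Port)
    [ "$port" != "default" ] || port=22
    echo "INFO sshd port is $port; ufw must allow $port/tcp before restarting sshd"
    return $rc
}

# Constructed sample: the guide's edits appended below a stock "yes" line.
WEAK_SSHD='PasswordAuthentication yes
# Edits from the guide, placed after the line they should have replaced:
PasswordAuthentication no
PermitRootLogin no
Port 2847'

demo=$(mktemp); printf '%s\n' "$WEAK_SSHD" > "$demo"
audit_sshd_config "$demo" || echo "fix the lines above, then: sudo sshd -t && sudo systemctl restart sshd"
rm -f "$demo"
```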

IP Whitelisting

If you have a static IP at home/work, whitelist only those IPs:

# Remove general rules
sudo ufw delete allow 80/tcp
sudo ufw delete allow 443/tcp
# Allow only your IP
sudo ufw allow from YOUR_HOME_IP to any port 80
sudo ufw allow from YOUR_HOME_IP to any port 443

Most home connections have dynamic IPs that change. This method won’t work if your IP changes frequently.

Fail2Ban - Automatic banning

Fail2Ban monitors logs and automatically bans IPs with too many failed login attempts.

Install:

sudo apt install fail2ban

Configure:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Enable SSH protection:

[sshd]
enabled = true
# If you changed the SSH port above, put that port number here instead of "ssh"
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600

Start fail2ban:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Check banned IPs:

sudo fail2ban-client status sshd

Monitoring & alerts

1. Install Uptime Monitoring

Use a service like:

2. Monitor SSH login attempts

Check auth logs regularly:

sudo tail -f /var/log/auth.log

See failed login attempts:

sudo grep "Failed password" /var/log/auth.log | tail -20
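As an added example (not from the Runtipi docs), the script below does what the grep above does but aggregated per source IP, flags sources that reached the maxretry = 3 used in the Fail2Ban section, and lists every successful login with its source so an unknown IP or an unexpected password login stands out. The log lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Runtipi's code): summarise sshd entries from an auth.log
# the way you would triage it by hand: failed passwords per source IP, sources
# that crossed the fail2ban maxretry threshold, and every successful login
# with its source. Note: fail2ban only counts failures inside its findtime
# window; this script counts across the whole file.

# failed_by_ip FILE -> "COUNT IP" lines, most failures first
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# over_maxretry FILE MAXRETRY -> IPs with at least MAXRETRY failures
over_maxretry() {
    failed_by_ip "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# accepted_logins FILE -> "USER IP METHOD" for every successful login
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
             for (i = 1; i <= NF; i++) {
                 if ($i == "Accepted") m = $(i + 1)
                 if ($i == "for")      u = $(i + 1)
                 if ($i == "from")     a = $(i + 1)
             }
             print u, a, m
         }' "$1"
}

# Constructed sample auth.log (a password login should not appear once PasswordAuthentication is off)
AUTH_SAMPLE='Mar  3 10:01:12 vps sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:15 vps sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:20 vps sshd[1236]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Mar  3 10:01:25 vps sshd[1237]: Failed password for root from 203.0.113.5 port 51260 ssh2
Mar  3 10:02:00 vps sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:02:30 vps sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40010 ssh2
Mar  3 10:03:00 vps sshd[1302]: Accepted password for alice from 192.0.2.44 port 50000 ssh2'

demo=$(mktemp); printf '%s\n' "$AUTH_SAMPLE" > "$demo"
echo "failed passwords per IP:"; failed_by_ip "$demo"
echo "over fail2ban maxretry=3:"; over_maxretry "$demo" 3
echo "successful logins (user ip method):"; accepted_logins "$demo"
rm -f "$demo"
```

On hosts that log SSH only to journald, feed the functions a file written with `journalctl -u ssh --no-pager` instead of /var/log/auth.log.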

Regular maintenance

Weekly tasks

  • Check auth logs for suspicious activity
  • Review fail2ban banned IPs
  • Verify backups are running
  • Check disk space usage

Monthly tasks

  • Update system packages: sudo apt update && sudo apt upgrade
  • Update Runtipi: sudo ./runtipi-cli update latest
  • Review user accounts and access
  • Test backup restoration

How to use a VPN

The most secure way to access Runtipi on a VPS is through a VPN. This keeps Runtipi completely private while still allowing remote access.

Tailscale (Easiest)

1. Install on VPS:

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

2. Install on your devices (phone, laptop, etc.)

3. Access Runtipi via Tailscale IP:

http://100.x.x.x

No need to open ports 80/443 to the public!

WireGuard

WireGuard setup guide

If you’re already compromised

Signs your server might be compromised:

  • Unknown processes running
  • Unexpected high CPU/network usage
  • Files modified
  • Unknown user accounts
  • SSH login from unknown IPs

Immediate actions:

  1. Take server offline or isolate it
  2. Create a snapshot/backup
  3. Review all logs
  4. Consider rebuilding from scratch