I recently purchased a VPS, although I have no prior experience using it and have only used regular hosting in the past.

However, today the hosting provider notified me that my server was under attack and they had to temporarily shut it down for security reasons.

I would appreciate any advice on how to protect myself against such attacks. I understand that this is a common type of attack where addresses are scanned and brute force methods are used, but my knowledge of Linux is limited and I'm struggling to defend against it.

Regarding the server setup:

    The website can be accessed via the IP address from the Internet.
    SSH connection is possible by using "ssh root@xx.xx.xхx.xхx" (using login/password, without keys).
    There are multiple domains available for SSH connection as well, such as "ssh root@example.com" (using login/password, without keys).
    There is only one IP address assigned to the machine.

Is it possible to restrict SSH connection to specific IP addresses and reserve one of the domains exclusively for that purpose? Can the connection for the root user be restricted to password authentication, so that the hosting provider does not suspend the server along with all my projects/sites?

Furthermore, what are the essential steps to secure the server in general?

I'm not an expert in server security, but I can provide some general advice that might help you secure your VPS. Keep in mind that it's always a good idea to consult with professionals or research further for specific guidance.

1. Restrict SSH Access: Yes, you can restrict SSH access to specific IP addresses to enhance security. You can configure your firewall or use tools like iptables to allow SSH connections only from trusted IP addresses.

2. Disable Root Login: It's generally recommended to disable direct root logins since it is a common target for attackers. Instead, create a new user with administrative privileges and use that account to log into the server. This helps reduce the risk of unauthorized access.

3. Use Key-based Authentication: Key-based authentication is more secure than password authentication. Generate an SSH key pair, upload the public key to the server, and then disable password authentication. This adds an extra layer of security to your SSH connection.

4. Update and Patch Regularly: Keep your server's operating system, software, and applications up to date with the latest security patches. Regular updates help protect against known vulnerabilities that attackers may exploit.

5. Install a Firewall: Implement a firewall to control incoming and outgoing network traffic. This can help block unauthorized access attempts and protect your server from various types of attacks.

6. Secure Web Applications: If you are running web applications, make sure to follow best practices for securing them. This includes setting strong passwords, keeping applications updated, and using secure protocols such as HTTPS.

7. Monitor and Log Activities: Configure logging and monitoring systems to keep an eye on system activities and detect any suspicious behavior. This can help you identify potential attacks and respond proactively.

Remember, server security is an ongoing process. Regularly review and improve your security measures, stay informed about new threats, and consider seeking professional assistance to ensure the highest level of protection for your VPS.

From the very beginning of your post, I could tell that you were dealing with a dishonest hosting provider. I've encountered a similar situation twice. Whenever you try to close ports and fix any vulnerabilities, they will come up with claims of excessive server load and pressure you to upgrade to a more expensive plan. If you do switch to a higher tariff, they will then accuse you of copyright infringement for using certain images on your site. This cycle continues, accompanied by frequent and unexpected server shutdowns.

 It's important to remember that a reputable host will never shut down your server without prior notification via email, explaining the reasons behind it (such as maintenance in the data center). The uptime of a good hosting or server is a crucial factor, and reliable providers strive to maintain it at 100%. Any downtime means lost profits for the customer, often in real monetary terms. If you come across a host that randomly disconnects your servers without warning, it's best to request a refund and find a better option.

As for your specific question, if you are experiencing such problems within just two days of usage, it's also the fault of the host. Why would the Linux distribution they provide for installation come with such poor initial setup that it includes a hacker Trojan-bruteforcer right out of the box? I am certain that the hoster themselves planted this malicious software, for the reasons I outlined earlier. It's possible that there wasn't even a hacking attempt and the logs they provided were fake.

Falling victim to scammers is unfortunately quite common. In my knowledge, there are only three legitimate reasons for a server to be spontaneously disabled (assuming you haven't engaged in any illegal activity like hacking or distributing torrents): an incident in the data center (or a severe DDoS attack affecting the entire data center subnet), a DMCA complaint for copyright infringement, or abnormal traffic consumption by your server that significantly exceeds the permitted limits (such as using an entire month's worth of traffic in just one day). In any other case, any sudden server shutdown should be seen as the host's dishonesty or an attempt at fraud.

If your server is causing havoc in the world around you, the first step is to request the hoster to disable outgoing TCP connections on your server's port 22.

Interestingly, it is peculiar that the hoster decided to shut down the entire server instead of just blocking outgoing calls.

Afterward, examine the processes running on your server. It appears that someone has injected a persistent process that constantly consumes memory and bombards neighboring servers with brute-force requests. Take note of the processes that establish TCP connections.

In theory, a hacker cannot execute an additional process, but they can inject their own code into an existing program that should operate continuously, thereby intensifying the damage.

Furthermore, consider which outgoing TCP ports are truly necessary. I believe that you will find very few essential ports. Closing unnecessary ports, both at the hoster level and on your server, will enhance security. However, if your server is compromised, the hacker might be capable of bypassing the port blocking implemented by your server, but only if they have root privileges.

Ideally, the hoster should provide a web interface through which clients can manage the opening and closing of ports according to their needs. By default, ports commonly exploited by hackers should be closed.

steps you can take to secure your VPS from malicious intrusions:

1. Enable Fail2Ban: Fail2Ban is a popular intrusion prevention tool that scans log files and bans IP addresses that show signs of malicious activity, such as failed login attempts. It can help protect against brute force attacks by automatically blocking IP addresses attempting to gain unauthorized access to your server.

2. Set up Two-Factor Authentication (2FA): Implementing 2FA adds an extra layer of security to your server. It requires users to provide a second form of authentication, such as a temporary code sent to their mobile device, in addition to their regular username and password.

3. Secure File Permissions: Review and set appropriate file permissions for your server's files and directories. Make sure critical system files are only accessible by the root user or specific administrative users. Restrict write permissions wherever possible to prevent unauthorized modification of important files.

4. Implement DDoS Protection: Distributed Denial of Service (DDoS) attacks can overwhelm your server and cause service disruptions. Consider using a DDoS protection service or installing DDoS mitigation software to filter out malicious traffic and ensure uninterrupted server availability.

5. Regularly Monitor and Analyze Logs: Keep an eye on your server's log files for any suspicious activities. Monitoring logs can help you identify potential security breaches or patterns of unauthorized access attempts. Tools like log analyzers can simplify the task of parsing and analyzing log data.

6. Use Strong Passwords: Encourage good password practices for both yourself and any users on your server. Ensure passwords are complex, unique, and regularly updated. Avoid using common or easily guessable passwords.

7. Harden Your Web Applications: If you're running web applications or content management systems, make sure they are up to date with the latest security patches. Remove any unnecessary plugins or themes and follow best practices for securing web applications.

8. Regularly Scan for Vulnerabilities: Use vulnerability scanning tools to regularly scan your server and web applications for any known vulnerabilities. Address any identified weaknesses promptly by applying patches or configuration changes.

9. Implement SSL/TLS Certificates: Use an SSL/TLS certificate to encrypt data transmitted between your server and client browsers. This helps protect sensitive information, such as login credentials or personal details, from eavesdropping and interception.

10. Educate Yourself and Your Users: Stay informed about the latest security threats, techniques, and best practices. Educate yourself and your users about potential risks and train them on how to identify and avoid common security pitfalls, such as phishing attacks or social engineering scams.

few more steps to enhance the security of your VPS:

1. Use a Web Application Firewall (WAF): A WAF can provide an additional layer of protection by filtering and blocking malicious traffic before it reaches your server. It helps defend against common web-based attacks, such as cross-site scripting (XSS) and SQL injection.

2. Disable Unused Services: Review the services running on your VPS and disable any that are not necessary. By reducing the number of exposed services, you minimize potential entry points for attackers.

3. Implement IP Whitelisting: Configure your firewall to only allow incoming connections from trusted IP addresses. This restricts access to your server and reduces the attack surface.

4. Enable Automatic Security Updates: Many Linux distributions offer automatic security updates. Enable this feature to ensure that your VPS receives timely patches for known vulnerabilities.

5. Regularly Change SSH Port: By changing the default SSH port from 22 to a non-standard port, you can reduce the number of automated scans targeting your server. However, bear in mind that this alone does not provide strong security; it should be used in conjunction with other measures.

6. Secure Database Access: If you're running a database server, restrict remote access and ensure that databases are properly secured with strong passwords and limited privileges.

7. Harden PHP Configuration: If your VPS runs PHP, strengthen its security by disabling dangerous functions, configuring open_basedir restrictions, and implementing input validation and output escaping in your application code.

8. Implement Network Intrusion Detection/Prevention Systems (NIDS/NIPS): These systems monitor network traffic for suspicious patterns and can help identify and block sophisticated attacks.

9. Regularly Perform Security Audits: Conduct regular security audits of your VPS infrastructure to identify vulnerabilities and misconfigurations. Tools like OpenVAS or Nessus can assist in scanning for potential weaknesses.

10. Backup Off-Site: Ensure that you maintain regular backups of your VPS data and store them in a separate off-site location. This protects your data in case of server compromise or catastrophic events.

To restrict SSH connections to specific IP addresses, you can use the AllowTcpForwarding and PermitRootLogin directives in the /etc/ssh/sshd_config file. For example, you can add the following lines: AllowTcpForwarding no and PermitRootLogin without-password. This will allow only password authentication for the root user and restrict SSH connections to specific IP addresses.

To reserve one of the domains exclusively for SSH connections, you can create a new file in the /etc/hosts.allow directory with the following format: sshd: example.com. This will allow SSH connections only from the example.com domain.