How to Secure Your VPS: Firewall, SSH Hardening, Fail2ban
Within minutes of going online, every public server starts receiving automated attacks — password guesses, port scans, exploit probes. None of it is personal, and almost all of it is defeated by three layers: a strict firewall, hardened SSH, and fail2ban.
Layer 1: A Default-Deny Firewall
The principle: everything is closed unless you explicitly open it.
On Ubuntu with UFW:
On CentOS/Alma/Rocky with firewalld:
Common mistakes to avoid:
- Leaving database ports (3306, 5432, 6379, 27017) open to the world. Bind them to
127.0.0.1or restrict by source IP. - Forgetting that Docker bypasses UFW by writing its own iptables rules — published container ports are public unless you bind them to localhost (
-p 127.0.0.1:8080:80).
Layer 2: SSH Hardening
SSH is the front door, so make it key-only. Generate a modern key locally:
Copy it with ssh-copy-id, then edit /etc/ssh/sshd_config:
Restart sshd, but verify you can still log in from a second terminal before closing your session.
Optional extras: moving SSH to a non-standard port reduces log noise (not real security), and for high-value servers consider two-factor authentication via pam_google_authenticator, or restricting SSH to a VPN/WireGuard interface only.
Layer 3: Fail2ban Against Brute Force
Create /etc/fail2ban/jail.local:
Fail2ban tails your logs and firewalls-off IPs that keep failing. It also has jails for Nginx auth, WordPress login endpoints, and mail services. Check its work with fail2ban-client status sshd.
The Layers People Forget
- Automatic security updates:
unattended-upgrades(Ubuntu) ordnf-automatic(CentOS). Most real-world compromises exploit patches that existed for months. - Least privilege: run apps as their own unprivileged users, never as root. Use sudo for administration.
- Remove what you don't use: every installed service is attack surface.
ss -tlnpshows what's listening — if you can't explain a line, investigate it. - Backups off the server: ransomware and rm -rf don't care how good your firewall is. Keep versioned backups somewhere the server itself can't delete.
- Monitoring: even simple uptime and login alerts mean you find out about problems from a notification, not from customers.
Summary
Firewall everything, allow only what you serve. Make SSH key-only with root login disabled. Let fail2ban handle the bots, and let automatic updates close known holes. These four habits stop the overwhelming majority of attacks a VPS will ever face — and they take less than an hour to set up.