How to Secure Your VPS: Firewall, SSH Hardening, Fail2ban

How to Secure Your VPS: Firewall, SSH Hardening, Fail2ban

Within minutes of going online, every public server starts receiving automated attacks — password guesses, port scans, exploit probes. None of it is personal, and almost all of it is defeated by three layers: a strict firewall, hardened SSH, and fail2ban.

Layer 1: A Default-Deny Firewall

The principle: everything is closed unless you explicitly open it.

On Ubuntu with UFW:

ufw default deny incoming
ufw default allow outgoing
ufw allow OpenSSH
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable

On CentOS/Alma/Rocky with firewalld:

firewall-cmd --permanent --add-service={ssh,http,https}
firewall-cmd --reload

Common mistakes to avoid:

  1. Leaving database ports (3306, 5432, 6379, 27017) open to the world. Bind them to 127.0.0.1 or restrict by source IP.
  2. Forgetting that Docker bypasses UFW by writing its own iptables rules — published container ports are public unless you bind them to localhost (-p 127.0.0.1:8080:80).

Layer 2: SSH Hardening

SSH is the front door, so make it key-only. Generate a modern key locally:

ssh-keygen -t ed25519

Copy it with ssh-copy-id, then edit /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
AllowUsers deploy

Restart sshd, but verify you can still log in from a second terminal before closing your session.

Optional extras: moving SSH to a non-standard port reduces log noise (not real security), and for high-value servers consider two-factor authentication via pam_google_authenticator, or restricting SSH to a VPN/WireGuard interface only.

Layer 3: Fail2ban Against Brute Force

apt install fail2ban # or dnf install fail2ban

Create /etc/fail2ban/jail.local:

[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true

Fail2ban tails your logs and firewalls-off IPs that keep failing. It also has jails for Nginx auth, WordPress login endpoints, and mail services. Check its work with fail2ban-client status sshd.

The Layers People Forget

  1. Automatic security updates: unattended-upgrades (Ubuntu) or dnf-automatic (CentOS). Most real-world compromises exploit patches that existed for months.
  2. Least privilege: run apps as their own unprivileged users, never as root. Use sudo for administration.
  3. Remove what you don't use: every installed service is attack surface. ss -tlnp shows what's listening — if you can't explain a line, investigate it.
  4. Backups off the server: ransomware and rm -rf don't care how good your firewall is. Keep versioned backups somewhere the server itself can't delete.
  5. Monitoring: even simple uptime and login alerts mean you find out about problems from a notification, not from customers.

Summary

Firewall everything, allow only what you serve. Make SSH key-only with root login disabled. Let fail2ban handle the bots, and let automatic updates close known holes. These four habits stop the overwhelming majority of attacks a VPS will ever face — and they take less than an hour to set up.

Deploy your server ← Back to blog