Initial Setup

Before anything else, bring all installed packages up to date so that known security vulnerabilities are patched immediately.

bash
$ sudo apt update && sudo apt upgrade -y

Create a dedicated non-root user with sudo privileges immediately after first login — never operate as root day-to-day.

bash
$ adduser deploy
$ usermod -aG sudo deploy

SSH Hardening

Disable root login and password-based authentication — only SSH key pairs should be accepted.

⚠ Important: Copy your SSH public key to the server before disabling password authentication. If you skip this step you will lock yourself out completely.

bash — local machine
$ ssh-copy-id -i ~/.ssh/id_ed25519.pub deploy@YOUR_SERVER_IP

Edit /etc/ssh/sshd_config to disable root login and password authentication, then reload the SSH daemon.

bash
$ sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
$ sudo sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
$ sudo systemctl restart sshd
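
The sed edits above change nothing when a directive is missing from the file, and a drop-in file included from /etc/ssh/sshd_config.d/ can set the value before the main file does. The following check is an added example, not part of the original page: it reads the effective configuration as printed by `sshd -T` and fails unless both settings are `no`. The function names, the `--live` switch and the sample outputs are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example: verify the effective sshd settings, not the file text.
# check_sshd_effective reads `sshd -T` style output on stdin (one
# "keyword value" pair per line, keywords in lowercase) and succeeds
# only if root login and password authentication are both "no".
check_sshd_effective() (
    rc=0
    root_login=""
    password_auth=""
    while read -r key value; do
        case "$key" in
            permitrootlogin)        root_login=$value ;;
            passwordauthentication) password_auth=$value ;;
        esac
    done
    if [ "$root_login" != "no" ]; then
        echo "FAIL: permitrootlogin is '${root_login:-unset}', expected 'no'" >&2
        rc=1
    fi
    if [ "$password_auth" != "no" ]; then
        echo "FAIL: passwordauthentication is '${password_auth:-unset}', expected 'no'" >&2
        rc=1
    fi
    [ "$rc" -eq 0 ]
)

# Constructed sample: what `sshd -T` reports after a successful hardening.
sample_hardened() {
    printf '%s\n' 'port 22' 'permitrootlogin no' \
        'passwordauthentication no' 'pubkeyauthentication yes'
}

# Constructed sample: a drop-in file re-enabled passwords, so the sed edit
# to the main file had no effect on the running configuration.
sample_overridden() {
    printf '%s\n' 'port 22' 'permitrootlogin no' \
        'passwordauthentication yes' 'pubkeyauthentication yes'
}

# On a real server: `sshd -t` validates syntax, `sshd -T` prints the
# effective configuration that the daemon will use.
if [ "${1:-}" = "--live" ]; then
    sudo sshd -t && sudo sshd -T | check_sshd_effective \
        && echo "OK: root login and password authentication are disabled"
fi
```

Run it with `--live` from your existing session and confirm a key-based login in a second terminal before you disconnect.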

Firewall with UFW

Enable UFW (Uncomplicated Firewall) and allow only the ports your services actually require — deny everything else by default.

bash
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
$ sudo ufw allow ssh
$ sudo ufw allow 80/tcp
$ sudo ufw allow 443/tcp
$ sudo ufw enable

Verify the rules are active with the following command:

bash
$ sudo ufw status verbose

Fail2Ban — Brute-Force Protection

Fail2Ban scans log files and bans IP addresses that show malicious signs such as repeated failed login attempts.

bash
$ sudo apt install fail2ban -y
$ sudo systemctl enable fail2ban
$ sudo systemctl start fail2ban

Check that the SSH jail is active and review currently banned addresses:

bash
$ sudo fail2ban-client status sshd