Find us on social media

Client area
SecurityFail2banSSH7 min read

Basic VPS security

Implement essential security measures: SSH keys, Fail2Ban, firewall, and automatic updates.

Securing your VPS is essential to prevent unauthorized access, brute-force attacks and data breaches. Follow these steps after initial setup.

Step 1 — Use SSH keys instead of passwords

Generate a key pair on your local machine:

bash
ssh-keygen -t ed25519 -C "your-email@example.com"

Copy the public key to your VPS:

bash
ssh-copy-id deploy@YOUR_VPS_IP

Step 2 — Disable password authentication

Edit SSH config:

bash
sudo nano /etc/ssh/sshd_config

Set:

terminal
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no

Restart SSH:

bash
sudo systemctl restart sshd

Step 3 — Install fail2ban

fail2ban blocks IPs after repeated failed login attempts:

bash
sudo apt install fail2ban -y

Create a local configuration:

bash
sudo nano /etc/fail2ban/jail.local

Content:

ini
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log

Start fail2ban:

bash
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Check banned IPs:

bash
sudo fail2ban-client status sshd

Step 4 — Change the SSH port (optional)

Edit /etc/ssh/sshd_config:

terminal
Port 2222

Update firewall and restart:

bash
sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp
sudo systemctl restart sshd

Step 5 — Keep the system updated

bash
sudo apt update && sudo apt upgrade -y

Enable automatic security updates (see "Update the operating system" guide).

Step 6 — Configure the firewall

See the "Configure firewall with UFW" guide for detailed instructions.

Step 7 — Disable unused services

bash
sudo systemctl list-units --type=service --state=running
sudo systemctl disable --now service_name

Additional recommendations

  • Use strong, unique passwords for all services
  • Enable two-factor authentication where possible
  • Regularly audit open ports: sudo ss -tuln
  • Monitor login attempts: sudo lastb | head -20
  • Keep backups on a separate system

Note

Your Baires Host VPS includes network-level DDoS protection. These steps complement that protection at the operating system level for comprehensive security.

Was this guide helpful?
← Back to Linux