How to Harden Your VPS Security: SSH Keys, Firewall, Fail2ban & SSL Checklist

A freshly provisioned VPS is not secure by default. The default SSH configuration accepts password-based logins, no firewall rules are enforced, and the system is exposed on all ports to the public internet. Attackers use automated bots that scan IP ranges continuously — a new VPS can receive its first brute-force login attempts within minutes of provisioning. This guide provides a complete, actionable VPS security hardening checklist that you can implement in under an hour.

Why VPS Security Hardening Matters

Unprotected servers are compromised regularly, even when running no significant traffic or data. Attackers look for:

  • Compute resources — To run cryptocurrency mining, spam campaigns, or DDoS attacks
  • Network bandwidth — To amplify DDoS attacks using your server as a relay
  • Data access — To exfiltrate customer data, credentials, or proprietary code
  • Persistence — To establish a backdoor for future use

The good news: implementing the following measures reduces your attack surface by more than 95% and makes opportunistic attacks infeasible.

The Complete VPS Security Hardening Checklist

1. Generate and Deploy SSH Key Pairs

Password-based SSH authentication is the single biggest security vulnerability on new VPS instances. SSH key pairs use asymmetric cryptography — your private key never leaves your local machine, making remote password guessing impossible.

Generate a key pair on your local machine:

ssh-keygen -t ed25519 -C "admin@yourcompany.com"

Ed25519 is preferred over RSA for new keys due to smaller key size and stronger security. Copy the public key to your VPS:

ssh-copy-id -i ~/.ssh/id_ed25519.pub username@YOUR_VPS_IP

Test key-based login before disabling passwords:

ssh -i ~/.ssh/id_ed25519 username@YOUR_VPS_IP

✅ Confirm you can log in with the key before proceeding to disable passwords.

2. Disable Password Authentication and Root Login

Edit the SSH daemon configuration:

sudo nano /etc/ssh/sshd_config

Set these values (change them if they exist, add them if missing). Also check any files under /etc/ssh/sshd_config.d/: the Include line at the top of sshd_config loads them first, and because sshd uses the first value it reads for each keyword, a drop-in that sets PasswordAuthentication yes silently wins over the main file.

PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
X11Forwarding no
AllowTcpForwarding no

Optionally, change the default SSH port from 22 to a high port (e.g., 2222 or 49200) to reduce automated scan traffic:

Port 49200

Restart SSH:

sudo systemctl restart sshd

⚠️ Keep your current SSH session open. Open a new terminal window and test the new configuration before closing the existing session.
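As an added example (not part of the original guide), the following audit models sshd's first-match-wins rule on constructed config text, including a cloud-init style drop-in that is read before the main file; on the server itself, `sudo sshd -T` prints the effective values and is the authoritative check.

```python
import re

# Directives step 2 sets, with the value each must have (lowercased).
REQUIRED = {"passwordauthentication": "no", "permitrootlogin": "no",
            "pubkeyauthentication": "yes", "x11forwarding": "no",
            "allowtcpforwarding": "no"}

def effective_settings(files):
    """files: ordered [(name, text)] as sshd reads them (drop-ins pulled in by
    the Include at the top of sshd_config first). Returns {keyword: (value,
    name)} with sshd's first-match-wins rule; a Match block runs to end of
    file and is conditional, so everything after it is skipped."""
    effective = {}
    for name, text in files:
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()   # drop comments/blanks
            if not line:
                continue
            parts = re.split(r"[\s=]+", line, maxsplit=1)
            key = parts[0].lower()
            if key == "match":
                break
            value = parts[1].strip().lower() if len(parts) > 1 else ""
            effective.setdefault(key, (value, name))  # first value wins
    return effective

def audit(files):
    """Findings for step 2; an empty list means all directives are in effect."""
    eff = effective_settings(files)
    findings = []
    for key, want in REQUIRED.items():
        if key not in eff:
            findings.append(f"{key} not set, sshd default applies")
        elif eff[key][0] != want:
            findings.append(f"{key} is '{eff[key][0]}' in {eff[key][1]}, want '{want}'")
    return findings

# Constructed inputs: a cloud-init style drop-in (read first) and the hardened main file.
CLOUD_INIT = "PasswordAuthentication yes\n"
MAIN = """Include /etc/ssh/sshd_config.d/*.conf
Port 49200
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
X11Forwarding no
AllowTcpForwarding no
Match User backup
    AllowTcpForwarding yes
"""
```

Before closing your existing session, also confirm sshd is listening on the new port: Ubuntu 22.10 and later socket-activate sshd, and a changed Port directive may not take effect there until the ssh.socket unit is reloaded and restarted.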

3. Enable UFW Firewall

UFW (Uncomplicated Firewall) provides a simple interface over iptables. Configure it with a deny-by-default policy:

sudo ufw default deny incoming
sudo ufw default allow outgoing

Allow only the services you actually need:

# If you changed SSH port, use your custom port number
sudo ufw allow 49200/tcp comment 'SSH'
sudo ufw allow 80/tcp comment 'HTTP'
sudo ufw allow 443/tcp comment 'HTTPS'

Enable the firewall:

sudo ufw enable

Verify the rules:

sudo ufw status verbose

✅ Only the ports you explicitly opened should show as ALLOW.

4. Install and Configure Fail2ban

Fail2ban monitors log files and bans IP addresses that show malicious patterns — too many failed login attempts, port scanning, etc.

sudo apt install fail2ban -y

Create /etc/fail2ban/jail.local rather than editing jail.conf: jail.conf is replaced on package upgrades, while settings in jail.local override it and survive:

sudo nano /etc/fail2ban/jail.local

Add this configuration (on systems without rsyslog, such as minimal Debian 12 images, /var/log/auth.log does not exist and the sshd jail needs backend = systemd instead of the %(sshd_backend)s default):

[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3
ignoreip = 127.0.0.1/8

[sshd]
enabled = true
port = 49200
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[nginx-http-auth]
enabled = true

[nginx-botsearch]
enabled = true

Start and enable Fail2ban:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Monitor the ban list:

sudo fail2ban-client status sshd
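To see what bantime, findtime and maxretry actually do, here is an added example (written for this page, not Fail2ban's own code) that replays constructed sshd log lines through the same counting rules with the jail.local values above; the regex is a simplified stand-in for Fail2ban's sshd failregex.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified version of Fail2ban's sshd failregex (the real one covers more forms).
FAIL_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def simulate(log, findtime=600, maxretry=3, bantime=3600, ignoreip=("127.0.0.1/8",)):
    """Replay sshd log text with the jail.local settings above and return
    {ip: ban_expiry} for every address Fail2ban would ban."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    window = defaultdict(deque)   # ip -> timestamps of failures inside findtime
    bans = {}
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue                          # not a failure line
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=2024)
        ip = m.group(2)
        if any(ipaddress.ip_address(ip) in net for net in ignored):
            continue                          # ignoreip is never counted
        if ip in bans and ts < bans[ip]:
            continue                          # already banned, nothing to add
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()                       # expire failures older than findtime
        if len(q) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans

# Constructed auth.log lines (syslog format, no year), not real captures:
# one host fails 3 times in 8 s, loopback fails 3 times, one host fails 3
# times but spread over 20 min.
LOG = """\
Mar  3 10:00:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:00:04 vps sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:00:09 vps sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Mar  3 10:00:12 vps sshd[1207]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Mar  3 10:01:00 vps sshd[1209]: Failed password for root from 127.0.0.1 port 3000 ssh2
Mar  3 10:01:01 vps sshd[1210]: Failed password for root from 127.0.0.1 port 3001 ssh2
Mar  3 10:01:02 vps sshd[1211]: Failed password for root from 127.0.0.1 port 3002 ssh2
Mar  3 10:05:00 vps sshd[1220]: Failed password for invalid user pi from 192.0.2.9 port 1000 ssh2
Mar  3 10:20:00 vps sshd[1230]: Failed password for invalid user pi from 192.0.2.9 port 1001 ssh2
Mar  3 10:25:00 vps sshd[1240]: Failed password for invalid user pi from 192.0.2.9 port 1002 ssh2
"""
```

The 192.0.2.9 entries show the findtime window: three failures spread over 20 minutes never reach maxretry within 600 s, so only a longer findtime would ban that host.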

5. Enable Automatic Security Updates

Manual patch management is a common failure point. Enable unattended-upgrades to automatically install security patches:

sudo apt install unattended-upgrades apt-listchanges -y
sudo dpkg-reconfigure -plow unattended-upgrades

Verify the configuration:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Ensure Unattended-Upgrade::Allowed-Origins includes the security origin for your distribution. The default Ubuntu configuration already includes this.

6. Install SSL/TLS Certificate

HTTPS is mandatory for any public-facing service. Use Certbot for automatic Let’s Encrypt certificate management:

sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Certbot sets up automatic renewal. Verify renewal works:

sudo certbot renew --dry-run

Additionally, enforce strong TLS settings in your Nginx configuration:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

7. Configure Security Headers

HTTP security headers protect against common web vulnerabilities such as clickjacking and MIME-type sniffing. Add to your Nginx server block (note that current browsers have removed the XSS auditor that X-XSS-Protection controlled, so that header is harmless but provides no protection on its own; a Content-Security-Policy is the modern replacement):

add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

8. Secure Shared Memory

Shared memory (tmpfs) is world-writable, so an attacker who gains a foothold can drop and execute files from it. Mount it with noexec and nosuid; on current Ubuntu and Debian releases /run/shm is a symlink to /dev/shm, so use /dev/shm as the mount point there, and test your stack after remounting because noexec breaks a few applications that map executables in shared memory:

sudo nano /etc/fstab

Add this line:

tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0

9. Install and Configure a Rootkit Scanner

Rkhunter scans for rootkits, backdoors, and suspicious local exploits:

sudo apt install rkhunter -y
sudo rkhunter --update
sudo rkhunter --check --sk

Run weekly scans by adding a cron job:

sudo crontab -e

Add:

0 3 * * 0 /usr/bin/rkhunter --check --sk --quiet 2>&1 | mail -s "rkhunter Report" admin@yourcompany.com

10. Configure Log Monitoring and Alerts

Set up logwatch to send daily log summaries:

sudo apt install logwatch -y
sudo logwatch --output mail --mailto admin@yourcompany.com --detail high

For real-time monitoring, consider installing Netdata (free) or integrating with a monitoring service like UptimeRobot, Datadog, or Grafana Cloud.

11. Disable Unused Services

Identify and disable services you do not need:

sudo systemctl list-unit-files --state=enabled

Common services that can often be safely disabled on a minimal VPS:

sudo systemctl disable --now bluetooth.service
sudo systemctl disable --now avahi-daemon.service

Research each service before disabling to ensure it is not a dependency for your stack.

12. Implement File Integrity Monitoring

AIDE (Advanced Intrusion Detection Environment) detects unauthorized changes to system files:

sudo apt install aide -y
sudo aideinit
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Run checks to detect changes. After legitimate changes such as package updates, re-run aideinit and move the new database into place again, otherwise every subsequent check keeps reporting them:

sudo aide --check

Security Hardening Verification Checklist

After completing the steps above, verify your hardening with this checklist:

  • ☐ SSH key authentication working and password authentication disabled
  • ☐ Root SSH login disabled
  • ☐ SSH port changed from default 22 (optional but recommended)
  • ☐ UFW firewall active with only required ports open
  • ☐ Fail2ban active and protecting SSH
  • ☐ Automatic security updates enabled
  • ☐ SSL/TLS certificate installed and auto-renewal configured
  • ☐ Security headers configured on web server
  • ☐ No unnecessary services running
  • ☐ Log monitoring configured with alerts

Ongoing Security Maintenance

Security hardening is not a one-time task. Establish these regular practices:

  • Monthly: Review Fail2ban logs for attack patterns, check system user accounts for unauthorized additions
  • Quarterly: Review open firewall ports, audit installed packages and remove unused ones, test backup restoration
  • When deploying new applications: Review the application’s security requirements and open only the minimum necessary ports and permissions

Start with a Secure Foundation

Security hardening is significantly easier when starting with a quality VPS from a provider that includes baseline DDoS protection and operates secure data center infrastructure. If you are setting up a new server, USA VPS plans at VPS.DO and Hong Kong VPS plans come with KVM virtualization, clean Ubuntu/Debian base images, and DDoS protection included — giving you a solid foundation to apply the hardening steps above.

Conclusion

VPS security hardening is a systematic process that eliminates the most common attack vectors in under an hour. By implementing SSH key authentication, disabling password logins, enabling a strict firewall, installing Fail2ban, and keeping the system automatically updated, you transform a vulnerable default installation into a server that resists the vast majority of automated attacks. Follow the checklist above on every new VPS provisioning and you will build a consistent, secure server infrastructure.
