🛡️

Secure VPS: UFW + fail2ban

👨‍🍳 Chef ⏱️ 45 minutes

📋 Suggested prerequisites

  • VPS with Ubuntu/Debian
  • SSH root access

What you'll build

A secure VPS with the UFW firewall configured, fail2ban protecting SSH from brute-force attacks, and SSH authentication by key only.

After this tutorial, your server will:

  • Block all traffic except SSH, HTTP and HTTPS
  • Automatically ban IPs attempting brute force
  • Only accept login with SSH key (no passwords)
  • Have automatic security updates

Step 1: Connect to your VPS

ssh root@YOUR_IP

Step 2: Update the system

apt update && apt upgrade -y

Step 3: Create non-root user

# Create user
adduser youruser

# Give sudo
usermod -aG sudo youruser

# Copy SSH keys
mkdir -p /home/youruser/.ssh
cp ~/.ssh/authorized_keys /home/youruser/.ssh/
chown -R youruser:youruser /home/youruser/.ssh
chmod 700 /home/youruser/.ssh
chmod 600 /home/youruser/.ssh/authorized_keys

Step 4: Configure UFW (Firewall)

# Install UFW
apt install ufw -y

# Default policy: block all incoming
ufw default deny incoming
ufw default allow outgoing

# Allow SSH (IMPORTANT BEFORE ENABLING!)
ufw allow ssh

# Allow HTTP and HTTPS
ufw allow 80/tcp
ufw allow 443/tcp

# Enable
ufw enable

# Verify
ufw status verbose

You should see:

Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere

Step 5: Install fail2ban

apt install fail2ban -y

# Create local config
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit /etc/fail2ban/jail.local:

[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
banaction = ufw

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 24h

# Restart
systemctl restart fail2ban
systemctl enable fail2ban

# Verify
fail2ban-client status sshd

Step 6: SSH Hardening

Edit /etc/ssh/sshd_config:

# Disable password
PasswordAuthentication no

# Disable root login
PermitRootLogin no

# Only your user
AllowUsers youruser

# Limits
MaxAuthTries 3

# Restart SSH
systemctl restart sshd

Step 7: Automatic updates

apt install unattended-upgrades -y
dpkg-reconfigure -plow unattended-upgrades

Select "Yes" to enable automatic updates.


Step 8: Verify everything

# Firewall active
ufw status

# fail2ban running
fail2ban-client status sshd

# SSH configured
grep -E "PasswordAuth|PermitRoot" /etc/ssh/sshd_config

# Test login from another terminal BEFORE closing this one
ssh youruser@YOUR_IP
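
The grep above only shows what is written in /etc/ssh/sshd_config. sshd keeps the first value it reads for each keyword, and the default Debian/Ubuntu sshd_config includes /etc/ssh/sshd_config.d/*.conf near the top, so a drop-in file can override Step 6. The following is an added example, not part of the original tutorial: it checks the effective settings as printed by `sshd -T`. The function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the *effective* sshd settings against Step 6.
# audit_sshd reads `sshd -T` style output on stdin (one "keyword value"
# line per setting, keywords in lowercase); $1 is the expected login user.
# On the server, as root:  sshd -T | audit_sshd youruser
audit_sshd() {
    awk -v user="$1" '
        $1 == "passwordauthentication" { pa  = $2 }
        $1 == "permitrootlogin"        { prl = $2 }
        $1 == "maxauthtries"           { mat = $2 }
        $1 == "allowusers" { for (i = 2; i <= NF; i++) allowed[$i] = 1; n += NF - 1 }
        END {
            bad = 0
            if (pa  != "no") { print "FAIL passwordauthentication=" pa; bad = 1 }
            if (prl != "no") { print "FAIL permitrootlogin=" prl;       bad = 1 }
            if (mat == "" || mat + 0 > 3) { print "FAIL maxauthtries=" mat; bad = 1 }
            if (n != 1 || !(user in allowed)) { print "FAIL allowusers is not exactly " user; bad = 1 }
            if (!bad) print "OK"
            exit bad   # non-zero exit when any check failed
        }'
}

# Constructed sample: the Step 6 settings are in effect.
sample_hardened() {
    cat <<'EOF'
port 22
permitrootlogin no
passwordauthentication no
maxauthtries 3
allowusers youruser
EOF
}

# Constructed sample: a drop-in under sshd_config.d set
# "PasswordAuthentication yes" before the main file was read.
sample_overridden() {
    cat <<'EOF'
port 22
permitrootlogin no
passwordauthentication yes
maxauthtries 3
allowusers youruser
EOF
}

sample_hardened   | audit_sshd youruser || true
sample_overridden | audit_sshd youruser || true
```

A missing keyword line is reported as a failure with an empty value, so truncated input does not pass silently.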

Troubleshooting

Problem                    Solution
-------                    --------
Can't connect via SSH      Use the VPS provider's web console
fail2ban banned me         fail2ban-client set sshd unbanip YOUR_IP
UFW blocked everything     Web console → ufw disable

Final checklist

  • UFW active with only 22, 80, 443
  • fail2ban protecting SSH
  • Login only with SSH key
  • Root login disabled
  • Automatic updates

Next step

→ SSL with Let's Encrypt