Linux VPS Security: SSH Keys, UFW, and Fail2Ban

A VPS exposed to the internet will be scanned and attacked automatically within minutes. The fastest way to reduce risk is to harden SSH access, enable a default-deny firewall, and block brute-force attempts. This guide shows a proven baseline setup for Ubuntu/Debian (with notes for RHEL-based systems).

Security also depends on stability and control: start with a clean, reliable Linux VPS, then apply these steps immediately after deployment.

Before You Start (Avoid Lockouts)

  • Keep one SSH session open while editing SSH configuration.
  • Ensure you have console/VNC/serial access from the provider panel (emergency access is a lifesaver).
  • If you plan to change the SSH port, open the new port in UFW first, then switch the SSH config.

1) Update the System

Start by applying security updates.

Debian/Ubuntu:

sudo apt update && sudo apt -y upgrade

RHEL-based (AlmaLinux/Rocky/CentOS):

sudo dnf -y update || sudo yum -y update

2) Create an Admin User (No Root Work)

Working under root is risky. Create a normal user with sudo privileges and use it for daily administration.

Ubuntu/Debian

sudo adduser admin
sudo usermod -aG sudo admin

RHEL-based (AlmaLinux/Rocky/CentOS)

sudo useradd -m -s /bin/bash admin
sudo passwd admin
sudo usermod -aG wheel admin

Optional (recommended): restrict SSH logins to a dedicated group (example: sshusers).

sudo groupadd sshusers || true
sudo usermod -aG sshusers admin

3) SSH Keys: Generating and Adding

Important: only the public key (.pub) is copied to the server. The private key stays on your local machine and must never be shared.

Generate a key locally (Windows/macOS/Linux)

ssh-keygen -t ed25519 -a 64

Press Enter to accept the default location (~/.ssh/id_ed25519) and set a passphrase if possible.

Copy the public key to the server

Recommended method (ssh-copy-id):

ssh-copy-id -i ~/.ssh/id_ed25519.pub admin@SERVER_IP

Manual method (if ssh-copy-id is not available):

# Create the directory and key file as the admin user so ownership is correct
sudo -u admin mkdir -p /home/admin/.ssh
sudo -u admin chmod 700 /home/admin/.ssh
# Paste the single line from your local ~/.ssh/id_ed25519.pub, then save
sudo -u admin nano /home/admin/.ssh/authorized_keys
sudo -u admin chmod 600 /home/admin/.ssh/authorized_keys

Test key login now (before changing SSH settings):

ssh admin@SERVER_IP

4) Strengthen SSH: Disable Passwords and Root Login

Edit SSH daemon configuration. The file is usually /etc/ssh/sshd_config.

sudo nano /etc/ssh/sshd_config

Set (or ensure) these directives exist. Adjust port if you use a custom one.

# Debian/Ubuntu sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf" and sshd keeps
# the first value it reads for each directive, so check those drop-ins for conflicting settings

# Optional: change SSH port (remember to allow it in firewall first)
# Port 2222

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

# Disable interactive auth methods if not needed
# (ChallengeResponseAuthentication is the legacy name of the same option; keeping both is harmless)
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no

# Optional: restrict who can SSH (recommended)
AllowGroups sshusers

# Reasonable brute-force limits (helps even without Fail2Ban)
MaxAuthTries 3
LoginGraceTime 30

Validate config syntax (safe check):

sudo sshd -t

Restart/reload SSH service:

Ubuntu/Debian:

sudo systemctl reload ssh

RHEL-based:

sudo systemctl reload sshd

Critical: verify you can log in with the key before you log out of the existing session. Otherwise you can lock yourself out.
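The directives above go into sshd_config, but what sshd actually enforces is the merged result of that file and every Include drop-in, which `sudo sshd -T` prints. The following POSIX shell script is an added check written for this article (not part of the original guide or OpenSSH): it reads `sshd -T` output and reports each hardening directive that is missing or differs from the values set above. The function name `check_sshd` and the `live` argument are names chosen here.

```shell
#!/bin/sh
# Compare the effective sshd configuration ("sshd -T" output) against the
# hardening values from this guide. "sshd -T" prints the merged, lowercased
# result of sshd_config plus every Include drop-in, so it catches a drop-in
# (e.g. under /etc/ssh/sshd_config.d/) that silently overrides your edits.
# Run on the server:   sudo sh sshd_check.sh live
# Exit status 0 = all directives match, 1 = something is missing or wrong.

check_sshd() {
    # reads "directive value" lines on stdin
    awk '
        BEGIN {
            expect["permitrootlogin"]              = "no"
            expect["passwordauthentication"]       = "no"
            expect["pubkeyauthentication"]         = "yes"
            expect["kbdinteractiveauthentication"] = "no"
            expect["maxauthtries"]                 = "3"
            expect["logingracetime"]               = "30"
        }
        NF >= 2 { seen[$1] = $2 }   # first token of the value is enough for these keys
        # OpenSSH older than 8.7 prints the legacy name of the same option
        $1 == "challengeresponseauthentication" { seen["kbdinteractiveauthentication"] = $2 }
        END {
            bad = 0
            for (k in expect) {
                if (!(k in seen)) {
                    printf "MISSING %s (expected %s)\n", k, expect[k]; bad = 1
                } else if (seen[k] != expect[k]) {
                    printf "WRONG   %s = %s (expected %s)\n", k, seen[k], expect[k]; bad = 1
                }
            }
            if ("port" in seen)
                printf "effective port: %s (make sure the firewall allows it)\n", seen["port"]
            if (!bad) print "OK: effective sshd settings match the hardening baseline"
            exit bad
        }'
}

case "${1:-}" in
    live) sshd -T | check_sshd ;;   # sshd -T needs root, hence sudo
esac
```

Run it before you close your existing session; a WRONG or MISSING line means a drop-in or typo is overriding what you just edited.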

5) UFW: “Closed by Default” Firewall

UFW is the simplest firewall for Ubuntu/Debian. The goal is: deny all incoming, allow only what your services need.

Install and configure UFW (Ubuntu/Debian):

sudo apt update && sudo apt install -y ufw

# Defaults
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (important: adjust if you changed the port)
sudo ufw allow OpenSSH

# Common web ports (optional)
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Enable and check status
sudo ufw enable
sudo ufw status verbose

If you use a custom SSH port (example 2222), add it explicitly before you enable UFW or remove the default OpenSSH rule:

sudo ufw allow 2222/tcp

Note for RHEL-based systems: UFW is not standard there. Most use firewalld (firewall-cmd) instead.

6) Fail2Ban: Installation and Protection for SSH

Fail2Ban watches logs and bans IPs that show malicious patterns (like repeated failed logins). This reduces brute-force noise and prevents many basic attacks.

Install and enable Fail2Ban:

sudo apt install -y fail2ban || sudo dnf install -y fail2ban
sudo systemctl enable --now fail2ban

Create jail.local for sshd

Create or edit:

sudo nano /etc/fail2ban/jail.local

Minimal recommended config:

[DEFAULT]
bantime  = 1h
findtime = 10m
maxretry = 5

# If you use UFW, this integrates cleanly on Ubuntu/Debian
banaction = ufw

[sshd]
enabled = true
# Use your custom port number here if you changed it (e.g. port = 2222)
port    = ssh
logpath = %(sshd_log)s
# If the system has no /var/log/auth.log (journald only), read the journal instead:
# backend = systemd

Restart Fail2Ban:

sudo systemctl restart fail2ban

Tip: you can also protect Nginx auth endpoints and block aggressive bots with additional jails later, but start with SSH first.
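To see what `findtime = 10m` and `maxretry = 5` mean in practice, here is an added example (not from the original guide or the Fail2Ban project) that replays the jail's counting over a few constructed auth-log lines: a source is banned the moment it reaches maxretry failed logins inside a findtime-second window. The function names, the sample lines and the addresses are assumptions, and it is a simplified model of Fail2Ban's logic that only counts "Failed password" lines.

```shell
#!/bin/sh
# Simplified replay of the Fail2Ban sshd jail: count "Failed password" lines per
# source IP and ban when maxretry failures fall inside a findtime-second window.
# Reads syslog-style sshd lines on stdin (only the HH:MM:SS field is used, so the
# sample must come from one day); prints "BAN <ip> after N failures" per ban.

fail2ban_replay() {
    findtime="${1:-600}"    # seconds, same as "findtime = 10m" in jail.local
    maxretry="${2:-5}"
    awk -v findtime="$findtime" -v maxretry="$maxretry" '
        /sshd\[[0-9]+\]: Failed password for/ {
            split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
            ip = ""
            for (i = 5; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "" || (ip in banned)) next   # already banned: nothing more to count
            n = ++cnt[ip]; ts[ip, n] = now
            # slide the window start past failures older than findtime
            start = (ip in first) ? first[ip] : 1
            while (start < n && ts[ip, start] < now - findtime) start++
            first[ip] = start
            if (n - start + 1 >= maxretry) {
                banned[ip] = 1
                printf "BAN %s after %d failures\n", ip, n - start + 1
            }
        }'
}

# Constructed sample: 203.0.113.50 fails 5 times in 21 seconds (banned),
# 198.51.100.7 fails 5 times but 12 minutes apart (never 5 inside 10 minutes).
sample_auth_log() {
    cat <<'EOF'
Jan 10 12:00:01 vps sshd[2101]: Failed password for root from 203.0.113.50 port 40122 ssh2
Jan 10 12:00:04 vps sshd[2103]: Failed password for invalid user admin from 203.0.113.50 port 40130 ssh2
Jan 10 12:00:09 vps sshd[2105]: Failed password for root from 203.0.113.50 port 40141 ssh2
Jan 10 12:00:15 vps sshd[2107]: Failed password for root from 203.0.113.50 port 40150 ssh2
Jan 10 12:00:22 vps sshd[2109]: Failed password for root from 203.0.113.50 port 40162 ssh2
Jan 10 12:05:00 vps sshd[2201]: Failed password for admin from 198.51.100.7 port 51000 ssh2
Jan 10 12:17:00 vps sshd[2202]: Failed password for admin from 198.51.100.7 port 51001 ssh2
Jan 10 12:29:00 vps sshd[2203]: Failed password for admin from 198.51.100.7 port 51002 ssh2
Jan 10 12:41:00 vps sshd[2204]: Failed password for admin from 198.51.100.7 port 51003 ssh2
Jan 10 12:53:00 vps sshd[2205]: Failed password for admin from 198.51.100.7 port 51004 ssh2
EOF
}

# Demo run with the guide's values (findtime 600 s, maxretry 5): prints one BAN line
sample_auth_log | fail2ban_replay 600 5
```

Raising findtime to an hour would also ban the slow source, which is the trade-off the two settings control: a longer window catches patient scanners but makes accidental lockouts of legitimate users more likely.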

7) Checking Operation and Logs

Check Fail2Ban status and active bans:

sudo fail2ban-client status
sudo fail2ban-client status sshd

View logs:

sudo tail -n 200 /var/log/fail2ban.log

How to test a ban (safe method): from another machine, make 5–6 incorrect SSH login attempts. Then re-check fail2ban-client status sshd — your IP should appear under banned IPs.

Unban a specific IP (if needed):

sudo fail2ban-client set sshd unbanip 203.0.113.50

Security Checklist

  • Key-based SSH login works, password auth disabled, root login disabled.
  • Firewall is “deny incoming / allow outgoing,” only required ports are open.
  • Fail2Ban protects sshd, bans are confirmed, logs are monitored.
  • You have emergency console access and documentation of ports/users.

Secure Your Linux VPS from Day One

Deploy a clean server, lock SSH down to keys, allow only what you need in the firewall, and let Fail2Ban handle brute-force noise. Start on a reliable Linux VPS and apply this baseline security immediately after provisioning.
