A fresh VPS gets 1,000+ SSH brute-force attempts per day from botnets. This 10-minute setup blocks them all. Tested on Ubuntu 22.04/24.04 — the default OS for Hostiger VPS Hosting.
1. Create a non-root user (2 min)
adduser deploy
usermod -aG sudo deploy
mkdir -p /home/deploy/.ssh
chmod 700 /home/deploy/.ssh
# copy your public key
echo "ssh-ed25519 AAAA... you@laptop" > /home/deploy/.ssh/authorized_keys
chmod 600 /home/deploy/.ssh/authorized_keys
chown -R deploy:deploy /home/deploy/.ssh
2. Disable password login and root SSH (2 min)
Edit /etc/ssh/sshd_config:
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
ClientAliveInterval 300
Then restart SSH — but keep the current session open in another terminal in case you locked yourself out:
systemctl restart ssh
Test login as deploy in a NEW terminal before closing the original.
3. Enable ufw firewall (1 min)
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp # SSH
ufw allow 80/tcp # HTTP
ufw allow 443/tcp # HTTPS
ufw enable
ufw status verbose
4. Install fail2ban (2 min)
Fail2ban watches auth logs and auto-bans IPs after failed login attempts.
apt install fail2ban -y
# Custom config — don't edit jail.conf, use jail.local
cat > /etc/fail2ban/jail.local << EOF
[DEFAULT]
bantime = 24h
findtime = 10m
maxretry = 5
[sshd]
enabled = true
EOF
systemctl restart fail2ban
fail2ban-client status sshd
5. Automatic security updates (2 min)
apt install unattended-upgrades -y
dpkg-reconfigure --priority=low unattended-upgrades
Answer "Yes" to enable. Only security updates install automatically — never major version changes.
6. Change default SSH port (optional, 1 min)
Doesn't add real security but reduces log spam. In sshd_config:
Port 2222
Then update ufw: ufw allow 2222/tcp && ufw delete allow 22/tcp. Connect with ssh -p 2222 deploy@ip.
Verify everything works
ss -tlnp— should only show services you expectfail2ban-client status sshd— should show "Currently failed" and "Total banned"ufw status— should show your allowed portstail -f /var/log/auth.log— watch live SSH attempts
What we haven't covered
For deeper defense: rootkit scanning (rkhunter), file integrity monitoring (AIDE), intrusion detection (OSSEC), and a WAF at the reverse proxy layer (Cloudflare, ModSecurity). Not required for most workloads but worth reading about.
If security is high-priority, consider Hostiger Dedicated Servers — full hardware isolation with no shared hypervisor.