Security

How to secure your VPS in 10 minutes: fail2ban, ufw, SSH hardening

Complete VPS security checklist: SSH key-only login, disable root, fail2ban, ufw firewall, automatic security updates. Ubuntu 22.04/24.04 tested.

Published 2026-07-15· 6 min read· Hostiger Editorial

A fresh VPS gets 1,000+ SSH brute-force attempts per day from botnets. This 10-minute setup blocks them all. Tested on Ubuntu 22.04/24.04 — the default OS for Hostiger VPS Hosting.

1. Create a non-root user (2 min)

adduser deploy
usermod -aG sudo deploy
mkdir -p /home/deploy/.ssh
chmod 700 /home/deploy/.ssh
# copy your public key
echo "ssh-ed25519 AAAA... you@laptop" > /home/deploy/.ssh/authorized_keys
chmod 600 /home/deploy/.ssh/authorized_keys
chown -R deploy:deploy /home/deploy/.ssh

2. Disable password login and root SSH (2 min)

Edit /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
ClientAliveInterval 300

Then restart SSH — but keep the current session open in another terminal in case you locked yourself out:

systemctl restart ssh

Test login as deploy in a NEW terminal before closing the original.

3. Enable ufw firewall (1 min)

ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp       # SSH
ufw allow 80/tcp       # HTTP
ufw allow 443/tcp      # HTTPS
ufw enable
ufw status verbose

4. Install fail2ban (2 min)

Fail2ban watches auth logs and auto-bans IPs after failed login attempts.

apt install fail2ban -y

# Custom config — don't edit jail.conf, use jail.local
cat > /etc/fail2ban/jail.local << EOF
[DEFAULT]
bantime = 24h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
EOF

systemctl restart fail2ban
fail2ban-client status sshd

5. Automatic security updates (2 min)

apt install unattended-upgrades -y
dpkg-reconfigure --priority=low unattended-upgrades

Answer "Yes" to enable. Only security updates install automatically — never major version changes.

6. Change default SSH port (optional, 1 min)

Doesn't add real security but reduces log spam. In sshd_config:

Port 2222

Then update ufw: ufw allow 2222/tcp && ufw delete allow 22/tcp. Connect with ssh -p 2222 deploy@ip.

Verify everything works

What we haven't covered

For deeper defense: rootkit scanning (rkhunter), file integrity monitoring (AIDE), intrusion detection (OSSEC), and a WAF at the reverse proxy layer (Cloudflare, ModSecurity). Not required for most workloads but worth reading about.

If security is high-priority, consider Hostiger Dedicated Servers — full hardware isolation with no shared hypervisor.

Ready to try Hostiger? Deploy a VPS in under 60 seconds.

View VPS plans