Why Harden Immediately?
A public VPS is typically probed by automated scanners within 5-10 minutes of boot. Services like Shodan and Censys continuously index every open port on the internet. If your SSH still listens on port 22 with password auth, you're hanging the key on the doorknob.
⚠️ Real data: An unpatched Ubuntu VPS sees an average of 2,000+ SSH brute-force attempts per day, with ~80% originating from automated botnet IP ranges.
Layer 1: UFW Firewall
UFW (Uncomplicated Firewall) is the default firewall frontend on Ubuntu/Debian. It wraps iptables with a minimal syntax.
Layer 2: fail2ban Against Brute Force
fail2ban watches logs and auto-bans IPs with repeated failed logins. It's the most effective tool against SSH brute force.
Layer 3: SSH Port & Auth Hardening
Three punches: change port, disable passwords, restrict users.
Advanced: DDOS & Port Scan Defense
- Cloudflare in front: Point your domain to Cloudflare and enable Under Attack mode. CF absorbs L3/L4 DDOS; restrict origin traffic to CF IP ranges only.
- SYN cookies: `sudo sysctl -w net.ipv4.tcp_syncookies=1` mitigates SYN Flood attacks.
- Port knocking: Use knockd to keep SSH invisible until a correct knock sequence is sent. Scanners won't even see the port.
- Automatic security updates: `sudo apt install unattended-upgrades` keeps the system patched automatically.
Hardening Checklist
- ✅ UFW enabled, only business ports allowed
- ✅ fail2ban running, sshd jail active
- ✅ SSH port changed from 22
- ✅ Password auth disabled, key-only
- ✅ Direct root login disabled
- ✅ unattended-upgrades configured for security patches
- ✅ Cloud security group matches UFW rules
- ✅ sshd_config backed up, rescue mode access known