
Securing a Linux server: UFW, SSH, and Fail2Ban

Security

The moment you spin up a new Linux server, bots start scanning it. If you leave it with default settings, it’s only a matter of time before someone tries to brute-force their way in. You need to lock it down immediately.

Here is what you should do on every new server.

1. Generate and copy SSH keys

Password logins are a massive security risk. SSH keys are much safer, but you have to set them up before you disable passwords, or you’ll lock yourself out of your own server.

Step 1: Generate a key pair

On your local machine (not the server), generate a strong RSA key pair:

ssh-keygen -t rsa -b 4096

(Press Enter to accept the default file location, and add a passphrase if you want extra security.)

Step 2: Copy the public key to the VPS

Send your new public key to your server:

ssh-copy-id user@your_server_ip

(Swap user with your server username and your_server_ip with the IP address. You’ll need to type your server password one last time.)

Test it by running ssh user@your_server_ip. If it logs you in without asking for a password, you’re good to go.

2. Configure the firewall (UFW)

Raw iptables rules are a headache. The Uncomplicated Firewall (UFW) makes it simple to block everything except the ports you actually need: SSH (22), HTTP (80), and HTTPS (443).

sudo apt install ufw -y
sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443
sudo ufw logging off
sudo ufw enable
sudo ufw status
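The same firewall setup as a script, added here as an example and not part of the original post. It assumes Debian/Ubuntu with ufw installed. Two deliberate departures from the commands above: the rules are restricted to TCP, and UFW logging is set to low rather than off, so blocked connection attempts still reach the kernel log (journalctl -k) if you ever need to see who was knocking. verify_status_text checks the text of ufw status for every expected rule, so you can confirm the result without eyeballing the table; the sample output at the bottom is constructed for offline testing.

```shell
#!/bin/sh
# Added example (not from the post): apply the UFW rules idempotently and
# verify them from the 'ufw status' output. Assumes Debian/Ubuntu + ufw.

# Ports this host must expose, as "port/proto" (the three from the post).
WANTED_RULES="22/tcp 80/tcp 443/tcp"

apply_firewall() {
    # Make the default policies explicit: drop unsolicited inbound, allow outbound.
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    for rule in $WANTED_RULES; do
        sudo ufw allow "$rule"
    done
    # Keep dropped packets visible in the kernel log (the post turns this off).
    sudo ufw logging low
    # --force skips the interactive "may disrupt existing ssh connections" prompt.
    sudo ufw --force enable
}

# Read 'ufw status' text on stdin; return 0 if every wanted rule is present as
# an ALLOW from Anywhere, otherwise list the missing rules and return 1.
verify_status_text() {
    text="$(cat)"
    missing=""
    for rule in $WANTED_RULES; do
        if ! printf '%s\n' "$text" | grep -Eq "^${rule}[[:space:]]+ALLOW[[:space:]]+Anywhere"; then
            missing="$missing $rule"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing rules:$missing" >&2
        return 1
    fi
    return 0
}

verify_firewall() {
    sudo ufw status | verify_status_text
}

# Constructed sample of 'ufw status' output (443/tcp deliberately absent).
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)'

# Only touch the live firewall when explicitly asked: sh firewall.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_firewall && verify_firewall
fi
```

Run it with --apply over an SSH session that is already open; because 22/tcp is allowed before ufw enable, the session survives, and verify_firewall fails loudly if any rule did not take.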

3. Disable SSH password login

Now that your keys work, turn off password authentication entirely.

Warning: Double-check that your SSH key works before doing this.

Edit the SSH daemon configuration:

sudo nano /etc/ssh/sshd_config

Find these lines and change them to no (add them if they’re missing):

PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

Save and exit. Restart the SSH service:

sudo systemctl restart sshd

Don’t close your terminal yet. Open a new terminal window and make sure you can still log in.
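A check worth running before the restart, added as an example and not part of the original post. sshd -t syntax-checks the configuration (a typo would otherwise leave sshd unable to start after the restart), and sshd -T prints the settings sshd will actually use, lowercased and after every Include and Match has been applied. That matters because modern sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf and the first value of a setting wins, so a drop-in there (Ubuntu cloud images ship one written by cloud-init that sets PasswordAuthentication yes) silently overrides the edit made above. The expected values mirror the post's settings; the sample sshd -T output is constructed.

```shell
#!/bin/sh
# Added example (not from the post): confirm the effective sshd settings.
# Assumes OpenSSH's sshd is on the PATH; -t and -T are standard sshd options.

# Effective values we expect after hardening, as key=value (keys are
# lowercase because that is how 'sshd -T' prints them).
EXPECTED="passwordauthentication=no usepam=no pubkeyauthentication=yes"

# Read 'sshd -T' output on stdin; return 0 if every expected value is in
# effect, otherwise report each mismatch on stderr and return 1.
check_effective_config() {
    dump="$(cat)"
    bad=0
    for pair in $EXPECTED; do
        key="${pair%%=*}"
        want="${pair#*=}"
        got="$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')"
        if [ "$got" != "$want" ]; then
            echo "$key: expected '$want', effective '${got:-<unset>}'" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Syntax-check first, then compare the effective configuration. Run this
# before 'systemctl restart sshd'; a failure means do not restart yet.
verify_sshd() {
    sudo sshd -t || return 1
    sudo sshd -T | check_effective_config
}

# Constructed sample in 'sshd -T' format: a host where a drop-in file has
# re-enabled password logins despite sshd_config saying no.
SAMPLE_SSHD_T='port 22
pubkeyauthentication yes
passwordauthentication yes
usepam yes
kbdinteractiveauthentication no'

# Check the live daemon only when explicitly asked: sh check-sshd.sh --check
if [ "${1:-}" = "--check" ]; then
    verify_sshd
fi
```

If check_effective_config reports passwordauthentication as yes even though you edited sshd_config, grep /etc/ssh/sshd_config.d/ for the setting and change it there too, then run the check again before restarting.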

4. Set up Fail2Ban

Even with keys and a firewall, bots will still hammer your SSH port. Fail2Ban watches your logs and automatically blocks IPs that fail to log in too many times.

Install Fail2Ban

sudo apt update
sudo apt install fail2ban -y

Create a local config file

Don’t edit the default jail.conf file. Package updates will overwrite it. Copy it to a .local file instead:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Customize settings

Open your new config file:

sudo nano /etc/fail2ban/jail.local

Find the [DEFAULT] section. You probably want to whitelist your own IP so you don’t accidentally ban yourself:

[DEFAULT]
# Whitelist your own IP addresses. Separate with spaces.
ignoreip = 127.0.0.1/8 ::1 192.168.1.100

# Ban time in seconds (1h = 3600)
bantime = 3600

# The time window for counting failures
findtime = 600

# Number of failures before a ban
maxretry = 5

Enable the SSH jail

Scroll down to the [sshd] section in that same file. Make sure it’s enabled:

[sshd]
enabled = true
port    = ssh

Save and exit.

Restart and verify

Restart Fail2Ban to apply the changes:

sudo systemctl restart fail2ban

You can check how many IPs are currently banned by running:

sudo fail2ban-client status sshd
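The Fail2Ban steps as one script, added here as an example and not part of the original post. It departs from the steps above in one respect: instead of copying the whole of jail.conf, it writes a jail.local containing only the settings being changed, which is what the header comment of jail.conf itself recommends (Fail2Ban reads jail.conf first and then applies jail.local on top). It assumes Debian/Ubuntu paths; the IP in IGNORE_IPS and the fail2ban-client status sample at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the post): write a minimal jail.local, restart
# Fail2Ban, and read the current ban count back. Assumes Debian/Ubuntu paths.

IGNORE_IPS="127.0.0.1/8 ::1 192.168.1.100"   # constructed; put your own IP here
BANTIME=3600    # seconds a banned IP stays blocked
FINDTIME=600    # window in which failures are counted
MAXRETRY=5      # failures inside the window before a ban

# Print the jail.local contents: only overrides, nothing copied from jail.conf.
render_jail_local() {
    cat <<EOF
[DEFAULT]
# Never ban these addresses (loopback plus the admin's own IP).
ignoreip = $IGNORE_IPS
bantime  = $BANTIME
findtime = $FINDTIME
maxretry = $MAXRETRY

[sshd]
enabled = true
port    = ssh
EOF
}

# Read 'fail2ban-client status <jail>' output on stdin and print the
# "Currently banned" number; return 1 if that field is missing.
banned_count_from_status() {
    n="$(sed -n 's/.*Currently banned:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)"
    [ -n "$n" ] || return 1
    printf '%s\n' "$n"
}

install_jail() {
    render_jail_local | sudo tee /etc/fail2ban/jail.local >/dev/null
    sudo systemctl restart fail2ban
    # Print the live ban count for the sshd jail.
    sudo fail2ban-client status sshd | banned_count_from_status
}

# Constructed sample of 'fail2ban-client status sshd' output.
SAMPLE_F2B_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     14
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     3
   `- Banned IP list:   203.0.113.7'

# Only change the live system when explicitly asked: sh fail2ban-setup.sh --apply
if [ "${1:-}" = "--apply" ]; then
    install_jail
fi
```

Because jail.local holds only your overrides, a package upgrade that changes jail.conf keeps working with your settings layered on top, and the file stays short enough to review at a glance.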

Your server is now reasonably secure against automated attacks.