Minimum set of measures to secure a Linux server: updates, SSH keys, firewall, fail2ban, SSH port change.
Applies to:
✔ VPS
✔ Dedicated servers
✔ Linux
apt update && apt upgrade -y
Set up automatic security updates:
apt install unattended-upgrades -y
dpkg-reconfigure -plow unattended-upgrades
Generate a key on your local computer:
ssh-keygen -t ed25519
Copy to the server:
ssh-copy-id root@SERVER_IP
Make sure key-based login works. Then disable password login in /etc/ssh/sshd_config:
PasswordAuthentication no
PermitRootLogin prohibit-password
systemctl restart sshd
In /etc/ssh/sshd_config:
Port 2222
Open the new port in the firewall before restarting:
ufw allow 2222/tcp
systemctl restart sshd
Connection:
ssh -p 2222 root@SERVER_IP
ufw default deny incoming
ufw default allow outgoing
ufw allow 2222/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable
Check rules:
ufw status
apt install fail2ban -y
Create /etc/fail2ban/jail.local:
[sshd]
enabled = true
port = 2222
maxretry = 3
bantime = 3600
systemctl enable fail2ban
systemctl start fail2ban
List running services:
systemctl list-units --type=service --state=running
Disable unnecessary ones:
systemctl disable --now SERVICE_NAME
adduser admin
usermod -aG sudo admin
Work under this user, using sudo for privileged operations.
ufw status
fail2ban-client status sshd
ss -tlnp
Make sure only necessary ports are open.
If you lose access to the server after configuring the firewall, connect via VNC/IPMI console and correct the rules. If needed, contact support.
