Secure a Linux VPS: UFW, fail2ban, SSH keys, disable root
Complete guide to securing a Linux VPS at Lordhosting: UFW firewall, fail2ban brute-force protection, SSH key authentication and disabling root login.
A VPS exposed to the internet is constantly scanned. Without basic configuration, you risk SSH brute-force attempts, intrusions and compromised services. This guide lays the foundations for a hardened Debian/Ubuntu VPS in under 30 minutes.
⚙️ Prerequisites
- A Lordhosting VPS (Debian 11/12 or Ubuntu 22.04/24.04 recommended)
- An SSH client (Terminal on macOS/Linux, PowerShell or PuTTY on Windows)
- Your root credentials received by email at delivery
⚙️ 1. Initial SSH connection
Connect one last time as root to prepare what follows:
ssh root@your_ip
⚙️ 2. Update the system
Always start by patching installed packages:
apt update && apt upgrade -y
⚙️ 3. Create a sudo user
Disabling root is dangerous without a replacement user. Create one with sudo privileges:
adduser lordadmin
usermod -aG sudo lordadmin
Replace lordadmin with the username of your choice.
⚙️ 4. Set up SSH key authentication
On your local machine, generate a key pair if you don't already have one:
ssh-keygen -t ed25519 -C "your_email@example.com"
Accept the default path (~/.ssh/id_ed25519) and choose a strong passphrase.
Then copy the public key to the VPS:
ssh-copy-id lordadmin@your_ip
If ssh-copy-id isn't available (Windows), manually copy the contents of ~/.ssh/id_ed25519.pub into /home/lordadmin/.ssh/authorized_keys on the VPS.
Test the key-based connection in a new window:
ssh lordadmin@your_ip
If it works without asking for the account password (a prompt for your key's passphrase is expected), continue. Otherwise, don't touch anything and fix authentication first.
⚙️ 5. Disable root login and password authentication
Still connected as lordadmin, open the SSH config:
sudo nano /etc/ssh/sshd_config
Modify or add the following lines:
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Save (Ctrl+O, Enter, Ctrl+X) then restart SSH:
sudo systemctl restart ssh
⚠️ Don't close your active session until you've verified, in a new window, that you can reconnect as lordadmin with your key. If it doesn't work, you're still logged in and can roll back.
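An added example (not part of the original guide): a shell function that checks the three settings from this step against the effective configuration printed by sshd -T, which also reflects any files included from /etc/ssh/sshd_config.d/ that override the main file. The function name audit_sshd and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the effective sshd settings from step 5.
# `sshd -T` prints the merged configuration (lowercase keywords), so a
# drop-in that overrides /etc/ssh/sshd_config is caught as well.

# audit_sshd (hypothetical helper): reads `sshd -T` style text on stdin,
# prints one line per setting, returns 0 only if all three match step 5.
audit_sshd() {
    dump=$(cat)
    rc=0
    for pair in permitrootlogin=no passwordauthentication=no pubkeyauthentication=yes; do
        key=${pair%%=*}
        want=${pair#*=}
        # Take the value of the first line whose keyword matches.
        got=$(printf '%s\n' "$dump" |
              awk -v k="$key" 'tolower($1) == k { print tolower($2); exit }')
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the state this guide aims for.
SAMPLE_HARDENED='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'

# Constructed sample: a drop-in has re-enabled password logins.
SAMPLE_OVERRIDDEN='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes'

if [ "${1:-}" = "live" ]; then
    # On the VPS: sh audit_sshd.sh live
    sudo sshd -T | audit_sshd
else
    # Offline demo on the constructed samples.
    printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd
    printf '%s\n' "$SAMPLE_OVERRIDDEN" | audit_sshd || echo "-> fix before closing your session"
fi
```

Any FAIL line means the running configuration differs from what you wrote in sshd_config; keep your current session open until it is resolved.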
⚙️ 6. Install and configure UFW (firewall)
UFW (Uncomplicated Firewall) is a simple wrapper around iptables.
sudo apt install -y ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
sudo ufw enable
Check the status:
sudo ufw status verbose
Remember to open the ports needed for your services. Some examples:
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
sudo ufw allow 25565/tcp # Minecraft Java
sudo ufw allow 19132/udp # Minecraft Bedrock
⚙️ 7. Install and configure fail2ban
fail2ban automatically bans IPs that repeatedly fail login attempts:
sudo apt install -y fail2ban
Create a local config (don't edit jail.conf directly):
sudo nano /etc/fail2ban/jail.local
Paste this:
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
Start the service:
sudo systemctl enable --now fail2ban
To see the currently banned IPs:
sudo fail2ban-client status sshd
⚙️ 8. Final check
- ✅ SSH connection by key only (no password)
- ✅ Root login disabled
- ✅ UFW active with minimal rules
- ✅ fail2ban monitoring SSH
You can now install your services (web, Pterodactyl, Discord bots, etc.) on a clean foundation. To go further, enable automatic security updates with unattended-upgrades and set up regular backups of your VPS.

