After working with various PaaS solutions for years, I decided to set up a VPS with Contabo for hosting a few personal projects. While nothing particularly sensitive will be hosted there, I still wanted to implement proper security practices from the start.
Even simple hobby projects can become targets for automated attacks or get compromised for cryptocurrency mining. Here's my systematic approach to hardening a fresh Ubuntu VPS, covering the essential security fundamentals.
The Starting Point
Fresh VPS with Ubuntu, an admin user with sudo privileges, and SSH key authentication already configured during setup. Time to implement proper security measures.
Step 1: SSH Hardening
The default SSH configuration needed immediate attention. Running SSH on the default port 22 makes your server a target for automated scanning tools that constantly probe this port.
sudo nano /etc/ssh/sshd_config Key changes made:
Port 2222 # Move away from the default port PermitRootLogin no # Disable direct root access PasswordAuthentication no # Enforce key-based authentication PubkeyAuthentication yes # Enable SSH keys MaxAuthTries 3 # Limit failed attempts AllowUsers admin # Restrict user access Then restart SSHD:
sudo systemctl restart sshd Important: Always test your SSH configuration in a separate terminal session before closing your current connection. This prevents accidental lockouts. Also, ideally, don't close your connection before Step 2.
Step 2: Firewall Configuration
Linux's UFW provides straightforward firewall management. The approach is to deny all incoming connections by default, then explicitly allow only necessary services.
# Set restrictive defaults sudo ufw default deny incoming sudo ufw default allow outgoing # Allow essential services sudo ufw allow 2222/tcp # SSH on custom port sudo ufw allow 80/tcp # HTTP sudo ufw allow 443/tcp # HTTPS # Enable firewall sudo ufw enable Critical note: It's recommended to perform Steps 1 & 2 during one SSH session to avoid locking yourself out of access.
Step 3: Automated Intrusion Prevention with Fail2Ban
Fail2Ban monitors log files and automatically bans IP addresses showing suspicious behavior, such as repeated failed login attempts.
sudo apt install fail2ban Modern Ubuntu systems use systemd journaling instead of traditional log files, which requires specific configuration:
sudo nano /etc/fail2ban/jail.local [DEFAULT] bantime = 3600 # Ban duration in seconds findtime = 600 # Time window for counting failures maxretry = 3 # Maximum attempts before ban [sshd] enabled = true port = ssh filter = sshd backend = systemd # Use systemd journal journalmatch = _SYSTEMD_UNIT=ssh.service After that, restart the service for it to use the updated configuration:
sudo systemctl restart fail2ban Step 4: Docker Security Configuration
I am a big fan of Docker. I decided to go full docker. It will bring little few more steps but we'll get better security as all services accessible from internet will run in an isolated docker containers.
It also keeps our host machine clean of unecessary installed packages.
Installation is pretty simple and a lot of VPS providers offers fresh install with docker pre-istalled.
When docker is installed create /etc/docker/daemon.json with following content:
{ "live-restore": true, "userland-proxy": false, "no-new-privileges": true, "log-driver": "json-file", "log-opts": { "max-size": "10m", "max-file": "3" } } The no-new-privileges setting is particularly important as it prevents containers from escalating their privileges during runtime, blocking a common attack vector.
As before, don't forget to restart the service:
sudo systemctl restart docker Current Security Status
The VPS now has:
- SSH access secured with custom port and key-only authentication
- Firewall blocking unauthorized connections
- Automated intrusion detection and response
- Hardened Docker daemon configuration
This setup effectively blocks automated attacks and provides a solid security foundation for hosting web applications.
Coming Up in Part 2
The next article will cover:
- Setting up a reverse proxy with Nginx in Docker
- SSL certificate management with Let's Encrypt
- Container security best practices
- System monitoring and maintenance
These foundational security measures provide essential protection while maintaining accessibility for legitimate use.
Top comments (1)
"Since applications run in Docker containers" - well, that's a big and unproven assumption :-) ... but for the rest, yeah nice, some useful tips/guidelines :)