How to Secure SSH on Your VPS: Fail2ban, Key Authentication, and Firewall Setup

SSH is the primary access point for managing your Linux VPS — and it is also the most attacked service on the internet. Bots continuously scan for open SSH ports and attempt brute-force logins. Within hours of provisioning a new VPS with default SSH settings, you will see thousands of failed login attempts. This tutorial walks you through hardening SSH access on your VPS using proven security techniques. For VPS providers that include DDoS protection and managed firewalls, check the provider comparison table.

1. SSH Key Authentication — Disable Password Logins

With key authentication the private key never leaves your machine and the server stores only the public half, so there is nothing for a remote attacker to guess: recovering an Ed25519 or 4096-bit RSA private key over the network is not feasible, unlike a password that can be brute-forced or reused from a breach. Protect the key file itself with a passphrase; the -a 100 option below raises the KDF rounds so that a stolen key file is slow to crack offline.

Generate an SSH Key Pair

On your local machine, generate a new key pair:

ssh-keygen -t ed25519 -a 100 -f ~/.ssh/vps_key

Install the Public Key on Your VPS

ssh-copy-id -i ~/.ssh/vps_key.pub user@YOUR_VPS_IP

Disable Password Authentication

Edit /etc/ssh/sshd_config, or on OpenSSH 8.2 and later put the lines in a drop-in such as /etc/ssh/sshd_config.d/00-hardening.conf. sshd uses the first value it reads for each keyword, and distributions that start sshd_config with Include /etc/ssh/sshd_config.d/*.conf read the drop-ins before the rest of the file, so a vendor file such as 50-cloud-init.conf containing PasswordAuthentication yes silently wins over a "no" written further down in sshd_config. A drop-in whose name sorts before the vendor files avoids that trap.

PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin no

KbdInteractiveAuthentication (called ChallengeResponseAuthentication on OpenSSH older than 8.7) closes the PAM path that can still prompt for a password when only PasswordAuthentication is off.

Validate the file with sudo sshd -t, confirm the effective values with sudo sshd -T (it prints every keyword in lowercase with the value sshd will actually use), then restart: sudo systemctl restart ssh on Debian and Ubuntu, sudo systemctl restart sshd on most other distributions. Keep your existing SSH session open while testing, open a second connection with the key to confirm it works, and check that ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password user@YOUR_VPS_IP is refused.
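The first-value-wins rule is easiest to see by resolving a keyword the way sshd does across the main file and its Include drop-ins. The script below is an added example and not part of the tutorial: effective_sshd_option, build_sample_tree and write_fix are helper names chosen here, and the configuration tree it builds in a temporary directory is constructed to mimic an Ubuntu cloud image. It handles "Keyword value" lines and Include with absolute paths only (no Match blocks, no "Keyword=value" form); on a real host the authoritative check remains sudo sshd -T.

```sh
#!/bin/sh
# Added example: resolve the value sshd will use for a keyword, honouring the
# OpenSSH rule that the FIRST obtained value wins and that Include files are
# read at the point where the directive appears. Authoritative check on a host:
#     sudo sshd -T | grep -iE '^(passwordauthentication|kbdinteractiveauthentication|permitrootlogin) '
# Assumptions: "Keyword value" syntax only, no Match blocks, absolute Include
# paths (real sshd resolves relative Include paths under /etc/ssh).

effective_sshd_option() {      # usage: effective_sshd_option CONFIG_FILE KEYWORD
    config=$1
    wanted=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                       # drop comments
        set -f; set -- $line; set +f           # split into words without glob expansion
        [ $# -gt 0 ] || continue
        key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); shift
        if [ "$key" = include ]; then
            for pattern; do
                for f in $pattern; do          # glob expansion is intended here (sorted, like sshd)
                    [ -f "$f" ] || continue
                    if value=$(effective_sshd_option "$f" "$wanted"); then
                        printf '%s\n' "$value"; return 0
                    fi
                done
            done
        elif [ "$key" = "$wanted" ]; then
            printf '%s\n' "$*"; return 0       # first match wins, later lines are never reached
        fi
    done < "$config"
    return 1                                   # keyword not set anywhere (sshd default applies)
}

# Constructed sample tree modelled on an Ubuntu cloud image: the vendor drop-in
# re-enables passwords and the Include at the top of sshd_config makes it win
# over the "no" written below it.
build_sample_tree() {          # prints the temporary directory it created
    root=$(mktemp -d)
    mkdir -p "$root/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$root/sshd_config.d/50-cloud-init.conf"
    cat > "$root/sshd_config" <<EOF
Include $root/sshd_config.d/*.conf
PasswordAuthentication no
PermitRootLogin no
EOF
    printf '%s\n' "$root"
}

# The fix: a hardening drop-in whose name sorts before the vendor file.
write_fix() {                  # usage: write_fix TREE_ROOT
    printf 'PasswordAuthentication no\nKbdInteractiveAuthentication no\n' \
        > "$1/sshd_config.d/00-hardening.conf"
}
```

Run build_sample_tree, then effective_sshd_option "$root/sshd_config" PasswordAuthentication prints yes despite the "no" in the main file; after write_fix it prints no, because the 00- drop-in is read first. Anything this resolver reports for a keyword you care about should agree with sshd -T on the real host.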

2. Change the Default SSH Port (Optional)

Moving SSH off port 22 is not a security control: a port scan finds the new port in seconds, and a key-only sshd is no harder to break because it listens elsewhere. What it does do is keep most untargeted bot traffic out of your logs, which makes the auth log readable and leaves Fail2ban with far fewer entries to process. If you want that, set the port in /etc/ssh/sshd_config:

Port 2222

Open the new port in the firewall before restarting sshd, restart, and confirm the new listener with sudo ss -tlnp | grep sshd. Connect with ssh -p 2222 user@YOUR_VPS_IP, or add a Host entry with Port 2222 to ~/.ssh/config. Whatever port you choose, use the same number in the Fail2ban jail and the firewall rules below; a mismatch silently makes bans ineffective.

3. Install and Configure Fail2ban

Fail2ban scans logs for repeated failed authentication attempts and bans the offending IP:

sudo apt update && sudo apt install -y fail2ban

Create /etc/fail2ban/jail.local (do not edit jail.conf, which package upgrades overwrite):

[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
# Never ban yourself: add your own static IPs or VPN range here.
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
# Must match the Port in sshd_config. With "port = ssh" bans would block
# port 22 while sshd listens on 2222. Keep "port = ssh" only if you left the default.
port = 2222
logpath = %(sshd_log)s
backend = %(sshd_backend)s

An IP is banned when at least maxretry failures fall within any findtime window, so the values above ban five failures in ten minutes for one hour. If Fail2ban complains that the sshd log path does not exist (systems without rsyslog have no /var/log/auth.log), set backend = systemd so it reads the journal.

Enable and start fail2ban:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban
sudo fail2ban-client status sshd
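How findtime and maxretry interact is worth seeing on concrete data, because an attacker who paces attempts slower than the window never trips the jail. The script below is an added example, not from the tutorial or the Fail2ban project: simulate_bans is a name chosen here, the lines in SAMPLE_LOG are constructed in journalctl -o short-iso format, and the three line patterns it recognises are only a subset of what /etc/fail2ban/filter.d/sshd.conf matches. On a real host, test the real filter against real logs with fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf.

```sh
#!/bin/sh
# Added example (not from the tutorial or the Fail2ban project): replay sshd log
# lines through the rule "ban when >= maxretry failures fall inside a sliding
# findtime window". Test the real filter on a real host with:
#     fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
# Assumptions: journalctl -o short-iso timestamps in UTC (zone offset ignored),
# and only three of the many patterns in filter.d/sshd.conf.

# Constructed sample: 203.0.113.5 fails five times in eight seconds,
# 198.51.100.7 fails once every three minutes, 192.0.2.10 is a legitimate login.
SAMPLE_LOG='2024-03-10T14:00:01+0000 vps sshd[2101]: Invalid user admin from 203.0.113.5 port 40001
2024-03-10T14:00:03+0000 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
2024-03-10T14:00:05+0000 vps sshd[2104]: Failed password for root from 203.0.113.5 port 40002 ssh2
2024-03-10T14:00:07+0000 vps sshd[2106]: Connection closed by authenticating user root 203.0.113.5 port 40003 [preauth]
2024-03-10T14:00:09+0000 vps sshd[2108]: Failed password for root from 203.0.113.5 port 40004 ssh2
2024-03-10T14:00:30+0000 vps sshd[2110]: Failed password for root from 198.51.100.7 port 51000 ssh2
2024-03-10T14:01:12+0000 vps sshd[2112]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:constructedfingerprint
2024-03-10T14:03:30+0000 vps sshd[2114]: Failed password for root from 198.51.100.7 port 51001 ssh2
2024-03-10T14:06:30+0000 vps sshd[2116]: Failed password for root from 198.51.100.7 port 51002 ssh2
2024-03-10T14:09:30+0000 vps sshd[2118]: Failed password for root from 198.51.100.7 port 51003 ssh2
2024-03-10T14:12:30+0000 vps sshd[2120]: Failed password for root from 198.51.100.7 port 51004 ssh2'

simulate_bans() {    # usage: simulate_bans MAXRETRY FINDTIME < log ; prints each IP at the moment it would be banned
    awk -v maxretry="$1" -v findtime="$2" '
    # days since 1970-01-01 for a civil date (proleptic Gregorian)
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
        if (m <= 2) y--
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    # "2024-03-10T14:00:01+0000" -> epoch seconds (offset ignored, sample is UTC)
    function epoch(ts,    dt, d, hms) {
        split(ts, dt, "T"); split(dt[1], d, "-"); split(substr(dt[2], 1, 8), hms, ":")
        return days_from_civil(d[1] + 0, d[2] + 0, d[3] + 0) * 86400 + hms[1] * 3600 + hms[2] * 60 + hms[3] + 0
    }
    /Failed password for|Invalid user|Connection closed by authenticating user/ {
        ip = ""
        for (i = 2; i <= NF; i++) if ($i == "port") ip = $(i - 1)   # the IP precedes "port" in all three formats
        if (ip == "") next
        t = epoch($1)
        n[ip]++; times[ip, n[ip]] = t
        if (!(ip in start)) start[ip] = 1
        while (start[ip] <= n[ip] && t - times[ip, start[ip]] > findtime) start[ip]++   # expire failures outside the window
        if (n[ip] - start[ip] + 1 >= maxretry) {
            print ip                  # this failure would trigger the ban
            start[ip] = n[ip] + 1     # Fail2ban clears the counter once the IP is banned
        }
    }'
}
```

With the jail above (maxretry 5, findtime 600), printf '%s\n' "$SAMPLE_LOG" | simulate_bans 5 600 bans only the fast scanner: the slow host has at most four failures in any ten-minute window. Widening findtime to 1800 catches both. Fail2ban 0.11 and later can also escalate with bantime.increment = true in [DEFAULT], so repeat offenders stay banned for longer each time.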

4. Configure the Firewall (UFW)

Add the allow rules before running ufw enable, so the SSH port is already open when the default-deny policy takes effect, and use the port sshd actually listens on (22 if you skipped section 2). As a cheap complement to Fail2ban, ufw limit 2222/tcp in place of ufw allow denies a source that opens six or more connections within 30 seconds.

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp comment 'SSH'
sudo ufw allow 80/tcp comment 'HTTP'
sudo ufw allow 443/tcp comment 'HTTPS'
sudo ufw enable
sudo ufw status verbose

5. Advanced SSH Hardening

Add these to /etc/ssh/sshd_config. The Protocol 2 line found in older guides is omitted on purpose: the OpenSSH server dropped protocol 1 in version 7.4, and current versions treat Protocol as a deprecated, ignored keyword.

ClientAliveInterval 300
ClientAliveCountMax 3
AllowUsers yourusername
X11Forwarding no
MaxAuthTries 3
MaxSessions 2

Notes on the values:

ClientAliveInterval and ClientAliveCountMax disconnect a client that stops answering keepalive probes for 300 s x 3 = 15 minutes. Do not set ClientAliveCountMax to 0: in current OpenSSH a zero value disables the disconnect entirely. These probes detect dead connections, not idle shells; for an idle-shell logout set the TMOUT variable in the shell profile.

AllowUsers is an allow-list. Any account not named is refused even with a valid key, so list every administrative account (space-separated) before restarting, and keep a session open while you test.

MaxAuthTries counts every public key the client offers as one attempt. If your agent holds several keys you can be locked out before the right one is tried; set IdentitiesOnly yes together with IdentityFile in ~/.ssh/config so only the intended key is offered.

6. Monitor SSH Access

Recent logins with user, source IP and time:

last -10

Failed and successful attempts from the journal (the unit is ssh on Debian and Ubuntu, sshd on most other distributions; journalctl -u sshd returns nothing where the unit is named ssh):

sudo journalctl -u ssh --since today | grep -E "Failed password|Invalid user|Connection closed by authenticating user"
sudo journalctl -u ssh --since today | grep "Accepted publickey"

Once password logins are disabled you will see few or no "Failed password" lines; bots appear as "Invalid user" and "Connection closed by authenticating user ... [preauth]" instead, and every successful key login is recorded as "Accepted publickey" with the key fingerprint, which is the line to review for logins you did not make. If your system still writes /var/log/auth.log (it needs rsyslog, which minimal Debian 12 images do not install), the same search works there:

sudo tail -100 /var/log/auth.log | grep -E "(ssh|sshd)"

Summary Checklist

  • SSH key authentication configured, password and keyboard-interactive logins disabled, effective values verified with sshd -T
  • Root login disabled
  • SSH port changed (optional), with the same port in the Fail2ban jail and the firewall rules
  • Fail2ban installed, your own IPs in ignoreip, sshd jail status confirmed
  • Firewall configured with default deny incoming
  • SSH keepalive timeout, user allow-list and session limits set

Securing SSH is one of the most impactful steps to protect your VPS. For VPS providers with additional security features, visit the provider comparison page.
