{"id":462,"date":"2026-06-19T07:50:58","date_gmt":"2026-06-19T07:50:58","guid":{"rendered":"https:\/\/virtualserversvps.com\/blog\/?p=462"},"modified":"2026-06-19T07:50:58","modified_gmt":"2026-06-19T07:50:58","slug":"how-to-secure-ssh-on-your-vps-fail2ban-key-authentication-and-firewall-setup","status":"publish","type":"post","link":"https:\/\/virtualserversvps.com\/blog\/how-to-secure-ssh-on-your-vps-fail2ban-key-authentication-and-firewall-setup\/","title":{"rendered":"How to Secure SSH on Your VPS: Fail2ban, Key Authentication, and Firewall Setup"},"content":{"rendered":"\n

SSH is the primary access point for managing your Linux VPS \u2014 and it is also the most attacked service on the internet. Bots continuously scan for open SSH ports and attempt brute-force logins. Within hours of provisioning a new VPS with default SSH settings, you will see thousands of failed login attempts. This tutorial walks you through hardening SSH access on your VPS using proven security techniques. For VPS providers that include DDoS protection and managed firewalls, check the provider comparison table<\/a>.<\/p>\n\n\n\n

1. SSH Key Authentication \u2014 Disable Password Logins<\/h2>\n\n\n\n

SSH keys use asymmetric cryptography (Ed25519 or 4096-bit RSA), which is practically uncrackable.<\/p>\n\n\n\n

Generate an SSH Key Pair<\/h3>\n\n\n\n

On your local machine, generate a new key pair:<\/p>\n\n\n\n

ssh-keygen -t ed25519 -a 100 -f ~\/.ssh\/vps_key<\/code><\/pre>\n\n\n\n
Install the Public Key on Your VPS<\/h3>\n\n\n\n
ssh-copy-id -i ~\/.ssh\/vps_key.pub user@YOUR_VPS_IP<\/code><\/pre>\n\n\n\n
Disable Password Authentication<\/h3>\n\n\n\n
Edit \/etc\/ssh\/sshd_config<\/code>:<\/p>\n\n\n\n
PasswordAuthentication no\nPermitEmptyPasswords no\nPermitRootLogin no<\/code><\/pre>\n\n\n\n
Restart SSH: sudo systemctl restart sshd<\/code>. Keep your existing SSH session open while testing.<\/p>\n\n\n\n
2. Change the Default SSH Port<\/h2>\n\n\n\n
Changing SSH from port 22 to a high-numbered port (e.g., 2222) eliminates 99% of automated attacks:<\/p>\n\n\n\n
Port 2222<\/code><\/pre>\n\n\n\n
Connect with: ssh -p 2222 user@YOUR_VPS_IP<\/code>. Update your firewall rules.<\/p>\n\n\n\n
3. Install and Configure Fail2ban<\/h2>\n\n\n\n
Fail2ban scans logs for repeated failed authentication attempts and bans the offending IP:<\/p>\n\n\n\n
sudo apt update && sudo apt install -y fail2ban<\/code><\/pre>\n\n\n\n
Create \/etc\/fail2ban\/jail.local<\/code>:<\/p>\n\n\n\n
[DEFAULT]\nbantime = 3600\nfindtime = 600\nmaxretry = 5\n\n[sshd]\nenabled = true\nport = ssh\nlogpath = %(sshd_log)s\nbackend = %(sshd_backend)s<\/code><\/pre>\n\n\n\n
Enable and start fail2ban:<\/p>\n\n\n\n
sudo systemctl enable fail2ban\nsudo systemctl start fail2ban\nsudo fail2ban-client status sshd<\/code><\/pre>\n\n\n\n
4. Configure the Firewall (UFW)<\/h2>\n\n\n\n
sudo ufw default deny incoming\nsudo ufw default allow outgoing\nsudo ufw allow 2222\/tcp comment 'SSH'\nsudo ufw allow 80\/tcp comment 'HTTP'\nsudo ufw allow 443\/tcp comment 'HTTPS'\nsudo ufw enable\nsudo ufw status verbose<\/code><\/pre>\n\n\n\n
5. Advanced SSH Hardening<\/h2>\n\n\n\n
Add these to \/etc\/ssh\/sshd_config<\/code>:<\/p>\n\n\n\n
Protocol 2\nClientAliveInterval 300\nClientAliveCountMax 0\nAllowUsers yourusername\nX11Forwarding no\nMaxAuthTries 3\nMaxSessions 2<\/code><\/pre>\n\n\n\n
6. Monitor SSH Access<\/h2>\n\n\n\n
last -10\nsudo journalctl -u sshd --since today | grep \"Failed password\"\nsudo tail -100 \/var\/log\/auth.log | grep -E \"(ssh|sshd)\"<\/code><\/pre>\n\n\n\n
Summary Checklist<\/h2>\n\n\n\n