A fresh server with password access starts getting brute-forced by bots within the first few minutes. Work through this checklist — it closes the main holes. The commands are for Ubuntu/Debian, as root.
1

Key-based SSH login

Set up key-based login and disable password login — this removes the very point of brute-forcing. Details: SSH keys.
2

Firewall

Close all incoming ports except the ones you need. Details: Firewall (ufw).
3

Updates

Install the latest package versions — they fix known vulnerabilities:
apt update && apt upgrade
To have security updates install themselves:
apt install unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades
4

fail2ban

fail2ban watches the logs and temporarily bans an IP that brute-forces the SSH password: a few failed attempts and the address gets blocked for a while.
Install it:
apt install fail2ban
Make your changes in jail.local — this file isn’t overwritten on updates. Create it:
nano /etc/fail2ban/jail.local
Add:
[sshd]
enabled = true
maxretry = 5
findtime = 600
bantime = 3600
Here: maxretry is how many failed attempts are allowed, findtime is the window in seconds over which they’re counted (600 = 10 minutes), and bantime is how many seconds to ban for (3600 = 1 hour).
Start it and check:
systemctl enable --now fail2ban
fail2ban-client status sshd
The second command shows how many addresses are currently banned.
5

Don't run as root all the time

Under root, any mistake or breach means immediate full control of the server. Create a regular user with the right to elevate privileges via sudo:
adduser NAME
usermod -aG sudo NAME
From then on, log in as that user, and run commands that need privileges through sudo.
Before you leave the root session, check in a separate window that you can log in as the new user and run sudo. Otherwise you risk being left without administrative access.
6

Change the default SSH port (optional)

Moving SSH off port 22 to another one cuts out the bulk of blind brute-forcing. It’s not protection in itself, but there’ll be less noise in the logs. In /etc/ssh/sshd_config, set, for example, Port 2222, then restart with systemctl restart ssh.
If ufw is already enabled, open the new port first (ufw allow 2222/tcp), and only then change and restart SSH — otherwise you’ll lock yourself out. If you have fail2ban installed, update its config after changing the port — otherwise it will quietly stop protecting SSH without showing it.
In /etc/fail2ban/jail.local, add or replace the port line in the [sshd] section:
[sshd]
enabled = true
port = 2222
Then restart:
systemctl restart fail2ban
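To catch the silent mismatch described above, the following added example (not part of the original guide) compares the ports set in sshd_config with the port setting of the [sshd] jail. The function names and the sample files are constructed for illustration; it reads only the two files passed in and assumes an unset jail port means the stock value ssh (22).

```shell
#!/usr/bin/env bash
# Added example: verify that the fail2ban [sshd] jail watches every port sshd uses.
# Assumption: only the two files passed in are read (no Include / jail.d merging).

# Print each Port from an sshd_config file, one per line; 22 if none is set.
sshd_ports() {
    awk -F'[ \t=]+' '{ sub(/^[ \t]+/, "") }
        tolower($1) == "port" { print $2; found = 1 }
        END { if (!found) print 22 }' "$1"
}

# Print the jail's ports, one per line. An unset port falls back to "ssh",
# the stock value for this jail, and the service name "ssh" is mapped to 22.
jail_ports() {
    awk '/^[ \t]*\[/ { gsub(/[ \t]/, ""); in_sec = ($0 == "[sshd]"); next }
         in_sec && /^[ \t]*port[ \t]*=/ { sub(/^[^=]*=/, ""); val = $0 }
         END { print (val == "" ? "ssh" : val) }' "$1" |
        tr -d ' \t\r' | tr ',' '\n' | sed 's/^ssh$/22/'
}

# Return 0 if the jail covers every sshd port, 1 (with a message) otherwise.
check_jail_covers_sshd() {
    local watched p missing=0
    watched=$(jail_ports "$2")
    for p in $(sshd_ports "$1"); do
        if ! printf '%s\n' "$watched" | grep -qx "$p"; then
            echo "MISMATCH: sshd uses port $p, jail watches: $(echo $watched)"
            missing=1
        fi
    done
    if [ "$missing" -eq 0 ]; then echo "OK: jail covers all sshd ports"; fi
    return "$missing"
}

# Constructed sample files reproducing steps 4 and 6 of the checklist.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '# constructed sample\nPort 2222\nPasswordAuthentication no\n' > "$demo/sshd_config"
printf '[sshd]\nenabled = true\nmaxretry = 5\n' > "$demo/jail_step4.local"
printf '[sshd]\nenabled = true\nport = 2222\n' > "$demo/jail_step6.local"

check_jail_covers_sshd "$demo/sshd_config" "$demo/jail_step4.local" || true  # MISMATCH
check_jail_covers_sshd "$demo/sshd_config" "$demo/jail_step6.local" || true  # OK
```

On a real server, call check_jail_covers_sshd /etc/ssh/sshd_config /etc/fail2ban/jail.local after every port change.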
Before experimenting with access and ports, make a backup — if something goes wrong, you’ll have something to restore from. How: Backups.

Where to next

Backups

Set up backups — in case something goes wrong.

Firewall

Detailed ufw setup and rule management.