Key-based SSH login
Set up key-based login and disable password login — this removes the very point of brute-forcing. Details: SSH keys.
Firewall
Close all incoming ports except the ones you need. Details: Firewall (ufw).
Updates
Install the latest package versions — they fix known vulnerabilities:To have security updates install themselves:
fail2ban
fail2ban watches the logs and temporarily bans an IP that brute-forces the SSH password: a few failed attempts and the address gets blocked for a while.Install it:jail.local — this file isn’t overwritten on updates. Create it:maxretry is how many failed attempts are allowed, findtime is the window in seconds over which they’re counted (600 = 10 minutes), and bantime is how many seconds to ban for (3600 = 1 hour).Start it and check:Don't run as root all the time
Under root, any mistake or breach means immediate full control of the server. Create a regular user with the right to elevate privileges via From then on, log in as that user, and run commands that need privileges through
sudo:sudo.Change the default SSH port (optional)
Moving SSH off port 22 to another one cuts out the bulk of blind brute-forcing. It’s not protection in itself, but there’ll be less noise in the logs. In Then restart:
/etc/ssh/sshd_config, set, for example, Port 2222, then restart with systemctl restart ssh.Update /etc/fail2ban/jail.local — in the [sshd] section, add or replace the line:Where to next
Backups
Set up backups — in case something goes wrong.
Firewall
Detailed ufw setup and rule management.