# Server hardening

> Security checklist: keys, ufw, fail2ban, updates

A fresh server with password access starts getting brute-forced by bots within the first few minutes. Work through this checklist — it closes the main holes. The commands are for Ubuntu/Debian, as root.

<Steps>
  <Step title="Key-based SSH login">
    Set up key-based login and disable password login — this removes the very point of brute-forcing. Details: [SSH keys](/en/vps/ssh-keys).
  </Step>

  <Step title="Firewall">
    Close all incoming ports except the ones you need. Details: [Firewall (ufw)](/en/vps/firewall).
  </Step>

  <Step title="Updates">
    Install the latest package versions — they fix known vulnerabilities:

    ```bash theme={"system"}
    apt update && apt upgrade
    ```

    To have security updates install themselves:

    ```bash theme={"system"}
    apt install unattended-upgrades
    dpkg-reconfigure -plow unattended-upgrades
    ```
  </Step>

  <Step title="fail2ban">
    `fail2ban` watches the logs and temporarily bans an IP that brute-forces the SSH password: a few failed attempts and the address gets blocked for a while.

    Install it:

    ```bash theme={"system"}
    apt install fail2ban
    ```

    Make your changes in `jail.local` — this file isn't overwritten on updates. Create it:

    ```bash theme={"system"}
    nano /etc/fail2ban/jail.local
    ```

    Add:

    ```ini theme={"system"}
    [sshd]
    enabled = true
    maxretry = 5
    findtime = 600
    bantime = 3600
    ```

    Here: `maxretry` is how many failed attempts are allowed, `findtime` is the window in seconds over which they're counted (600 = 10 minutes), and `bantime` is how many seconds to ban for (3600 = 1 hour).

    Start it and check:

    ```bash theme={"system"}
    systemctl enable --now fail2ban
    fail2ban-client status sshd
    ```

    The second command shows how many addresses are currently banned.
  </Step>

  <Step title="Don't run as root all the time">
    Under root, any mistake or breach means immediate full control of the server. Create a regular user with the right to elevate privileges via `sudo`:

    ```bash theme={"system"}
    adduser NAME
    usermod -aG sudo NAME
    ```

    From then on, log in as that user, and run commands that need privileges through `sudo`.

    <Warning>
      Before you leave the root session, check in a separate window that you can log in as the new user and run `sudo`. Otherwise you risk being left without administrative access.
    </Warning>
  </Step>

  <Step title="Change the default SSH port (optional)">
    Moving SSH off port 22 to another one cuts out the bulk of blind brute-forcing. It's not protection in itself, but there'll be less noise in the logs. In `/etc/ssh/sshd_config`, set, for example, `Port 2222`, then restart with `systemctl restart ssh`.

    <Warning>
      If `ufw` is already enabled, open the new port first (`ufw allow 2222/tcp`), and only then change and restart SSH — otherwise you'll lock yourself out. If you have `fail2ban` installed, update its config after changing the port — otherwise it will quietly stop protecting SSH without showing it.
    </Warning>

    Update `/etc/fail2ban/jail.local` — in the `[sshd]` section, add or replace the `port` line so the section contains:

    ```ini theme={"system"}
    [sshd]
    enabled = true
    port = 2222
    ```

    Then restart:

    ```bash theme={"system"}
    systemctl restart fail2ban
    ```

    <Tip>
      Before experimenting with access and ports, make a backup — if something goes wrong, you'll have something to restore from. How: [Backups](/en/vps/backups).
    </Tip>
  </Step>
</Steps>
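The warning in the port step (fail2ban silently watching the wrong port) and the key-login step are easy to verify mechanically. The script below is an added example, not code from this wiki: it reads the effective sshd settings from saved `sshd -T` output and the `port` of the `[sshd]` jail from `jail.local`, and reports when password login is still on or the jail does not cover the port sshd actually uses. File paths in the usage line and the sample inputs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: after the key-login, fail2ban and port
# steps, check that the EFFECTIVE sshd settings and the fail2ban [sshd] jail agree.
# `sshd -T` prints the resolved config (Include'd drop-ins, first-match rules applied),
# so parse that rather than sshd_config; confirm the live listener with `ss -ltnp`.
#   sshd -T > /tmp/sshd-T.txt && check_hardening /tmp/sshd-T.txt /etc/fail2ban/jail.local
set -eu

# sshd_setting FILE KEY -> first value of KEY in saved `sshd -T` output (keys are lowercase)
sshd_setting() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# jail_sshd_port FILE -> `port` in the [sshd] section of a jail file (last one wins);
# when the key is absent fail2ban's default is the service name "ssh" (= 22)
jail_sshd_port() {
    awk '/^[[:space:]]*\[/ { in_sshd = ($0 ~ /^[[:space:]]*\[sshd]/); next }
         in_sshd && /^[[:space:]]*port[[:space:]]*=/ {
             v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]*$/, "", v); port = v }
         END { print (port == "" ? "ssh" : port) }' "$1"
}

# jail_covers_port PORTLIST PORT -> 0 if PORT is in the comma-separated jail list ("ssh" = 22)
jail_covers_port() {
    echo "$1" | tr ',' '\n' | tr -d ' \t' | sed 's/^ssh$/22/' | grep -qx "$2"
}

# check_hardening SSHD_T_FILE JAIL_FILE -> prints each finding, returns their count (0 = OK)
check_hardening() {
    findings=0
    pw=$(sshd_setting "$1" passwordauthentication)
    port=$(sshd_setting "$1" port)
    ports=$(jail_sshd_port "$2")
    if [ "$pw" != no ]; then
        echo "FINDING: PasswordAuthentication is '$pw' (key-only login needs 'no')"
        findings=$((findings + 1))
    fi
    if ! jail_covers_port "$ports" "$port"; then
        echo "FINDING: sshd listens on port $port but the [sshd] jail watches '$ports'"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: port moved to 2222 but jail.local was never updated.
tmp=$(mktemp -d)
printf 'port 2222\npasswordauthentication no\n' > "$tmp/sshd-T.txt"
printf '[sshd]\nenabled = true\nmaxretry = 5\n' > "$tmp/jail.local"
check_hardening "$tmp/sshd-T.txt" "$tmp/jail.local" || echo "-> $? finding(s) to fix"
```

Run it again after every change to `sshd_config` or `jail.local`; a clean run prints nothing and exits 0.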

## Where to next

<CardGroup cols={2}>
  <Card title="Backups" icon="box-archive" href="/en/vps/backups">
    Set up backups — in case something goes wrong.
  </Card>

  <Card title="Firewall" icon="shield-halved" href="/en/vps/firewall">
    Detailed ufw setup and rule management.
  </Card>
</CardGroup>
