Securing Your VPS: Firewalls, Fail2Ban and Updates

Practical guide to basic VPS security: system updates, SSH hardening, firewall rules, Fail2Ban, open ports, backups, monitoring and safe maintenance.

By CheckDomainHealth Editorial Team | Reviewed by Dionis Ceban | Updated Jun 28, 2026 | 8 min read | Beginner

Introduction

A VPS gives you control over the server, but it also makes you responsible for its security. As soon as a VPS is online, it may receive automated login attempts, port scans, bot traffic and exploit attempts.

Basic VPS security starts with a few important steps: update the operating system, secure SSH access, allow only required firewall ports, install login protection such as Fail2Ban, monitor logs, keep backups and remove services you do not need. These steps do not make a server impossible to attack, but they reduce common risks significantly.

Quick answer

To secure a VPS, update the operating system, use SSH keys, create a non-root sudo user, restrict SSH access, enable a firewall, allow only needed ports, install Fail2Ban or similar login protection, keep software updated, monitor logs and maintain off-server backups.

Securing your VPS

Securing a VPS means reducing the chance of unauthorized access, abuse, malware, downtime or data loss.

Basic VPS security usually includes:

  • operating system updates
  • SSH hardening
  • strong user access control
  • firewall configuration
  • Fail2Ban or login protection
  • minimal open ports
  • secure web server configuration
  • SSL for public websites
  • backups
  • monitoring
  • log review
  • malware and abuse checks
  • regular maintenance

VPS security is not a one-time setup. It must be maintained as software, websites and traffic change.

First security priorities

When setting up a VPS, start with the basics before deploying production websites.

Priority checklist:

  • update packages
  • confirm provider recovery access
  • create non-root sudo user
  • configure SSH keys
  • test sudo access
  • enable firewall
  • allow SSH, HTTP and HTTPS only if needed
  • install Fail2Ban
  • disable unused services
  • set strong passwords
  • configure backups
  • enable monitoring
  • check logs after deployment

Do not disable root login or password login until you confirm your new SSH key and sudo user work correctly.

System updates

Outdated packages are one of the most common security risks on a VPS.

Ubuntu/Debian:
sudo apt update
sudo apt upgrade -y

AlmaLinux/Rocky/CentOS-like:
sudo dnf update -y

Check OS version:
cat /etc/os-release

Plan regular update windows. Some updates may require service restarts or a server reboot.

SSH security

SSH is the main administrative entry point for many VPS servers. It should be protected carefully.

Best practices:

  • use SSH keys where possible
  • create a non-root sudo user
  • use strong passwords where passwords are still enabled
  • disable direct root login only after testing sudo access
  • disable password login only after SSH keys are confirmed
  • restrict SSH by IP if practical
  • avoid sharing one admin account
  • keep provider console access available
  • monitor failed login attempts

Do not lock yourself out. Test a new SSH session before closing the current one after SSH changes.
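
An added example (not part of the original guide) that checks an sshd_config-style file for the root-login and password-login settings discussed above, so you can confirm the state before closing your working session. The function names are illustrative, the keywords are the standard OpenSSH `PermitRootLogin` and `PasswordAuthentication`, and the unset-keyword defaults are assumed to be upstream OpenSSH's.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for root and password login.
# sshd keeps the FIRST value it reads for a keyword and treats keywords as
# case-insensitive, so the parser does the same. Include files and Match
# blocks are not evaluated; `sudo sshd -T` prints the effective settings.

# first_value FILE KEYWORD -> first global value set for KEYWORD, lower-cased
first_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                    # comment line
        tolower($1) == "match" { exit }        # conditional section starts
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE -> prints findings; returns 0 if none, 1 otherwise
audit_sshd() {
    findings=0
    root=$(first_value "$1" PermitRootLogin)
    pass=$(first_value "$1" PasswordAuthentication)
    # Assumed defaults when a keyword is unset (upstream OpenSSH).
    [ -n "$root" ] || root=prohibit-password
    [ -n "$pass" ] || pass=yes

    if [ "$root" = yes ]; then
        echo "FINDING: PermitRootLogin yes - direct root login is allowed"
        findings=$((findings + 1))
    fi
    if [ "$pass" = yes ]; then
        echo "FINDING: PasswordAuthentication yes - passwords can be guessed"
        findings=$((findings + 1))
    fi
    if [ "$findings" -eq 0 ]; then
        echo "OK: PermitRootLogin is not 'yes' and PasswordAuthentication is 'no'"
        return 0
    fi
    return 1
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
[ $# -eq 0 ] || audit_sshd "$1"
```
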

Firewall basics

A firewall controls which services are reachable from the internet.

Typical web server ports:

  • 22/tcp for SSH
  • 80/tcp for HTTP
  • 443/tcp for HTTPS

Mail server ports only if running mail:

  • 25/tcp for SMTP server-to-server
  • 465/tcp for SMTPS submission
  • 587/tcp for SMTP submission
  • 993/tcp for IMAPS

DNS port only if running DNS:

  • 53/tcp and 53/udp

Basic UFW example:
sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
sudo ufw status verbose

Allow SSH before enabling the firewall. Otherwise, you may block your own access.

Fail2Ban basics

Fail2Ban watches logs and blocks IP addresses that repeatedly fail authentication. It is commonly used to reduce brute-force attempts against SSH, mail, webmail and other services.

Install Fail2Ban on Ubuntu/Debian:
sudo apt update
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
sudo systemctl status fail2ban

Check Fail2Ban jails:
sudo fail2ban-client status
sudo fail2ban-client status sshd

Fail2Ban is not a replacement for strong passwords, SSH keys or firewall rules. It is an additional protection layer.
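
To make the "watches logs" idea concrete, this added example (not Fail2Ban's code and not from the original guide) counts sshd "Failed password" lines per source address in auth.log format. The log lines are constructed samples, the function names are illustrative, and Fail2Ban's own filters and time windows are not reproduced.

```shell
#!/bin/sh
# Added example: count sshd "Failed password" lines per source address, the
# same signal Fail2Ban acts on. Unlike Fail2Ban it applies no time window.

# Constructed auth.log lines (documentation-range addresses, not real data).
sample_auth_log() {
    cat <<'EOF'
Jun 28 10:15:01 vps sshd[2101]: Failed password for root from 203.0.113.7 port 52144 ssh2
Jun 28 10:15:03 vps sshd[2101]: Failed password for root from 203.0.113.7 port 52144 ssh2
Jun 28 10:15:06 vps sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 52150 ssh2
Jun 28 10:15:09 vps sshd[2107]: Failed password for invalid user from from 203.0.113.7 port 52161 ssh2
Jun 28 10:16:40 vps sshd[2111]: Failed password for deploy from 198.51.100.23 port 40022 ssh2
Jun 28 10:17:02 vps sshd[2113]: Accepted publickey for deploy from 198.51.100.23 port 40030 ssh2
EOF
}

# failed_by_ip MIN  (log on stdin) -> "COUNT IP" for addresses with >= MIN
# failures, highest count first.
failed_by_ip() {
    awk -v min="$1" '
        /sshd\[/ && /Failed password/ {
            # The user name is supplied by the client, so scan from the end
            # of the line for the trailing "from <ip> port <n>".
            for (i = NF - 2; i >= 1; i--)
                if ($i == "from" && $(i + 2) == "port") {
                    count[$(i + 1)]++
                    break
                }
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Demo on the sample; on a server: sudo cat /var/log/auth.log | failed_by_ip 5
sample_auth_log | failed_by_ip 3
```

The fourth sample line has a user literally named "from"; a parser that takes the first "from" would record the wrong field as the address.
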

Open ports and services

Every open port is a possible entry point. Keep only required services exposed.

Check listening services:
sudo ss -tulpn

Review:

  • what service is listening
  • which port it uses
  • whether it listens on 127.0.0.1 or 0.0.0.0
  • whether it needs public access
  • which user/process owns it

If an internal application runs behind Nginx, it should usually listen on 127.0.0.1, not be exposed publicly.
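
The review above can be scripted. This added example (not from the original guide) reads `ss -tulpn` output and lists every listener that is bound beyond loopback and whose port is not on an allow-list you pass in; the sample output is constructed and the function names are illustrative.

```shell
#!/bin/sh
# Added example: flag listeners from `ss -tulpn` that are bound beyond
# loopback and whose port is not on an allow-list.

# Constructed sample of `sudo ss -tulpn` output (not from a real server).
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=950,fd=7))
tcp   LISTEN 0      511    127.0.0.1:3000     0.0.0.0:*         users:(("node",pid=1200,fd=20))
tcp   LISTEN 0      128    0.0.0.0:8000       0.0.0.0:*         users:(("python3",pid=1310,fd=5))
tcp   LISTEN 0      151    *:3306             *:*               users:(("mysqld",pid=1100,fd=24))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=801,fd=4))
EOF
}

# exposed_listeners "PORT PORT ..."  (ss output on stdin)
# Prints "PROTO PORT ADDRESS PROCESS" for each unexpected non-loopback listener.
exposed_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 && $1 == "Netid" { next }            # header row
        {
            la = $5                                   # Local Address:Port
            port = la; sub(/.*:/, "", port)           # text after last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (addr ~ /^127\./ || addr ~ /^\[::1\]/) next   # loopback only
            if (port in ok) next                      # expected public port
            proc = "-"                                # hidden without sudo
            if (split($7, p, "\"") >= 2) proc = p[2]
            print $1, port, addr, proc
        }
    '
}

# Demo on the sample; on a server: sudo ss -tulpn | exposed_listeners "22 80 443"
sample_ss_output | exposed_listeners "22 80 443"
```

A listed service is bound to a public or wildcard address; whether it is actually reachable still depends on the firewall rules in front of it.
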

User accounts and passwords

Weak accounts are a common source of compromise.

Check:

  • remove unused users
  • use strong passwords
  • avoid shared admin accounts
  • limit sudo access
  • disable unused FTP accounts
  • rotate passwords after staff/client changes
  • use SSH keys for admins
  • protect control panel access
  • enable two-factor authentication where available

For hosting servers, compromised FTP, mailbox or control panel accounts can be as dangerous as compromised root access.

Backups as security

Security includes recovery. If the VPS is compromised, misconfigured or damaged, backups may be the only reliable recovery path.

Back up:

  • website files
  • databases
  • configuration files
  • DNS zone records
  • SSL configuration
  • mailboxes if hosted
  • user data
  • application environment files

Best practices:

  • store backups off-server
  • encrypt sensitive backups
  • automate backups
  • keep multiple restore points
  • test restore process
  • restrict backup access

A backup stored only on the same VPS may be lost if the server is deleted, encrypted or compromised, or if its disk fails.

Monitoring and logs

Monitoring helps detect attacks, outages and resource problems earlier.

Monitor:

  • uptime
  • website status
  • SSL expiry
  • disk usage
  • CPU and memory
  • failed SSH logins
  • web server errors
  • mail queue if mail is used
  • backup success
  • unusual outbound traffic
  • blacklists if sending mail

Useful logs:

  • /var/log/auth.log on Ubuntu/Debian
  • /var/log/secure on AlmaLinux/Rocky
  • web server access logs
  • web server error logs
  • mail logs if running email
  • application logs

Logs are most useful when reviewed during and after incidents, not only after damage is done.

Why this matters

VPS security matters because a compromised server can host malware, send spam, leak data, damage domain reputation, get IPs blacklisted, break websites or trigger provider suspension. Automated attacks are common, even on new servers.

Basic hardening reduces common risks and gives you a better chance to detect and recover from problems.

How to check VPS security basics

Use server checks plus CheckDomainHealth tools for public-facing services.

  1. Updates — Confirm OS packages are current.
  2. SSH access — Confirm SSH is protected and logs are monitored.
  3. Firewall — Confirm only needed ports are open.
  4. Fail2Ban — Confirm jails are active for SSH or relevant services.
  5. Open services — Check listening ports and disable unused services.
  6. Backups — Confirm backup schedule and restore process.
  7. Website status — Check public site availability.
  8. SSL — Confirm certificates are valid and not expired.
  9. Mail reputation — If sending mail, check rDNS, SPF, DKIM, DMARC and blacklists.

Check public-facing VPS services

Use Domain Health Checker to review DNS, SSL, website status and related domain signals for services running on your VPS.

Common problems

SSH password brute force
Severity: High
Automated bots repeatedly try to guess SSH credentials.
Next step: Use SSH keys, Fail2Ban and strong passwords, and restrict access where possible.

Firewall disabled
Severity: High
Unneeded services may be exposed publicly.
Next step: Enable the firewall and allow only required ports.

Root login exposed
Severity: High
Direct root login increases attack risk.
Next step: Create a sudo user and disable root login only after testing access.

Outdated packages
Severity: High
Old software may contain known vulnerabilities.
Next step: Apply security updates and schedule regular maintenance.

Fail2Ban not active
Severity: Medium
Repeated login attempts are not automatically blocked.
Next step: Install and enable Fail2Ban or equivalent protection.

Backend app port exposed
Severity: Medium
Internal apps may be reachable directly from the internet.
Next step: Bind apps to localhost or block public access with a firewall.

No backups
Severity: High
Compromise or mistakes can cause permanent data loss.
Next step: Set up automated off-server backups and test restores.

Weak mailbox or FTP passwords
Severity: High
Attackers can use compromised accounts to upload malware or send spam.
Next step: Change passwords, remove unused accounts and review logs.

Unused services running
Severity: Medium
Extra services increase attack surface.
Next step: Stop and disable services that are not needed.

No monitoring
Severity: Medium
Problems may go unnoticed until users complain or the provider suspends service.
Next step: Monitor uptime, resources, logs and backups.

How to secure a VPS safely

  1. Update the system

    Apply operating system and package updates.

  2. Confirm recovery access

    Make sure provider console or rescue access is available.

  3. Secure SSH

    Use SSH keys, sudo user and strong authentication.

  4. Enable firewall

    Allow only necessary ports.

  5. Install Fail2Ban

    Protect SSH and other login services from repeated attempts.

  6. Review open ports

    Use ss or similar tools to find exposed services.

  7. Disable unused services

    Stop services that are not required for the project.

  8. Configure backups

    Use automated off-server backups.

  9. Enable monitoring

    Monitor website status, SSL, disk, CPU, memory and logs.

  10. Maintain regularly

    Review updates, logs, users and backups on a schedule.

Useful VPS security commands
Check OS version:
cat /etc/os-release

Update Ubuntu/Debian:
sudo apt update && sudo apt upgrade -y

Check firewall:
sudo ufw status verbose

Check listening ports:
sudo ss -tulpn

Check failed SSH logins on Ubuntu/Debian:
sudo grep "Failed password" /var/log/auth.log | tail

Check recent authentication logs:
sudo tail -100 /var/log/auth.log

Check Fail2Ban status:
sudo fail2ban-client status

Check SSH jail:
sudo fail2ban-client status sshd

Check disk usage:
df -h

Check running services:
systemctl --type=service --state=running

Commands are examples and may vary by operating system. Use care on production servers and test access before changing SSH or firewall settings.

What not to do

Avoid common unsafe practices:

  • do not disable SSH access before testing the new login method
  • do not open all ports “just in case”
  • do not use weak passwords
  • do not leave old users active
  • do not run abandoned software
  • do not store backups only on the same VPS
  • do not ignore failed login logs
  • do not expose database ports publicly unless required and secured
  • do not install services you do not need
  • do not assume a new VPS is automatically secure

Mail server security note

If the VPS sends or receives email, security becomes even more important.

Check:

  • no open relay
  • SMTP authentication secured
  • strong mailbox passwords
  • SPF, DKIM and DMARC configured
  • reverse DNS set correctly
  • mail queue monitored
  • spam scripts blocked
  • compromised accounts disabled
  • blacklists monitored

A compromised mail server can quickly get the IP blacklisted and affect domain reputation.

Security maintenance schedule

Use a simple maintenance rhythm.

Weekly:

  • check updates
  • review disk usage
  • check failed login patterns
  • confirm backups completed

Monthly:

  • apply planned updates
  • review users and access
  • check firewall rules
  • test restore if possible
  • review running services

After incidents or staff changes:

  • rotate passwords
  • remove old access
  • review logs
  • scan websites
  • verify backups

Security is strongest when it becomes routine.

Frequently asked questions

Is a new VPS secure by default?

Not fully. It may have a clean OS image, but you still need updates, firewall, SSH protection, backups and monitoring.

Do I need a firewall if only SSH and web are running?

Yes. A firewall helps ensure only intended ports are reachable.

What is Fail2Ban?

Fail2Ban watches logs and blocks IPs that repeatedly fail authentication.

Should I disable root login?

Usually yes, but only after creating and testing a working sudo user.

Should I change the SSH port?

It can reduce noise, but it is not a replacement for keys, strong authentication, firewall and Fail2Ban.

Are backups part of security?

Yes. Backups help recover from compromise, mistakes, deletion or server failure.

How often should I update a VPS?

Check updates regularly and apply security updates promptly, using planned maintenance windows when needed.
