Securing Your VPS: Firewalls, Fail2Ban and Updates
Practical guide to basic VPS security: system updates, SSH hardening, firewall rules, Fail2Ban, open ports, backups, monitoring and safe maintenance.
Introduction
A VPS gives you control over the server, but it also makes you responsible for its security. As soon as a VPS is online, it may receive automated login attempts, port scans, bot traffic and exploit attempts.
Basic VPS security starts with a few important steps: update the operating system, secure SSH access, allow only required firewall ports, install login protection such as Fail2Ban, monitor logs, keep backups and remove services you do not need. These steps do not make a server impossible to attack, but they reduce common risks significantly.
Quick answer
To secure a VPS, update the operating system, use SSH keys, create a non-root sudo user, restrict SSH access, enable a firewall, allow only needed ports, install Fail2Ban or similar login protection, keep software updated, monitor logs and maintain off-server backups.
Securing your VPS
Securing a VPS means reducing the chance of unauthorized access, abuse, malware, downtime or data loss.
Basic VPS security usually includes:
- operating system updates
- SSH hardening
- strong user access control
- firewall configuration
- Fail2Ban or login protection
- minimal open ports
- secure web server configuration
- SSL for public websites
- backups
- monitoring
- log review
- malware and abuse checks
- regular maintenance
VPS security is not a one-time setup. It must be maintained as software, websites and traffic change.
First security priorities
When setting up a VPS, start with the basics before deploying production websites.
Priority checklist:
- update packages
- confirm provider recovery access
- create non-root sudo user
- configure SSH keys
- test sudo access
- enable firewall
- allow SSH, HTTP and HTTPS only if needed
- install Fail2Ban
- disable unused services
- set strong passwords
- configure backups
- enable monitoring
- check logs after deployment
Do not disable root login or password login until you confirm your new SSH key and sudo user work correctly.
System updates
Outdated packages are one of the most common security risks on a VPS.
Update Ubuntu/Debian:
sudo apt update
sudo apt upgrade -y
Update AlmaLinux/Rocky:
sudo dnf update -y
Check OS version:
cat /etc/os-release
Plan regular update windows. Some updates may require service restarts or a server reboot.
SSH security
SSH is the main administrative entry point for many VPS servers. It should be protected carefully.
Best practices:
- use SSH keys where possible
- create a non-root sudo user
- use strong passwords where passwords are still enabled
- disable direct root login only after testing sudo access
- disable password login only after SSH keys are confirmed
- restrict SSH by IP if practical
- avoid sharing one admin account
- keep provider console access available
- monitor failed login attempts
Do not lock yourself out. Test a new SSH session before closing the current one after SSH changes.
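One way to check the SSH settings above before and after a change, as an added example that is not part of the original guide. The function name audit_sshd and both sample configurations are constructed for illustration; the input format is the lowercase "key value" output of sshd -T.

```sh
#!/bin/sh
# Added example (not from the guide): audit effective sshd settings.
# Reads `sshd -T` style output on stdin: one lowercase "key value" pair per line.
audit_sshd() {
    awk '
        { v[$1] = $2 }
        END {
            # Older OpenSSH releases name this option challengeresponseauthentication.
            kbd = ("kbdinteractiveauthentication" in v) ? v["kbdinteractiveauthentication"] : v["challengeresponseauthentication"]
            if (v["permitrootlogin"] == "yes")
                print "WARN permitrootlogin=yes: root can log in with a password"
            if (v["passwordauthentication"] == "yes")
                print "WARN passwordauthentication=yes: passwords can be guessed"
            if (v["passwordauthentication"] == "no" && kbd == "yes")
                print "WARN keyboard-interactive is on: PAM may still prompt for a password"
            if (v["permitemptypasswords"] == "yes")
                print "FAIL permitemptypasswords=yes"
            # The lockout case the guide warns about: no login method left.
            if (v["pubkeyauthentication"] != "yes" && v["passwordauthentication"] == "no" && kbd != "yes")
                print "FAIL no usable login method: lockout risk"
        }'
}

# Constructed sample: typical settings before hardening.
weak_config() {
    cat <<'EOF'
port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
permitemptypasswords no
EOF
}

# Constructed sample: the same server after keys and a sudo user are confirmed.
hardened_config() {
    cat <<'EOF'
port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no
EOF
}

weak_config | audit_sshd
```

On a real server, run sudo sshd -T | audit_sshd from a session you keep open, so the check reflects the effective configuration including any included files.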
Firewall basics
A firewall controls which services are reachable from the internet.
Typical web server ports:
- 22/tcp for SSH
- 80/tcp for HTTP
- 443/tcp for HTTPS
Mail server ports only if running mail:
- 25/tcp for SMTP server-to-server
- 465/tcp for SMTPS submission
- 587/tcp for SMTP submission
- 993/tcp for IMAPS
DNS port only if running DNS:
- 53/tcp and 53/udp
sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
sudo ufw status verbose
Allow SSH before enabling the firewall. Otherwise, you may block your own access.
Fail2Ban basics
Fail2Ban watches logs and blocks IP addresses that repeatedly fail authentication. It is commonly used to reduce brute-force attempts against SSH, mail, webmail and other services.
sudo apt update
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
sudo systemctl status fail2ban
sudo fail2ban-client status
sudo fail2ban-client status sshd
Fail2Ban is not a replacement for strong passwords, SSH keys or firewall rules. It is an additional protection layer.
Open ports and services
Every open port is a possible entry point. Keep only required services exposed.
sudo ss -tulpn
Review:
- what service is listening
- which port it uses
- whether it listens on 127.0.0.1 or 0.0.0.0
- whether it needs public access
- which user/process owns it
If an internal application runs behind Nginx, it should usually listen on 127.0.0.1, not be exposed publicly.
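The review above can be automated. This added example (not part of the original guide) reads ss -tulpn output and prints every listener that is reachable beyond loopback and is not on an allowlist of intended public ports. The function name audit_listeners and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the guide): flag non-loopback listeners that are not allowlisted.
# Input: `ss -tulpn` output on stdin. $1: allowlist such as "22/tcp 80/tcp 443/tcp".
audit_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "tcp" && $1 != "udp" { next }         # header line, other socket types
        {
            port = $5; sub(/.*:/, "", port)           # text after the last colon
            addr = $5; sub(/:[^:]*$/, "", addr)       # text before the last colon
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: not exposed
            key = port "/" $1
            if (key in ok) next                       # intentionally public
            n = split($0, q, "\"")                    # process name is the first quoted string
            print key, addr, (n >= 2 ? q[2] : "unknown")
        }'
}

# Constructed sample of `ss -tulpn` output: a web server with two stray listeners.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*  users:(("systemd-resolve",pid=512,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*  users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*  users:(("nginx",pid=900,fd=7))
tcp   LISTEN 0      511    0.0.0.0:3000       0.0.0.0:*  users:(("node",pid=1200,fd=20))
tcp   LISTEN 0      151    127.0.0.1:3306     0.0.0.0:*  users:(("mysqld",pid=950,fd=22))
tcp   LISTEN 0      128    [::]:22            [::]:*     users:(("sshd",pid=801,fd=4))
tcp   LISTEN 0      4096   *:6379             *:*        users:(("redis-server",pid=1300,fd=6))
EOF
}

sample_ss_output | audit_listeners "22/tcp 80/tcp 443/tcp"
```

On a real server, run sudo ss -tulpn | audit_listeners "22/tcp 80/tcp 443/tcp" and either rebind each reported service to 127.0.0.1 or block its port in the firewall.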
User accounts and passwords
Weak accounts are a common source of compromise.
Check:
- remove unused users
- use strong passwords
- avoid shared admin accounts
- limit sudo access
- disable unused FTP accounts
- rotate passwords after staff/client changes
- use SSH keys for admins
- protect control panel access
- enable two-factor authentication where available
For hosting servers, compromised FTP, mailbox or control panel accounts can be as dangerous as compromised root access.
Backups as security
Security includes recovery. If the VPS is compromised, misconfigured or damaged, backups may be the only reliable recovery path.
Back up:
- website files
- databases
- configuration files
- DNS zone records
- SSL configuration
- mailboxes if hosted
- user data
- application environment files
Best practices:
- store backups off-server
- encrypt sensitive backups
- automate backups
- keep multiple restore points
- test restore process
- restrict backup access
A backup stored only on the same VPS may be lost if the server is deleted, encrypted or compromised, or if its disk fails.
Monitoring and logs
Monitoring helps detect attacks, outages and resource problems earlier.
Monitor:
- uptime
- website status
- SSL expiry
- disk usage
- CPU and memory
- failed SSH logins
- web server errors
- mail queue if mail is used
- backup success
- unusual outbound traffic
- blacklists if sending mail
Useful logs:
- /var/log/auth.log on Ubuntu/Debian
- /var/log/secure on AlmaLinux/Rocky
- web server access logs
- web server error logs
- mail logs if running email
- application logs
Logs are most useful when reviewed during and after incidents, not only after damage is done.
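A worked example of reviewing failed SSH logins, added here and not part of the original guide. It counts failed password attempts per source address and marks any address that later logged in with a password, which deserves immediate attention. The function name summarize_ssh_failures, the threshold and the log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the guide): summarize failed SSH password logins per source IP.
# Input: auth log lines on stdin. $1: minimum failures to report (default 3).
# Fields are located from the end of each line, so the timestamp format does not matter.
summarize_ssh_failures() {
    awk -v min="${1:-3}" '
        function src_ip(   i) {
            for (i = NF - 1; i > 2; i--)
                if ($i == "port" && $(i - 2) == "from") return $(i - 1)
            return ""
        }
        # The process tag varies (sshd[pid], sshd-session[pid]), so match it loosely.
        /sshd[^ ]*: Failed password for / { ip = src_ip(); if (ip != "") fails[ip]++; next }
        /sshd[^ ]*: Accepted password for / {
            ip = src_ip()
            if (ip != "" && (ip in fails) && fails[ip] >= min) hit[ip] = 1
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min)
                    print ip, fails[ip], ((ip in hit) ? "LOGIN_AFTER_FAILURES" : "failed_only")
        }' | sort
}

# Constructed sample log lines using documentation-only IP ranges.
sample_auth_log() {
    cat <<'EOF'
May 12 03:14:07 vps1 sshd[2101]: Failed password for root from 203.0.113.45 port 51122 ssh2
May 12 03:14:09 vps1 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51130 ssh2
May 12 03:14:12 vps1 sshd[2104]: Failed password for invalid user oracle from 203.0.113.45 port 51144 ssh2
May 12 03:15:10 vps1 sshd[2150]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
May 12 03:18:40 vps1 sshd[2190]: Failed password for root from 198.51.100.7 port 40100 ssh2
May 12 03:20:01 vps1 sshd[2201]: Failed password for deploy from 192.0.2.10 port 40101 ssh2
May 12 03:20:03 vps1 sshd[2201]: Failed password for deploy from 192.0.2.10 port 40105 ssh2
May 12 03:20:05 vps1 sshd[2201]: Failed password for deploy from 192.0.2.10 port 40108 ssh2
May 12 03:20:09 vps1 sshd[2203]: Accepted password for deploy from 192.0.2.10 port 40110 ssh2
EOF
}

sample_auth_log | summarize_ssh_failures 3
```

On a real server, feed it /var/log/auth.log on Ubuntu/Debian or /var/log/secure on AlmaLinux/Rocky, for example sudo cat /var/log/auth.log | summarize_ssh_failures 5.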
Why this matters
VPS security matters because a compromised server can host malware, send spam, leak data, damage domain reputation, get IPs blacklisted, break websites or trigger provider suspension. Automated attacks are common, even on new servers.
Basic hardening reduces common risks and gives you a better chance to detect and recover from problems.
How to check VPS security basics
Use server checks plus CheckDomainHealth tools for public-facing services.
- Updates — Confirm OS packages are current.
- SSH access — Confirm SSH is protected and logs are monitored.
- Firewall — Confirm only needed ports are open.
- Fail2Ban — Confirm jails are active for SSH or relevant services.
- Open services — Check listening ports and disable unused services.
- Backups — Confirm backup schedule and restore process.
- Website status — Check public site availability.
- SSL — Confirm certificates are valid and not expired.
- Mail reputation — If sending mail, check rDNS, SPF, DKIM, DMARC and blacklists.
Check public-facing VPS services
Use Domain Health Checker to review DNS, SSL, website status and related domain signals for services running on your VPS.
Common problems
SSH password brute force
Severity: High. Automated bots repeatedly try to guess SSH credentials.
Next step: Use SSH keys, Fail2Ban, strong passwords and restrict access where possible.
Firewall disabled
Severity: High. Unneeded services may be exposed publicly.
Next step: Enable firewall and allow only required ports.
Root login exposed
Severity: High. Direct root login increases attack risk.
Next step: Create a sudo user and disable root login only after testing access.
Outdated packages
Severity: High. Old software may contain known vulnerabilities.
Next step: Apply security updates and schedule regular maintenance.
Fail2Ban not active
Severity: Medium. Repeated login attempts are not automatically blocked.
Next step: Install and enable Fail2Ban or equivalent protection.
Backend app port exposed
Severity: Medium. Internal apps may be reachable directly from the internet.
Next step: Bind apps to localhost or block public access with firewall.
No backups
Severity: High. Compromise or mistakes can cause permanent data loss.
Next step: Set automated off-server backups and test restore.
Weak mailbox or FTP passwords
Severity: High. Attackers can use compromised accounts to upload malware or send spam.
Next step: Change passwords, remove unused accounts and review logs.
Unused services running
Severity: Medium. Extra services increase attack surface.
Next step: Stop and disable services that are not needed.
No monitoring
Severity: Medium. Problems may go unnoticed until users complain or the provider suspends service.
Next step: Monitor uptime, resources, logs and backups.
How to secure a VPS safely
- Step 1: Update the system. Apply operating system and package updates.
- Step 2: Confirm recovery access. Make sure provider console or rescue access is available.
- Step 3: Secure SSH. Use SSH keys, sudo user and strong authentication.
- Step 4: Enable firewall. Allow only necessary ports.
- Step 5: Install Fail2Ban. Protect SSH and other login services from repeated attempts.
- Step 6: Review open ports. Use ss or similar tools to find exposed services.
- Step 7: Disable unused services. Stop services that are not required for the project.
- Step 8: Configure backups. Use automated off-server backups.
- Step 9: Enable monitoring. Monitor website status, SSL, disk, CPU, memory and logs.
- Step 10: Maintain regularly. Review updates, logs, users and backups on a schedule.
Useful VPS security commands
Check OS version:
cat /etc/os-release
Update Ubuntu/Debian:
sudo apt update && sudo apt upgrade -y
Check firewall:
sudo ufw status verbose
Check listening ports:
sudo ss -tulpn
Check failed SSH logins on Ubuntu/Debian:
sudo grep "Failed password" /var/log/auth.log | tail
Check recent authentication logs:
sudo tail -100 /var/log/auth.log
Check Fail2Ban status:
sudo fail2ban-client status
Check SSH jail:
sudo fail2ban-client status sshd
Check disk usage:
df -h
Check running services:
systemctl --type=service --state=running
Commands are examples and may vary by operating system. Use care on production servers and test access before changing SSH or firewall settings.
What not to do
Avoid common unsafe practices:
- do not disable SSH access before testing new login method
- do not open all ports “just in case”
- do not use weak passwords
- do not leave old users active
- do not run abandoned software
- do not store backups only on the same VPS
- do not ignore failed login logs
- do not expose database ports publicly unless required and secured
- do not install services you do not need
- do not assume a new VPS is automatically secure
Mail server security note
If the VPS sends or receives email, security becomes even more important.
Check:
- no open relay
- SMTP authentication secured
- strong mailbox passwords
- SPF, DKIM and DMARC configured
- reverse DNS set correctly
- mail queue monitored
- spam scripts blocked
- compromised accounts disabled
- blacklists monitored
A compromised mail server can quickly get the IP blacklisted and affect domain reputation.
Security maintenance schedule
Use a simple maintenance rhythm.
Weekly:
- check updates
- review disk usage
- check failed login patterns
- confirm backups completed
Monthly:
- apply planned updates
- review users and access
- check firewall rules
- test restore if possible
- review running services
After incidents or staff changes:
- rotate passwords
- remove old access
- review logs
- scan websites
- verify backups
Security is strongest when it becomes routine.
Frequently asked questions
Is a new VPS secure by default?
Not fully. It may have a clean OS image, but you still need updates, firewall, SSH protection, backups and monitoring.
Do I need a firewall if only SSH and web are running?
Yes. A firewall helps ensure only intended ports are reachable.
What is Fail2Ban?
Fail2Ban watches logs and blocks IPs that repeatedly fail authentication.
Should I disable root login?
Usually yes, but only after creating and testing a working sudo user.
Should I change the SSH port?
It can reduce noise, but it is not a replacement for keys, strong authentication, firewall and Fail2Ban.
Are backups part of security?
Yes. Backups help recover from compromise, mistakes, deletion or server failure.
How often should I update a VPS?
Check updates regularly and apply security updates promptly, using planned maintenance windows when needed.