Server security is not optional - it is a fundamental requirement. Every VPS connected to the internet faces constant automated attacks, brute-force login attempts, and vulnerability scans. This comprehensive guide covers three essential layers of defense: SSH key authentication, firewall configuration, and intrusion prevention with Fail2ban.

Critical: Always maintain an active SSH session while making security changes. If something goes wrong, you can use the existing session to revert changes. Locking yourself out of your server requires a support ticket at billing.sakurahost.co.tz.

1. SSH Key Authentication

SSH keys provide cryptographic authentication that is vastly more secure than passwords. A key pair consists of a private key (kept on your local machine) and a public key (placed on the server).

Generate an SSH Key Pair

On your local machine (not the server), generate a new Ed25519 key pair:

ssh-keygen -t ed25519 -C "your_email@example.com"

When prompted, accept the default file location and set a strong passphrase. Ed25519 keys are shorter, faster, and more secure than traditional RSA keys.

Copy the Public Key to Your Server

Use ssh-copy-id for automatic installation:
ssh-copy-id -i ~/.ssh/id_ed25519.pub sakura@YOUR_SERVER_IP

If ssh-copy-id is not available (common on Windows), manually copy the key:

cat ~/.ssh/id_ed25519.pub | ssh sakura@YOUR_SERVER_IP "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Test Key-Based Login

Verify you can log in without a password:
ssh sakura@YOUR_SERVER_IP

If the key is correctly installed, you will not be asked for a server password (though your key passphrase will be requested if set).

Disable Password Authentication

Edit the SSH daemon configuration:
sudo nano /etc/ssh/sshd_config

Find and modify these directives:

PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
MaxAuthTries 3

Restart the SSH service:
sudo systemctl restart sshd

Do Not Close Your Current Session! Open a new terminal and test logging in with your key before closing the existing connection. This ensures you can still access the server.
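These directives only protect you if nothing overrides them: Ubuntu's sshd_config includes /etc/ssh/sshd_config.d/*.conf near the top, and the first value sshd reads wins, so a drop-in there (cloud images commonly ship one that sets PasswordAuthentication yes) silently undoes the edit above. The following Python example is added here and is not part of the guide; it parses the output of sshd -T (OpenSSH's dump of the effective configuration) and reports any of the four directives that still differ from the values set above. The sample output is constructed.

```python
import subprocess

# Directive -> accepted values, in the lower-case form 'sshd -T' prints them.
REQUIRED = {
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no"},
}
MAX_AUTH_TRIES = 3

def parse_sshd_t(text):
    """Map each 'directive value' line of 'sshd -T' output to directive -> value."""
    effective = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            effective[parts[0].lower()] = parts[1].strip()
    return effective

def audit_sshd(text):
    """Return findings as strings; an empty list means the effective config
    matches the four directives set in the guide."""
    cfg = parse_sshd_t(text)
    findings = []
    for directive, allowed in REQUIRED.items():
        value = cfg.get(directive, "<unset>")
        if value not in allowed:
            findings.append(f"{directive} is '{value}', expected {'/'.join(sorted(allowed))}")
    tries = int(cfg.get("maxauthtries", "6"))  # sshd's compiled-in default is 6
    if tries > MAX_AUTH_TRIES:
        findings.append(f"maxauthtries is {tries}, expected <= {MAX_AUTH_TRIES}")
    return findings

def audit_live_server():
    """Audit this host: 'sshd -T' needs root because it reads the host keys."""
    out = subprocess.run(["sudo", "sshd", "-T"], check=True, capture_output=True, text=True)
    return audit_sshd(out.stdout)

# Constructed sample of 'sshd -T' output: sshd_config was edited as above, but a
# drop-in under /etc/ssh/sshd_config.d/ re-enabled password logins and root access.
SAMPLE_EFFECTIVE = """\
passwordauthentication yes
pubkeyauthentication yes
permitrootlogin prohibit-password
maxauthtries 6
"""

if __name__ == "__main__":
    print("\n".join(audit_sshd(SAMPLE_EFFECTIVE) or ["OK: matches the hardening guide"]))
```

Run audit_live_server() on the VPS after the restart; an empty result means the settings really are in force, whatever the drop-ins say.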

2. Advanced Firewall Configuration with UFW

While basic UFW setup was covered in our Getting Started with Your SakuraHost VPS guide, production servers require more granular rules.

Essential Firewall Rules

# Allow SSH (change port if using non-standard)
sudo ufw allow 22/tcp
# Allow HTTP and HTTPS for web servers
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Allow specific IP ranges (e.g., your office)
sudo ufw allow from 203.0.113.0/24 to any port 22
# Deny all other incoming traffic (default)
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Enable the firewall
sudo ufw enable

Rate Limiting SSH Connections

UFW includes a built-in rate limiter that blocks IP addresses attempting more than 6 connections within 30 seconds:

sudo ufw limit 22/tcp

View your active rules at any time with sudo ufw status verbose.

3. Installing and Configuring Fail2ban

Fail2ban monitors log files for suspicious activity and automatically bans offending IP addresses. It is your active defense against brute-force attacks.

Install Fail2ban:
sudo apt update
sudo apt install fail2ban -y

Create a local configuration file (never edit the main config directly):
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Recommended Jail Configuration

Add or modify the following in jail.local:

[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3
banaction = ufw

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400

This configuration bans any IP that fails SSH login 3 times within 10 minutes (findtime = 600), blocking it for 24 hours (bantime = 86400 seconds). The [DEFAULT] bantime of 3600 seconds (1 hour) applies to any other jail that does not override it.
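To see what those three numbers do in practice, here is an added Python example (not fail2ban's own code) that applies the jail's maxretry/findtime/bantime rule to constructed auth.log lines and reports which addresses would be banned and for how long. It generalises slightly beyond the page: with maxretry=6 and findtime=30 the same function models the UFW limit rule from the previous section.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd failure lines as rsyslog writes them to /var/log/auth.log (no year field).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2024):
    """Yield (epoch_seconds, ip) per failed-password line; the year is assumed."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts.timestamp(), m["ip"]

def simulate_jail(log_text, maxretry=3, findtime=600, bantime=86400):
    """Return {ip: (ban_start, ban_end)} for the IPs the jail would ban.
    An IP is banned at the failure that brings its count within the last findtime
    seconds up to maxretry; later lines from a banned IP are ignored."""
    recent = defaultdict(list)
    bans = {}
    for when, ip in sorted(parse_failures(log_text)):
        if ip in bans:
            continue
        recent[ip] = [t for t in recent[ip] if when - t <= findtime] + [when]
        if len(recent[ip]) >= maxretry:
            bans[ip] = (when, when + bantime)
    return bans

# Constructed sample: 198.51.100.7 fails 4 times in 11 s (banned on the 3rd);
# 203.0.113.5 fails 3 times over 32 min, never reaching maxretry in one findtime.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 vps sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar  3 10:00:04 vps sshd[2103]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar  3 10:00:09 vps sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 51251 ssh2
Mar  3 10:00:12 vps sshd[2107]: Failed password for root from 198.51.100.7 port 51260 ssh2
Mar  3 09:30:00 vps sshd[2090]: Failed password for sakura from 203.0.113.5 port 40000 ssh2
Mar  3 09:45:00 vps sshd[2095]: Failed password for sakura from 203.0.113.5 port 40001 ssh2
Mar  3 10:02:00 vps sshd[2110]: Failed password for sakura from 203.0.113.5 port 40002 ssh2
Mar  3 10:02:30 vps sshd[2112]: Accepted publickey for sakura from 203.0.113.5 port 40003 ssh2
"""

if __name__ == "__main__":
    for ip, (start, end) in simulate_jail(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} for {int(end - start)} s from {datetime.fromtimestamp(start)}")
```

Raising findtime to 3600 in the call makes the slow attempts from 203.0.113.5 count as well, which is the trade-off between catching low-and-slow guessing and locking out a legitimate user who mistypes a passphrase a few times an hour.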

Start and enable Fail2ban:
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Monitoring Fail2ban

# Check overall status
sudo fail2ban-client status
# Check SSH jail specifically
sudo fail2ban-client status sshd
# Unban a specific IP if needed
sudo fail2ban-client set sshd unbanip 192.168.1.100

4. Additional Security Hardening

Change the Default SSH Port

While security through obscurity is not a complete solution, changing the default SSH port dramatically reduces automated scan noise:

sudo nano /etc/ssh/sshd_config
# Change: Port 2222
sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp
sudo systemctl restart sshd

Install and Configure Logwatch

Logwatch sends you daily email summaries of server activity:

sudo apt install logwatch -y
sudo logwatch --detail high --mailto your@email.com --range today

5. Security Checklist

  • SSH key authentication enabled, password authentication disabled
  • Root login disabled via SSH
  • UFW firewall active with minimal open ports
  • Fail2ban running with SSH jail configured
  • Automatic security updates enabled
  • Non-standard SSH port (optional but recommended)
  • Regular log review process in place

Further Reading: For more advanced security practices, consult the Ubuntu Security Documentation and the DigitalOcean Recommended Security Measures guide. Need help? Contact SakuraHost support at billing.sakurahost.co.tz.