Hardening guide: how to secure a new VPS on Hetzner or DigitalOcean
When you purchase a Virtual Private Server (VPS) from Hetzner, DigitalOcean, or AWS, it comes by default with a clean installation of the operating system (usually Ubuntu or Debian). The moment your server is assigned a public IP address, automated internet bots start scanning it for vulnerabilities and running brute-force attacks against the SSH port (default port 22).
If you leave the default settings and allow direct root access with a traditional password, it is only a matter of time before your server gets compromised.
In this guide, we walk you through the indispensable hardening steps to shield your VPS against intrusions.
1. Disable Password Auth and Force SSH Keys
Password authentication is highly vulnerable to dictionary and brute-force attacks. You should configure your server to only accept connections via cryptographic public-private SSH keys.
Step 1: Copy your SSH Public Key to the server
Before disabling passwords, ensure you have copied your public key over. On your local machine:
ssh-copy-id username@YOUR_SERVER_IP
Step 2: Edit the SSH Daemon Configuration
Log into your server via SSH and open the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Modify the following lines to match these values:
- PermitRootLogin prohibit-password (or no): prevents root login with a password.
- PasswordAuthentication no: completely disables password authentication.
- PubkeyAuthentication yes: ensures only SSH public keys are accepted.
Save the file and restart the SSH service:
sudo systemctl restart ssh
Important: Do not close your current SSH terminal session until you open a new window and verify that you can log back in successfully without being prompted for a password.
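The three settings above only take effect if nothing earlier in the configuration already sets them: sshd uses the first value it encounters, and recent Ubuntu and Debian images begin sshd_config with an Include of /etc/ssh/sshd_config.d/*.conf, where cloud-init may drop a file that re-enables password authentication. On the server, `sudo sshd -t` validates the file before you restart, and `sudo sshd -T | grep -iE 'passwordauthentication|permitrootlogin'` shows the values sshd actually uses. The script below is an added example (not part of this guide or of OpenSSH) that resolves the effective value offline by the same first-match rule and then applies the guide's checklist; the temporary file layout and the drop-in name 50-cloud-init.conf in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide: resolve the value sshd
# will actually use for a directive, offline. sshd_config is "first match
# wins", and the "Include /etc/ssh/sshd_config.d/*.conf" line that recent
# Ubuntu and Debian images place at the TOP of sshd_config is read before
# anything you edit further down, so a cloud-init drop-in that says
# "PasswordAuthentication yes" silently overrides your "no".
set -eu

# sshd_effective <config-file> <directive>
# Prints the first value found for <directive>, descending into Include
# globs in order. Returns 1 if the directive is never set in the global
# section (sshd's compiled-in default then applies). Lines after the first
# "Match" block are conditional and are not considered.
sshd_effective() {
  local cfg want line k g f
  cfg=$1
  want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ -r "$cfg" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                      # drop comments
    set -f; set -- $line; set +f          # split on whitespace, no globbing yet
    [ $# -eq 0 ] && continue              # blank or comment-only line
    k=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    case "$k" in
      match) return 1 ;;
      include)
        for g in "$@"; do
          case "$g" in /*) ;; *) g=/etc/ssh/$g ;; esac   # sshd resolves relative paths against /etc/ssh
          for f in $g; do                 # unquoted on purpose: expand the glob like sshd does
            [ -r "$f" ] || continue
            if sshd_effective "$f" "$want"; then return 0; fi
          done
        done ;;
      "$want") printf '%s\n' "$*"; return 0 ;;
    esac
  done < "$cfg"
  return 1
}

# check_ssh_hardening <config-file>
# Verifies the three settings from the guide, substituting sshd's defaults
# for unset directives. Returns 0 only if all three are as required.
check_ssh_hardening() {
  local cfg pa prl pka rc
  cfg=$1; rc=0
  pa=$(sshd_effective "$cfg" PasswordAuthentication) || pa=yes
  prl=$(sshd_effective "$cfg" PermitRootLogin) || prl=prohibit-password
  pka=$(sshd_effective "$cfg" PubkeyAuthentication) || pka=yes
  printf 'PasswordAuthentication=%s PermitRootLogin=%s PubkeyAuthentication=%s\n' "$pa" "$prl" "$pka"
  [ "$pa" = no ] || { echo 'FAIL: password logins are still accepted'; rc=1; }
  case "$prl" in no|prohibit-password) ;; *) echo 'FAIL: root can log in with a password'; rc=1 ;; esac
  [ "$pka" = yes ] || { echo 'FAIL: public-key authentication is disabled'; rc=1; }
  return $rc
}

# Demo on a constructed layout that mimics a fresh cloud image: the drop-in
# says "yes", the edited main file says "no", and "yes" wins.
demo_cloud_init_override() {
  local d
  d=$(mktemp -d)
  mkdir -p "$d/sshd_config.d"
  printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-cloud-init.conf"
  printf 'Include %s/sshd_config.d/*.conf\nPermitRootLogin prohibit-password\nPasswordAuthentication no\n' \
    "$d" > "$d/sshd_config"
  sshd_effective "$d/sshd_config" PasswordAuthentication      # prints: yes
  rm -rf "$d"
}

demo_cloud_init_override
```

Run it with `sh check-sshd.sh` after saving; the demo prints `yes`, which is exactly the surprise you want to catch before you trust the restart. To audit the real server, call `check_ssh_hardening /etc/ssh/sshd_config` as root. The fix for the drop-in case is to put your settings in a file that sorts before the cloud-init one in sshd_config.d (or to edit that file), not to add a second copy further down sshd_config.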
2. Configure the Firewall (UFW)
Without a firewall, every port that a service listens on is reachable from the entire internet. On Ubuntu, the standard tool is UFW (Uncomplicated Firewall).
Configure the rules to allow only necessary traffic (SSH, HTTP, and HTTPS):
# Allow SSH (ensure you run this before enabling UFW!)
sudo ufw allow ssh
# Allow standard web traffic
sudo ufw allow http
sudo ufw allow https
# Enable the firewall
sudo ufw enable
You can verify your open ports at any time by running:
sudo ufw status verbose
3. Install and Configure Fail2ban
Even if you disable password authentication, bots will keep flooding your SSH port with failed connection attempts, consuming network resources and CPU cycles. Fail2ban mitigates this by analyzing authentication logs and temporarily banning IP addresses that show malicious behavior.
Install Fail2ban:
sudo apt update && sudo apt install fail2ban -y
The service starts automatically, applying default jail rules for the SSH daemon. If an IP fails authentication 5 times, it is automatically banned for 10 minutes.
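To see what the sshd jail is actually doing with those defaults, here is the core of its logic as an added example (not part of this guide or of Fail2ban's own code): an awk filter that counts failed password logins per source IP in auth-log lines and reports each IP the moment it reaches maxretry. The log lines are constructed for the demo and use the documentation IP ranges; only "Failed password" lines are counted, whereas Fail2ban also matches other failure patterns and only counts failures that fall within its findtime window.

```shell
#!/bin/sh
# Added example, not part of the original guide or of Fail2ban: the core of
# what Fail2ban's sshd jail does, reduced to an awk filter over auth-log
# lines, so you can see which IPs would be banned. Only "Failed password"
# lines are counted here; Fail2ban also matches other failure patterns and
# additionally requires the failures to fall within "findtime".
set -eu

# ban_candidates <maxretry>
# Reads sshd log lines on stdin; prints each source IP once, at the moment
# its count of failed password logins reaches <maxretry>.
ban_candidates() {
  awk -v max="$1" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (++fails[ip] == max) print ip
    }'
}

# Constructed sample log (documentation IP ranges), not real server output.
SAMPLE_AUTH_LOG='Mar 10 12:00:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 12:00:02 vps sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 10 12:00:02 vps sshd[1204]: Failed password for root from 203.0.113.9 port 40001 ssh2
Mar 10 12:00:03 vps sshd[1205]: Failed password for invalid user ubuntu from 203.0.113.7 port 51238 ssh2
Mar 10 12:00:04 vps sshd[1206]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2: ED25519 SHA256:constructed
Mar 10 12:00:05 vps sshd[1207]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 10 12:00:06 vps sshd[1208]: Failed password for invalid user test from 203.0.113.9 port 40003 ssh2
Mar 10 12:00:07 vps sshd[1209]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar 10 12:00:08 vps sshd[1210]: Failed password for root from 203.0.113.7 port 51244 ssh2'

# Same threshold as Fail2ban's stock sshd jail: maxretry = 5.
# 203.0.113.7 fails six times and is reported on its fifth failure;
# 203.0.113.9 fails twice and is never reported.
printf '%s\n' "$SAMPLE_AUTH_LOG" | ban_candidates 5     # prints: 203.0.113.7
```

On a real server the same filter can be fed with `journalctl -u ssh --no-pager | ban_candidates 5` (or `/var/log/auth.log` on Debian), which is a quick way to confirm that what Fail2ban reports in `fail2ban-client status sshd` matches what the logs show.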
4. Automate Security Hardening with FerroSentry
Performing these steps manually on every server you configure is time-consuming and prone to human errors (like accidentally locking yourself out of your own server).
To address this, SecuryBlack includes FerroSentry, an open-source security agent written in Rust. When you connect a VPS to SecuryBlack, FerroSentry automatically performs the entire hardening checklist in under a minute:
- Closes all unnecessary ports by configuring the firewall automatically.
- Installs and configures fail2ban with optimized presets.
- Secures the SSH daemon by disabling weak ciphers and passwords.
- Enables automatic, unattended system security updates (unattended-upgrades).
If you want to evaluate the security of your server immediately without creating an account anywhere, you can run our free auditor script in your console:
curl -sSL audit.securyblack.com | bash
You will get an instant terminal output detailing whether your firewall is enabled, which ports are open, and if your SSH configuration is shielded against automated attacks.