Securing your server

⏱ 12 min read 🔵 Intermediate Last updated: April 2026

A freshly created server is functional but not hardened. Internet-facing servers are scanned continuously by automated bots looking for weaknesses. This guide covers the essential steps to lock yours down.

⚠️  Do this before exposing your server to the internet. An unprotected server can be compromised within minutes of going online.

Quick checklist

Essential security steps
Keep the OS and packages updated
Enable UFW firewall and only open ports you need
Disable SSH password authentication — use keys only
Disable SSH root login
Install fail2ban to block brute-force attempts
Create a non-root user for daily work

1. Keep it updated

Keeping the system updated is the single most effective security measure. Run this immediately after connecting:

sudo apt update && sudo apt upgrade -y

Set up automatic security updates so you don't have to think about it:

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades

Select Yes when prompted to enable automatic updates.

2. Set up a firewall (UFW)

UFW (Uncomplicated Firewall) is a straightforward way to control what traffic reaches your server. By default, block everything and only allow what you need.

⚠️  Add the SSH rule before enabling UFW or you'll lock yourself out of the server.

# Install UFW
sudo apt install ufw -y

# Set defaults — deny all incoming, allow all outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (do this FIRST)
sudo ufw allow 22/tcp

# Allow other ports as needed
sudo ufw allow 80/tcp   # HTTP
sudo ufw allow 443/tcp  # HTTPS

# Enable the firewall
sudo ufw enable

# Check the rules
sudo ufw status

💡  Only open the ports your application actually uses. If you're only running a website, you need 22 (SSH), 80 (HTTP), and 443 (HTTPS). Everything else stays closed.

3. Harden SSH

SSH is the most common attack vector. These changes make it significantly harder to compromise.

Disable password authentication

If you're using SSH keys (which you should be), disable password login entirely:

sudo nano /etc/ssh/sshd_config

Find and change these lines:

PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes

Save the file, then restart SSH:

sudo systemctl restart sshd

⚠️  Before restarting SSH, open a second terminal session to verify you can still connect. That way if something goes wrong, you're not locked out.
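
To confirm the edit took effect, check the effective configuration rather than the file: sshd uses the first value it reads for each keyword, and the stock Debian/Ubuntu sshd_config starts by including /etc/ssh/sshd_config.d/*.conf, so a drop-in file there can override your change. The script below is an added example, not part of the original guide; the helper name audit_sshd and both sample inputs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit the sshd settings changed in this section.
# Input is `sshd -T` output: one lowercase "keyword value" pair per line.

# Expected values, taken from the three lines edited above.
EXPECTED='passwordauthentication=no
permitrootlogin=no
pubkeyauthentication=yes'

# audit_sshd (hypothetical helper name): reads `sshd -T` output on stdin,
# prints OK/FAIL per setting, exits 0 only if every setting matches.
# The ( ) body runs in a subshell, so its variables stay private.
audit_sshd() (
    dump=$(cat)
    rc=0
    while IFS='=' read -r key want; do
        # First line whose keyword matches; empty if the keyword is absent.
        got=$(printf '%s\n' "$dump" |
            awk -v k="$key" 'tolower($1) == k { print tolower($2); exit }')
        if [ "$got" = "$want" ]; then
            printf 'OK    %s %s\n' "$key" "$got"
        else
            printf 'FAIL  %s is "%s", expected "%s"\n' \
                "$key" "${got:-unset}" "$want"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    [ "$rc" -eq 0 ]
)

# Constructed sample: passwords still enabled after editing sshd_config.
SAMPLE_WEAK='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes'

# Constructed sample: the state this guide aims for.
SAMPLE_HARDENED='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'

# Demo on the constructed weak sample. On a real server run:
#   sudo sshd -T | audit_sshd
printf '%s\n' "$SAMPLE_WEAK" | audit_sshd || true
```

If a setting shows FAIL after you edited the main file, look for the same keyword in the files under /etc/ssh/sshd_config.d/ and correct it there.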

Change the SSH port (optional)

Changing SSH from port 22 to a non-standard port reduces automated scanning noise significantly. It's not a security measure on its own, but it cuts down on log spam.

# In /etc/ssh/sshd_config (choose any unused port above 1024)
Port 2222

# Remember to update your firewall
sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp
sudo systemctl restart sshd

Connect afterwards with: ssh -p 2222 ubuntu@YOUR_IP

4. Block brute-force attempts (fail2ban)

fail2ban monitors your logs and automatically bans IP addresses that are repeatedly trying to break in.

sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

The default configuration protects SSH. Check it's working:

sudo fail2ban-client status sshd

You should see the jail is active and a count of banned IPs.

💡  If you changed your SSH port, update fail2ban's config: sudo nano /etc/fail2ban/jail.local and add port = 2222 under [sshd].

5. User management

Don't do everything as root. Create a regular user with sudo access for daily work:

# Create a new user
sudo adduser yourname

# Add them to the sudo group
sudo usermod -aG sudo yourname

# Copy your SSH key to the new user
sudo mkdir /home/yourname/.ssh
sudo cp ~/.ssh/authorized_keys /home/yourname/.ssh/
sudo chown -R yourname:yourname /home/yourname/.ssh
sudo chmod 700 /home/yourname/.ssh
sudo chmod 600 /home/yourname/.ssh/authorized_keys

Test that you can log in as the new user before disabling root SSH access:

ssh yourname@YOUR_SERVER_IP