Why Hardening Matters

A freshly provisioned server with root access and a default SSH port is scanned and probed within minutes of its IP appearing online. Without hardening, even a well-written application running on top of it is at risk.

The checklist below takes about 30 minutes and eliminates the vast majority of opportunistic attacks.

1. Disable Root Login and Use SSH Keys

# Generate a key pair on your local machine
ssh-keygen -t ed25519 -C "your@email.com"

# Copy the public key to the server
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@your-server-ip

Then in /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

Restart SSH: systemctl restart sshd

2. Change the Default SSH Port

Not security through obscurity alone — it dramatically reduces automated scan noise:

Port 2222

3. Configure UFW (Uncomplicated Firewall)

ufw default deny incoming
ufw default allow outgoing
ufw allow 2222/tcp   # your custom SSH port
ufw allow 80/tcp     # HTTP
ufw allow 443/tcp    # HTTPS
ufw enable

4. Enable Automatic Security Updates

apt install unattended-upgrades
dpkg-reconfigure --priority=low unattended-upgrades

5. Install Fail2Ban

Fail2Ban monitors log files and bans IPs with too many failed attempts:

apt install fail2ban
systemctl enable fail2ban --now

6. Set Up Intrusion Detection With OSSEC or Wazuh

For production workloads, a host-based intrusion detection system (HIDS) gives you real-time alerts on:

  • Unauthorised file changes
  • Privilege escalation attempts
  • Suspicious process creation

7. Periodic Audits

  • Run lynis audit system monthly
  • Review auth.log weekly
  • Rotate secrets and API keys quarterly

HostingNodes Network-Level Protection

Beyond OS hardening, all HostingNodes servers ship with always-on volumetric DDoS scrubbing at our network edge — no configuration required on your end.

Learn more about our DDoS protection →