I checked the auth logs on a brand-new server once, about 48 hours after spinning it up. Before I'd even deployed anything on it, there were already thousands of failed SSH login attempts from IP addresses all over the world. Bots constantly scan the internet for exposed servers with default configurations — it's not targeted, it's just automated noise that runs 24/7.
The good news: a handful of straightforward steps makes your server effectively invisible to these automated attacks. None of it is difficult. I run through the same checklist every time I provision a new server, and it takes about 20 minutes.
What's covered here: SSH key authentication, disabling password login, configuring UFW firewall rules, setting up Fail2ban to block repeated failed attempts, and enabling automatic security updates. This is the security baseline — not advanced hardening, just the fundamentals that matter most.
I run this on Tencent Cloud Lighthouse. One thing I specifically appreciate for security configurations: Lighthouse has a console-level firewall that's completely independent of the OS. It operates at the network infrastructure layer, which means it blocks traffic before it even reaches your server. If you accidentally lock yourself out of SSH by misconfiguring UFW, the console firewall keeps everything protected while you use OrcaTerm (the browser-based terminal in the control panel) to fix the issue. Having two independent layers of firewall protection — OS-level UFW plus infrastructure-level console firewall — adds meaningful defense in depth.
Key Takeaways
- Disable SSH password authentication — key-based auth makes brute force irrelevant
- Lighthouse console firewall + UFW = two independent firewall layers
- Fail2ban automatically blocks IPs with repeated failed login attempts
- Enable
unattended-upgradesfor automatic security patches- OrcaTerm provides browser access if SSH gets locked due to misconfiguration
Self-hosting gives you full control of your infrastructure — which means you're also responsible for securing it. A few facts worth knowing:
The good news: the baseline protection covered here stops the vast majority of automated attacks. It takes about 20 minutes and doesn't require deep security expertise.
SSH keys are both more secure and more convenient than passwords. A private key can't be brute-forced.
# On your local machine — not the server
ssh-keygen -t ed25519 -C "server-access-key"
# Accept the default location (~/.ssh/id_ed25519)
# Set a passphrase for extra security (optional but recommended)
# Easiest method
ssh-copy-id username@YOUR_SERVER_IP
# Manual method (if ssh-copy-id isn't available)
# On the server:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo "YOUR_PUBLIC_KEY_CONTENT" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# In a NEW terminal window — don't close your current session yet
ssh username@YOUR_SERVER_IP
# Should connect without asking for a password
Only proceed to disabling password auth after confirming this works.
sudo nano /etc/ssh/sshd_config
Update these settings:
# Disable password authentication
PasswordAuthentication no
# Disable root login
PermitRootLogin no
# Enable public key authentication
PubkeyAuthentication yes
# Optional: change the SSH port (security through obscurity, reduces log noise)
# Port 2222
# Limit login attempts
MaxAuthTries 3
# Disconnect idle sessions
ClientAliveInterval 300
ClientAliveCountMax 2
Save, then restart SSH:
sudo systemctl restart sshd
Test the connection from a new terminal before closing your current session.
Changing SSH from port 22 to a non-standard port (e.g., 2222) doesn't prevent a determined attacker but significantly reduces the volume of automated scanning and log noise.
# In sshd_config, set: Port 2222
# Then open the new port in UFW and Lighthouse firewall
sudo ufw allow 2222/tcp
# Connect with: ssh -p 2222 username@YOUR_SERVER_IP
UFW (Uncomplicated Firewall) manages iptables rules with a simpler interface.
sudo apt install -y ufw
# Deny all incoming connections by default
sudo ufw default deny incoming
# Allow all outgoing connections
sudo ufw default allow outgoing
# Allow SSH — do this BEFORE enabling UFW
sudo ufw allow ssh
# If you changed the SSH port: sudo ufw allow 2222/tcp
# Add other ports as needed
sudo ufw allow http # Port 80
sudo ufw allow https # Port 443
# Enable UFW
sudo ufw enable
# Verify
sudo ufw status verbose
Tencent Cloud Lighthouse also has its own firewall at the console level (under the Firewall tab). This operates independently of UFW and can be used as an additional layer, or as a recovery option if you misconfigure UFW.
I keep both in sync: if I open a port in UFW, I also open it in the Lighthouse console.
Fail2ban monitors log files and automatically bans IP addresses that show signs of brute-force attacks.
sudo apt install -y fail2ban
# Create a local config file (don't edit jail.conf directly)
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
Find the [DEFAULT] section and configure:
[DEFAULT]
# Ban time in seconds (600 = 10 minutes, 3600 = 1 hour)
bantime = 3600
# Window in which to count failures
findtime = 600
# Number of failures before banning
maxretry = 5
# Email notification (optional)
# destemail = your@email.com
# action = %(action_mwl)s
Enable SSH protection in the [sshd] section:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
If you changed the SSH port, update the port value:
[sshd]
enabled = true
port = 2222
Start and enable Fail2ban:
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
# Overall status
sudo fail2ban-client status
# Status of the SSH jail
sudo fail2ban-client status sshd
# See currently banned IPs
sudo fail2ban-client status sshd | grep 'Banned IP'
# Unban an IP (if you accidentally ban yourself)
sudo fail2ban-client set sshd unbanip YOUR_IP
Keeping the OS patched is one of the most effective security measures.
sudo apt install -y unattended-upgrades apt-listchanges
# Configure it
sudo dpkg-reconfigure --priority=low unattended-upgrades
# Select "Yes" to enable
Verify the configuration:
cat /etc/apt/apt.conf.d/20auto-upgrades
Should contain:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
# Check what's listening on network ports
sudo ss -tulpn
# Disable services you don't need
sudo systemctl disable SERVICE_NAME
sudo systemctl stop SERVICE_NAME
sudo nano /etc/fstab
Add this line:
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
Get an email or webhook notification whenever someone successfully logs into your server:
sudo nano /etc/profile.d/login-notify.sh
#!/bin/bash
# Notify on login (customize with your notification method)
echo "Login on $(hostname): $USER from $SSH_CLIENT at $(date)" >> /var/log/login-notify.log
sudo chmod +x /etc/profile.d/login-notify.sh
# View recent authentication events
sudo tail -100 /var/log/auth.log
# Watch failed login attempts live
sudo tail -f /var/log/auth.log | grep "Failed"
# Count failed attempts by IP
sudo grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -rn | head -20
sudo tail -f /var/log/ufw.log
sudo tail -f /var/log/fail2ban.log
The most common security setup mistake: locking yourself out of SSH. This happens when you:
Recovery: If you're on Lighthouse, use OrcaTerm in the console — it gives you direct terminal access regardless of SSH configuration. From there you can fix the issue.
Checklist to avoid lockout:
sudo ufw allow ssh before sudo ufw enable| Step | Command | Done? |
|---|---|---|
| SSH key authentication configured | ssh-copy-id user@SERVER |
☐ |
| Key login verified | ssh user@SERVER (new window) |
☐ |
| Password auth disabled | PasswordAuthentication no in sshd_config |
☐ |
| Root login disabled | PermitRootLogin no in sshd_config |
☐ |
| UFW enabled with SSH allowed | sudo ufw enable |
☐ |
| Fail2ban installed and running | sudo fail2ban-client status sshd |
☐ |
| Auto security updates enabled | unattended-upgrades configured |
☐ |
| All packages updated | sudo apt update && sudo apt upgrade |
☐ |
| Issue | Likely Cause | Fix |
|---|---|---|
| Connection refused | Service not running or wrong port | Check systemctl status SERVICE and verify firewall rules |
| Permission denied | Wrong file ownership or permissions | Check file ownership with ls -la and use chown/chmod to fix |
| 502 Bad Gateway | Backend service not running | Restart the backend service; check logs with journalctl -u SERVICE |
| SSL certificate error | Certificate expired or domain mismatch | Run sudo certbot renew and verify domain DNS points to server IP |
| Service not starting | Config error or missing dependency | Check logs with journalctl -u SERVICE -n 50 for specific error |
| Out of disk space | Logs or data accumulation | Run df -h to identify usage; clean logs or attach CBS storage |
| High memory usage | Too many processes or memory leak | Check with htop; consider upgrading instance plan if consistently high |
| Firewall blocking traffic | Port not open in UFW or Lighthouse console | Open port in Lighthouse console firewall AND sudo ufw allow PORT |
How quickly does a new server start receiving attack attempts?
Within minutes. Automated scanners constantly probe the internet. This is why running the security baseline immediately matters.
What is Fail2ban?
Fail2ban monitors log files for repeated failed auth attempts and blocks source IPs using firewall rules. Effective defense against SSH brute-force attacks.
Should I change the SSH port from 22?
It reduces scanner noise but provides limited actual security. Disabling password auth entirely is more effective.
How does the Lighthouse console firewall differ from UFW?
UFW operates at the OS level. The Lighthouse console firewall operates at the network infrastructure level, blocking traffic before it reaches your server.
What is unattended-upgrades?
It automatically installs security updates on Ubuntu without manual intervention. Enable it for security packages to keep your server patched.
Build on a secure foundation:
👉 Tencent Cloud Lighthouse — Cloud server with console-level firewall
👉 View current pricing and promotions
👉 Explore all active deals and offers