How to Harden Your VPS Against Brute Force and SSH Attacks


Your Virtual Private Server is a massive target. Hackers do not sleep. They run automated scripts continuously. These scripts test thousands of passwords every single minute.

If they guess your server password, they win. They take total control of your data. They can delete your website. They can host illegal files. They can completely ruin your digital business.

A simple password is never enough. You must actively harden your digital infrastructure. You must build a secure fortress.

This massive guide teaches you exactly how to protect your server. We break down every single technical step. You will learn how to block automated bots. You will shut down brute force threats entirely.

Let us secure your system right now.

What Is a Brute Force Attack?

A brute force attack is an incredibly simple guessing game. Hackers do not type passwords manually. They use massive networks of infected computers. These networks are called botnets.

The attackers load huge lists of leaked passwords into their software. The software scans the open internet. It looks for servers with weak security. When it finds your server, the guessing begins.

How Automated Scripts Work

The script tests the word "password" first. It fails. Then it tests "admin123". It fails again. It repeats this process millions of times. It never gets tired.

If you use a common dictionary word, the script cracks it instantly. Once the attacker gets inside, your server belongs to them.

You must stop this automated guessing process at the network level. A long password helps slightly. But active defense mechanisms are the only real solution.

Understanding Secure Shell Connections

Secure Shell is the tool you use to manage your remote Linux server. People usually call it SSH. It creates a secure tunnel between your personal laptop and your distant server.

Why Hackers Target Port 22

By default, the SSH service listens on port 22. Every hacker in the world knows this fact. Every automated scanner checks port 22 automatically.

If you leave your access point on port 22, you are asking for trouble. You invite relentless daily attacks. Moving this access point is the foundation of server security.

Step 1: Update Your Core Software

You must always start with fresh software. Old software has known security bugs. Hackers exploit these old bugs easily.

Log into your server. Run this exact command to fetch the latest software lists:

sudo apt update

Wait for the download to finish. Then, upgrade all your current packages:

sudo apt upgrade

Your server might ask you to confirm. Type the letter Y and press enter. Reboot your server if the system installs a new kernel. Fresh software is your first layer of defense.

Step 2: Create a Standard User Account

The root user is the ultimate administrator on Linux. The root account has absolute power. It can destroy the entire server with one command.

Hackers always try to log in as root first. You should never log in as root directly. You need a standard user account instead.

Run this command to create a new user. Replace newuser with your actual name:

adduser newuser

The terminal will ask you to create a password. Make it strong. It will ask for contact details. Just press enter to skip them.

Now, give your new user administrative power. Add the user to the sudo group:

usermod -aG sudo newuser

This new user can now run powerful commands safely by typing sudo first.

Step 3: Install Cryptographic Keys

Passwords are weak by design. Cryptographic keys solve this massive problem. They replace your typed password with an encrypted digital file.

How Digital Keys Work

A key pair has two separate parts. You get a public key and a private key.

The public key is a digital padlock. You put this padlock on your server. The private key is the physical metal key. You keep this private key safely on your laptop.

When you log in, your laptop proves that it holds the private key, and the server checks that proof against the padlock. The private key itself never leaves your laptop. If it matches the padlock, you get inside instantly. If a hacker tries to log in without your exact private key file, the server drops their connection completely.

Generating Your Key Pair

Open the terminal on your personal computer. Do not run this on your server. The official OpenSSH project recommends the Ed25519 algorithm for maximum security. Run this command to build a modern key pair:

ssh-keygen -t ed25519 -C 'your_email@example.com'

Press enter to accept the default save location. The system will ask for a passphrase. A passphrase encrypts your private key file. Type a long phrase and press enter.

Moving the Padlock to Your Server

You must send the public key to your server. Run this command from your laptop. Replace the details with your actual username and IP address:

ssh-copy-id newuser@your_server_ip

Type your password one last time. The system copies the file automatically. Test your new connection. You should log in without typing a traditional server password.

Step 4: Move Your Access Port

Bots attack port 22 blindly. Moving your access point to a random number is highly effective. It drops your attack volume instantly.

Open your main connection configuration file:

sudo nano /etc/ssh/sshd_config

Scroll down. Find the line that says Port 22. Delete the number 22. Pick a random five-digit number. You could choose 48293. Change the line to look exactly like this:

Port 48293

Leave the file open. You have more crucial edits to make next.

Step 5: Disable Root Login Completely

This is the ultimate kill shot for brute force scripts. You have your digital key working. You no longer need passwords. You no longer need root access.

In the exact same configuration file, find this line:

PermitRootLogin yes

Change the word yes to the word no. This blocks the root account completely:

PermitRootLogin no

Next, find the password setting line:

PasswordAuthentication yes

Change this word to no. This kills password guessing entirely:

PasswordAuthentication no

Save your changes. Press Control and O to save. Press Enter. Press Control and X to exit.

Restart the SSH service to apply these massive changes:

sudo systemctl restart sshd

Warning: Do not close your current terminal window yet. Open a brand new window. Test your new custom port. Make absolutely sure your key works. If you made a mistake, fix it in the original open window.
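Before you restart sshd, it is worth checking that the edits from steps 4 and 5 are the ones sshd will actually apply. The shell script below is an added example, not code from the article: it reads a copy of sshd_config and reports the effective value of Port, PermitRootLogin and PasswordAuthentication. sshd honours the first uncommented occurrence of a directive, and this simple check does not follow Include lines that pull in drop-in files.

```shell
#!/bin/sh
# Added example, not code from the article: audit an sshd_config for the settings
# changed in steps 4 and 5. sshd applies the FIRST uncommented occurrence of a
# directive, so a hardened line added below an older one never takes effect.
# Caveat: Include directives (drop-in files) are not followed by this check.

# Print the effective value of one directive (first uncommented match, case-insensitive).
# Usage: sshd_effective <config-file> <Directive>
sshd_effective() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Return 0 only if the file matches the guide: custom port, no root login, no passwords.
# Prints one line per check so the admin sees exactly which setting is still weak.
sshd_audit() {
    cfg="$1"; rc=0
    port=$(sshd_effective "$cfg" Port)
    root=$(sshd_effective "$cfg" PermitRootLogin)
    pass=$(sshd_effective "$cfg" PasswordAuthentication)

    # An empty value means the directive is absent and sshd uses its built-in
    # default: Port 22, PermitRootLogin prohibit-password, PasswordAuthentication yes.
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "WEAK: SSH still listens on port 22"; rc=1
    else
        echo "OK:   Port $port"
    fi
    if [ "$root" = "no" ]; then
        echo "OK:   PermitRootLogin no"
    else
        echo "WEAK: PermitRootLogin is '${root:-<default>}', expected 'no'"; rc=1
    fi
    if [ "$pass" = "no" ]; then
        echo "OK:   PasswordAuthentication no"
    else
        echo "WEAK: PasswordAuthentication is '${pass:-<default>}', expected 'no'"; rc=1
    fi
    return $rc
}

# Stand-alone run: pass the config path as the first argument (needs root to read it).
if [ -n "$1" ]; then sshd_audit "$1"; fi
```

Run it as `sudo sh audit.sh /etc/ssh/sshd_config` (file name is your choice); a non-zero exit means at least one setting is still at its weak value.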

Step 6: Configure a Strict Server Firewall

A firewall is a strict border guard. It drops bad data packets before they touch your server applications. Whatever VPS setup tutorial you follow, configuring this guard is mandatory.

Ubuntu servers include the Uncomplicated Firewall, ufw. It is very easy to use. First, block all incoming traffic by default:

sudo ufw default deny incoming

Next, allow your server to send data out freely:

sudo ufw default allow outgoing

Now you must open specific doors. If you skip this, you will lock yourself out. Allow your new custom port number. Use the exact number you chose earlier:

sudo ufw allow 48293/tcp

If you host a website, open the standard web port:

sudo ufw allow 80/tcp

You must also allow secure web traffic. This ensures your SSL certificate functions properly:

sudo ufw allow 443/tcp

Enable the firewall service now:

sudo ufw enable

Type Y and press enter. Your server is now sitting safely behind a strict digital wall.

Step 7: Deploy Fail2Ban for Automated Defense

Bots might still scan your custom port. They will fail to guess your digital key. But these failed attempts waste your server memory. You need an automated robot to fight back.

The open-source Fail2Ban software reads your server logs in real time. It spots failed logins instantly.

If an IP address fails too many times, Fail2Ban blocks them at the firewall automatically.

Install the software directly:

sudo apt install fail2ban

Create a local configuration file. This stops updates from deleting your rules:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open your new local file:

sudo nano /etc/fail2ban/jail.local

Scroll down to the sshd section. Update the port setting to match your custom number. Make it look like this:

[sshd]
enabled = true
port = 48293

Look for the bantime setting. Change it to 86400. This blocks attackers for a full day. Look for the maxretry setting. Change it to 3.

Save the file and exit. Restart the service to load your aggressive rules:

sudo systemctl restart fail2ban

You now have a heavy security guard working for you continuously.

Step 8: Add Two-Factor Authentication

If someone steals your personal laptop, they steal your digital key. You can prevent this physical threat by adding Two-Factor Authentication.

Install the Google Authenticator module on your server:

sudo apt install libpam-google-authenticator

Run the setup program. Do not use sudo here:

google-authenticator

Answer yes to make tokens time-based. Scan the massive barcode with your phone app. Write down the emergency backup codes. Keep them safe. Answer yes to all the remaining security questions.

Linking the Code to Your Login

Open the main configuration file again:

sudo nano /etc/ssh/sshd_config

Find ChallengeResponseAuthentication. Change the value to yes. Save the file.

Now edit the deep system authentication rules:

sudo nano /etc/pam.d/sshd

Scroll to the absolute bottom. Add this exact line:

auth required pam_google_authenticator.so

Save the file. Restart the connection service:

sudo systemctl restart sshd

Your server will now ask for your digital key first. Then it will demand the six-digit code from your phone. You are completely locked down.
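As an added example that is not from the article, here are the sshd_config lines that make the key and the code both mandatory. AuthenticationMethods, KbdInteractiveAuthentication and UsePAM are real OpenSSH directives the article does not mention; without AuthenticationMethods, a valid key alone completes the login and the PAM module is never consulted.

```sshd_config
# Hardening from steps 4 and 5
Port 48293
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

# Step 8: let sshd hand the second prompt to PAM. ChallengeResponseAuthentication
# is the older name for KbdInteractiveAuthentication; set whichever your version uses.
KbdInteractiveAuthentication yes
UsePAM yes

# Require BOTH methods, in this order: the key first, then the verification code
AuthenticationMethods publickey,keyboard-interactive
```

On Debian-based systems, also comment out the `@include common-auth` line in /etc/pam.d/sshd, otherwise the keyboard-interactive step asks for the account password you just disabled before it asks for the code.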

Step 9: Monitor Your Security Logs

Security requires active observation. You must check your logs to see the battlefield.

Your server records every single failed attempt. View the recent connection logs with this command:

sudo grep sshd /var/log/auth.log

You will see many lines saying connection closed. These are bots failing to breach your walls.

Check how many attackers your Fail2Ban robot has trapped. Run this status check:

sudo fail2ban-client status sshd

A high number means your security layers are working beautifully.
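Fail2Ban does this counting for you, but it helps to see the logic it applies to the lines in auth.log. The shell script below is an added example, not code from the article: it tallies failed SSH logins per source address and lists the addresses that crossed the maxretry threshold of 3 set in step 7. The log lines are constructed and use documentation addresses.

```shell
#!/bin/sh
# Added example, not code from the article: count failed SSH logins per source
# address from auth.log-style lines and list the addresses that crossed the same
# threshold Fail2Ban uses (maxretry = 3 in the guide). Sample lines are constructed.

# Read auth.log lines on stdin, print "<count> <ip>" per offending address, most first.
ssh_failures_by_ip() {
    # The three failure lines sshd writes: bad password, unknown user, and a client
    # that hung up before finishing authentication.
    grep -E 'sshd\[[0-9]+\]: (Failed password|Invalid user|Connection closed by (invalid|authenticating) user)' |
    awk '{
        # The address is the first IPv4-looking field; IPv6 clients are not handled here.
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { hits[$i]++; break }
    } END { for (a in hits) print hits[a], a }' |
    sort -rn
}

# Print only addresses with at least $1 failures (default 3, matching maxretry).
ssh_offenders() {
    ssh_failures_by_ip | awk -v limit="${1:-3}" '$1 >= limit { print $2 }'
}

# Constructed sample: one noisy bot, plus one mistyped login by the real admin.
sample_auth_log() {
    cat <<'EOF'
Mar  3 08:01:12 vps sshd[2314]: Invalid user admin from 203.0.113.5 port 54211
Mar  3 08:01:12 vps sshd[2314]: Failed password for invalid user admin from 203.0.113.5 port 54211 ssh2
Mar  3 08:01:15 vps sshd[2316]: Failed password for root from 203.0.113.5 port 54230 ssh2
Mar  3 08:01:17 vps sshd[2318]: Connection closed by authenticating user root 203.0.113.5 port 54240 [preauth]
Mar  3 08:02:40 vps sshd[2320]: Failed password for newuser from 198.51.100.7 port 40010 ssh2
Mar  3 08:02:51 vps sshd[2320]: Accepted publickey for newuser from 198.51.100.7 port 40010 ssh2
EOF
}

# Stand-alone run: show the table, then the addresses Fail2Ban would ban.
sample_auth_log | ssh_failures_by_ip
echo "--- over threshold ---"
sample_auth_log | ssh_offenders 3
```

On a live server, feed the real log instead: `sudo ssh_failures_by_ip < /var/log/auth.log` after sourcing the script.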

Infrastructure Choices and Security Risks

Managing a raw virtual server takes intense focus. You must update the operating system. You must write firewall rules manually. You carry all the structural risk.

If you want to grasp this responsibility fully, you must understand exactly what VPS hosting is. It offers ultimate freedom, but it demands ultimate technical discipline.

The Managed Cloud Platform Advantage

Many business owners hate managing server terminal screens. They want to focus entirely on building their brand revenue.

Premium managed platforms eliminate this technical stress completely. They handle the hard work automatically.

When you launch a server on Cloudways, they lock down the ports for you. You never have to edit complex configuration files. They install a massive web hosting firewall automatically.

Massive network floods will crash a raw server instantly. Moving to a premium environment guarantees that global DDoS protection is active from day one.

Dedicated platforms like Kinsta and WP Engine optimize the application layer specifically. They isolate your website in secure containers. They scan for malware daily.

Even top-tier shared environments like SiteGround write aggressive custom security rules to protect their clients from brute force tools.

Choosing a managed platform buys you peace of mind. It saves you dozens of hours every single month.

Common Beginner Security Mistakes

Even smart users make simple errors. Avoid these dangerous mistakes.

Losing Your Digital Key

Your private key is your only door. If your hard drive dies, the key dies. Back up your private key file to a secure offline USB drive immediately.

Locking the Firewall Improperly

Always allow your custom port before enabling the firewall. If you turn it on too early, you block yourself instantly.

Ignoring Basic Database Security

A secure server is useless if your website admin password is weak. You must combine server hardening with essential hosting security practices. Keep your plugins updated constantly.

Banning Your Own Office

Aggressive Fail2Ban rules can trap you. If you forget your password, you might ban your own office network. Whitelist your static home IP address so your own access is never blocked and your uptime is preserved.

Conclusion

Securing your virtual private server is mandatory. Automated bots scour the internet constantly. If you leave your server on factory settings, they will break inside. They will destroy your hard work.

You changed your access port. You killed password authentication entirely. You deployed cryptographic keys. You built a strict firewall. You activated an automated response robot.

Your server is no longer an easy target. It is a hardened digital vault. You can now build your business with total confidence.

Frequently Asked Questions

Can I use a password and a key together?

Technically yes. But it ruins your security. Bots will continue to guess the password. Disabling passwords entirely is the only way to kill brute force attacks.

Will changing my port break my live website?

No. Web traffic uses port 80 and port 443 strictly. Changing your Secure Shell port only changes your backend terminal access. Your visitors notice nothing.

What happens if I lose my authenticator phone?

You must use your emergency backup codes. Each code works exactly once. Log in using a backup code. Disable the requirement until you buy a new phone.

Does a strong firewall slow down my server speed?

No. Firewalls check packets at incredible speeds. Dropping bad traffic quickly actually saves your server processing power. Your live site will likely run faster.

Should I change my port number every month?

No. Changing it once takes you off the massive automated radar. Changing it constantly provides zero extra security. It just increases the chance of a typing mistake.
