🏆 Case Study

Secured Ubuntu VPS Against Attacks

Hardened a Linux server that was experiencing brute-force SSH scans and unauthorized access attempts, locking down ports and logs.

99.9% drop: brute-force attempts stopped
BEFORE:

Server logs recorded over 15,000 failed SSH root login attempts per day from botnets, driving up CPU load and risking a security breach.

AFTER:

SSH root login disabled, public port 22 closed, Fail2ban active, and firewall blocking unauthorized scans.

The Challenge

The client managed a fintech application server hosted on a standard Ubuntu VPS. While reviewing system logs, they noticed that system resources were strained. Their auth.log file recorded thousands of automated password-guessing attempts every hour, indicating that the server was being targeted by a botnet.

Technical Diagnosis

I ran security audits and discovered:

  • SSH was open to the public on the default port 22, allowing automated bots to scan the port continuously.
  • Root login was enabled with password authentication, leaving the server vulnerable to dictionary attacks.
  • No firewall rules were active, leaving internal developer database ports exposed to the public internet.

Steps Taken

  1. User Administration: I created a secure, limited user account, added it to sudoers, and disabled default root login permissions.
  2. SSH Key Authorization: I configured RSA 4086-bit public/private SSH keys for developer access and disabled password authentication in sshd_config.
  3. Port Customization: I relocated the SSH listening port from 22 to a random high port to hide the service from automated scanners.
  4. Firewall Implementation: I enabled UFW, blocking all incoming ports except public web traffic (80/443) and the custom SSH port.
  5. Intrusion Prevention: I installed Fail2ban and configured jails to monitor logs, banning IP addresses after 3 failed connections.
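
A check for steps 1 to 3, added here as an example and not the script used in this engagement: it audits the global section of an sshd_config-style file for root login, password authentication and port 22. The function names and the port 49222 are placeholders; Include files, Match blocks and ListenAddress entries with an explicit port are not evaluated.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config-style file.

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the first value it reads for a keyword; keywords are
# case-insensitive and "Keyword=value" is accepted.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }                     # comment line
        { sub(/[ \t]*=[ \t]*/, " ") }           # normalise Keyword=value
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == tolower(key) && !found { val = $2; found = 1 }
        END { print (found ? tolower(val) : def) }
    ' "$1"
}

# listening_ports FILE
# Port is the exception: it may repeat, and sshd listens on every one.
listening_ports() {
    awk '
        /^[ \t]*#/ { next }
        { sub(/[ \t]*=[ \t]*/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == "port" { ports = ports (ports ? " " : "") $2 }
        END { print (ports ? ports : "22") }
    ' "$1"
}

# audit_sshd FILE: returns 0 only if root login and passwords are off
# and port 22 is no longer a listening port.
audit_sshd() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    pass=$(effective_value "$1" PasswordAuthentication yes)
    [ "$root" = "no" ] || { echo "FAIL PermitRootLogin=$root"; rc=1; }
    [ "$pass" = "no" ] || { echo "FAIL PasswordAuthentication=$pass"; rc=1; }
    for p in $(listening_ports "$1"); do
        [ "$p" != "22" ] || { echo "FAIL sshd still listens on port 22"; rc=1; }
    done
    return "$rc"
}

# Constructed sample (49222 is a placeholder port): the appended "no"
# loses to the earlier "yes", so password logins remain enabled.
demo=$(mktemp)
printf '%s\n' 'PasswordAuthentication yes' 'PermitRootLogin no' \
    'Port 49222' 'PasswordAuthentication no' > "$demo"
audit_sshd "$demo" || echo "hardening incomplete"
rm -f "$demo"
```

On a live host, `sshd -T` prints the effective configuration with Include files applied, which is the authoritative cross-check for this audit.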

Before vs After Results

Failed login attempts dropped from 15,000+ per day to zero. The custom SSH port effectively hides the SSH service from automated bot scanners. Fail2ban banned several active attackers within hours, restoring normal CPU performance and securing developer databases.

Lessons Learned

Never deploy public cloud servers without configuring a firewall. Require SSH keys instead of passwords to eliminate exposure to brute-force password guessing.
