A fresh VPS gets probed by bots within minutes. GoZen provides platform-level security on all plans, but server hardening is your responsibility on unmanaged servers. This guide covers the practical steps that block most automated attacks.

If you haven’t done initial server setup yet, start there. It covers non-root users, SSH keys, and firewall basics. This article builds on that.

Install Fail2Ban

Fail2Ban monitors log files and bans IPs that show malicious patterns. It’s the single most effective tool against brute-force attacks.

Configure Fail2Ban for SSH

Create a local config file (never edit the main config; it gets overwritten on updates):

  sudo nano /etc/fail2ban/jail.local
  

Add:

  [sshd]
  enabled = true
  port = ssh
  filter = sshd
  logpath = /var/log/auth.log
  maxretry = 5
  bantime = 3600
  findtime = 600
  

This bans an IP for 1 hour after 5 failed login attempts within 10 minutes.

  sudo systemctl restart fail2ban
  

Check banned IPs:

  sudo fail2ban-client status sshd
  

Change the SSH Port

Most bots target port 22. Changing the port doesn’t stop a determined attacker, but it eliminates 99% of automated noise from your logs.

  sudo nano /etc/ssh/sshd_config
  

Set the Port directive (uncomment the line if it starts with #):

  Port 2222
  

Allow the new port in your firewall before restarting SSH so you don’t lock yourself out, then update your Fail2Ban config to match the new port:

  [sshd]
  port = 2222
  

Disable Unused Services

Every running service is a potential entry point. List what’s running:

  sudo systemctl list-units --type=service --state=running
  

Disable anything you don’t need:

  # Examples of services you likely don't need
  sudo systemctl disable --now cups          # Print service
  sudo systemctl disable --now avahi-daemon  # mDNS
  sudo systemctl disable --now postfix       # Mail (if not using)
  

Kernel Security (sysctl)

Harden network behaviour:

  sudo nano /etc/sysctl.d/99-hardening.conf
  

Add:

  # Ignore ICMP redirects
  net.ipv4.conf.all.accept_redirects = 0
  net.ipv6.conf.all.accept_redirects = 0

  # Don't send redirects
  net.ipv4.conf.all.send_redirects = 0

  # Enable SYN flood protection
  net.ipv4.tcp_syncookies = 1

  # Log suspicious packets
  net.ipv4.conf.all.log_martians = 1

  # Ignore broadcast pings
  net.ipv4.icmp_echo_ignore_broadcasts = 1
  

Apply:

  sudo sysctl -p /etc/sysctl.d/99-hardening.conf
  

Automatic Security Updates

Quick Security Audit

Run this checklist on any new server:

| Check | Command | Expected |
|---|---|---|
| Root login disabled | grep PermitRootLogin /etc/ssh/sshd_config | no |
| Password auth disabled | grep PasswordAuthentication /etc/ssh/sshd_config | no |
| Fail2Ban running | sudo systemctl status fail2ban | active (running) |
| Firewall active | sudo ufw status or sudo firewall-cmd --state | active / running |
| Auto-updates enabled | Check config files above | Enabled |
| SSH port changed | grep Port /etc/ssh/sshd_config | Not 22 |
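
The SSH rows of the checklist use a plain grep, which also matches commented-out defaults such as #Port 22. As an added example (not part of the original guide), the script below evaluates only active directives; the function names and the sample config are constructed for illustration. It does not follow Include files, so on a live server compare the result with the output of sudo sshd -T.

```shell
#!/bin/sh
# Added example (not from the original guide): check the SSH rows of the audit
# table from active directives only. Function names are hypothetical.

# Print every active value of keyword $1 in sshd_config file $2, one per line.
# Skips comment lines, matches keywords case-insensitively, accepts "Key=value",
# and stops at the first Match block (settings there are conditional).
# Limitation: Include directives are not followed.
sshd_values() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        { sub(/[ \t]*=[ \t]*/, " ") }
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2) }
    ' "$2"
}

# Return the number of failed SSH checks for config file $1 (0 = all pass).
audit_sshd() {
    fails=0
    # sshd uses the first value it reads; absent keywords fall back to defaults.
    root=$(sshd_values PermitRootLogin "$1" | head -n 1)
    pass=$(sshd_values PasswordAuthentication "$1" | head -n 1)
    ports=$(sshd_values Port "$1")   # several Port lines may all be active
    [ "${root:-prohibit-password}" = no ] || { echo "FAIL: PermitRootLogin is ${root:-prohibit-password}"; fails=$((fails + 1)); }
    [ "${pass:-yes}" = no ] || { echo "FAIL: PasswordAuthentication is ${pass:-yes}"; fails=$((fails + 1)); }
    if echo "${ports:-22}" | grep -qx 22; then
        echo "FAIL: sshd still listens on port 22"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample: the commented defaults would fool a plain grep.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin yes
#Port 22
PasswordAuthentication no
PermitRootLogin no
Port 2222
Match User deploy
    PasswordAuthentication yes
EOF
audit_sshd "$sample" && echo "SSH checks passed"
rm -f "$sample"
```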

What to Do Next

Last updated 05 Apr 2026, 00:00 +0200.