Fail2Ban and UFW: Basic VPS Security That Actually Works in 2026
Within minutes of a VPS going online with a public IP, automated scanners begin probing SSH and common ports. This is not paranoia — it is measurable reality. Check your authentication logs:
grep "Failed password" /var/log/auth.log | wc -l
On an unprotected server, this number reaches thousands within 48 hours. UFW and Fail2Ban reduce this surface to near zero.
UFW: Defining What Should Be Reachable
UFW (Uncomplicated Firewall) wraps Linux iptables in a simple interface. Basic setup:
# Install
sudo apt install ufw
# Default: deny incoming, allow outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Essential: allow SSH (change 22 to your custom port if you moved it)
sudo ufw allow 22/tcp
# Add your services:
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
sudo ufw allow 25565/tcp # Minecraft
sudo ufw allow 30120/tcp # FiveM
# DO NOT add ports you don't use
# Enable
sudo ufw enable
# Verify
sudo ufw status verbose
Fail2Ban: Automatic IP Blocking After Failed Attempts
Fail2Ban monitors log files and bans IPs with too many failed authentication attempts:
sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit /etc/fail2ban/jail.local:
[DEFAULT]
# Ban after 5 failed attempts
maxretry = 5
# Ban for 1 hour
bantime = 3600
# Window: count failures within 600 seconds
findtime = 600
[sshd]
enabled = true
port = 22 # Change if you moved SSH
logpath = /var/log/auth.log
Restart and verify:
sudo systemctl restart fail2ban
sudo fail2ban-client status sshd
Beyond Basics: SSH Key Authentication Only
Password-based SSH authentication is unnecessary with key-based auth. Disable it:
# In /etc/ssh/sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes
With key-based auth + UFW + Fail2Ban, your VPS is protected from the overwhelming majority of automated attacks.