Security · 5 April 2026 · 10 min read

Server Hardening: Protection Against Attacks with Fail2Ban, UFW and Pentest

Comprehensive security guide explaining the use of Fail2Ban, UFW firewall, SSH hardening, rate limiting and built-in pentest scanner to secure your VPS.

#security #fail2ban #ufw #pentest #ssh #hardening
VDS Panel Team
The team that builds the product

A VPS exposed to the Internet starts being scanned within its first hour online. Bots probe ports such as 22 (SSH), 80 (HTTP), 443 (HTTPS) and 3306 (MySQL) and try default passwords against them. Look at the auth log and you will see thousands of failed login attempts on day one.

This guide explains how to harden a VPS to a production-grade level, which measures are critical and why, and how VDS Panel sets these layers up automatically.

At a glance

  • First attack attempt: 5-10 minutes after going online
  • Brute-force attempts: 1000+ per day
  • Pentest tests: 140+
  • Bot traffic blocked: 99%

Defense layers

Security is not a single tool but a combination of layers:

  1. Network layer: close unnecessary ports with a firewall (UFW)
  2. Access layer: key-only SSH, brute-force prevention with Fail2Ban
  3. Application layer: rate limiting, CSP, HSTS and CORS hardening
  4. Audit layer: logging, a security audit trail, anomaly detection
  5. Pentest layer: vulnerability scanning and realistic attack simulation

Getting past one layer does not hand an attacker the whole server.

Layer 1: UFW firewall

UFW (Uncomplicated Firewall) is the user-friendly front end to iptables. Once enabled, its default policy denies every incoming connection and allows outgoing ones; only the ports you explicitly allow are reachable from outside.

Apart from the ports the server actually serves (typically SSH, HTTP and HTTPS), everything else (MySQL, PostgreSQL, Redis, the panel's internal services) stays reachable only from localhost. VDS Panel sets up this configuration automatically.

Common mistake: opening DB ports

Do not open PostgreSQL 5432 or MySQL 3306 to the outside world. They get opened "for remote access", and bots start brute-forcing them within minutes. Use an SSH tunnel or a VPN for remote administration, and bind the database to 127.0.0.1 as well (bind-address for MySQL, listen_addresses for PostgreSQL) so that a single careless firewall edit cannot expose it.
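What the firewall step looks like in practice, as an added example that is not VDS Panel's installer: the baseline policy, plus an audit of what is listening on all interfaces, which is the check behind the "do not open DB ports" warning. It assumes SSH on port 2222 (as suggested later in this guide) and nginx on 80/443; change the two variables for your server.

```shell
#!/usr/bin/env bash
# Added example, not VDS Panel's installer: baseline UFW policy for a web VPS
# and an audit of TCP listeners bound to all interfaces.
# Assumptions: SSH on 2222, nginx on 80/443, everything else localhost-only.
set -eu

SSH_PORT="${SSH_PORT:-2222}"
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-80 443}"

apply_ufw_baseline() {
  ufw default deny incoming        # drop everything not explicitly allowed
  ufw default allow outgoing
  for p in $PUBLIC_TCP_PORTS; do
    ufw allow "${p}/tcp"
  done
  # `limit` allows the port but drops a source that opens 6+ new connections
  # in 30 s: a cheap first brake on SSH brute-force (IPv4 only). Use it
  # instead of a plain allow rule for SSH, or the allow rule matches first.
  ufw limit "${SSH_PORT}/tcp"
  ufw --force enable               # --force skips the "may disrupt SSH" prompt
  ufw status numbered
}

# exposed_listeners: read `ss -H -ltn` lines on stdin and print "port address"
# for every TCP listener bound to all interfaces whose port is not meant to be
# public. UFW blocks these from outside, but a daemon that should never leave
# localhost (MySQL, PostgreSQL, Redis) is one bad firewall edit away from
# exposure, so bind it to 127.0.0.1 as well.
exposed_listeners() {
  awk -v allowed="$SSH_PORT $PUBLIC_TCP_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      addr = $4                                 # Local Address:Port column
      i = length(addr)
      while (i > 0 && substr(addr, i, 1) != ":") i--
      host = substr(addr, 1, i - 1); port = substr(addr, i + 1)
      wildcard = (host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::")
      if (wildcard && !(port in ok)) print port, host
    }'
}

case "${1:-}" in
  --apply) apply_ufw_baseline ;;
  --audit) ss -H -ltn | exposed_listeners ;;
esac
```

Run it as root with --apply on a fresh box, then --audit; every line the audit prints is a service that should be reconfigured to listen on 127.0.0.1 regardless of what the firewall currently allows.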

Layer 2: SSH hardening

Default SSH settings accept password logins, let root authenticate with a key, and listen exactly where every scanner looks. Basic precautions:

  1. Turn off password login
     PasswordAuthentication no in /etc/ssh/sshd_config. Logins then require an SSH key, so password guessing stops working entirely.
  2. Turn off root login
     PermitRootLogin no. The attacker now has to guess a valid username as well instead of simply targeting 'root'. Note that the stock value, prohibit-password, already blocks root password logins but still allows root with a key.
  3. Change the port
     For example 2222 instead of 22. Mass scanners mostly hit 22 and miss the alternative port. This is security through obscurity: it stops no targeted attacker, but it is a very effective noise reducer. Allow the new port in UFW before restarting sshd, and test a fresh login before closing your current session.
  4. Use an Ed25519 key
     Ed25519 instead of RSA 2048: a much shorter key, faster operations, and no key-size or padding decisions to get wrong. Generate it with ssh-keygen -t ed25519.
  5. Activate Fail2Ban
     IPs with repeated failed logins are banned automatically. Let's move on to layer 3.
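The five steps as one script, added here as an example and not the panel's own code. It writes the settings as an sshd_config drop-in, validates them with sshd -t, and audits the effective configuration reported by sshd -T, which is the authority on what is actually in force, not the file you edited. Assumptions: OpenSSH with the Include /etc/ssh/sshd_config.d/*.conf line that Ubuntu and Debian ship, port 2222, and the ssh service name used by Ubuntu.

```shell
#!/usr/bin/env bash
# Added example, not VDS Panel's code: apply the SSH hardening steps as a
# drop-in and audit the effective sshd configuration.
# Assumptions: OpenSSH reads /etc/ssh/sshd_config.d/*.conf, port 2222,
# Ubuntu service name "ssh".
set -eu

SSH_PORT="${SSH_PORT:-2222}"

write_sshd_dropin() {
  # Survival order: open the new port in UFW before sshd moves, keep this
  # session open, and verify a fresh login before you close it.
  ufw limit "${SSH_PORT}/tcp"
  cat > /etc/ssh/sshd_config.d/99-hardening.conf <<EOF
Port ${SSH_PORT}
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
EOF
  sshd -t                      # never restart on a failing -t
  # Ubuntu 22.10 and later socket-activate sshd; there, also run
  # `systemctl daemon-reload && systemctl restart ssh.socket` so the new
  # Port is picked up by the socket unit.
  systemctl restart ssh
}

make_key() {  # Ed25519 client key: run on the client, then ssh-copy-id
  ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519 -C "${USER}@$(hostname)"
}

# audit_sshd: read `sshd -T` output on stdin and print "key got want" for
# each setting that differs from the hardened target. Empty output = pass.
audit_sshd() {
  awk -v port="$SSH_PORT" '
    BEGIN {
      want["passwordauthentication"] = "no"
      want["permitrootlogin"] = "no"
      want["pubkeyauthentication"] = "yes"
      want["port"] = port
      want["maxauthtries"] = "3"
    }
    ($1 in want) { seen[$1] = 1; if ($2 != want[$1]) print $1, $2, want[$1] }
    END { for (k in want) if (!(k in seen)) print k, "missing", want[k] }' | LC_ALL=C sort
}

case "${1:-}" in
  --apply) write_sshd_dropin ;;
  --audit) sshd -T | audit_sshd ;;   # needs root
esac
```

Run --audit after every change: a drop-in that is shadowed by an earlier file (OpenSSH keeps the first value it sees for each keyword) shows up here as a mismatch even though the file you wrote looks right.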

Layer 3: Fail2Ban

Fail2Ban watches log files and temporarily bans an IP when it sees a suspicious pattern repeat:

  • P0 → failed SSH logins
  • P1 → repeated HTTP 401/403/429 responses
  • your own application's log → custom jail definitions

Default behavior: 3 failed attempts within the findtime window earn a 10-minute ban (Fail2Ban's stock jail.conf is looser, at 5 attempts). With bantime.increment enabled, each repeat ban lasts longer than the last.

99% of bot traffic is filtered: with Fail2Ban and UFW together, almost all automated brute-force attempts end in a ban. The remaining 1% is the part to watch. Fail2Ban counts per source IP, so a distributed attack that spreads attempts across many addresses stays under maxretry, and a slow attacker who spaces attempts wider than findtime never trips it; that is why key-only SSH (layer 2) still matters.

VDS Panel automatically configures Fail2Ban with custom jails: SSH, nginx auth, and dedicated rules for the P0 and P1 endpoints.
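A jail.local for the cases above, together with an offline model of Fail2Ban's findtime/maxretry decision, added here as an example (it is not the panel's jail set). The model runs over constructed sshd log lines so the ban decision can be checked without touching a server. Assumptions: Fail2Ban 0.11 or newer (for bantime.increment), SSH on 2222, nginx errors in /var/log/nginx/error.log, UFW as the ban backend.

```shell
#!/usr/bin/env bash
# Added example, not VDS Panel's jail set: a jail.local for sshd and nginx,
# and an awk model of the findtime/maxretry rule over constructed log lines.
# Assumptions: Fail2Ban >= 0.11, SSH on 2222, nginx error log path, UFW banaction.
set -eu

jail_local() {
  cat <<'EOF'
[DEFAULT]
bantime  = 10m
findtime = 10m
maxretry = 3
# repeat offenders get 10m, 20m, 40m ... capped at bantime.maxtime
bantime.increment = true
bantime.maxtime   = 1w
# add your own management IP here so you cannot lock yourself out
ignoreip  = 127.0.0.1/8 ::1
# ban through UFW so all firewall state lives in one place
banaction = ufw

[sshd]
enabled = true
port    = 2222
# read the journal; required where sshd no longer writes /var/log/auth.log
backend = systemd

[nginx-http-auth]
enabled = true
port    = http,https
logpath = /var/log/nginx/error.log
EOF
}

# Constructed sample: a fast attacker, a slow attacker, one legitimate key login.
SAMPLE_LOG='Apr 05 10:00:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Apr 05 10:00:04 vps sshd[1203]: Failed password for root from 203.0.113.7 port 41031 ssh2
Apr 05 10:00:09 vps sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 41040 ssh2
Apr 05 10:03:00 vps sshd[1210]: Failed password for root from 198.51.100.9 port 50001 ssh2
Apr 05 10:20:00 vps sshd[1250]: Failed password for root from 198.51.100.9 port 50002 ssh2
Apr 05 10:40:00 vps sshd[1290]: Failed password for root from 198.51.100.9 port 50003 ssh2
Apr 05 10:41:00 vps sshd[1295]: Accepted publickey for deploy from 192.0.2.50 port 60000 ssh2'

# ban_decisions MAXRETRY FINDTIME_SECONDS: stdin is sshd log text; prints
# "ban <ip>" once for each IP that reaches MAXRETRY failures inside any
# FINDTIME window, which is the rule a Fail2Ban jail applies.
ban_decisions() {
  awk -v maxretry="$1" -v findtime="$2" '
    function tsec(t,  h) { split(t, h, ":"); return h[1]*3600 + h[2]*60 + h[3] }
    /sshd\[[0-9]+\]: Failed password for / {
      ip = ""; for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "" || (ip in banned)) next
      now = tsec($3)                      # sample lines are within one day
      n[ip]++; t[ip, n[ip]] = now
      c = 0
      for (j = 1; j <= n[ip]; j++) if (now - t[ip, j] <= findtime) c++
      if (c >= maxretry) { banned[ip] = 1; print "ban", ip }
    }'
}

case "${1:-}" in
  --jail) jail_local ;;
  --demo) printf '%s\n' "$SAMPLE_LOG" | ban_decisions 3 600 ;;
esac
```

With the 10-minute findtime the --demo run bans only 203.0.113.7: the attacker at one attempt every 17 minutes never accumulates three failures inside a window, which is the gap a longer findtime (or key-only SSH) closes. Validate a filter against the real log with fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf and inspect active bans with fail2ban-client status sshd.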

Layer 4: Application security

OS-level protections are not enough. Inside the application:

Rate limiting

Request limit per endpoint:

  • Login endpoint: 10 requests / 15 minutes / IP
  • Public API: 100 requests / minute / IP
  • Admin API: 500 requests / minute / user

When a limit is exceeded, 429 Too Many Requests is returned. The panel applies two rate-limit layers, one in nginx and one in the backend. One check worth making on any such setup: if nginx sits behind a load balancer or CDN, the per-IP key must be the real client address (the real_ip module with a trusted proxy list), otherwise every visitor shares the proxy's single bucket.
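The nginx side of these three tiers, added here as an example and not VDS Panel's configuration, together with a small awk model of nginx's limit_req accounting so you can see which request in a burst receives the 429. Assumptions (all hypothetical): the backend on 127.0.0.1:8080, the login endpoint at /api/login, the admin API under /api/admin/, and a $jwt_sub variable set by your auth layer for per-user limiting.

```shell
#!/usr/bin/env bash
# Added example, not VDS Panel's configuration: nginx limit_req for the three
# tiers and an awk model of nginx's leaky-bucket rule.
# Assumptions: backend 127.0.0.1:8080, /api/login, /api/admin/, $jwt_sub set
# by the auth layer (hypothetical names).
set -eu

ratelimit_conf() {
  # nginx rates are whole r/s or r/m, so "10 per 15 minutes" has no exact
  # form. rate=1r/m burst=9 nodelay admits 10 requests at once and then one
  # more per minute; lower the rate if that refill is too generous.
  # Requests with an empty key (no $jwt_sub) are not limited at all, so the
  # admin zone must sit behind authentication.
  cat <<'EOF'
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/m;
limit_req_zone $binary_remote_addr zone=api:10m   rate=100r/m;
limit_req_zone $jwt_sub            zone=admin:10m rate=500r/m;
limit_req_status 429;

server {
    location = /api/login { limit_req zone=login burst=9  nodelay; proxy_pass http://127.0.0.1:8080; }
    location /api/admin/  { limit_req zone=admin burst=50 nodelay; proxy_pass http://127.0.0.1:8080; }
    location /api/        { limit_req zone=api   burst=20 nodelay; proxy_pass http://127.0.0.1:8080; }
}
EOF
}

# limit_req_sim RATE_PER_MIN BURST: stdin is "seconds ip" lines in time order;
# prints "seconds ip allow|429" using nginx's rule: excess = previous excess
# - rate * elapsed + 1 (floored at 0); reject when excess > burst; a rejected
# request does not update the bucket.
limit_req_sim() {
  awk -v rpm="$1" -v burst="$2" '
    {
      now = $1 + 0; ip = $2
      if (!(ip in last)) { excess[ip] = 0; last[ip] = now; print now, ip, "allow"; next }
      e = excess[ip] - (rpm / 60) * (now - last[ip]) + 1
      if (e < 0) e = 0
      if (e > burst) { print now, ip, "429"; next }
      excess[ip] = e; last[ip] = now; print now, ip, "allow"
    }'
}

case "${1:-}" in
  --conf) ratelimit_conf ;;
  --demo) for t in 0 1 2 3 4 5 6 7 8 9 10 11 130; do echo "$t 203.0.113.7"; done | limit_req_sim 1 9 ;;
esac
```

The --demo run shows the mapping: requests 1 to 10 pass, 11 and 12 get 429, and the request two minutes later passes again because the bucket drained at one request per minute. Reload with nginx -t && nginx -s reload after writing the --conf output into your site configuration.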

Security headers

These headers close off common vectors: Strict-Transport-Security keeps browsers on HTTPS, Content-Security-Policy restricts where scripts and frames may load from (blunting XSS and clickjacking), X-Frame-Options blocks framing by other sites, and X-Content-Type-Options: nosniff stops MIME sniffing. VDS Panel sends these headers by default for every domain.
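A baseline header set for nginx and a check that reads raw response headers (for example from curl -sI) and lists what is missing, added here as an example rather than the panel's own configuration. The CSP shown is deliberately strict and is an assumption; loosen it per application rather than starting permissive.

```shell
#!/usr/bin/env bash
# Added example, not VDS Panel's configuration: nginx security headers and a
# missing-header check over captured response headers.
set -eu

security_headers_conf() {
  # add_header is NOT inherited by a location block that defines its own
  # add_header; put these in a snippet and `include` it in every such
  # location, or they silently disappear there. `always` also sends them
  # on error responses.
  cat <<'EOF'
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'; base-uri 'self'" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
server_tokens off;
EOF
}

REQUIRED_HEADERS="strict-transport-security content-security-policy x-content-type-options x-frame-options referrer-policy"

# missing_headers: stdin is a raw HTTP response header block (CRLF tolerated);
# stdout is one missing header name per line, in REQUIRED_HEADERS order.
missing_headers() {
  tr -d '\r' | awk -v req="$REQUIRED_HEADERS" '
    BEGIN { n = split(req, r, " ") }
    /^[A-Za-z0-9-]+:/ { h = tolower($1); sub(/:$/, "", h); seen[h] = 1 }
    END { for (i = 1; i <= n; i++) if (!(r[i] in seen)) print r[i] }'
}

case "${1:-}" in
  --conf) security_headers_conf ;;
  --check) curl -sI "$2" | missing_headers ;;
esac
```

Run --check https://your-domain/ against the real site and, separately, against an error page such as /does-not-exist: the second request is the one that catches a location block that dropped the inherited headers.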

JWT security

  • Strict signature verification against the P0 attack: the expected algorithm is fixed server-side, never read from the token header
  • Tokens expire after 24 hours
  • Tokens are blacklisted on logout (the entry only has to live until the token's own expiry)
  • Forced logout via P1
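The four bullets as working code, added here as an example and not VDS Panel's implementation: an HS256 mint/verify in bash using openssl and GNU coreutils, with the algorithm pinned by the verifier, the expiry enforced, and a logout blacklist. Assumptions (all hypothetical): a shared HS256 secret, a jti claim in every token, and a flat file of revoked jti values standing in for the panel's blacklist store.

```shell
#!/usr/bin/env bash
# Added example, not VDS Panel's code: HS256 JWT mint/verify with the
# algorithm pinned server-side, exp enforced and a logout blacklist.
# Assumptions (hypothetical): shared HS256 secret, a "jti" claim, and a flat
# file of revoked jti values. Needs openssl and GNU base64 (-w0).
set -eu

JWT_SECRET="${JWT_SECRET:-constructed-demo-secret-do-not-use}"
REVOKED_FILE="${REVOKED_FILE:-/tmp/jwt-revoked.txt}"

b64url() { base64 -w0 | sed 's/+/-/g; s#/#_#g; s/=//g'; }
b64url_dec() {
  local s
  s=$(printf '%s' "$1" | sed 's/-/+/g; s#_#/#g')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done   # restore padding
  printf '%s' "$s" | base64 -d
}
hmac_b64url() { printf '%s' "$1" | openssl dgst -sha256 -hmac "$JWT_SECRET" -binary | b64url; }
json_str() { printf '%s' "$1" | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p"; }
json_num() { printf '%s' "$1" | sed -n "s/.*\"$2\" *: *\([0-9][0-9]*\).*/\1/p"; }

# jwt_sign SUB TTL_SECONDS JTI -> token on stdout. JWT_NOW overrides the clock.
jwt_sign() {
  local now=${JWT_NOW:-$(date +%s)} header payload
  header=$(printf '%s' '{"alg":"HS256","typ":"JWT"}' | b64url)
  payload=$(printf '{"sub":"%s","exp":%d,"jti":"%s"}' "$1" "$((now + $2))" "$3" | b64url)
  printf '%s.%s.%s\n' "$header" "$payload" "$(hmac_b64url "$header.$payload")"
}

# jwt_verify TOKEN -> prints the subject and returns 0 only if every check passes.
jwt_verify() {
  local tok=$1 h p s rest hdr pl exp jti now=${JWT_NOW:-$(date +%s)}
  case $tok in *.*.*) ;; *) echo "malformed token" >&2; return 1 ;; esac
  h=${tok%%.*}; rest=${tok#*.}; p=${rest%%.*}; s=${rest#*.}
  case $s in *.*) echo "malformed token" >&2; return 1 ;; esac

  # 1. Pin the algorithm: the verifier decides how the signature is checked,
  #    never the token's own header. This kills alg=none and RS256->HS256
  #    key-confusion attacks in one move.
  hdr=$(b64url_dec "$h" 2>/dev/null) || { echo "undecodable header" >&2; return 1; }
  case "$(printf '%s' "$hdr" | tr -d ' \n')" in
    *'"alg":"HS256"'*) ;;
    *) echo "rejected: alg is not HS256" >&2; return 1 ;;
  esac
  # 2. Recompute the MAC over the exact bytes received. (Shell string
  #    comparison is not constant-time; a real service uses a constant-time
  #    compare such as Python's hmac.compare_digest.)
  [ "$(hmac_b64url "$h.$p")" = "$s" ] || { echo "rejected: bad signature" >&2; return 1; }
  # 3. Expiry, read only after the signature check so claims are trustworthy.
  pl=$(b64url_dec "$p" 2>/dev/null) || { echo "undecodable payload" >&2; return 1; }
  exp=$(json_num "$pl" exp)
  [ -n "$exp" ] && [ "$exp" -gt "$now" ] || { echo "rejected: expired or no exp" >&2; return 1; }
  # 4. Logout blacklist: a revoked jti stays listed until its exp has passed.
  jti=$(json_str "$pl" jti)
  [ -n "$jti" ] || { echo "rejected: no jti" >&2; return 1; }
  if [ -f "$REVOKED_FILE" ] && grep -qxF -- "$jti" "$REVOKED_FILE"; then
    echo "rejected: revoked" >&2; return 1
  fi
  json_str "$pl" sub; echo
}

# jwt_revoke TOKEN: logout. Records the jti; prune the entry once exp passes.
jwt_revoke() {
  local rest=${1#*.} pl
  pl=$(b64url_dec "${rest%%.*}") || return 1
  json_str "$pl" jti >> "$REVOKED_FILE"; echo >> "$REVOKED_FILE"
}
```

The order of the checks matters: nothing from the payload (exp, jti, sub) is read until the signature has been verified with the algorithm the server chose, so an attacker cannot influence the verifier by editing the header.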

Layer 5: Pentest scanner

In addition to static configuration scans, VDS Panel includes a pentest scanner with 140+ tests.

What does the pentest scanner check?
  • SSL/TLS: weak cipher suites, Heartbleed, expired certificates
  • HTTP headers: missing HSTS, CSP, X-Frame-Options
  • Auth: JWT alg=none acceptance, login endpoints without brute-force protection
  • SQL injection vectors
  • XSS payloads (unsanitized input checks)
  • Path traversal and directory listing
  • Known CVEs (matched against installed package versions)
  • Default credentials (admin/admin attempts)
  • Open ports (unexpected services)

The scanner runs automatically every week, and for each vulnerability it finds it:

  • writes an entry to the panel event log
  • generates an HTML report
  • alerts the admin if the finding is critical

Security audit log

The panel permanently logs all critical operations:

  • Login, logout, failed login
  • Adding/deleting admin users
  • Creating a new project
  • SSL certificate renewal
  • Panel setting change

Each record carries the source IP, user agent and timestamp, so the full chain of events can be reconstructed when a forensic investigation is needed. Because an attacker who gains root can edit local files, ship a copy of this log to a host the server itself cannot write to.

Automatic update

With the Ubuntu P0 package, security updates are installed automatically.

VDS Panel activates this during installation. Kernel and critical security patches are installed while the panel keeps running, and an automatic reboot is scheduled when a patch requires one. Check the configuration with a dry run before trusting it, and keep reboots inside a maintenance window so a kernel update does not restart the server at peak time.
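An added example of that setup, not the panel's installer: it assumes the package the page refers to is unattended-upgrades, writes the periodic switches and a reboot policy, runs a dry run, and parses apt-config dump to confirm what apt will actually do. The 04:00 reboot window is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not VDS Panel's installer. Assumes the package meant is
# unattended-upgrades; the 04:00 reboot window is a placeholder.
set -eu

enable_auto_updates() {
  apt-get install -y unattended-upgrades
  # Timer switches: refresh package lists and run the upgrader daily.
  cat > /etc/apt/apt.conf.d/20auto-upgrades <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
  # Ubuntu's shipped 50unattended-upgrades already enables the -security
  # origin; this drop-in only adds the reboot policy and cleanup.
  cat > /etc/apt/apt.conf.d/52unattended-upgrades-local <<'EOF'
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
EOF
  # Show what the next run would do without doing it.
  unattended-upgrade --dry-run --debug
}

# auto_update_status: stdin is `apt-config dump` output; prints "enabled"
# only when both periodic switches are "1", which is the state apt acts on
# regardless of which conf.d file set them.
auto_update_status() {
  awk '
    /^APT::Periodic::Update-Package-Lists / { lists = ($2 == "\"1\";") }
    /^APT::Periodic::Unattended-Upgrade /   { upg   = ($2 == "\"1\";") }
    END { s = (lists && upg) ? "enabled" : "disabled"; print s }'
}

case "${1:-}" in
  --enable) enable_auto_updates ;;
  --status) apt-config dump | auto_update_status ;;
esac
```

Use --status rather than reading the files by hand: apt merges every file under /etc/apt/apt.conf.d, and a later file (or a cloud-init template) can silently override the value you wrote.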

Conclusion

There is no single silver bullet for server security. Defense in depth is what works: firewall, SSH hardening, Fail2Ban, rate limiting, security headers, audit logging and periodic pentesting, all operating together.

VDS Panel turns the hours of manually setting up these layers into minutes. Fail2Ban jails, UFW rules, nginx security headers and 140+ pentest tests are installed by default and monitored continuously.

For details about security features, you can visit the home page or get consultation for your specific scenario from the contact form.

Want to try it on your own server?

Reach out via the contact form and let's prepare a license and install plan tailored to your scenario.

Here when you're ready

Modern deploy experience on your own server, one contact message away.

Tell us about your usage scenario and we'll prepare the right license and install plan. Average response time is under 24 hours.