By default, Linux is reasonably secure, but "reasonable" is not enough for production. This guide covers the essential steps to lock down a VPS or dedicated server against automated botnets and targeted attacks.
1. SSH Hardening (The Front Door)
The majority of attacks are SSH brute-force attempts.
Disable Root Login: In `/etc/ssh/sshd_config`, set `PermitRootLogin no`.
Use SSH Keys Only: Disable passwords (`PasswordAuthentication no`).
Change Default Port: Move it from 22 to 2222 (reduces log noise by 99%).
2. Firewall (UFW)
Uncomplicated Firewall (UFW) makes iptables easy.
`sudo ufw default deny incoming` (block everything by default).
`sudo ufw allow 2222/tcp` (allow your custom SSH port).
`sudo ufw allow 80/tcp` (allow web).
`sudo ufw enable`
3. Fail2Ban
Even with keys, bots will spam your SSH port.
Fail2Ban scans log files for repeated failures.
If an IP fails to log in 5 times in 10 minutes, Fail2Ban adds a firewall rule to ban that IP for 24 hours.
Install: `sudo apt install fail2ban`.
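The ban rule described above, sketched as a sliding-window counter over sshd log lines. This is an added example, not Fail2Ban's own code: the log lines are constructed, the regex is a simplified stand-in for Fail2Ban's sshd filter, and `find_bans` is a hypothetical name. The three constants mirror Fail2Ban's `maxretry`, `findtime` and `bantime` jail options.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_RETRY = 5                       # failures tolerated inside the window
FIND_TIME = timedelta(minutes=10)   # sliding window length
BAN_TIME = timedelta(hours=24)      # how long a ban lasts

# Simplified failure pattern for this example (assumption, not the real filter).
FAILURE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: (?:Invalid user \S+ from|"
    r"Connection closed by authenticating user \S+) (\d{1,3}(?:\.\d{1,3}){3}) port "
)

# Constructed sample log using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
Jan 10 03:00:00 vps sshd[900]: Invalid user test from 198.51.100.20 port 51000
Jan 10 03:00:05 vps sshd[901]: Invalid user admin from 203.0.113.7 port 40110
Jan 10 03:00:09 vps sshd[902]: Invalid user oracle from 203.0.113.7 port 40112
Jan 10 03:01:30 vps sshd[903]: Connection closed by authenticating user www 203.0.113.7 port 40118 [preauth]
Jan 10 03:02:00 vps sshd[904]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2
Jan 10 03:04:12 vps sshd[905]: Invalid user git from 203.0.113.7 port 40120
Jan 10 03:06:00 vps sshd[906]: Invalid user test from 198.51.100.20 port 51004
Jan 10 03:07:48 vps sshd[907]: Invalid user pi from 203.0.113.7 port 40126
Jan 10 03:12:00 vps sshd[908]: Invalid user test from 198.51.100.20 port 51008
Jan 10 03:18:00 vps sshd[909]: Invalid user test from 198.51.100.20 port 51012
Jan 10 03:24:00 vps sshd[910]: Invalid user test from 198.51.100.20 port 51016
"""

def find_bans(log_text, year=2024):
    """Return [(ip, banned_at, banned_until)]; syslog lines carry no year."""
    recent = defaultdict(deque)   # ip -> failure timestamps still in the window
    banned_until, bans = {}, []
    for line in log_text.splitlines():
        m = FAILURE.match(line)
        if not m:
            continue              # successful logins and other lines are ignored
        stamp, ip = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if banned_until.get(ip, ts) > ts:
            continue              # already banned: the firewall would drop this
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FIND_TIME:
            window.popleft()      # forget failures older than the window
        if len(window) >= MAX_RETRY:
            banned_until[ip] = ts + BAN_TIME
            bans.append((ip, ts, ts + BAN_TIME))
    return bans
```

In the sample, 203.0.113.7 is banned on its fifth failure inside ten minutes, while 198.51.100.20 also fails five times but never trips the rule because its attempts are six minutes apart.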
4. Automatic Updates
You will forget to update.
Install `unattended-upgrades`.
It automatically installs critical security patches every night without rebooting (unless a kernel update requires it).