I see a lot of people getting into self-hosting for privacy reasons, which is great — but then running their VPS with default SSH settings and no firewall. Here’s the 10-minute checklist I run on every fresh server.
The Essentials
1. Non-root user + key-only SSH
```bash
adduser deploy && usermod -aG sudo deploy
# Copy your key, then in /etc/ssh/sshd_config:
# PermitRootLogin no
# PasswordAuthentication no
# Port 2222
```
2. Firewall (ufw)
```bash
ufw default deny incoming
ufw allow 2222/tcp # SSH
ufw allow 80/tcp # HTTP
ufw allow 443/tcp # HTTPS
ufw enable
```
3. fail2ban
```bash
apt install fail2ban -y
```
Default config bans IPs after 5 failed SSH attempts. Works out of the box.
4. Automatic security updates
```bash
apt install unattended-upgrades -y
dpkg-reconfigure -plow unattended-upgrades
```
Why This Matters for Privacy
A compromised server leaks everything — your emails, your files, your DNS queries. The irony of self-hosting for privacy and then getting owned because of a default SSH config is real.
After this 10-minute setup you have:
- Non-standard SSH port (stops 90% of automated scans)
- Key-only auth (password brute-force is impossible)
- Automatic banning of persistent attackers
- Security patches applied automatically
Full detailed guide: https://write.as/devtoolkit/secure-your-vps-in-10-minutes-a-no-nonsense-checklist
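
Added example (not part of the original post or its linked guide): a small audit for the two authentication settings from step 1, showing why a line appended to the end of `sshd_config` may not take effect. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# sshd uses the FIRST value it reads for a keyword, so a hardening line
# appended at the bottom of sshd_config loses to an earlier one.

# Print the first global value of keyword $2 in file $1, lower-cased.
# Keywords are case-insensitive; parsing stops at the first Match block,
# because lines after it apply only conditionally.
sshd_first_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)        # "Key value" or "Key=value"
            key = tolower(f[1])
            if (key == "match") exit
            if (key == want) { print tolower(f[2]); exit }
        }' "$1"
}

# Check the two auth settings from step 1. Prints one line per finding and
# returns the number of findings (0 = file matches the checklist).
# Port is left out: it may be repeated and sshd listens on every one listed.
audit_sshd() {
    findings=0
    for pair in permitrootlogin:no passwordauthentication:no; do
        key=${pair%%:*}
        want=${pair#*:}
        got=$(sshd_first_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: first value '${got:-unset}', checklist wants '$want'"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample: PasswordAuthentication no was appended last, too late.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Port 2222
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
EOF
audit_sshd "$SAMPLE" || echo "findings: $?"
```

The script reads a single file and does not follow `Include` directives; on a live server, `sshd -T` prints the effective configuration with included files resolved.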

I would really like to see a setup guide for this. Because if you are throwing a VPS up, they usually just give you a public IP address. I don’t really know how you would put a router/firewall in front.