SSH is your front door — lock it
Most VPSes are compromised through SSH. Most compromises happen because of three settings most people never change.
The three settings
- PasswordAuthentication no — keys only, no passwords
- PermitRootLogin no — never log in as root
- AllowUsers claw — only your one non-root user can SSH in
/etc/ssh/sshd_config:
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers claw
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2
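Restart the service to apply the changes, and keep your current session open until the checks under Verify pass:
sudo systemctl restart ssh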
Why a non-default port
Moving SSH off port 22 cuts log spam by ~99%. It is not real security on its own — a determined scanner finds you anyway — but it makes your logs readable, which is what matters for spotting real attacks.
Fail2ban
sudo apt install -y fail2ban
sudo systemctl enable --now fail2ban
Default config bans IPs after 5 failed auths for 10 minutes. With PasswordAuthentication no, the only attempts you ever see are bots probing — and they get banned.
Verify
- New terminal: ssh -p 2222 claw@<vps> should work
- ssh root@<vps> should be denied
- ssh claw@<vps> (default port) should be denied
If any of those three is wrong, fix it before the next lesson.
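When one of the checks fails even though /etc/ssh/sshd_config looks right, compare it with what sshd actually loaded: on systems whose sshd_config includes /etc/ssh/sshd_config.d/*.conf, a drop-in file can set a keyword first and win. The script below is an added example, not part of the original lesson; it reads the output of sshd -T (the effective configuration) and reports every setting that differs from the values above. The helper name check_sshd_effective is made up for this example.

```shell
#!/bin/sh
# Added example, not from the lesson: check the settings sshd actually uses.
# Usage on the VPS:  sudo sshd -T | check_sshd_effective
# `sshd -T` prints the effective config as lowercase "keyword value" lines.

# Expected values, taken from the lesson's sshd_config.
EXPECTED='port 2222
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
allowusers claw
logingracetime 30
clientaliveinterval 300
clientalivecountmax 2'

# check_sshd_effective (hypothetical helper name): reads `sshd -T` output on
# stdin, prints one line per mismatch, returns 0 only if all values match.
check_sshd_effective() {
    effective=$(cat)
    status=0
    while read -r key want; do
        # Keywords such as port and allowusers can repeat; join every value
        # so an extra port or an extra allowed user shows up as a mismatch.
        got=$(printf '%s\n' "$effective" |
            awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print }' |
            paste -sd, -)
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: want '$want', effective '${got:-<unset>}'"
            status=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$status"
}
```

A non-zero exit status means at least one setting is not in effect; each MISMATCH line names the keyword to look for in the drop-in files.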