Secure Your Hostinger VPS: Fail2Ban, SSL, and Firewall Guide

SSH is the most common attack surface. Harden it immediately:

# First, set up SSH keys (on your LOCAL machine)
ssh-keygen -t ed25519 -C "your-email@example.com"
ssh-copy-id root@YOUR_SERVER_IP

# Test key login works before disabling passwords!
ssh root@YOUR_SERVER_IP

# Now edit SSH config on the server
nano /etc/ssh/sshd_config

# Change/add these settings:
PermitRootLogin no          # Disable root SSH login
PasswordAuthentication no   # Require SSH keys only
X11Forwarding no
MaxAuthTries 3
Port 22  # Optional: change to a non-standard port

# Restart SSH
systemctl restart sshd

Warning: Test that your SSH key works before disabling password auth. Getting locked out requires console access through Hostinger's panel.

UFW (Uncomplicated Firewall) provides simple iptables management:

# Install UFW
apt install ufw -y

# Set default policies
ufw default deny incoming
ufw default allow outgoing

# Allow SSH (critical — don't skip!)
ufw allow 22/tcp
# If you changed SSH port:
# ufw allow YOUR_NEW_PORT/tcp

# Allow HTTP and HTTPS
ufw allow 80/tcp
ufw allow 443/tcp

# Enable firewall
ufw enable

# Verify
ufw status verbose

Only open ports you actively use. Each open port is a potential attack vector. If you're running a game server, database, or other services, add their ports explicitly.

Fail2Ban monitors logs and bans IPs that show malicious behavior:

# Install Fail2Ban
apt install fail2ban -y

# Create a local config (don't edit jail.conf directly)
cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
port = 22
logpath = /var/log/auth.log
maxretry = 3

[nginx-http-auth]
enabled = true

[nginx-limit-req]
enabled = true
EOF

# Start Fail2Ban
systemctl enable fail2ban
systemctl start fail2ban

# Check status
fail2ban-client status
fail2ban-client status sshd

Fail2Ban will automatically ban any IP that fails SSH login 3 times within 10 minutes, for 1 hour. You can adjust these thresholds in jail.local.

Keep your server patched without manual intervention:

# Install unattended-upgrades
apt install unattended-upgrades -y

# Configure to apply security updates automatically
cat > /etc/apt/apt.conf.d/20auto-upgrades << 'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF

# Verify configuration
unattended-upgrades --dry-run --debug 2>&1 | head -20

Never expose services over HTTP. Use Traefik (for Docker apps) or Certbot (for traditional apps) for automatic SSL:

# For traditional Nginx/Apache apps:
apt install certbot python3-certbot-nginx -y
certbot --nginx -d yourdomain.com -d www.yourdomain.com

# Auto-renew is set up automatically by Certbot
# Test renewal:
certbot renew --dry-run

For Docker-based deployments, use Traefik as shown in the Docker guide — it handles SSL automatically for every container you label.

• Create a non-root user: Never run your applications as root
• Regular backups: A compromised server you can restore from is recoverable; one without backups is not
• Monitoring: Set up UptimeRobot and check auth logs regularly (tail -f /var/log/auth.log)
• Docker security: Don't run containers as root, use read-only mounts where possible
• Disable unused services: systemctl list-units --type=service --state=active — disable anything you don't recognize