These are baseline steps we recommend after your first login to a new VPS. They reduce automated login attempts, help you avoid exposing services unintentionally, and prevent unauthorized access. You are responsible for setting up firewall rules for your own VPS so only the services you intend to publish are reachable.
Before changing SSH settings, keep your current SSH session open and test a second login in a new terminal. That way, you can recover quickly if a port, firewall, or key setting is wrong. If you have not created a non-root admin user yet, start with Adding a non-root user.
1. Update the System
Start by installing the latest security updates, along with the sudo, curl, nano, and fail2ban packages.
Reboot if the update installed a new kernel or core system libraries:
sudo systemctl reboot
2. Harden SSH
Open your SSH server configuration:
sudonano /etc/ssh/sshd_config.d/10-userssh.conf
Because we place SSH configuration in sshd_config.d at priority 50, make sure you use this file path to override our default values, which may otherwise conflict.
Set these options in your configuration:
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
To exit nano, press Ctrl + X. If you’d like to save, press Y, then enter. If you don’t want to save, just press N.
Only disable password authentication after you have confirmed key-based login works for your admin user.
Validate the SSH config before restarting the service:
sudo sshd -t
If the command prints nothing and exits successfully, restart SSH:
Changing the SSH port does not replace key-based authentication, but it cuts down on noisy automated scans against port 22.
Choose an unused high port, such as 2222, 22022, or another value between 1024 and 65535. In /etc/ssh/sshd_config.d/10-port.conf, set:
Port 2222
Allow the new port in your VPS firewall before restarting SSH. If you change the SSH port but forget to allow it in your firewall rules, you may lock yourself out.
If you’re using SSH on a non-standard port, you will need to specify the port when connecting:
ssh-p2222 stackuser@your_server_ip
If you’re on Windows using PuTTY, set the port in the “Session” section before connecting.
Fedora systems with SELinux enforcing also need the new SSH port labeled before sshd can bind to it:
If that works, update your local SSH config for convenience:
Host fyrastack-vps
HostName your_server_ip
User stackuser
Port 2222
IdentityFile ~/.ssh/id_ed25519
4. Set up your Firewall
Set up firewall rules for your VPS before exposing services to the internet. At minimum, allow your SSH port and any public services you intentionally run, such as HTTP or HTTPS. Do not assume unused ports are protected unless you have configured firewall rules yourself.
Fyra Stack does not provide a firewall layer for your VPS. You are responsible for configuring your own firewall rules. The only traffic we block by default is SMTP (port 25). See our VPS networking documentation for more information.
The examples below show common guest firewall setups. Adjust the allowed ports for your own services.
Fedora with firewalld
sudo dnf install-y firewalld
sudo systemctl enable--now firewalld
sudo firewall-cmd --permanent --add-port=2222/tcp # Change this to match your SSH portsudo firewall-cmd --permanent --add-service=http # Example servicesudo firewall-cmd --permanent --add-service=https # Example servicesudo firewall-cmd --reloadsudo firewall-cmd --list-all
If you no longer need SSH on port 22, remove the default SSH service after confirming the new port works:
sudoaptinstall-y ufw
sudo ufw allow 2222/tcp # Change this to match your SSH portsudo ufw allow 80/tcp # Example servicesudo ufw allow 443/tcp # Example servicesudo ufw enablesudo ufw status verbose
If you are already using UFW and no longer need SSH on port 22, remove the old rule after confirming the new port works:
sudo ufw delete allow 22/tcp
5. Set up fail2ban
fail2ban watches service logs and temporarily blocks IPs that repeatedly fail authentication. This is especially useful for public SSH services, and we recommend it even if you have already changed the SSH port.
Create a local jail file so package updates do not overwrite your settings:
sudonano /etc/fail2ban/jail.d/sshd.local
Add the following configuration. Match port to the SSH port you configured above.
If you lock yourself out, use the Fyra Stack console or recovery environment to revert the firewall or SSH configuration. Common fixes are re-allowing the new port in your firewall, restoring Port 22, disabling a guest firewall rule, or correcting file permissions under /home/stackuser/.ssh.
Initial Server Hardening
These are baseline steps we recommend after your first login to a new VPS. They reduce automated login attempts, help you avoid exposing services unintentionally, and prevent unauthorized access. You are responsible for setting up firewall rules for your own VPS so only the services you intend to publish are reachable.
Before changing SSH settings, keep your current SSH session open and test a second login in a new terminal. That way, you can recover quickly if a port, firewall, or key setting is wrong. If you have not created a non-root admin user yet, start with Adding a non-root user.
1. Update the System
Start by installing the latest security updates, along with the
sudo,curl,nano, andfail2banpackages.Fedora
Debian / Ubuntu
Reboot if the update installed a new kernel or core system libraries:
2. Harden SSH
Open your SSH server configuration:
Because we place SSH configuration in
sshd_config.dat priority 50, make sure you use this file path to override our default values, which may otherwise conflict.Set these options in your configuration:
To exit nano, press
Ctrl + X. If you’d like to save, pressY, then enter. If you don’t want to save, just pressN.Only disable password authentication after you have confirmed key-based login works for your admin user.
Validate the SSH config before restarting the service:
If the command prints nothing and exits successfully, restart SSH:
3. Change the SSH Port
Changing the SSH port does not replace key-based authentication, but it cuts down on noisy automated scans against port
22.Choose an unused high port, such as
2222,22022, or another value between1024and65535. In/etc/ssh/sshd_config.d/10-port.conf, set:Allow the new port in your VPS firewall before restarting SSH. If you change the SSH port but forget to allow it in your firewall rules, you may lock yourself out.
If you’re using SSH on a non-standard port, you will need to specify the port when connecting:
If you’re on Windows using PuTTY, set the port in the “Session” section before connecting.
Fedora systems with SELinux enforcing also need the new SSH port labeled before
sshdcan bind to it:If the port was already registered, modify it instead:
Now validate and restart SSH again.
Test from a new terminal while your existing session remains open. Replace
stackuserwith your admin username:If that works, update your local SSH config for convenience:
4. Set up your Firewall
Set up firewall rules for your VPS before exposing services to the internet. At minimum, allow your SSH port and any public services you intentionally run, such as HTTP or HTTPS. Do not assume unused ports are protected unless you have configured firewall rules yourself.
Fyra Stack does not provide a firewall layer for your VPS. You are responsible for configuring your own firewall rules. The only traffic we block by default is SMTP (port 25). See our VPS networking documentation for more information.
The examples below show common guest firewall setups. Adjust the allowed ports for your own services.
Fedora with firewalld
If you no longer need SSH on port
22, remove the default SSH service after confirming the new port works:Debian / Ubuntu with UFW
If you are already using UFW and no longer need SSH on port
22, remove the old rule after confirming the new port works:5. Set up fail2ban
fail2banwatches service logs and temporarily blocks IPs that repeatedly fail authentication. This is especially useful for public SSH services, and we recommend it even if you have already changed the SSH port.Create a local jail file so package updates do not overwrite your settings:
Add the following configuration. Match
portto the SSH port you configured above.Enable fail2ban, restart it to load the new jail, and check the jail status:
Recovery Notes
If you lock yourself out, use the Fyra Stack console or recovery environment to revert the firewall or SSH configuration. Common fixes are re-allowing the new port in your firewall, restoring Port 22, disabling a guest firewall rule, or correcting file permissions under
/home/stackuser/.ssh.