Securing Your VPS with UFW and Fail2Ban

Every VPS on the public internet is probed constantly for open ports and weak passwords. UFW and Fail2Ban address the two most common attack vectors: an overly open network surface and SSH brute-force attempts. By the end of this guide, you will have a firewall that blocks all but the ports you explicitly allow, and an automated system that bans IPs attempting repeated failed logins.

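This guide assumes you have a running Ubuntu server with a non-root sudo user. If not, complete the Ubuntu 24.04 initial setup guide first. The commands below change system configuration and need root privileges, so prefix them with sudo when running as that user.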

Part 1 - UFW

UFW (Uncomplicated Firewall) is a front-end for iptables that makes firewall rules straightforward to manage. It comes pre-installed on Ubuntu. These steps walk through setting a deny-all default policy, allowing the ports your server needs, and enabling the firewall.

Checking UFW Status

Before making any changes, check the current firewall state:

ufw status

Setting the Default Policy

Deny all incoming connections by default and allow all outgoing. This ensures nothing can reach the server unless you have explicitly permitted it:

ufw default deny incoming
ufw default allow outgoing

Allowing SSH

Allow SSH access before enabling the firewall. If you enable UFW without doing this first, your current SSH session will be dropped and you will lose access to the server.

ufw allow OpenSSH

If you are running SSH on a non-standard port such as 2222:

ufw allow 2222/tcp

Allowing HTTP and HTTPS

If you are hosting a website or web application, allow HTTP and HTTPS traffic:

ufw allow 80/tcp
ufw allow 443/tcp

Enabling UFW

With your allow rules in place, enable the firewall:

ufw enable

Checking the Rules

Confirm the active rules match what you intended:

ufw status numbered

Part 2 - Fail2Ban

Fail2Ban monitors log files for repeated authentication failures and temporarily bans the offending IP addresses. It is particularly effective against SSH brute-force attacks, where automated tools try large volumes of password combinations against exposed servers.

Installing Fail2Ban

Install the package with:

apt install fail2ban -y

Creating a Local Config

Do not edit the main config file directly. Creating a local override keeps your changes separate from the defaults and ensures they survive package updates:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Configuring the SSH Jail

Open /etc/fail2ban/jail.local and find the [sshd] section. Set the following values to enable the jail and configure its ban behaviour:

[sshd]
enabled  = true
port     = ssh
maxretry = 5
bantime  = 1h
findtime = 10m

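With these settings, an IP that fails five login attempts within ten minutes is banned for one hour. If SSH listens on a non-standard port such as 2222, set port to that number so the ban applies to the port sshd actually uses.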
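
To see how maxretry, findtime and bantime interact, the following added example (not Fail2Ban's own code and not part of the original guide) replays constructed sshd log lines through a simplified sliding-window model of the jail above. The log lines, host name and function names are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the shape sshd writes to the auth log.
SAMPLE_LOG = """\
2024-05-01T10:00:00+00:00 vps sshd[901]: Failed password for root from 203.0.113.7 port 40001 ssh2
2024-05-01T10:00:20+00:00 vps sshd[902]: Failed password for root from 203.0.113.7 port 40002 ssh2
2024-05-01T10:00:30+00:00 vps sshd[903]: Failed password for deploy from 198.51.100.20 port 50001 ssh2
2024-05-01T10:00:40+00:00 vps sshd[904]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
2024-05-01T10:01:00+00:00 vps sshd[905]: Failed password for deploy from 198.51.100.20 port 50002 ssh2
2024-05-01T10:01:10+00:00 vps sshd[906]: Failed password for invalid user test from 203.0.113.7 port 40004 ssh2
2024-05-01T10:01:30+00:00 vps sshd[907]: Failed password for root from 203.0.113.7 port 40005 ssh2
2024-05-01T10:20:00+00:00 vps sshd[908]: Failed password for deploy from 198.51.100.20 port 50003 ssh2
2024-05-01T10:20:30+00:00 vps sshd[909]: Failed password for deploy from 198.51.100.20 port 50004 ssh2
2024-05-01T10:21:00+00:00 vps sshd[910]: Failed password for deploy from 198.51.100.20 port 50005 ssh2
"""

FAILED = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def parse_failures(text):
    """Yield (timestamp, ip) for each failed-password line."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2)

def simulate(text, maxretry=5, findtime=timedelta(minutes=10),
             bantime=timedelta(hours=1)):
    """Return [(ip, ban_start, ban_end)]; defaults mirror the [sshd] jail."""
    recent = defaultdict(deque)   # ip -> failure times still inside findtime
    banned_until, bans = {}, []
    for ts, ip in sorted(parse_failures(text)):
        if ip in banned_until and ts < banned_until[ip]:
            continue              # a banned IP is blocked before reaching sshd
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # this failure has aged out of the window
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((ip, ts, ts + bantime))
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE_LOG):
        print(f"{ip} banned {start.isoformat()} -> {end.isoformat()}")
```

Both sample addresses log five failures, but only 203.0.113.7 gets all five inside one ten-minute window, so it is the only one banned. The failures from 198.51.100.20 are spread far enough apart that the early ones age out before the count reaches maxretry.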

Starting and Enabling Fail2Ban

Start the service and enable it to run automatically on boot:

systemctl enable fail2ban
systemctl start fail2ban

Checking the SSH Jail

Confirm the SSH jail is active and review any currently banned IPs:

fail2ban-client status sshd

Unbanning an IP

If you accidentally lock yourself out, you can remove a ban from your provider's web console or from another server with access:

fail2ban-client set sshd unbanip 1.2.3.4

Replace 1.2.3.4 with your actual IP address.

Your Server Is Protected

You now have a firewall blocking uninvited incoming traffic and an automated ban system in place for repeated SSH login failures. For further hardening, follow the SSH key authentication guide to disable password logins entirely, which removes the most common SSH attack vector altogether.
