A fresh Ubuntu server is open by default. This guide covers the essential first steps: creating a sudo user, disabling root SSH, configuring UFW, setting up fail2ban, and hardening SSH.
Never operate as root in production. Create a user and add it to the sudo group: adduser ubuntu && usermod -aG sudo ubuntu. Copy your SSH key to the new user: rsync --archive --chown=ubuntu:ubuntu ~/.ssh /home/ubuntu. Test that you can SSH in as the new user before proceeding. Running as root means a single mistake or compromised process has unrestricted access to the entire system.
Edit /etc/ssh/sshd_config: set PermitRootLogin no and PasswordAuthentication no (only allow key-based auth). Restart SSH: sudo systemctl restart ssh (on Ubuntu the service unit is named ssh). Before doing this, make absolutely sure your key-based login works as your new sudo user; otherwise you will lock yourself out. With these two settings, password brute-force and root login attacks are blocked entirely.
UFW (Uncomplicated Firewall) is the standard Ubuntu firewall. Set defaults: sudo ufw default deny incoming && sudo ufw default allow outgoing. Allow SSH: sudo ufw allow OpenSSH. Allow your app ports: sudo ufw allow 80 && sudo ufw allow 443. Enable: sudo ufw enable. Verify: sudo ufw status verbose. Only open ports you actually use.
Fail2ban bans IPs that fail authentication repeatedly. Install: sudo apt install -y fail2ban. Create a local config: sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local. In jail.local, set bantime = 1h, findtime = 10m, maxretry = 5 under [DEFAULT]. Enable the SSH jail under [sshd]: enabled = true. Start: sudo systemctl enable fail2ban && sudo systemctl start fail2ban.
Install unattended-upgrades: sudo apt install -y unattended-upgrades. Enable it: sudo dpkg-reconfigure --priority=low unattended-upgrades. This automatically installs security updates daily. Edit /etc/apt/apt.conf.d/50unattended-upgrades to configure which updates apply and whether to auto-reboot for kernel updates (set Unattended-Upgrade::Automatic-Reboot to false for production servers).
Edit /etc/ssh/sshd_config and change Port 22 to an uncommon port such as Port 2222. Update UFW: sudo ufw allow 2222 && sudo ufw delete allow OpenSSH. Restart SSH. This does not stop a determined attacker but eliminates 99% of automated scanning noise in your logs. Remember to update anything else that references port 22, such as SSH client config files, other firewall rules, and the port setting of the fail2ban [sshd] jail.
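A file under /etc/ssh/sshd_config.d/ can override an edit to sshd_config, so the check below reads the output of sshd -T (the effective configuration after all Include files are merged) and compares it with the values from the two SSH steps above: PermitRootLogin no, PasswordAuthentication no, and the new port. It is an added example, not part of the original guide; the function name audit_sshd, the constructed sample inputs, and the extra pubkeyauthentication check are assumptions of this example.

```sh
#!/bin/sh
# Added example: compare effective sshd settings with this guide's values.
# Real use (as root):  sshd -T | audit_sshd 2222

# audit_sshd EXPECTED_PORT: reads `sshd -T` output ("keyword value") on stdin,
# prints PASS/FAIL per check, returns 0 only if every check passes.
audit_sshd() (
    expected_port="$1"
    cfg="$(cat)"
    failures=0
    check() {  # check KEYWORD WANTED_VALUE (sshd -T prints one effective value)
        got="$(printf '%s\n' "$cfg" | awk -v k="$1" '$1 == k { print $2; exit }')"
        if [ "$got" = "$2" ]; then
            echo "PASS $1 $got"
        else
            echo "FAIL $1 ${got:-unset} (want $2)"
            failures=$((failures + 1))
        fi
    }
    check permitrootlogin no
    check passwordauthentication no
    # Assumption beyond the guide: key auth must be enabled, otherwise the
    # two settings above leave no way to log in.
    check pubkeyauthentication yes
    # sshd can listen on several ports; the set must be exactly the expected one.
    ports="$(printf '%s\n' "$cfg" | awk '$1 == "port" { print $2 }' | sort -un | paste -sd, -)"
    if [ "$ports" = "$expected_port" ]; then
        echo "PASS port $ports"
    else
        echo "FAIL port ${ports:-unset} (want $expected_port)"
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ]
)

# Constructed sample: sshd_config was edited, but a drop-in file still
# enables password logins, so the effective value is "yes".
sample_overridden() {
    printf '%s\n' 'port 2222' 'permitrootlogin no' \
        'passwordauthentication yes' 'pubkeyauthentication yes'
}
# Constructed sample: every setting from the guide is in effect.
sample_hardened() {
    printf '%s\n' 'port 2222' 'permitrootlogin no' \
        'passwordauthentication no' 'pubkeyauthentication yes'
}

sample_overridden | audit_sshd 2222 || echo "effective config differs from the guide"
```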
© 2026 NexWorldTech — Built for Global Dominance.