First Login & Hardening
The 15-minute setup that stops 99% of attacks.
What you are defending against
Within minutes of a fresh public IP going live, you will see brute-force SSH attempts in your logs — not because anyone targeted you, but because bots scan the entire IPv4 space for open port 22 every few hours. The goal of hardening is not to stop a determined attacker; it is to make your box boring enough that the automated waves move on.
Create a non-root user
Log in as root once, create a user with sudo access, copy your SSH key into their ~/.ssh/authorized_keys, then never log in as root again.
adduser deploy
usermod -aG sudo deploy
rsync --archive --chown=deploy:deploy ~/.ssh /home/deploy
Test SSH-ing in as the new user from a second terminal before you close your root session. Getting locked out of a fresh box is a rite of passage, but you can skip it.
Lock down SSH
Edit /etc/ssh/sshd_config (or drop a file in sshd_config.d/) and set:
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Then systemctl restart ssh. Password auth off is the single highest-leverage change you can make — it eliminates brute-force SSH as a threat entirely.
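Because sshd keeps the first value it reads for a directive, a drop-in pulled in by the Include line near the top of Ubuntu's sshd_config (cloud images ship sshd_config.d/50-cloud-init.conf with PasswordAuthentication yes) silently overrides a line you add further down in the main file. This added checker, which is not part of the lesson, resolves the three directives the way sshd does and reports which ones are still weak; it assumes "Key value" syntax and absolute Include patterns, as in Ubuntu's stock config.

```shell
# Added example (not from the lesson): report the value sshd will actually use
# for a directive by reading the config the way sshd does. sshd keeps the FIRST
# value it meets, and Ubuntu's sshd_config has an Include for sshd_config.d/*.conf
# near the top, so a drop-in there wins over a line added further down the main file.
# Handles "Key value" lines and absolute Include patterns only; stops at the first
# Match block, whose settings are conditional.
ssh_effective_setting() {
    local config=$1 directive key value f
    directive=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    while read -r key value || [ -n "$key" ]; do
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        case $key in
            ''|'#'*) continue ;;          # blank line or comment
            match) return 1 ;;            # conditional section: global scan ends here
            include)                      # expand the glob(s) and recurse, in order
                for f in $value; do
                    [ -f "$f" ] && ssh_effective_setting "$f" "$2" && return 0
                done ;;
            "$directive") printf '%s\n' "$value"; return 0 ;;
        esac
    done < "$config"
    return 1                              # never set: OpenSSH's built-in default applies
}

# Compare the three effective values with the lesson's targets. When a directive
# is unset, OpenSSH's own defaults apply: prohibit-password / yes / yes.
check_ssh_hardening() {
    failures=0
    for spec in PermitRootLogin:no:prohibit-password \
                PasswordAuthentication:no:yes \
                PubkeyAuthentication:yes:yes; do
        name=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; default=${rest#*:}
        got=$(ssh_effective_setting "$1" "$name") || got=$default
        if [ "$(printf '%s' "$got" | tr '[:upper:]' '[:lower:]')" != "$want" ]; then
            printf 'WEAK  %s = %s (want %s)\n' "$name" "$got" "$want"
            failures=$((failures + 1))
        else
            printf 'OK    %s = %s\n' "$name" "$got"
        fi
    done
    return $failures                      # 0 means all three directives are hardened
}

# Usage: sh check-sshd.sh /etc/ssh/sshd_config   (exit status = number of weak directives)
if [ $# -gt 0 ]; then check_ssh_hardening "$1"; fi
```

Run it before the restart; a WEAK line for PasswordAuthentication after you edited the main file means a drop-in is overriding you and needs the same change.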
Firewall with UFW
Ubuntu ships with UFW, a friendly wrapper around iptables. A handful of commands gives you a working firewall:
ufw default deny incoming
ufw allow OpenSSH
ufw allow http
ufw allow https
ufw enable
That is the entire thing. Docker punches its own holes in iptables and can surprise you — we cover that in the Docker lesson.
fail2ban and automatic updates
fail2ban watches your auth logs and bans IPs that fail SSH too many times. With key-only auth it is belt-and-braces, but it also cuts the noise in your logs by 90%: apt install fail2ban && systemctl enable --now fail2ban.
unattended-upgrades installs security patches on a cron and is genuinely set-and-forget: apt install unattended-upgrades && dpkg-reconfigure --priority=low unattended-upgrades. Enable the Unattended-Upgrade::Automatic-Reboot "true" line in /etc/apt/apt.conf.d/50unattended-upgrades so kernel updates actually land.
Key takeaways
- Disable password auth — it eliminates brute-force SSH entirely
- Create a non-root sudo user and log in as them, never root
- UFW blocks everything except 22/80/443 by default
- fail2ban + unattended-upgrades are the two set-and-forget essentials