How to Set Up Your Own Private WireGuard VPN Server
Hardening Linux Systems Against Remote Exploits
Publicly accessible cloud instances face automated brute-force attacks and port scans within minutes of deployment. To protect your server from these threats, it is critical to go beyond basic password configurations and implement a default-deny security model. This approach involves replacing traditional password logins with asymmetric key pairs (like ED25519) and using firewalls to block unauthorized access.
By using Fail2ban along with native Linux firewalls (like UFW or nftables), you can dynamically detect brute-force attempts and temporarily ban the source IP addresses. Hardening the underlying server runtime configuration, such as setting custom restrictions on system boundaries and locking down SSH settings, forms a robust defense layer that protects your applications and user data.
Establishing these parameters helps you mitigate intrusion threats without introducing routing latency or connection drops for authorized clients accessing server ports.
# /etc/fail2ban/jail.local
# Automated rate-limiting brute-force shield settings
[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 86400
findtime = 600
ignoreip = 127.0.0.1/8 192.168.1.0/24Essential CLI Setup Steps
To implement this setup on your cloud instances, execute the following commands in sequence inside your system console:
# Step 1: Install standard firewall and threat scanning packages
sudo apt-get update && sudo apt-get install -y ufw fail2ban
# Step 2: Authorize base SSH port connections through UFW
sudo ufw allow 22/tcp
sudo ufw limit 22/tcp
# Step 3: Enable the firewall interface with the default-deny ruleset
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw --force enable
# Step 4: Run Fail2ban to actively monitor and jail malicious IPs
sudo systemctl restart fail2ban
sudo systemctl enable fail2banConfiguring Fail2ban and System Access Guards
The Fail2ban configuration establishes a monitor over /var/log/auth.log, tracing failed authentication requests. If an external IP registers more than 5 failed authentication attempts (maxretry = 5) within a 10-minute window (findtime = 600), Fail2ban injects dynamic firewall rules to block the source host for 24 hours (bantime = 86400). This setup helps block automated dictionary and brute-force attacks.
By enforcing a default-deny policy (ufw default deny incoming), you block access to all unmapped TCP/UDP ports, minimizing the server's attack surface.
Operational Guidelines
Before launching in production, verify your hardware meets the benchmark metrics outlined in the table below:
Security Enforcement Verification Checklist
| Check ID | Security Control | Verification Command |
|---|---|---|
| 01 | Firewall Active Ruleset | sudo ufw status verbose |
| 02 | Fail2ban active jails list | sudo fail2ban-client status sshd |
| 03 | Passwordless Login Check | cat /etc/ssh/sshd_config | grep PasswordAuthentication |
