Linux VPS Hardening — First Steps for Indian Production Servers
Every week we see fresh HostStack VPS credentials used with password auth and port 22 open to the world. Indian IP ranges get scanned constantly — bots do not care that your box is "just staging." This guide is the baseline we wish every customer ran before installing Docker, panels, or game servers.
Assumes Ubuntu 22.04/24.04 as root. Adapt package names for Debian. KB tie-in: snapshots & backups.
1. SSH key-only login
On your laptop, generate a key if you do not have one:
ssh-keygen -t ed25519 -C "[email protected]"
Copy the public key to the server (replace IP):
ssh-copy-id root@YOUR_VPS_IP
Verify key login works in a second terminal, then disable passwords:
sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
sshd -t && systemctl reload sshd
Ubuntu cloud images also ship drop-ins under /etc/ssh/sshd_config.d/ (for example 50-cloud-init.conf with PasswordAuthentication yes). They are included at the top of sshd_config, and sshd keeps the first value it reads, so a drop-in wins over the edit above. Check that directory, then confirm the effective setting with sshd -T | grep -i passwordauthentication before closing your working session.
2. UFW firewall — default deny
apt update && apt install -y ufw
ufw default deny incoming
ufw default allow outgoing
ufw allow OpenSSH
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable
ufw status verbose
Add game or custom ports only when services are ready. For UDP game traffic, allow specific ports rather than wide ranges.
3. Fail2ban for SSH (and nginx later)
apt install -y fail2ban
cat > /etc/fail2ban/jail.local <<'EOF'
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
bantime = 1h
EOF
systemctl enable --now fail2ban
If /var/log/auth.log does not exist on your image (journald-only logging), replace the logpath line with backend = systemd. Either way, fail2ban-client status sshd confirms the jail is running and counting failed logins.
4. Automatic security updates
apt install -y unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades
Schedule a monthly reboot window after kernel updates. Snapshot first on HostStack panel.
5. CrowdSec (optional threat intel)
For busier hosts, CrowdSec adds community blocklists tuned for SSH and web probes:
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | bash
apt install -y crowdsec
cscli collections install crowdsecurity/linux
systemctl enable --now crowdsec
6. Let's Encrypt TLS
apt install -y certbot python3-certbot-nginx
certbot --nginx -d yourdomain.in -d www.yourdomain.in
Use DNS-01 if you terminate TLS on a load balancer elsewhere.
7. Monitoring — UptimeRobot + Netdata
- UptimeRobot — HTTP/TCP checks from outside India; alerts to email/Telegram.
- Netdata — install with bash <(curl -Ss https://my-netdata.io/kickstart.sh) for live CPU/RAM/disk; lock the dashboard to VPN or an SSH tunnel.
Public status for customers: hoststack.in/status.
8. Backup strategy — rsync + remote copy
apt install -y rsync
rsync -avz --delete /var/www/ user@backup-host:/backups/vps1/www/
Combine with HostStack snapshots before risky changes. Test a full restore yearly.
9. Post-hardening checklist
- Password SSH disabled; keys only
- UFW enabled; only required ports open
- Fail2ban active
- Unattended upgrades enabled
- TLS live on public sites
- External uptime check configured
- Backup job logged and restore tested
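As an added example, not HostStack's own script or anything the KB ships: a small POSIX sh audit that re-checks the first three items of this list by parsing the output of sshd -T and ufw status verbose, so a password-enabling drop-in or a forgotten game port shows up as a FAIL. The sample outputs inside it are constructed, and the audit_host function and --run flag are assumptions of this example.

```shell
#!/bin/sh
# Added audit helper (not HostStack's own code): re-checks checklist items 1-3 by
# parsing command output read on stdin, so it runs offline on the constructed
# samples below; audit_host() wires the same checks to the live commands.

# Input: `sshd -T` output, the effective config after sshd_config.d drop-ins.
check_sshd_effective() {
  cfg=$(cat)
  pa=$(printf '%s\n' "$cfg" | awk '$1=="passwordauthentication"{print $2}')
  prl=$(printf '%s\n' "$cfg" | awk '$1=="permitrootlogin"{print $2}')
  [ "$pa" = "no" ] || { echo "FAIL: PasswordAuthentication=$pa (want no)"; return 1; }
  case "$prl" in
    no|prohibit-password) echo "OK: sshd key-only, PermitRootLogin=$prl" ;;
    *) echo "FAIL: PermitRootLogin=$prl (want prohibit-password)"; return 1 ;;
  esac
}

# Input: `ufw status verbose` output; args: ports expected open (e.g. 22/tcp).
# Fails if ufw is inactive, incoming is not default-deny, or an ALLOW IN rule
# opens a port outside the expected set (IPv6 duplicates collapse via sort -u).
check_ufw() {
  out=$(cat); rc=0
  printf '%s\n' "$out" | grep -q '^Status: active' || { echo "FAIL: ufw inactive"; return 1; }
  printf '%s\n' "$out" | grep -q '^Default: deny (incoming)' \
    || { echo "FAIL: incoming not default-deny"; return 1; }
  for port in $(printf '%s\n' "$out" | awk '/ALLOW IN/{print $1}' | sort -u); do
    ok=0
    for want in "$@"; do [ "$port" = "$want" ] && ok=1; done
    [ "$ok" = 1 ] || { echo "FAIL: unexpected open port $port"; rc=1; }
  done
  [ "$rc" = 0 ] && echo "OK: ufw default-deny, only expected ports open"
  return "$rc"
}

# Live run on the VPS as root: sh audit.sh --run
audit_host() {
  sshd -T | check_sshd_effective
  ufw status verbose | check_ufw 22/tcp 80/tcp 443/tcp
  systemctl is-active --quiet fail2ban && echo "OK: fail2ban active" || echo "FAIL: fail2ban inactive"
}
# Constructed sample outputs (not captured from a real host) for offline checks.
SAMPLE_SSHD_T='passwordauthentication no
permitrootlogin prohibit-password'
SAMPLE_UFW='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)
22/tcp (OpenSSH)           ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
8080/tcp                   ALLOW IN    Anywhere
22/tcp (OpenSSH) (v6)      ALLOW IN    Anywhere (v6)'
if [ "${1:-}" = "--run" ]; then audit_host; fi
```

Against the constructed ufw sample the audit fails until 8080/tcp is either closed or added to the expected list, which is the point of running it after every firewall change.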
Ready to deploy? Order Ryzen KVM VPS or read the India VPS buying guide first.