Lock down your Linux VPS using UFW and Fail2Ban

In this video, we are going to secure our fresh Linux server by implementing a robust "firewall strategy." You will lock down open ports and set up automated protection against brute-force attacks. We start by addressing the main problem: a default Linux server accepts traffic on every single port, making it vulnerable to attacks. I’ll show you how to configure UFW (Uncomplicated Firewall) to block all incoming traffic by default, while explicitly allowing only the necessary connections, specifically, your SSH port. This is a critical step, and I’ll highlight exactly how to do this without accidentally locking yourself out of your own server. Next, we add a layer of intelligence to our security using Fail2Ban. Even with a firewall, bots can still spam your SSH port with password guesses. You’ll see how Fail2Ban monitors your server logs in real-time and automatically updates firewall rules to ban IP addresses that show malicious behavior. I will walk you through creating a jail.local configuration file to customize the ban duration and retry limits, ensuring attackers are blocked for a full day rather than just 10 minutes. Finally, I will demonstrate how to use the DigitalOcean Recovery Console. This is your safety net, if you ever misconfigure your firewall or lose your SSH keys, this web-based terminal will allow you to regain access and fix the issue. Here is the link to the GitHub repository (Handbook): https://github.com/ImadSaddik/FullStackDeploymentHandbook Don't forget to like, subscribe, and leave a comment if you have any questions or feedback! ⭐️ Contents ⭐️ (00:00) Intro: The problem with fresh servers (00:38) The Firewall Strategy Plan (01:39) Theory: How Fail2Ban works (04:24) The Handbook & Practice Session Start (04:55) Analyzing server logs for attacks (07:08) Checking UFW status (08:06) IMPORTANT: Allowing SSH before enabling (08:44) Enabling the UFW Firewall (10:58) Installing Fail2Ban (11:49) Configuring Fail2Ban (jail.local) (17:03) Using the DigitalOcean Recovery Console (20:02) What is next?