Step 1
Patch the base system
Install current security fixes and reboot if the kernel or core libraries require it.
apt update && apt full-upgrade -y
apt install -y ufw fail2ban unattended-upgradesStep 2
Create a named sudo user
Use a unique account and install your public key before restricting password access.
adduser <admin-user>
usermod -aG sudo <admin-user>
install -d -m 700 -o <admin-user> -g <admin-user> /home/<admin-user>/.sshStep 3
Allow only required ports
Allow SSH before enabling UFW. Add application ports only when the service is ready.
ufw default deny incoming
ufw default allow outgoing
ufw allow OpenSSH
ufw enable
ufw status verboseStep 4
Enable updates and verify fail2ban
Confirm both services are active and review their logs after the first day.
dpkg-reconfigure -plow unattended-upgrades
systemctl enable --now fail2ban
fail2ban-client status sshd