VPS Security Checklist: Hardening Your Server for 2026
The moment you spin up a VPS in Mumbai or Singapore, it is being scanned. Bots from across the globe will attempt to brute-force your SSH root password within minutes.
With Nepal's new Cyber Regulation By-Laws 2081 requiring stricter log retention and access controls, "default settings" are no longer enough. Here is the mandatory 15-minute hardening guide for any Nepali developer.
1. Kill the Password (SSH Keys Only)
Passwords can be brute-forced. SSH Keys cannot.
ssh-keygen -t ed25519 -C "your-email"
ssh-copy-id root@your-server-ip
Once copied, confirm the key login works from a second terminal (so you cannot lock yourself out), then disable password authentication in /etc/ssh/sshd_config:
PasswordAuthentication no
PermitRootLogin prohibit-password
Check the config and reload the daemon (the service is named ssh on Ubuntu):
sudo sshd -t && sudo systemctl reload ssh
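As an added example, not part of the original post, here is a small POSIX sh audit that reads an sshd_config file (pass it /etc/ssh/sshd_config on the server) and reports whether the settings above are actually in effect. It assumes no Match blocks are in use; the function names sshd_value and audit_sshd are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config file for the
# key-only login settings this step requires. Assumes no Match blocks are used.

# Print the effective value of a keyword: the first uncommented occurrence
# wins, as in sshd itself, and parsing stops at the first Match block.
sshd_value() {
  # $1 = config file, $2 = keyword (matched case-insensitively, like sshd)
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/        { next }             # skip comment lines
    tolower($1) == "match"  { exit }             # stop at the first Match block
    tolower($1) == key      { print $2; exit }   # first occurrence wins
  ' "$1"
}

# Returns 0 when the file enforces key-based logins, 1 otherwise.
# sshd defaults if unset: PasswordAuthentication yes, PermitRootLogin prohibit-password.
audit_sshd() {
  file="$1"; rc=0
  pw=$(sshd_value "$file" PasswordAuthentication)
  root=$(sshd_value "$file" PermitRootLogin)
  kbd=$(sshd_value "$file" KbdInteractiveAuthentication)
  # older configs use the deprecated alias ChallengeResponseAuthentication
  [ -z "$kbd" ] && kbd=$(sshd_value "$file" ChallengeResponseAuthentication)
  case "$pw" in
    no) ;;
    *)  echo "FAIL: PasswordAuthentication is '${pw:-yes (default)}', expected no"; rc=1 ;;
  esac
  case "$root" in
    yes) echo "FAIL: PermitRootLogin is 'yes', expected prohibit-password or no"; rc=1 ;;
  esac
  case "$kbd" in
    no) ;;
    *)  echo "WARN: keyboard-interactive auth not disabled; PAM may still prompt for a password" ;;
  esac
  [ "$rc" -eq 0 ] && echo "OK: $file enforces key-based logins only"
  return "$rc"
}
```

Run it as `audit_sshd /etc/ssh/sshd_config`; a non-zero exit means a setting from the step above is missing or commented out.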
2. The Firewall (UFW)
Ubuntu comes with UFW (Uncomplicated Firewall). Turn it on, but allow SSH before enabling it, or you will lock yourself out!
ufw allow OpenSSH
ufw allow 'Nginx Full'
ufw enable
3. Fail2Ban (The Bouncer)
Fail2Ban monitors your logs. If someone tries to guess your password 3 times, it bans their IP address instantly.
Compliance Note: This satisfies the "Intrusion Detection" requirement of the new IT directives.
sudo apt install fail2ban
sudo systemctl enable --now fail2ban
4. Auto-Updates (Unattended Upgrades)
Don't be the dev who gets hacked because of a 2-year-old SSL bug.
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
Final Step: Backups
Security is useless if you delete your own database. Enable "Snapshots" in your VPS provider's dashboard (usually $1-$2/month).