Will a firewall block my SSH?

Only if you enable it without allowing port 22 first. Inside the VPS, SSH is on 22 (the 5xxxx number is just the external forward). Allow 22, then enable the firewall.

Do I need fail2ban if I use keys?

Less critical once passwords are off, but it still trims log noise and blocks brute-force attempts. It's a one-line install.

I locked myself out — now what?

Use the panel console at vps.overnight.host to get back in, or reinstall. See: recover access to your server.

Home / Help / Secure your VPS (the 10-minute checklist)

Secure your VPS (the 10-minute checklist)

A fresh VPS is yours to lock down. Do these four things right after you connect and you've shut out almost all of the noise.

Keep your current SSH session open while you do this, so a mistake can't lock you out before you've tested a new one.

1. Update everything

Debian/Ubuntu: apt update && apt -y upgrade. AlmaLinux/Rocky: dnf -y upgrade. Reboot if a kernel updated.

2. Use SSH keys, then turn off passwords

Add your key (see Connect over SSH), confirm key login works in a second terminal, then in /etc/ssh/sshd_config set PasswordAuthentication no and systemctl restart ssh.

3. Turn on a firewall

Important: inside your VPS, SSH listens on port 22 (the 5xxxx port in your welcome email is the external forward). Allow 22 before enabling the firewall or you'll lock yourself out.

Ubuntu/Debian with ufw: ufw allow 22/tcp → allow any other ports your app needs → ufw enable

4. Add fail2ban (optional but nice)

apt -y install fail2ban — it bans IPs that hammer your SSH with bad logins. Sensible defaults work out of the box.

Good habits

Run apps as a non-root user, not root.
Only open ports you actually use (ask us to forward inbound ports you need).
Snapshot before big changes — reinstall is one click if it goes wrong.