Hong Kong VPS has become the preferred choice for many website owners, foreign trade companies, cross-border business developers, and API service deployers. However, Hong Kong data centers sit in a complex network environment and are constantly exposed to malicious scans, brute-force attacks, CC traffic surges, port scanning, and script injection attempts. Many users start deploying their business the moment they receive the server and skip the most important security hardening steps, which leads to SSH brute-force attacks, service intrusion, website tampering, and even a VPS that is taken down entirely. To keep a VPS stable and secure, a comprehensive security strategy must be built, and firewall configuration, Fail2ban intrusion prevention, and disabling root login are the three most basic and critical measures.
When a Hong Kong VPS is first deployed, the system often has many ports open by default, with the SSH port exposed to the public internet. Attackers use automated scripts that scan open ports across the whole internet within seconds and then try to brute-force SSH passwords. A strict firewall policy is therefore the first layer of protection. Taking the common firewall tool ufw as an example, the firewall may not be enabled on a fresh system; check its status with the following command:
sudo ufw status
If the firewall is not enabled, configure the default policy first, allow only the access that is needed, and only then turn it on. To avoid locking yourself out of the server when the firewall comes up, the very first rule must allow the SSH port (22 by default; use your own port if you have changed it):
sudo ufw allow 22/tcp
Next, set a default denial policy to deny all ports that are not explicitly allowed:
sudo ufw default deny incoming
sudo ufw default allow outgoing
If web services are involved, then ports 80 and 443 need to be allowed:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Once the rules are in place, enable the firewall:
sudo ufw enable
At this point, basic access control for the VPS is established: only the ports that are needed can be reached from outside, and other ports cannot be exploited even if they are scanned, which greatly reduces the risk of intrusion. On top of the firewall, iptables or firewalld can provide finer-grained control, such as limiting how often a single IP address may connect, mitigating CC attacks, or blocking abnormal ports. iptables is very efficient. For example, the following rule drops new connections to port 80 from any single source address that exceeds 30 per second (with a burst allowance of 100). It uses the hashlimit match, which keeps a separate counter per source IP; the plain limit match counts all traffic to the port together and cannot limit one address on its own:
sudo iptables -A INPUT -p tcp --dport 80 --syn -m hashlimit --hashlimit-name http --hashlimit-mode srcip --hashlimit-above 30/sec --hashlimit-burst 100 -j DROP
This rule reduces the impact of malicious CC traffic on the server and gives web services an extra layer of protection. Note that rules added directly with iptables are lost on reboot; on a system that uses ufw they are normally placed in /etc/ufw/before.rules so that ufw reloads them. Because a Hong Kong VPS receives a wide and varied stream of external requests, a well-defined filtering policy matters even more here, so that the system rejects malicious access at the lowest layer.
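The firewall only protects the ports you remembered to think about. The following is an added example, not code from the original article: it compares what is actually listening on all interfaces (the output of ss -ltn) with what ufw allows (the output of ufw status), so a service installed later, or one bound to 0.0.0.0 by its default configuration, does not sit exposed unnoticed. Both inputs below are constructed sample outputs, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original article: report TCP ports that
# listen on a wildcard address but have no ALLOW rule in ufw.
# Real use on a server:  exposed_unallowed_ports "$(ss -ltn)" "$(sudo ufw status)"

# Constructed `ss -ltn` output: sshd, nginx, MySQL bound to loopback only, and
# a Redis instance that was left listening on every interface.
SS_SAMPLE='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       511     *:443                *:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       4096    0.0.0.0:6379         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*'

# Constructed `ufw status` output matching the rules added in the article.
UFW_SAMPLE='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)'

# TCP ports in LISTEN state bound to a wildcard address (0.0.0.0, *, [::]).
# Loopback-only listeners cannot be reached from outside and are skipped.
wildcard_listen_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host == "0.0.0.0" || host == "*" || host == "[::]") print port
    }' | sort -un
}

# Ports with an ALLOW rule in `ufw status` ("22/tcp" style rows). A rule that
# allows a port only from one source still counts as allowed here; a stricter
# check would also inspect the From column.
ufw_allowed_ports() {
    printf '%s\n' "$1" | awk '/ ALLOW / { split($1, p, "/"); print p[1] }' | sort -un
}

# Wildcard listeners that ufw does not allow. If ufw is inactive nothing is
# filtered at all, so every wildcard listener is reported.
exposed_unallowed_ports() {
    listening=$(wildcard_listen_ports "$1")
    if printf '%s\n' "$2" | grep -q '^Status: inactive'; then
        printf '%s\n' "$listening"
        return 0
    fi
    allowed=$(ufw_allowed_ports "$2")
    for port in $listening; do
        printf '%s\n' "$allowed" | grep -qxF "$port" || printf '%s\n' "$port"
    done
}

# With the constructed inputs this prints 6379: Redis is reachable from the
# internet even though the firewall is active.
exposed_unallowed_ports "$SS_SAMPLE" "$UFW_SAMPLE"
```

Run it after every new package installation; a port it reports should either be bound to 127.0.0.1 in the service's own configuration or get an explicit ufw rule restricted to the addresses that need it.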
A firewall alone only addresses port-level risk; it cannot stop continuous brute-force attempts against a port that must stay open. When attackers keep trying SSH passwords, every failed attempt still costs log volume and CPU time, and in bulk this can degrade the business running on the server. Fail2ban addresses this. It is an automated intrusion prevention tool that watches system logs and blocks an attacker's IP as soon as it sees repeated failures. Fail2ban can monitor services such as SSH, Nginx, Apache, and Postfix, making it an essential security component for a VPS.
Installing Fail2ban is very simple:
sudo apt install fail2ban -y
After installation, Fail2ban starts with its default configuration (on Debian and Ubuntu the sshd jail is enabled out of the box). To tune the protection, edit jail.local; if the file does not exist yet, create it rather than editing jail.conf, which package upgrades overwrite:
sudo nano /etc/fail2ban/jail.local
In it, define the SSH protection policy, for example:
[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
findtime = 600
This means that an IP address that submits 5 incorrect passwords within 10 minutes (findtime) is banned for 1 hour (bantime). On Hong Kong servers that are scanned constantly, this automatic blocking saves a great deal of manual checking and stops a brute-force run before it can work through its password list, which makes it highly effective protection. If /var/log/auth.log does not exist because the system logs only to journald, use backend = systemd in the jail instead of logpath. The change takes effect after restarting Fail2ban:
sudo systemctl restart fail2ban
To view currently blocked IPs, you can use:
sudo fail2ban-client status sshd
Fail2ban's defences are flexible and powerful. With custom filter regular expressions it can also cover attacks on Nginx, excessive API calls, and repeated attempts to log in to a back end, letting the VPS "fight back" automatically and shift from passive defence to proactive risk identification.
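To make the maxretry/findtime logic of the jail above concrete, here is an added example that is not code from the original article or from the Fail2ban project: a small shell and awk re-implementation of the sshd jail's decision, run over constructed auth.log lines embedded in the script. The function name and the sample addresses (taken from documentation ranges) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original article or from Fail2ban: find the
# source IPs that the [sshd] jail above would ban, i.e. those that reach
# MAXRETRY "Failed password" lines inside a FINDTIME-second window.
# Real use:  find_bruteforce_ips "$(sudo cat /var/log/auth.log)"

MAXRETRY=5      # same values as the jail.local snippet
FINDTIME=600    # seconds

# Constructed sample in Debian/Ubuntu auth.log format. 203.0.113.7 fails five
# times in eight seconds; 192.0.2.44 also fails five times, but spread over
# thirty minutes; 198.51.100.9 fails once and then logs in with a key.
# The parser assumes all lines come from the same day.
SAMPLE_LOG='Mar  3 10:00:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:00:03 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:00:05 vps sshd[1205]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar  3 10:00:07 vps sshd[1207]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar  3 10:00:09 vps sshd[1209]: Failed password for root from 203.0.113.7 port 51160 ssh2
Mar  3 10:05:00 vps sshd[1301]: Failed password for deploy from 198.51.100.9 port 40000 ssh2
Mar  3 10:05:30 vps sshd[1302]: Accepted publickey for deploy from 198.51.100.9 port 40010 ssh2
Mar  3 09:00:00 vps sshd[1100]: Failed password for root from 192.0.2.44 port 33000 ssh2
Mar  3 09:01:00 vps sshd[1101]: Failed password for root from 192.0.2.44 port 33001 ssh2
Mar  3 09:02:00 vps sshd[1102]: Failed password for root from 192.0.2.44 port 33002 ssh2
Mar  3 09:03:00 vps sshd[1103]: Failed password for root from 192.0.2.44 port 33003 ssh2
Mar  3 09:30:00 vps sshd[1104]: Failed password for root from 192.0.2.44 port 33004 ssh2'

# Print each source IP that reaches MAXRETRY failures within any FINDTIME
# window, once per IP, in the order the threshold is crossed.
find_bruteforce_ips() {
    printf '%s\n' "$1" | awk -v maxretry="$MAXRETRY" -v findtime="$FINDTIME" '
        function to_sec(hms,  p) { split(hms, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
        /sshd\[[0-9]+\]: Failed password for/ {
            t = to_sec($3)                       # $3 is the HH:MM:SS field
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            n[ip]++
            ts[ip, n[ip]] = t
            # count the failures of this IP inside the sliding window ending now
            cnt = 0
            for (i = 1; i <= n[ip]; i++) if (ts[ip, i] >= t - findtime) cnt++
            if (cnt >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }'
}

# With the constructed log this prints only 203.0.113.7; 192.0.2.44 never has
# five failures inside one 10-minute window, so Fail2ban would not ban it either.
find_bruteforce_ips "$SAMPLE_LOG"
```

The same run with FINDTIME raised to 3600 also reports 192.0.2.44, which is the trade-off the jail parameters express: a longer findtime catches slow, patient scanners at the cost of occasionally banning a user who mistypes a password a few times over an hour.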
Even with ports restricted in the firewall and Fail2ban running, one very high-risk exposure remains: direct SSH login as root. Root is the highest-privilege account on the system. Once it is compromised, attackers not only control the server completely but can also delete logs, deploy reverse proxy trojans, implant mining programs, and even launch lateral movement attacks. Disabling root login is an essential step in VPS security hardening and makes cracking SSH significantly harder.
To prevent direct root login, you need to first create a regular administrator user and grant it sudo privileges:
sudo adduser admin
sudo usermod -aG sudo admin
Next, modify the SSH configuration file to disable root login:
sudo nano /etc/ssh/sshd_config
Find these two directives (uncomment them if they are commented out) and set them as follows:
PermitRootLogin no
PasswordAuthentication no
The second directive disables password login altogether, so only key-based login is accepted, which greatly improves SSH security. Before restarting, make sure the new user's public key is installed in that user's ~/.ssh/authorized_keys and that a key-based login as that user succeeds from a second terminal while the current session stays open; otherwise this change will lock you out. Then restart the SSH service:
sudo systemctl restart sshd
Logging in as a regular user with an SSH key all but eliminates the chance of a successful brute-force attack. Even an attacker who knows the server's IP address cannot attempt a password at all, so intrusion at the SSH level is blocked. Where a workload genuinely needs root, escalate through sudo instead of exposing the root login directly.
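Whether the two directives are actually in force depends on where sshd reads them: sshd uses the first value it obtains for a keyword, and on Ubuntu the stock sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, so a drop-in such as 50-cloud-init.conf (cloud images commonly ship it with PasswordAuthentication yes) is read before, and therefore overrides, anything set later in sshd_config. The following is an added example, not code from the original article: a check that resolves the effective global value the way sshd does. It assumes the caller passes the configuration text in the order sshd reads it (included files expanded at the Include line); the file contents and function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original article: verify that
# PermitRootLogin and PasswordAuthentication are effectively "no", honouring
# sshd's first-value-wins rule and stopping at the first Match block.

# Constructed drop-in file, read first because of the Include line.
SSHD_CONFIG_D='# /etc/ssh/sshd_config.d/50-cloud-init.conf (constructed)
PasswordAuthentication yes'

# Constructed main file after the edits from the article (the Include line is
# already expanded above). The Match block must not affect the global values.
SSHD_CONFIG_MAIN='# /etc/ssh/sshd_config (constructed)
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication no
Match User deploy
    PasswordAuthentication yes'

AS_READ_BY_SSHD="$SSHD_CONFIG_D
$SSHD_CONFIG_MAIN"

# Print the effective global value of a keyword (case-insensitive), or nothing
# if it is unset. Only the "Keyword value" form is handled, not "Keyword=value".
effective_sshd_option() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$2" | awk -v key="$key" '
        /^[[:space:]]*#/ { next }              # comment line
        NF == 0 { next }                       # blank line
        tolower($1) == "match" { exit }        # global section ends at the first Match
        tolower($1) == key { print $2; exit }  # first occurrence wins, as in sshd
    '
}

# Return 0 when root login and password login are both effectively off;
# otherwise print each directive that is not "no" and return 1.
check_ssh_hardening() {
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(effective_sshd_option "$kw" "$1")
        [ "$val" = "no" ] || { printf '%s is "%s", want "no"\n' "$kw" "${val:-unset}"; rc=1; }
    done
    return $rc
}

# With the constructed files this reports PasswordAuthentication as "yes":
# the drop-in wins over the edit made in sshd_config.
check_ssh_hardening "$AS_READ_BY_SSHD" || echo "fix the drop-in file before restarting sshd"
```

On a live server the authoritative check is sudo sshd -T, which prints the fully resolved configuration in lowercase; filter its output for permitrootlogin and passwordauthentication after editing and before restarting, and fix or remove any drop-in in /etc/ssh/sshd_config.d that still sets password authentication to yes.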
Because a Hong Kong VPS is so openly reachable from the network, it needs more robust security measures than most. The three basic measures described here, a firewall, Fail2ban, and disabled root login, together defend against most malicious attacks from the public internet. True security, however, goes beyond this baseline and requires further hardening driven by operational needs: regularly applying system patches, closing unused ports, configuring HTTPS and security headers for web services, adding firewall rate-limiting rules, and layering protections such as restricting remote database access, controlling directory permissions, and configuring Nginx against crawlers. Enterprise users with sensitive business can additionally deploy a WAF, IDS/IPS, Zero Trust access, and port brute-force prevention mechanisms.