🛡️ Hetzner VPS Hardening Guide (2026 Edition)

Securing a server isn't a one-time task—it’s about building layers. By moving from the network perimeter down to the OS kernel, you ensure that even if one layer is bypassed, the rest of your system remains resilient.

Here is a step-by-step guide to securing your Hetzner Cloud instance.


1. Network Layer: Hetzner Cloud Firewall

The first line of defense is the Hetzner Cloud Firewall, a stateful packet filter enforced in Hetzner's network before traffic reaches your server's network interface. Packets that match no allow rule are dropped there, so they never cost you CPU or show up in your logs. Because the firewall is stateful, replies to connections your server opens itself are let back in automatically; you only write rules for inbound connection attempts.

Recommended Inbound Rules

| Service     | Port           | Source        | Description |
|-------------|----------------|---------------|-------------|
| SSH         | 22 (or custom) | Your local IP | Restricts management access to your own address. If that address is dynamic, use a VPN or jump-host range instead of a single /32, or the rule will lock you out when it changes. |
| Web (HTTP)  | 80             | Any IPv4/IPv6 | Standard web traffic. |
| Web (HTTPS) | 443            | Any IPv4/IPv6 | Encrypted web traffic. |
| Default     | All            | Any           | Implicitly dropped: anything not matched by a rule never reaches the server, so no explicit deny rule is needed. |

If the SSH rule ever locks you out, the Console button in the Hetzner Cloud Console opens a VNC session that does not pass through the firewall; use it to fix the rule rather than deleting the firewall.
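The same rule set built with the hcloud CLI, as an added example that is not part of the original guide. It assumes hcloud is installed and HCLOUD_TOKEN is exported; the firewall name, SERVER and ADMIN_IP are placeholders you set yourself, and the public-IP lookup via api.ipify.org is only a convenience you can replace with a fixed ADMIN_IP.

```sh
#!/bin/sh
# Added example, not part of the original guide: build the recommended inbound
# rule set as a Hetzner Cloud Firewall with the hcloud CLI and attach it to one
# server. Assumptions: hcloud is installed and HCLOUD_TOKEN is exported; the
# firewall name, SERVER and ADMIN_IP are placeholders you set yourself.
set -eu

FW_NAME="${FW_NAME:-vps-baseline}"
SSH_PORT="${SSH_PORT:-22}"   # keep in sync with sshd_config and UFW

# The API wants CIDR notation: 203.0.113.10 -> 203.0.113.10/32,
# 2001:db8::1 -> 2001:db8::1/128; an explicit prefix passes through unchanged.
to_cidr() {
  case "$1" in
    */*) printf '%s\n' "$1" ;;
    *:*) printf '%s/128\n' "$1" ;;
    *)   printf '%s/32\n' "$1" ;;
  esac
}

# Accept only a numeric TCP port in 1-65535 before handing it to the API.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Source for the SSH rule: ADMIN_IP if set (a static address, VPN or jump
# host range), otherwise the public IPv4 of the machine running this script.
admin_source() {
  if [ -n "${ADMIN_IP:-}" ]; then
    to_cidr "$ADMIN_IP"
  else
    to_cidr "$(curl -fsS4 https://api.ipify.org)"   # assumption: ipify reachable
  fi
}

create_firewall() {
  server="$1"
  valid_port "$SSH_PORT" || { echo "bad SSH_PORT: $SSH_PORT" >&2; return 1; }
  admin="$(admin_source)"

  hcloud firewall create --name "$FW_NAME"
  # Inbound only. Anything not listed is dropped by the implicit default deny,
  # and because the firewall is stateful, replies to the server's own
  # outbound connections need no rule.
  hcloud firewall add-rule "$FW_NAME" --direction in --protocol tcp \
    --port "$SSH_PORT" --source-ips "$admin" --description "ssh from admin only"
  hcloud firewall add-rule "$FW_NAME" --direction in --protocol tcp \
    --port 80 --source-ips 0.0.0.0/0 --source-ips ::/0 --description "http"
  hcloud firewall add-rule "$FW_NAME" --direction in --protocol tcp \
    --port 443 --source-ips 0.0.0.0/0 --source-ips ::/0 --description "https"
  hcloud firewall apply-to-resource "$FW_NAME" --type server --server "$server"

  # Read back what the API stored so drift from this script is visible.
  hcloud firewall describe "$FW_NAME"
}

# Only touch the account when asked explicitly:
#   SERVER=web-01 ADMIN_IP=203.0.113.10 ./hcloud-firewall.sh apply
if [ "${1:-}" = "apply" ]; then
  create_firewall "${SERVER:?set SERVER to the target server name}"
fi
```

The flag names are those of current hcloud releases; confirm them with `hcloud firewall add-rule --help` if your version differs. Pinning SSH to a /32 of a dynamic home address will lock you out when the address changes, which is why ADMIN_IP is meant to point at something stable.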

2. Identity & Access: SSH Hardening

Password logins can be brute-forced, guessed and phished. An Ed25519 key pair cannot be guessed, and the private half never leaves your machine, so we generate a key locally, install the public half on the server and then disable password-based entry entirely.

Generate Modern Keys (Local Machine)

ssh-keygen -t ed25519 -C "[email protected]"

Apply Hardening (Server Side)

Edit /etc/ssh/sshd_config with these parameters. On current Debian and Ubuntu images the first line of that file is an Include of /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for each keyword, so a drop-in such as /etc/ssh/sshd_config.d/00-hardening.conf is the more robust place: it wins over cloud-init's own 50-cloud-init.conf and survives package upgrades of the main file.

  • PermitRootLogin no: Disable direct root-level login; administer through your own user and sudo.
  • PasswordAuthentication no: Disable password-based entry. Pair it with KbdInteractiveAuthentication no, otherwise PAM's keyboard-interactive prompt can still accept a password.
  • MaxAuthTries 3: Limit authentication attempts per connection.
  • Port 2222: (Optional) A non-standard port cuts automated scanner noise but adds no real security. Open the same port in the Hetzner firewall and in UFW before restarting sshd. On Ubuntu releases where sshd is started from ssh.socket, a Port change also needs `systemctl daemon-reload` followed by `systemctl restart ssh.socket`.

Check the syntax with `sudo sshd -t`, apply with `sudo systemctl restart ssh`, and confirm the effective values with `sudo sshd -T | grep -Ei 'permitrootlogin|passwordauthentication|kbdinteractive'`. The -T output is what sshd actually enforces, regardless of which file set it.

[!WARNING] Test before you exit: Always test your connection in a new terminal window before closing your current session to avoid being locked out.
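The server-side steps above as one script, an added example that is not part of the original guide: it writes the settings as a drop-in and then audits the effective configuration from `sshd -T`, so a second drop-in that re-enables passwords is caught instead of silently winning. The drop-in name, the SSH_PORT default and the script name are assumptions; it must run as root.

```sh
#!/bin/sh
# Added example, not part of the original guide: install the hardening values
# as an sshd_config.d drop-in, then verify the *effective* configuration with
# `sshd -T` so that another drop-in (cloud-init writes 50-cloud-init.conf on
# Ubuntu) cannot silently keep password logins on. The drop-in name and the
# SSH_PORT default are assumptions; run as root.
set -eu

SSH_PORT="${SSH_PORT:-22}"
DROPIN="${DROPIN:-/etc/ssh/sshd_config.d/00-hardening.conf}"

# sshd keeps the first value it reads for each keyword and the Include at the
# top of sshd_config loads drop-ins in name order, so "00-" beats "50-".
render_sshd_dropin() {
  cat <<EOF
# managed by harden-ssh.sh
Port $1
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
EOF
}

# Audit `sshd -T` output (one lowercase "keyword value" per line) read from
# stdin. Prints each deviation and returns 1 if there was any.
audit_effective_config() {
  awk -v want_port="$1" '
    { kv[$1] = $2 }
    END {
      bad = 0
      if (kv["permitrootlogin"] != "no") {
        print "permitrootlogin is " kv["permitrootlogin"]; bad++ }
      if (kv["passwordauthentication"] != "no") {
        print "passwordauthentication is " kv["passwordauthentication"]; bad++ }
      if (kv["kbdinteractiveauthentication"] != "no") {
        print "kbdinteractiveauthentication is " kv["kbdinteractiveauthentication"]; bad++ }
      if (kv["maxauthtries"] + 0 > 3) {
        print "maxauthtries is " kv["maxauthtries"]; bad++ }
      if (kv["port"] != want_port) {
        print "port is " kv["port"] " (expected " want_port ")"; bad++ }
      exit (bad > 0 ? 1 : 0)
    }'
}

apply() {
  render_sshd_dropin "$SSH_PORT" > "$DROPIN"
  chmod 0644 "$DROPIN"
  sshd -t                      # syntax check before touching the running service

  # Ubuntu 22.10+ starts sshd from ssh.socket; a Port change is only picked
  # up after the socket unit is regenerated and restarted.
  if systemctl -q is-active ssh.socket 2>/dev/null; then
    systemctl daemon-reload
    systemctl restart ssh.socket
  fi
  systemctl restart ssh

  if sshd -T | audit_effective_config "$SSH_PORT"; then
    echo "effective sshd configuration matches the hardening baseline"
  else
    echo "hardening NOT effective, check other files in /etc/ssh/sshd_config.d" >&2
    return 1
  fi
}

if [ "${1:-}" = "apply" ]; then
  apply
fi
```

Run it as `SSH_PORT=2222 ./harden-ssh.sh apply` from an existing session, keep that session open, and test a fresh login before you leave, exactly as the warning above says. The audit function also works on its own: `sudo sshd -T | audit_effective_config 22` is a quick compliance check for any host.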


3. OS Level Protection: UFW & Fail2Ban

Layering a local firewall and an automated banning system ensures your OS remains secure even if the network firewall is misconfigured.

Configure Uncomplicated Firewall (UFW)

sudo apt update && sudo apt install ufw -y
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp  # Match your SSH port
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw --force enable

Install Fail2Ban

Fail2Ban watches the authentication log and, through the firewall, bans any IP that repeatedly fails to log in.

sudo apt install fail2ban -y
sudo systemctl enable --now fail2ban
sudo fail2ban-client status sshd

The last command must list the sshd jail as running. On Debian 12 images, which ship without rsyslog, /var/log/auth.log does not exist and the default sshd jail fails to start; put `backend = systemd` in /etc/fail2ban/jail.local so Fail2Ban reads the journal instead. If you moved SSH off port 22, also set `port = 2222` in the [sshd] section of jail.local, or the bans will protect the wrong port.

4. Maintenance: Unattended Upgrades

Security is dynamic. Automate patching so published security fixes are installed without waiting for you. This does not protect against a true zero-day, for which no fix exists yet, but it closes the window between a fix being released and your server receiving it.

sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

Answering "Yes" writes /etc/apt/apt.conf.d/20auto-upgrades; the apt-daily and apt-daily-upgrade systemd timers then refresh the package lists and install updates from the security pocket roughly once a day (`systemctl list-timers 'apt-daily*'` shows the next run). Kernel and libc updates only take effect after a reboot, so either set `Unattended-Upgrade::Automatic-Reboot "true"` with a reboot time in /etc/apt/apt.conf.d/50unattended-upgrades, or watch for /var/run/reboot-required.
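Sections 3 and 4 as one script, an added example that is not part of the original guide: UFW with a rate-limited SSH rule, a jail.local that reads the journal and matches your SSH port, an apt override that reboots in a maintenance window, and a small log-aggregation function for checking what Fail2Ban will actually see. The port, ban parameters, reboot time and the sample log lines in the usage note are all constructed assumptions.

```sh
#!/bin/sh
# Added example, not part of the original guide: UFW, Fail2Ban and
# unattended-upgrades configured together. Port, ban parameters and the
# reboot window are assumptions; run as root.
set -eu

SSH_PORT="${SSH_PORT:-22}"

# Fail2Ban overrides. jail.local is read after jail.conf, so only the
# differences from the defaults are listed here.
render_jail_local() {
  cat <<EOF
[DEFAULT]
# journal backend: works on Debian 12 images that ship without rsyslog,
# where /var/log/auth.log does not exist and the sshd jail would not start
backend  = systemd
bantime  = 1h
findtime = 10m
maxretry = 5
# never ban the administrator's own address (ADMIN_IP is an assumption)
ignoreip = 127.0.0.1/8 ::1 ${ADMIN_IP:-}

[sshd]
enabled = true
port    = $1
EOF
}

# apt override: 52- sorts after the package's 50unattended-upgrades and wins.
render_apt_override() {
  cat <<'EOF'
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:30";
EOF
}

# Given sshd journal or auth.log lines on stdin, count authentication
# failures per client IP and print "ip count" for every IP that reached
# the threshold in $1. This mirrors what the sshd jail reacts to.
failed_logins_by_ip() {
  awk -v threshold="$1" '
    /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
      # the client address always follows the word "from"
      for (i = 1; i < NF; i++) if ($i == "from") { n[$(i+1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= threshold) print ip, n[ip] }' | sort
}

apply() {
  ufw default deny incoming
  ufw default allow outgoing
  # "limit" allows the port but drops a source that opens more than
  # 6 connections in 30 seconds: the first brake on brute force
  ufw limit "${SSH_PORT}/tcp"
  ufw allow 80/tcp
  ufw allow 443/tcp
  ufw --force enable

  render_jail_local "$SSH_PORT" > /etc/fail2ban/jail.local
  systemctl enable --now fail2ban
  fail2ban-client reload
  fail2ban-client status sshd          # must show the jail as active

  render_apt_override > /etc/apt/apt.conf.d/52unattended-upgrades-local
  apt-config dump | grep -q 'Unattended-Upgrade::Automatic-Reboot "true"' \
    || { echo "apt override not picked up" >&2; return 1; }
  unattended-upgrades --dry-run --debug | tail -n 5
  systemctl list-timers 'apt-daily*' --no-pager
}

if [ "${1:-}" = "apply" ]; then
  apply
fi
```

To see whether the jail would fire on real traffic, pipe the journal through the counter with the same threshold as maxretry: `journalctl -u ssh --since today | failed_logins_by_ip 5`. The addresses it prints should match `fail2ban-client status sshd` after the findtime window; if they do not, run `fail2ban-regex systemd-journal sshd` to check that the filter matches your distribution's log format.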


5. Automation: The Cloud-Init Script

Use this User Data script when creating a new server on Hetzner to automate the entire hardening process instantly.

#cloud-config
users:
  - name: developer
    groups: sudo
    shell: /bin/bash
    sudo: ['ALL=(ALL) NOPASSWD:ALL']
    ssh_authorized_keys:
      - ssh-ed25519 YOUR_PUBLIC_KEY_HERE

# Stop cloud-init itself from enabling password logins in its own
# sshd_config.d/50-cloud-init.conf drop-in.
ssh_pwauth: false

package_update: true
package_upgrade: true

packages:
  - ufw
  - fail2ban
  - unattended-upgrades

write_files:
  # A drop-in instead of sed: "00-" sorts before 50-cloud-init.conf, sshd
  # keeps the first value it reads, and the file survives upgrades of
  # the packaged sshd_config. Add "Port 2222" here if you change the port.
  - path: /etc/ssh/sshd_config.d/00-hardening.conf
    content: |
      PermitRootLogin no
      PasswordAuthentication no
      KbdInteractiveAuthentication no
      MaxAuthTries 3
  # Journal backend so the sshd jail starts on images without rsyslog.
  - path: /etc/fail2ban/jail.local
    content: |
      [DEFAULT]
      backend = systemd
      [sshd]
      enabled = true

runcmd:
  - ufw default deny incoming
  - ufw default allow outgoing
  - ufw limit 22/tcp    # keep in sync with Port in sshd_config; limit = rate-limited allow
  - ufw allow 80/tcp
  - ufw allow 443/tcp
  - ufw --force enable
  - sshd -t && systemctl restart ssh
  - systemctl enable --now fail2ban

Quick Reference: Root Access

With root login disabled, use these patterns for administrative tasks:

  • Single Command: sudo <command>
  • Full Root Shell: sudo -i
  • Safe File Editing: sudoedit /path/to/file
Karan Kiri

© 2026 Karan Kiri. All rights reserved.