
I hardened my Hetzner VPS from scratch — here's everything I did (and the tools I built along the way)
I run a production server on Hetzner (Ubuntu 24.04) and get hit with thousands of attack attempts daily. After 3 months of hardening, I've blocked 8,000+ IPs from 132 countries with zero successful intrusions. Here's every step I applied, what actually worked, and the open-source tools I built to make it easier.

1. SSH (biggest single impact)

```
# /etc/ssh/sshd_config
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
AllowUsers myuser
```

Moving the SSH port sounds like security through obscurity, but it dropped 90% of automated scans overnight. Real attackers scan all ports anyway — this just filters out the lazy bots.

2. Firewall + IP blacklisting

```
# Create ipset blacklist
ipset create blacklist_set hash:ip hashsize 65536 maxelem 131072

# Add to iptables
iptables -I INPUT -m set --match-set blacklist_set src -j DROP

# Atomic swap for zero-downtime updates
ipset create blacklist_tmp hash:ip hashsize 65536 maxelem 131072
# ... populate blacklist_tmp
```
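One way to finish the atomic swap that the firewall step begins, as an added example that is not the author's own script. The set names and sizes come from the commands above; the function names `build_restore` and `apply_blacklist` and the one-address-per-line input file are assumptions.

```shell
#!/bin/sh
# Added example (not from the article). Set names and sizes are taken from
# the article; function names and the input file format are assumptions.
SET=blacklist_set
TMP=blacklist_tmp

# Read candidate IPv4 addresses on stdin (one per line, '#' comments allowed)
# and write an `ipset restore` payload that rebuilds the temporary set.
# Malformed and duplicate lines are dropped, so a single bad entry in a feed
# cannot abort the whole load.
build_restore() {
    printf 'create %s hash:ip hashsize 65536 maxelem 131072 -exist\n' "$TMP"
    printf 'flush %s\n' "$TMP"
    awk -v set="$TMP" '
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }   # strip comments, whitespace
        $0 == "" { next }
        {
            n = split($0, o, ".")
            if (n != 4) next
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255)
                    next
            if (!seen[$0]++) print "add " set " " $0
        }'
}

# Load the temporary set, then swap it into place. `ipset swap` exchanges the
# two sets in one operation, so the iptables rule that matches blacklist_set
# never sees an empty or half-filled set. If the load fails, the swap is
# skipped and the old blacklist stays active.
# Needs root and an existing blacklist_set; $1 is the address list file.
apply_blacklist() {
    build_restore < "$1" | ipset restore || return 1
    ipset swap "$TMP" "$SET" && ipset destroy "$TMP"
}
```

Call `apply_blacklist /path/to/list.txt` from cron or a systemd timer; piping a list into `build_restore` alone prints the payload for inspection without touching the firewall.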
Continue reading on Dev.to DevOps




