Securing Your New Hetzner Server: The First Hour

A new server is a clean slate. It feels full of potential. But a new server from Hetzner or any provider is also a target. The moment it gets a public IP address, automated bots start scanning it for vulnerabilities. They are looking for open ports and weak passwords.

Your job in the first hour is to build a basic wall around your server. You need to make it a much harder target before you even think about deploying your application. The good news is that this is not complicated. You only need to do a few simple things right. This guide will walk you through them.

Step 1 Update Everything

The first thing you should do after logging in as root is update all the software packages. The base image you used to create the server might be days or weeks old. Security patches are released constantly.

You need to get the latest versions of everything.

apt update
apt upgrade -y

This ensures you are not exposed to any known vulnerabilities that have already been fixed. Do this before you do anything else.

Step 2 Create a User for Yourself

Operating as the root user is dangerous. The root user can do anything, including accidentally deleting the entire file system. You should create a personal user account for your daily work and give it the ability to run commands as root when needed.

First create the new user. Replace yourname with a username you like.

adduser yourname

The system will ask you to set a password and some other optional information. After the user is created you need to give it sudo privileges. This allows your user to run commands as the root user by typing sudo before the command.

usermod -aG sudo yourname

Now you should log out of your root session and log back in with your new user account to make sure it works. From this point on you will do everything as this new user.

Step 3 Set Up a Basic Firewall

A firewall controls what traffic is allowed to enter or leave your server. By default a new server might not have an active firewall, which means any service you start is potentially exposed to the world.

The easiest way to manage a firewall on Ubuntu or Debian is with ufw, which stands for Uncomplicated Firewall.

First you should deny all incoming traffic by default. Then you can specifically allow the traffic you need. The most important service to allow is SSH. If you forget to allow SSH you will lock yourself out of your server.

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh

Most likely you will also need to run a web server. You can allow HTTP and HTTPS traffic as well.

sudo ufw allow http
sudo ufw allow https

Now you can enable the firewall. It will ask you to confirm because enabling the firewall can disrupt existing connections.

sudo ufw enable

You can check the status of your firewall at any time to see the rules you have in place.

sudo ufw status

This simple setup is a huge step forward. It means only the services you explicitly permit are reachable from the internet.

Step 4 Harden SSH Access

Your SSH server is the front door to your machine. Right now it is probably protected by a password. Passwords can be guessed or brute forced. A much more secure method is to use SSH keys.

SSH keys are a pair of cryptographic keys: a public key, which you place on the server, and a private key, which you keep safely on your local computer. The server will only allow someone to log in if they have the corresponding private key. This is practically impossible to brute force.

If you don’t have an SSH key pair you can generate one on your local machine.

ssh-keygen -t rsa -b 4096

Once you have your key you need to copy the public part to your new server. The ssh-copy-id command is the easiest way to do this. Run this from your local computer.

ssh-copy-id yourname@your_server_ip

After you have copied your key and confirmed you can log in with it, you should disable the old, less secure login methods. You will edit the SSH configuration file on your server.

sudo nano /etc/ssh/sshd_config

You need to find and change two lines in this file.

First find PermitRootLogin and change it to no. This prevents anyone from logging in as the root user directly. This is a critical security measure.

PermitRootLogin no

Next find PasswordAuthentication and change it to no. This disables logging in with a password entirely and forces everyone to use SSH keys.

PasswordAuthentication no

Save the file and exit the editor. Then you must restart the SSH service for the changes to take effect.

sudo systemctl restart ssh

Before you log out, open a new terminal window and try to connect to the server. Make sure your key-based login still works. Once you have confirmed it, you have successfully hardened your primary access point.
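
An added example, not part of the original post: on Debian and Ubuntu, files in /etc/ssh/sshd_config.d/ are read before the rest of sshd_config and the first value found for a keyword wins, so the two edits above can be silently overridden. This script checks the effective settings that sshd -T reports; the function name, the extra pubkeyauthentication check and both sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example. Samples below are constructed, shaped like `sshd -T` output
# (one "keyword value" pair per line, keywords in lowercase).
# On the server itself:  sudo sshd -t && sudo sshd -T | check_sshd_effective

# Reads effective sshd settings on stdin, prints one verdict per setting,
# and returns 1 if any of them is missing or not the hardened value.
check_sshd_effective() {
    awk '
        BEGIN {
            want["permitrootlogin"]        = "no"
            want["passwordauthentication"] = "no"
            want["pubkeyauthentication"]   = "yes"
        }
        ($1 in want) && !($1 in got) { got[$1] = $2 }
        END {
            bad = 0
            for (k in want) {
                if (!(k in got)) {
                    printf "MISSING %s (expected %s)\n", k, want[k]; bad = 1
                } else if (got[k] != want[k]) {
                    printf "FAIL    %s is %s (expected %s)\n", k, got[k], want[k]; bad = 1
                } else {
                    printf "OK      %s %s\n", k, got[k]
                }
            }
            exit bad
        }'
}

# Constructed: sshd_config was edited, but a drop-in still enables passwords.
SAMPLE_OVERRIDDEN='port 22
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes'

# Constructed: the state Step 4 is aiming for.
SAMPLE_HARDENED='port 22
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'

printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_sshd_effective || echo "not hardened yet"
printf '%s\n' "$SAMPLE_HARDENED" | check_sshd_effective && echo "hardened"
```

If passwordauthentication still reports yes after your edit, sudo grep -ri passwordauthentication /etc/ssh/sshd_config.d/ will show the file that sets it.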

Step 5 Install Fail2Ban

Fail2Ban is a small utility that scans log files for malicious activity. It looks for things like repeated failed login attempts and then automatically blocks the offending IP address at the firewall.

It is an extra layer of automated defense that is very easy to set up.

sudo apt install fail2ban

That is it. Fail2Ban starts working out of the box with a default configuration that protects SSH. It will monitor your authentication logs and if it sees too many failed attempts from a single IP it will temporarily ban them.

These five steps do not make your server impenetrable. But they raise the bar significantly. They move you from being an easy target to a hardened one. You have closed the most common doors that automated attackers use. You now have a much safer foundation for your work.

— Rishi Banerjee
September 2025