Securing Your VPS: Simple Firewall Rules That Block 90% of Attacks Print

When you host a VPS, security is no longer optional — it’s essential. One of the easiest and most effective ways to secure your server is by implementing basic firewall rules. These simple rules can block over 90% of common attacks and drastically reduce your server’s exposure to threats.

Let’s walk through some practical, beginner-friendly firewall configurations that can help you stay safe.

1. Block All, Then Allow What You Need

The most effective firewall strategy is default-deny. That means blocking everything by default and only allowing trusted traffic.

In iptables, this looks like:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

Then, allow only necessary ports like:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT   # SSH
iptables -A INPUT -p tcp --dport 80 -j ACCEPT   # HTTP
iptables -A INPUT -p tcp --dport 443 -j ACCEPT  # HTTPS

This alone blocks most automated attacks scanning random open ports.

2. Rate-Limit SSH to Prevent Brute-Force Logins

SSH brute-force attacks are one of the most common. Add a rate-limit rule:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP

This blocks IPs that try to connect to SSH too frequently.

3. Block Ping (ICMP) if You Don’t Need It

Ping floods can be used for network scanning or DDoS.

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

Optional — only if you’re sure your services don’t rely on ping.

4. Drop Invalid Packets

Attackers often send malformed packets to exploit kernel vulnerabilities.

iptables -A INPUT -m state --state INVALID -j DROP

5. Allow Localhost and Established Connections

Make sure your server can communicate internally and maintain existing connections:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

6. Save Your Rules

On most systems (like Ubuntu), save rules using:

iptables-save > /etc/iptables/rules.v4

On CentOS or RHEL, consider using firewalld or nftables.

Bonus: Use CSF for Easy Firewall Management

If you’re not comfortable with raw iptables, CSF (ConfigServer Security & Firewall) is a beginner-friendly tool:

• Easily block IPs, countries, and ports

• Brute-force protection built-in

• Web UI available in DirectAdmin, cPanel, or Webmin

Final Tips

• Keep SSH on a non-standard port (e.g. 2222) for extra obscurity

• Disable root login via SSH

• Use fail2ban for additional protection against brute-force attempts

Conclusion

With just a few basic firewall rules, you can dramatically reduce the attack surface of your VPS. Whether you prefer iptables or a user-friendly tool like CSF, a proactive firewall strategy is one of the smartest moves you can make.

????️ Stay safe. Stay online. Stay in control.