Securing Your Home Server — UFW, Fail2Ban, SSH Hardening, and Lessons Learned
Step 1: Set up UFW firewall properly
Step 2: Install and configure Fail2Ban
Step 3: Harden SSH
Change the SSH port
Disable root login
Disable password authentication (use keys only)
Apply the changes
Step 4: Enable automatic security updates
Step 5: Set up basic monitoring
Install Uptime Kuma
Step 6: Protect your Oracle VPS the same way
Lessons learned after running this for a while
The finished product
What's next

In Part 4, your server went live on the internet. Which means within 24 hours, bots from around the world started probing it for weaknesses. This isn't paranoia — it's reality. Any public-facing server gets hit with hundreds of automated attacks daily. This is the final part of the series. We'll lock everything down so you can sleep at night.

Step 1: Set up UFW firewall properly

UFW (Uncomplicated Firewall) blocks every port except the ones you explicitly allow. Default-deny is the only sane approach for a public server. You should see only the ports you opened. Everything else is blocked.

⚠️ Don't enable UFW over an SSH session without allowing SSH first. You'll lock yourself out. Always sudo ufw allow 22/tcp before sudo ufw enable.

Step 2: Install and configure Fail2Ban

Fail2Ban watches your log files and bans IPs that show malicious behavior (failed logins, brute-force attempts, etc.). Create a local config (never edit jail.conf directly — it gets overwritten on updates): Create the Nextcloud filter: Within a day or two, you'll see dozens of IPs banned — these are the bots constantly probing your server.

Step 3: Harden SSH

SSH is the front door to your server. Default settings are a huge target for bots.

Change the SSH port

Pick any port between 1024-49151 (I'm using 2299 as an example). This alone reduces bot attacks by ~90% since most bots only scan port 22.

Disable root login

Disable password authentication (use keys only)

Before doing this, make sure your SSH key works. Generate one if you haven't: Copy the public key to your server: Once you confirm key login works, disable passwords in sshd_config:

Apply the changes

From now on, SSH with:

Step 4: Enable automatic security updates

Unpatched servers are the easiest targets. Set up automatic updates for security patches: Select Yes when prompted. Your server now automatically installs security updates overnight.

Step 5: Set up basic monitoring

You want to know when something breaks — not find out from a family member saying "the photos site is down." Uptime Kuma is a simple self-hosted monitoring tool.
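For the Fail2Ban step, here is an added example that is not the post's own jail or filter: a minimal jail.local and Nextcloud failregex, plus a small shell dry-run that applies the filter to constructed Nextcloud log lines and counts hits against maxretry the way Fail2Ban would, so you can sanity-check a filter before enabling the jail. The log path and thresholds are assumptions, and the emulation ignores findtime.

```shell
#!/bin/sh
# Added example, not the post's own config: a minimal jail.local and Nextcloud
# filter, plus a shell emulation of how Fail2Ban applies them to a log, so you
# can dry-run the filter against real log lines before enabling the jail.
# Assumptions: the log path is a placeholder; findtime is ignored here.
set -eu
WORK=$(mktemp -d)

# jail.local overrides jail.conf and survives package upgrades.
cat > "$WORK/jail.local" <<'EOF'
[nextcloud]
enabled  = true
port     = 80,443
filter   = nextcloud
logpath  = /path/to/nextcloud/data/nextcloud.log
maxretry = 3
findtime = 10m
bantime  = 1h
EOF

# filter.d/nextcloud.conf: <HOST> is Fail2Ban's placeholder for the offending IP.
cat > "$WORK/nextcloud.conf" <<'EOF'
[Definition]
failregex = ^.*"remoteAddr":"<HOST>".*"message":"Login failed:.*$
EOF

# Constructed nextcloud.log: three failures from one IP, one from another,
# and an unrelated cron line that must not match.
cat > "$WORK/nextcloud.log" <<'EOF'
{"reqId":"a1","level":2,"time":"2024-01-01T10:00:01+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: admin (Remote IP: 203.0.113.7)"}
{"reqId":"a2","level":2,"time":"2024-01-01T10:00:04+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: root (Remote IP: 203.0.113.7)"}
{"reqId":"a3","level":1,"time":"2024-01-01T10:00:05+00:00","remoteAddr":"","user":"--","app":"cron","method":"","url":"--","message":"Starting cron job"}
{"reqId":"a4","level":2,"time":"2024-01-01T10:00:06+00:00","remoteAddr":"198.51.100.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: alice (Remote IP: 198.51.100.5)"}
{"reqId":"a5","level":2,"time":"2024-01-01T10:00:09+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: test (Remote IP: 203.0.113.7)"}
EOF

# would_ban JAIL FILTER LOG -> prints each IP whose failregex hits reach maxretry
would_ban() {
  maxretry=$(awk -F' *= *' '$1 == "maxretry" { print $2 }' "$1")
  # Turn the Fail2Ban pattern into an ERE: <HOST> becomes a capturing IP group.
  re=$(awk -F' *= *' '$1 == "failregex" { print $2 }' "$2" \
       | sed 's/<HOST>/([0-9a-fA-F:.]+)/')
  grep -E "$re" "$3" | sed -E "s/$re/\1/" | sort | uniq -c \
    | awk -v m="$maxretry" '$1 >= m { print $2 }'
}

would_ban "$WORK/jail.local" "$WORK/nextcloud.conf" "$WORK/nextcloud.log"
```

On a live host, `fail2ban-regex /path/to/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf` does the same dry-run with the real engine.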
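For the "disable password authentication" step (and when you repeat it on the Oracle VPS), an added example that is not from the post: a POSIX shell check of the effective sshd settings, which matters because sshd uses the first value it sees for a keyword and Ubuntu's sshd_config includes sshd_config.d at the top, where cloud images often ship a cloud-init drop-in whose value wins over anything written below. The sample config and the drop-in file are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the post: report the EFFECTIVE sshd settings the way
# sshd resolves them: Include lines are expanded in place and the FIRST value of
# a keyword wins, so a drop-in in sshd_config.d (included at the top on Ubuntu,
# and cloud images often ship one) silently overrides a later
# "PasswordAuthentication no". Match blocks are not handled; compare with sshd -T.
set -eu

# flatten_sshd_config FILE -> config text with Include globs expanded in place
flatten_sshd_config() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      [Ii]nclude" "*) for inc in ${line#* }; do      # unquoted so the glob expands
                        if [ -f "$inc" ]; then flatten_sshd_config "$inc"; fi
                      done ;;
      \#*|'') ;;                                     # comments and blank lines
      *) printf '%s\n' "$line" ;;
    esac
  done < "$1"
}

# effective_sshd_value FILE KEYWORD -> the first (winning) value, or nothing
effective_sshd_value() {
  flatten_sshd_config "$1" | awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }'
}

# ssh_hardening_report FILE -> "<keyword> <effective value> <ok|FAIL>" per line.
# Before restarting sshd on a new port, `ufw allow <port>/tcp` or you lock yourself out.
ssh_hardening_report() {
  port=$(effective_sshd_value "$1" Port); : "${port:=22}"
  root=$(effective_sshd_value "$1" PermitRootLogin); : "${root:=prohibit-password}"
  pw=$(effective_sshd_value "$1" PasswordAuthentication); : "${pw:=yes}"
  [ "$port" != 22 ] && p=ok || p=FAIL
  [ "$root" = no ] && r=ok || r=FAIL
  [ "$pw" = no ] && w=ok || w=FAIL
  printf 'Port %s %s\nPermitRootLogin %s %s\nPasswordAuthentication %s %s\n' \
    "$port" "$p" "$root" "$r" "$pw" "$w"
}

# Constructed sample (not a real host): hardened main file plus a cloud-init style
# drop-in that is included first and still allows passwords.
DEMO=$(mktemp -d); mkdir -p "$DEMO/sshd_config.d"
printf 'Include %s/sshd_config.d/*.conf\nPort 2299\nPermitRootLogin no\nPasswordAuthentication no\n' \
  "$DEMO" > "$DEMO/sshd_config"
printf 'PasswordAuthentication yes\n' > "$DEMO/sshd_config.d/50-cloud-init.conf"
ssh_hardening_report "$DEMO/sshd_config"
```

Running the report against the sample shows PasswordAuthentication still effectively "yes" until the drop-in is fixed or removed, which is exactly what `sudo sshd -T | grep -i passwordauthentication` would tell you on the real server.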
Install Uptime Kuma

Add it to your Docker setup: Add this service below nextcloud: Open http://192.168.1.100:3001, create an admin account, and add monitors for: Set up email or Telegram notifications so you get pinged when anything goes down.

Step 6: Protect your Oracle VPS the same way

Don't forget — your Oracle VPS is also public-facing. SSH into it and apply the same hardening: Both servers need the same level of security. The chain is only as strong as its weakest link.

Lessons learned after running this for a while

Things I wish I'd known on day one:

Use Ethernet if the server is anywhere near your router. WiFi drops happen. They're rare but always at the worst time — usually when you're traveling and need a file. Wired connections are boringly reliable.

Set BIOS to auto-power-on. After a power cut, you want the server to boot itself. Look for "AC Power Recovery" or "Restore on AC Power Loss" in BIOS and set it to "Always On." All your services (Docker, frpc, Tailscale) will auto-start on boot, so full recovery takes 2-3 minutes with zero intervention.

Back up Nextcloud's config directory. If your server's drive fails, the data is gone either way, but losing the config directory means you can't even rebuild the services. I rsync ~/server/config to an external drive weekly.

Tailscale is the unsung hero. If I had to cut any part of this stack, the public VPS path would go. Tailscale alone covers 95% of real-world use. The VPS exists only so family members can open a link in a browser.

Don't expose services you don't need. Every open port is a potential vulnerability. If you don't need Samba accessible remotely, don't expose it. Only Nextcloud goes through the public tunnel.

Docker makes recovery easy. When something breaks, I can nuke the container and rebuild from docker-compose.yml in 30 seconds. All state lives in mounted volumes. This is the biggest practical advantage of running services in containers.

Monitor what matters. Disk space is the #1 thing to watch. Photos pile up fast. When your drive hits 90%, things start failing silently. Uptime Kuma + a simple disk space check saves you from nasty surprises.

The finished product

After 5 posts, you have:

✅ A complete personal cloud on an old laptop
✅ Phone auto-backup replacing Google Photos
✅ Desktop sync replacing Google Drive
✅ NAS file sharing via Samba
✅ Private remote access via Tailscale
✅ Public access via custom domain with SSL
✅ Firewall, brute-force protection, and SSH hardening
✅ Automated monitoring
✅ Total recurring cost: ~₹850/year for a domain

All running on hardware that was collecting dust.

What's next

The series is done, but the server isn't. Things I'm planning to add over the coming months: I'll write about each of these as I add them. If any of it sounds interesting, follow me here. All config files from this entire series are on GitHub:
👉 github.com/sasrath/homecloud

Thanks for following along with this series. Whether you built the whole thing or just read for context, I hope it was useful. Questions, feedback, or your own war stories from self-hosting? Drop them in the comments. I read and reply to everything.

Your cloud. Your data. Your house. 🏠