June 16, 2026
The Overlooked Security Gap
Why Developers Focus on API Security but Neglect VPS Protection
Ravi Mishra
4 min read
Everyone Secures Their APIs. Almost Nobody Secures Their VPS.
A few days ago, while operating and deploying my project, IsCodeSearch, on a cloud VPS, I ran into an issue that completely changed how I think about infrastructure security.
Like most developers, I spent hours contemplating:
- API authentication
- JWT tokens
- Database security
- Rate limiting
- Frontend vulnerabilities
- Secrets management
What I didn't consider thoroughly enough was the machine itself — the VPS. And then, one evening, my site became unreachable. SSH stopped responding.
My first reaction was: "Azure is down." It wasn't.
"The VPS was the last thing I suspected. It should have been the first."
That incident sent me down a rabbit hole that every developer deploying their own infrastructure should understand.
The Forgotten Security Layer
Modern developers devote substantial effort to securing:
Frontend → Backend → Database
But often ignore:
Internet → VPS → Everything Else
The VPS is the foundation. If someone gains root access to your server, it doesn't matter how elegant your authentication system is. Game over.
The Reality of a Public IP
My VPS had been online for a while. I eventually installed Fail2Ban and checked the statistics. Within hours:
- Total failed attempts: 675
- Total banned IPs: 6
"The internet doesn't discover your startup. It discovers your IP address."
The interesting part? The project wasn't famous. The domain wasn't popular. Nobody knew it existed. The attacks happened because:
Public IP + Port 22 Open
That's all it takes. The internet continuously scans entire IPv4 ranges looking for vulnerable machines. Not your project. Not your startup. Your IP address.
What Attackers Actually Want
Most SSH scanners are looking for:
- Weak passwords
- Default credentials
- Forgotten accounts
- Misconfigured servers
Common usernames include:
- root
- admin
- ubuntu
- oracle
- git
- test
- postgres
If they find a vulnerable machine, they usually:
- Install crypto miners
- Join botnets
- Send spam
- Use the machine as a proxy
- Search for cloud credentials
They are not targeting you personally. They are targeting every machine.
The First Security Check
Before doing anything else: check how SSH authentication is configured. On Ubuntu:
```
sudo grep -E "^(PasswordAuthentication|PermitRootLogin)" \
  /etc/ssh/sshd_config \
  /etc/ssh/sshd_config.d/* 2>/dev/null
```
You want:
```
PasswordAuthentication no
```
This means SSH keys are required. Without your private key, attackers cannot authenticate. This single setting eliminates the vast majority of brute-force attacks.
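The grep above shows which files mention the two directives, but not which value sshd actually applies: OpenSSH keeps the first value it reads for a directive, and Ubuntu's sshd_config begins with an Include of sshd_config.d/*.conf, so a drop-in can quietly win over the main file. On a live host, `sudo sshd -T | grep -Ei 'passwordauthentication|permitrootlogin'` prints the effective values. The script below is an added example, not from the post, that applies the same first-value-wins rule to constructed sample files (the file names and contents are made up for the demo) so the logic can be run anywhere:

```shell
#!/bin/sh
# Added example: audit sshd configuration files for the two directives the post
# checks. OpenSSH uses the FIRST value it reads for a directive, so pass files in
# the order sshd reads them (drop-ins from sshd_config.d first, then sshd_config).

# effective_value DIRECTIVE FILE... -> first value seen across FILEs (keyword is case-insensitive)
effective_value() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    shift
    awk -v key="$key" '
        FNR == 1 { inmatch = 0 }                             # a Match block ends with its file
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }        # skip comments and blank lines
        /^[[:space:]]*[Mm]atch[[:space:]]/ { inmatch = 1 }   # directives under Match are conditional: ignore
        !inmatch && tolower($1) == key { print $2; exit }
    ' "$@"
}

# audit_sshd FILE... -> prints one line per directive; exit 0 only if both are hardened
audit_sshd() {
    pa=$(effective_value PasswordAuthentication "$@")
    prl=$(effective_value PermitRootLogin "$@")
    pa=${pa:-yes}                    # OpenSSH default when unset
    prl=${prl:-prohibit-password}    # OpenSSH default when unset (since 7.0)
    rc=0
    case "$pa" in
        no) echo "PasswordAuthentication no  -> OK, keys required" ;;
        *)  echo "PasswordAuthentication $pa -> WEAK, password guessing possible"; rc=1 ;;
    esac
    case "$prl" in
        no)                                 echo "PermitRootLogin no -> OK" ;;
        prohibit-password|without-password) echo "PermitRootLogin $prl -> OK, root by key only" ;;
        *)                                  echo "PermitRootLogin $prl -> WEAK, set no or prohibit-password"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files (made up for this demo, not copied from any host)
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
# main file: looks hardened when read on its own
Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication no
PermitRootLogin no
EOF
cat > "$SAMPLE_DIR/50-image-default.conf" <<'EOF'
# drop-in shipped with an image: sshd reads it before the main file, so it wins
PasswordAuthentication yes
EOF
cat > "$SAMPLE_DIR/60-hardening.conf" <<'EOF'
PasswordAuthentication no
PermitRootLogin prohibit-password
EOF

echo "== drop-in that re-enables passwords is read first =="
audit_sshd "$SAMPLE_DIR/50-image-default.conf" "$SAMPLE_DIR/sshd_config" || echo "result: NOT hardened"
echo "== hardening drop-in is read first =="
audit_sshd "$SAMPLE_DIR/60-hardening.conf" "$SAMPLE_DIR/sshd_config" && echo "result: hardened"
```

The first run reports `PasswordAuthentication yes` even though the main file says `no`, which is exactly the case the plain grep hides. After changing a directive, `sudo sshd -t` validates the syntax before you restart the service and risk locking yourself out.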
Install Fail2Ban Immediately
If your VPS has public SSH access, Fail2Ban should be one of the first packages you install. It monitors authentication failures and automatically bans abusive IPs. Example configuration:
```
[sshd]
enabled = true
backend = systemd
maxretry = 7
findtime = 10m
bantime = 604800
```
This means:
- 7 failures within 10 minutes
- 7-day ban (604800 seconds)
After installation, I immediately started seeing bans from:
- Alibaba Cloud
- Oracle Cloud
- Residential ISPs
- Hosting providers across multiple countries
The internet is noisy. Fail2Ban filters that noise.
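To make the `maxretry`/`findtime` rule concrete, here is an added example (not from the post and not Fail2Ban's own code) that applies the same counting rule to constructed sshd log lines. The addresses are RFC 5737 documentation ranges and the hostnames and PIDs are made up; it only matches "Failed password" lines, whereas the real sshd filter also catches other failure messages.

```shell
#!/bin/sh
# Added example: reproduce the "7 failures within 10 minutes" decision on sample log lines.

LOG=$(mktemp)
# Constructed sample in syslog/journal format (same day assumed).
# 192.0.2.9   : 7 failures, 20 minutes apart      -> never 7 inside a 10-minute window
# 203.0.113.5 : 8 failures inside 30 seconds       -> banned on the 7th
# 198.51.100.7: 3 failures                         -> below maxretry
cat > "$LOG" <<'EOF'
Jun 16 18:00:00 vps sshd[3101]: Failed password for root from 192.0.2.9 port 40001 ssh2
Jun 16 18:20:00 vps sshd[3140]: Failed password for root from 192.0.2.9 port 40002 ssh2
Jun 16 18:40:00 vps sshd[3188]: Failed password for root from 192.0.2.9 port 40003 ssh2
Jun 16 19:00:00 vps sshd[3230]: Failed password for root from 192.0.2.9 port 40004 ssh2
Jun 16 19:20:00 vps sshd[3279]: Failed password for root from 192.0.2.9 port 40005 ssh2
Jun 16 19:40:00 vps sshd[3311]: Failed password for root from 192.0.2.9 port 40006 ssh2
Jun 16 20:00:00 vps sshd[3350]: Failed password for root from 192.0.2.9 port 40007 ssh2
Jun 16 21:00:01 vps sshd[4001]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Jun 16 21:00:04 vps sshd[4003]: Failed password for invalid user ubuntu from 203.0.113.5 port 51002 ssh2
Jun 16 21:00:08 vps sshd[4005]: Failed password for invalid user oracle from 203.0.113.5 port 51003 ssh2
Jun 16 21:00:11 vps sshd[4007]: Failed password for invalid user git from 203.0.113.5 port 51004 ssh2
Jun 16 21:00:15 vps sshd[4009]: Failed password for invalid user test from 203.0.113.5 port 51005 ssh2
Jun 16 21:00:19 vps sshd[4011]: Failed password for invalid user postgres from 203.0.113.5 port 51006 ssh2
Jun 16 21:00:22 vps sshd[4013]: Failed password for root from 203.0.113.5 port 51007 ssh2
Jun 16 21:00:26 vps sshd[4015]: Failed password for root from 203.0.113.5 port 51008 ssh2
Jun 16 21:00:30 vps sshd[4100]: Accepted publickey for azureuser from 100.64.0.12 port 52000 ssh2
Jun 16 21:10:00 vps sshd[4200]: Failed password for invalid user oracle from 198.51.100.7 port 53001 ssh2
Jun 16 21:10:03 vps sshd[4202]: Failed password for invalid user oracle from 198.51.100.7 port 53002 ssh2
Jun 16 21:10:06 vps sshd[4204]: Failed password for invalid user oracle from 198.51.100.7 port 53003 ssh2
EOF

# failures_per_ip FILE -> "count ip" per source address, most failures first
failures_per_ip() {
    awk '/Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' "$1" \
        | sort | uniq -c | sort -rn
}

# ban_candidates FILE MAXRETRY FINDTIME_SECONDS
# -> prints each IP the first time it reaches MAXRETRY failures inside a sliding FINDTIME window
ban_candidates() {
    awk -v maxretry="$2" -v findtime="$3" '
        /Failed password/ {
            split($3, t, ":")                                   # HH:MM:SS -> seconds since midnight
            now = t[1] * 3600 + t[2] * 60 + t[3]
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++; ts[ip, n[ip]] = now
            hits = 0
            for (j = 1; j <= n[ip]; j++) if (now - ts[ip, j] <= findtime) hits++
            if (hits >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }' "$1"
}

echo "failures per source:"
failures_per_ip "$LOG"
echo "would be banned with maxretry=7 findtime=600s:"
ban_candidates "$LOG" 7 600
```

The slow scanner (192.0.2.9) racks up the same total as the fast one but never trips the rule, which is the trade-off behind `findtime`: a longer window catches slow scanners, a shorter one forgives a fat-fingered password of your own. Compare with `fail2ban-client status sshd` on a real host.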
Which Ports Should Be Open?
A surprisingly useful rule: Open only what you absolutely need. Typical web application:
- 22 SSH
- 80 HTTP
- 443 HTTPS
Everything else:
Closed
Do NOT expose:
- 5432 PostgreSQL
- 6379 Redis
- 6333 Qdrant
- 27017 MongoDB
- 9200 Elasticsearch
to the public internet. If your database can be reached from the internet, you've already made a mistake.
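A quick way to check the rule above on a running host is `ss -tlnH` (TCP listeners, numeric, no header) and looking at the local address column: anything on `0.0.0.0`, `*` or `[::]` is reachable from every interface, anything on `127.0.0.1` or `[::1]` is not. The script below is an added example, not from the post, that flags listeners outside the 22/80/443 set from a constructed `ss` sample so it runs without root; the sample rows and the `ALLOWED_PORTS` list are assumptions for the demo.

```shell
#!/bin/sh
# Added example: find listening TCP sockets that are reachable from the network
# and are not one of the ports a typical web app needs.
# On a real host:  ss -tlnH | exposed_listeners /dev/stdin

ALLOWED_PORTS="22 80 443"

# exposed_listeners FILE -> "port local-address" for each listener bound to a
# non-loopback address whose port is not in ALLOWED_PORTS
exposed_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            sock = $4                                   # e.g. 0.0.0.0:5432  [::]:443  127.0.0.1:6379  *:6333
            k = split(sock, p, ":"); port = p[k]        # port is the text after the last colon
            addr = substr(sock, 1, length(sock) - length(port) - 1)
            loopback = (addr ~ /^127\./ || addr == "[::1]")
            if (!loopback && !(port in ok)) print port, addr
        }' "$1"
}

# Constructed sample of `ss -tlnH` output (columns: state recv-q send-q local peer)
SS_SAMPLE=$(mktemp)
cat > "$SS_SAMPLE" <<'EOF'
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 244 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 *:6333 *:*
LISTEN 0 4096 [::1]:27017 [::1]:*
EOF

echo "listeners reachable from the network outside $ALLOWED_PORTS:"
exposed_listeners "$SS_SAMPLE"
```

In the sample, PostgreSQL (5432) and Qdrant (6333) are flagged while Redis and MongoDB are bound to loopback and pass. One caveat worth knowing with a Docker-based deployment: a container port published with `-p 5432:5432` shows up here as `0.0.0.0:5432`, and Docker inserts its own iptables rules for it, so a host firewall such as ufw does not block it; publish on `127.0.0.1:5432:5432` (or your tailnet address) instead.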
The Tailscale Discovery
While troubleshooting, I rediscovered something I had installed years ago and completely forgotten: Tailscale. Tailscale creates a private encrypted network between devices. Instead of:
Laptop → Public Internet → Azure VPS
You get:
Laptop → Private Tailnet → Azure VPS
My devices ended up looking like:
- Laptop: 100.x.x.x
- Azure VPS: 100.x.x.x
- AWS VPS: 100.x.x.x
And suddenly:
```
ssh azureuser@100.x.x.x
```
worked from anywhere. No public IP required.
The Most Surprising Use Case
The biggest realization wasn't SSH. It was GPUs. Suppose you have:
Gaming PC with RTX GPU at Home
With Tailscale:
Azure VPS → Private Network → Home GPU
Your VPS can serve users. Your home GPU can perform:
- LLM inference
- Embeddings
- Image generation
- Transcription
No static IP. No port forwarding. No router configuration. For many solo builders, this can significantly reduce cloud GPU costs.
"Tailscale didn't make my infrastructure more powerful. It made it smaller."
Should You Close Port 22?
Eventually, yes. But not immediately. Recommended progression:
Stage 1
SSH Key Authentication + Fail2Ban + Public SSH
Stage 2
SSH Key Authentication + Fail2Ban + Tailscale + Public SSH Backup
Stage 3
SSH Key Authentication + Fail2Ban + Tailscale + Port 22 Closed
Many developers jump straight to Stage 3. I prefer spending a few days validating the setup first. Always keep a recovery path.
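What "Port 22 Closed" looks like as a firewall policy, as an added example that is not from the post: an nftables ruleset for Stage 3 that accepts SSH only on the tailnet interface and keeps 80/443 public. It assumes the Tailscale interface is named `tailscale0` (its default) and that the file lives at `/etc/nftables.conf` (the default on Ubuntu); the single marked line is the difference between Stage 2 and Stage 3.

```nftables
#!/usr/sbin/nft -f
# Added example: host inbound policy for Stage 3 (SSH reachable only over Tailscale).
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept    # replies to our own connections
        ct state invalid drop
        iifname "lo" accept
        iifname "tailscale0" accept            # tailnet peers: SSH and internal services (databases, GPU box)

        tcp dport { 80, 443 } accept           # the public web app
        udp dport 41641 accept                 # Tailscale's default WireGuard port; optional, relays work without it
        # tcp dport 22 accept                  # Stage 2 only: public SSH backup. Remove for Stage 3.

        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }
    # forward/output chains deliberately left at their defaults so Docker's own rules are untouched
}
```

Check the file with `sudo nft -c -f /etc/nftables.conf` before loading it with `sudo systemctl enable --now nftables`, and, matching the progression above, do it from an SSH session that is already running over the tailnet so a mistake cannot lock you out. The port the post mentions later (48221 instead of 22) would simply replace 22 in the commented line.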
Other Security Measures Worth Considering
Disable Root Login
```
PermitRootLogin no
```
Automatic Security Updates
On Ubuntu:
```
sudo apt install unattended-upgrades
```
Change SSH Port
Not true security. But reduces log noise significantly. Example:
48221 instead of 22
Swap Configuration
Not directly security related. But operational stability matters. A VPS that survives memory pressure is a VPS that stays online. Example:
```
sudo fallocate -l 4G /swapfile
```
Security Isn't Just About Code
Most developers think security starts here:
Frontend → Backend → Database
In reality, it starts here:
Internet → VPS → Operating System → Docker → Backend → Database
Your APIs can be perfect. Your JWT implementation can be flawless. Your authorization system can be beautiful. If your server is compromised, none of that matters. The biggest lesson from my recent VPS troubleshooting wasn't learning a new tool. It was realizing that infrastructure security deserves the same attention we already give application security. The internet starts probing your server the moment it receives a public IP. Whether you're ready or not.
"Security doesn't start at the API. It starts at the machine."
This incident happened while running IsCodeSearch, a semantic code search platform built for developers. The irony wasn't lost on me: I had spent months securing the application while giving far less attention to securing the machine it was running on.