Why Most VPSs Get Hacked in the First 72 Hours and How to Stop It in Under 2 Hours
Every week I clean up freshly deployed servers that were compromised in under 3 days. Here are the exact mistakes that get people hacked and the dead simple fixes that stop 99% of attacks.
Hi, I’m Marcello, an RHCSA-certified Linux sysadmin and the guy people call when their server is already bleeding.
Every single week I get at least one emergency message that looks like this:
“I launched a $5 DigitalOcean/Hetzner/Linode droplet yesterday and today it’s sending spam / mining crypto / part of a botnet. Help!”
99% of the time the server was compromised in less than 72 hours after the first root login.
And 99% of the time it was 100% preventable in under 2 hours.
Here are the six mistakes I see literally every single time (and how I fix them before I even install the first application).
1. Root login with password over SSH (the #1 killer)
Still the most common way people get owned in 2025 / 2026.
What you probably did:
Created the droplet → copied the root password → logged in with password.
What attackers do 60 seconds later:
Run a dictionary attack with 10 million common passwords. They succeed in minutes.
Fix (60 seconds):
# Disable password authentication completely (matches the line whether it is commented out or not)
sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
# On the RHEL 9 family, drop-ins in /etc/ssh/sshd_config.d/ (e.g. cloud-init's) win over the main file: check the effective values
sshd -T | grep -Ei '^(passwordauthentication|permitrootlogin) '
# Keep this session open until a key login works in a second terminal
sshd -t && systemctl restart sshd
From this moment on, only SSH keys work. Game over for 95% of bots.
2. Port 22 open to 0.0.0.0/0
firewall-cmd --permanent --remove-service=ssh
# firewall-cmd has no --source switch for --add-service; a rich rule is how you allow ssh from one address only
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="YOUR.IP.ADDRESS.HERE/32" service name="ssh" accept'
firewall-cmd --reload
Or move SSH to a high port (recommended on the exam too):
semanage port -a -t ssh_port_t -p tcp 60022   # needs policycoreutils-python-utils
firewall-cmd --permanent --add-port=60022/tcp
firewall-cmd --reload
# Open the firewall first and restart sshd last, so you never lock yourself out
sed -i -E 's/^#?Port .*/Port 60022/' /etc/ssh/sshd_config
sshd -t && systemctl restart sshd
# Once a login on 60022 works: firewall-cmd --permanent --remove-service=ssh && firewall-cmd --reload
3. No brute-force protection
dnf install fail2ban -y
systemctl enable --now fail2ban
The default jail.local already bans after 5 failures on sshd. Done.
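An added example of mine, not code from the post, that ties steps 1 to 3 together on the RHEL 9 family (Rocky/Alma 9). Their sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf and sshd keeps the first value it reads, so a cloud-init drop-in saying PasswordAuthentication yes silently beats anything sed changes in the main file. The functions below write a drop-in that sorts first, check the effective value the way sshd resolves it, and write a jail.local that enables the sshd jail on the moved port. Assumptions: EPEL's fail2ban with the firewalld rich-rule ban action (which bans per port), the file name 00-hardening.conf, the port 60022 and the admin address 203.0.113.10 are my choices; all paths are parameters so you can run it against temp copies first.

```bash
#!/bin/bash
# Added example (not from the original post). Assumes the RHEL 9 family:
# OpenSSH 8.7+ with "Include /etc/ssh/sshd_config.d/*.conf" at the top of
# the main file, and EPEL fail2ban with the firewalld rich-rule ban action.
set -eu

# effective_sshd_option OPTION MAIN_CONFIG DROPIN_DIR
# sshd keeps the FIRST value it reads; the Include at the top means every
# drop-in (in lexical order) beats the main file. Prints the winning value,
# or nothing if unset. Match blocks are not modelled; use `sshd -T` on the
# live host for the complete picture.
effective_sshd_option() {
    local opt=$1 main=$2 dir=$3 f v
    for f in "$dir"/*.conf "$main"; do
        [ -f "$f" ] || continue
        v=$(awk -v o="$opt" 'tolower($1) == tolower(o) { print $2; exit }' "$f")
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    done
}

# write_sshd_hardening_dropin DROPIN_DIR SSH_PORT
# Named 00-* so it sorts before 50-redhat.conf / 50-cloud-init.conf and wins.
write_sshd_hardening_dropin() {
    local dir=$1 port=$2
    mkdir -p "$dir"
    cat > "$dir/00-hardening.conf" <<EOF
# Managed hardening drop-in: sorts first, so these values win.
Port $port
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
EOF
    chmod 600 "$dir/00-hardening.conf"
}

# verify_sshd_hardening MAIN_CONFIG DROPIN_DIR
# Returns 0 only if the effective values are the hardened ones. On a live
# host follow with `sshd -t`, then `systemctl restart sshd`, and keep the
# current session open until a key login succeeds.
verify_sshd_hardening() {
    local main=$1 dir=$2
    [ "$(effective_sshd_option PasswordAuthentication "$main" "$dir")" = no ] &&
    [ "$(effective_sshd_option PermitRootLogin "$main" "$dir")" = prohibit-password ]
}

# write_fail2ban_jail JAIL_LOCAL SSH_PORT ADMIN_IP
# Enables the sshd jail explicitly (harmless if the package already does) and
# tells it the moved port: the firewalld rich-rule ban action bans per port,
# so with the stock "port = ssh" the bans would land on 22 while sshd listens
# on 60022. ADMIN_IP is whitelisted so a typo in your passphrase can't lock
# you out. backend = systemd reads sshd's journal entries, so it works
# whether or not rsyslog writes /var/log/secure.
write_fail2ban_jail() {
    local out=$1 port=$2 admin=$3
    cat > "$out" <<EOF
[DEFAULT]
backend  = systemd
ignoreip = 127.0.0.1/8 ::1 $admin
bantime  = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
port    = $port
EOF
}

# jail_ssh_port JAIL_LOCAL - prints the port the sshd jail will ban on.
jail_ssh_port() {
    awk '/^\[sshd\]/ { in_sshd = 1; next }
         /^\[/ { in_sshd = 0 }
         in_sshd && $1 == "port" { print $3; exit }' "$1"
}
```

On a real host the calls are write_sshd_hardening_dropin /etc/ssh/sshd_config.d 60022, verify_sshd_hardening /etc/ssh/sshd_config /etc/ssh/sshd_config.d, then write_fail2ban_jail /etc/fail2ban/jail.local 60022 YOUR.IP and systemctl restart fail2ban; fail2ban-client status sshd should then list the jail.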
4. Running outdated packages on day zero
dnf update -y
dnf install dnf-automatic -y
systemctl enable --now dnf-automatic-install.timer
5. No proper firewall (or “I only opened HTTP/HTTPS”)
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --permanent --remove-service=cockpit # if you don't use it
firewall-cmd --permanent --set-default-zone=drop # optional nuclear mode
firewall-cmd --reload
6. Still logging in as root every day
useradd -m marcello
usermod -aG wheel marcello
passwd marcello # strong password
# Upload your public key to ~marcello/.ssh/authorized_keys
chmod 700 ~marcello/.ssh
chmod 600 ~marcello/.ssh/authorized_keys
chown -R marcello:marcello ~marcello/.ssh
From now on: ssh marcello@server → sudo only when needed.
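The authorized_keys step from mistake 6, as an added example of mine rather than the post's own commands: a function that refuses anything that is not an OpenSSH public key line (a pasted private key is the classic mistake), does not duplicate a key on re-runs, and sets the permissions sshd's StrictModes requires. The home directory and owner are parameters so it can be exercised in a temp directory; on the real host pass ~marcello and marcello. The sample key blob in the usage is constructed, not a real key.

```bash
#!/bin/bash
# Added example (not from the original post): validated, idempotent
# authorized_keys install. HOME_DIR and OWNER are parameters for testing.
set -eu

# install_authorized_key HOME_DIR PUBKEY_FILE [OWNER]
install_authorized_key() {
    local home=$1 keyfile=$2 owner=${3:-} key blob authz
    key=$(head -n 1 "$keyfile")
    # Accept only the key types we hand out; a pasted private key, an empty
    # paste or a stray PEM header must never land in authorized_keys.
    case $key in
        "ssh-ed25519 "*|"sk-ssh-ed25519@openssh.com "*|"ecdsa-sha2-nistp256 "*|"ssh-rsa "*) ;;
        *) echo "refusing '$keyfile': not an OpenSSH public key line" >&2; return 1 ;;
    esac
    authz=$home/.ssh/authorized_keys
    mkdir -p "$home/.ssh"
    touch "$authz"
    # Idempotent: match on type + base64 blob, ignoring the trailing comment.
    blob=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
    if ! awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit (found ? 0 : 1) }' "$authz"; then
        printf '%s\n' "$key" >> "$authz"
    fi
    # sshd ignores keys in group/world-accessible paths under default StrictModes.
    chmod 700 "$home/.ssh"
    chmod 600 "$authz"
    if [ -n "$owner" ]; then
        chown -R "$owner:$owner" "$home/.ssh"
    fi
}

# authorized_key_count HOME_DIR - number of key lines present.
authorized_key_count() {
    awk 'NF >= 2 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}

# mode_of PATH - octal permission bits (GNU stat, falling back to BSD stat).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}
```

Usage on the box: install_authorized_key ~marcello /tmp/marcello.pub marcello, run it twice and authorized_key_count ~marcello still prints 1; feed it a private key file and it returns 1 without touching the file.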
My Exact 2-Hour RHCSA-Grade Secure Server Recipe
This is literally what I run for every $399 client on Rocky/AlmaLinux:
- Create limited user + SSH keys
- Disable root & password login
- Move SSH to high port + restrict source IP in firewalld
- fail2ban + dnf-automatic
- Lock firewalld to only needed services
- Full stack install (Docker, Podman, LEMP, etc.)
- firewalld + SELinux enforced
- podman/rootless where possible
- Handover with sosreport summary and documentation
Zero compromises across 100+ servers in the last 18 months.
Want This Done For You – RHCSA Guaranteed?
I’ll lock your Rocky/AlmaLinux/CentOS server exactly like this in 24–48 h.
→ Basic Secure Server Setup (Red Hat family) – $399
→ Emergency Hack Cleanup – $1,299
Click here for accurate prices and services.
Lock it down now → Basic Server Setup Package
Stay dangerous (to attackers),
Marcello
Linux Shield
P.S. Yes, I still love Ubuntu for some clients, but when someone hires an RHCSA, they get firewalld, SELinux, and the Red Hat way.
