The moment a VPS gets a public IP, it's under attack — scanners hit SSH and common paths within minutes. Here's the layered defense I run, none of it exotic.

1. The front door

SSH is key-only with root login disabled: PermitRootLogin no, PasswordAuthentication no, and KbdInteractiveAuthentication no as well, since with PAM in the loop keyboard-interactive can still prompt for a password after plain password auth is off. Obvious, but the single highest-value change. Verify it with sshd -T rather than by reading the file: sshd takes the first occurrence of a directive, so a hardened line appended below a permissive one is silently ignored.
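
A check for this step, added here as an example and not taken from the post: a shell audit of an sshd_config that reproduces sshd's first-match rule, run against three constructed sample files. The file names and contents are assumptions; it reads one flat file and does not follow Include lines, which is exactly why sshd -T is the real check on a live host.

```shell
#!/bin/sh
# Added example (not from the post): audit an sshd_config for key-only, no-root
# access. sshd honours the FIRST occurrence of a directive, so a permissive line
# near the top silently beats a hardened line appended below it; the audit
# mirrors that rule. The sample files written by write_samples are constructed.
# Include files are not followed: on a live host check "sshd -T" instead.

# effective_value FILE DIRECTIVE -> prints the value sshd would use, or nothing
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }            # comments and blank lines
        tolower($1) == "match"       { exit }           # Match blocks are conditional; stop
        tolower($1) == tolower(key)  { print $2; exit } # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE -> 0 if hardened, 1 otherwise; prints each finding
audit_sshd_config() {
    asc_file=$1; asc_rc=0
    root=$(effective_value "$asc_file" PermitRootLogin)
    pass=$(effective_value "$asc_file" PasswordAuthentication)
    kbd=$(effective_value "$asc_file" KbdInteractiveAuthentication)
    pub=$(effective_value "$asc_file" PubkeyAuthentication)

    # absent PermitRootLogin means prohibit-password: keys still work for root, we want none
    [ "$root" = "no" ] || { echo "FAIL $asc_file: PermitRootLogin=${root:-<unset>}"; asc_rc=1; }
    # absent PasswordAuthentication defaults to yes
    [ "$pass" = "no" ] || { echo "FAIL $asc_file: PasswordAuthentication=${pass:-<unset,yes>}"; asc_rc=1; }
    # keyboard-interactive (PAM) can still prompt for a password; also defaults to yes
    [ "$kbd" = "no" ] || { echo "FAIL $asc_file: KbdInteractiveAuthentication=${kbd:-<unset,yes>}"; asc_rc=1; }
    # PubkeyAuthentication defaults to yes; only an explicit "no" is a problem
    [ -z "$pub" ] || [ "$pub" = "yes" ] || { echo "FAIL $asc_file: PubkeyAuthentication=$pub"; asc_rc=1; }
    [ "$asc_rc" -eq 0 ] && echo "OK   $asc_file: key-only, root login disabled"
    return "$asc_rc"
}

# write_samples DIR -> three constructed configs: weak, trap (looks fixed, isn't), hardened
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
# distro default with root and passwords left on
PermitRootLogin yes
PasswordAuthentication yes
EOF
    cat > "$1/trap.conf" <<'EOF'
# hardened lines were appended at the bottom, but sshd already took the first value
PasswordAuthentication yes
PermitRootLogin no
KbdInteractiveAuthentication no
PasswordAuthentication no
EOF
    cat > "$1/hardened.conf" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
EOF
}

# Demo: write the samples to a temp dir and audit each one
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for c in weak trap hardened; do
    audit_sshd_config "$demo_dir/$c.conf" || true
done
```

The trap file is the interesting one: every hardened directive is present, and the audit still fails it, because the first PasswordAuthentication line is the one sshd uses.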

2. CrowdSec at the edge

CrowdSec parses my reverse-proxy logs, detects patterns (credential stuffing, path scanning, bad bots) and issues time-limited bans; a Traefik bouncer enforces them at the proxy, so banned IPs are rejected before their requests reach an app. On top of that comes the community blocklist, so IPs already attacking other CrowdSec users are blocked before their first request to me.
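
To make the detection step concrete, here is an added example (not CrowdSec's code and not from the post): the two patterns above reduced to one awk pass over Common Log Format access lines, plus the cscli decisions a bouncer would then enforce. It counts over the whole file instead of CrowdSec's time-windowed leaky buckets, the log it reads is constructed (TEST-NET addresses), and the /login path and 4h ban are assumptions.

```shell
#!/bin/sh
# Added example (not from the post, not CrowdSec's own code): the kind of
# detection CrowdSec scenarios perform, as one awk pass over reverse-proxy
# access logs in Common Log Format, plus the decisions handed to a bouncer.
# Simplifications: counts over the whole file (no time window); the log is
# constructed; the /login path and the 4h ban duration are assumptions.

# detect LOGFILE THRESHOLD -> lines of "<scenario> <ip> <count>", sorted
detect() {
    awk -v thr="$2" '
    {
        ip = $1
        # pull "METHOD PATH HTTP/x" STATUS out of the line, wherever the quotes sit
        if (!match($0, /"[A-Z]+ [^ ]+ HTTP\/[0-9.]+" [0-9][0-9][0-9]/)) next
        split(substr($0, RSTART, RLENGTH), f, " ")
        method = substr(f[1], 2); path = f[2]; status = f[4]

        # path scanning: many DISTINCT 404 paths from one IP (retries of one path do not count)
        if (status == "404" && !seen[ip SUBSEP path]++) notfound[ip]++
        # credential stuffing: repeated failed logins from one IP
        if (method == "POST" && path == "/login" && status == "401") failed[ip]++
    }
    END {
        for (ip in notfound) if (notfound[ip] >= thr) print "path-scan", ip, notfound[ip]
        for (ip in failed)   if (failed[ip]   >= thr) print "cred-stuff", ip, failed[ip]
    }' "$1" | sort
}

# decisions -> turns detect output into the cscli commands a bouncer would enforce (printed, not run)
decisions() {
    while read -r scenario ip count; do
        printf 'cscli decisions add --ip %s --duration 4h --reason "%s (%s hits)"\n' "$ip" "$scenario" "$count"
    done
}

# write_sample_log FILE -> constructed access log: one scanner, one stuffer, one real user
write_sample_log() {
    : > "$1"
    for p in /wp-login.php /.env /phpmyadmin/ /admin /.git/config /xmlrpc.php /backup.zip; do
        echo "203.0.113.7 - - [01/May/2024:10:00:01 +0000] \"GET $p HTTP/1.1\" 404 19 \"-\" \"Mozilla/5.0\"" >> "$1"
    done
    # same path retried: must not inflate the distinct-path count
    echo "203.0.113.7 - - [01/May/2024:10:00:02 +0000] \"GET /.env HTTP/1.1\" 404 19 \"-\" \"Mozilla/5.0\"" >> "$1"
    i=0; while [ $i -lt 6 ]; do
        echo "198.51.100.9 - - [01/May/2024:10:00:03 +0000] \"POST /login HTTP/1.1\" 401 0 \"-\" \"curl/8.0\"" >> "$1"
        i=$((i+1))
    done
    # a real visitor with one typo'd URL and one mistyped password stays under any sane threshold
    echo "192.0.2.10 - - [01/May/2024:10:00:04 +0000] \"GET / HTTP/1.1\" 200 5120 \"-\" \"Mozilla/5.0\"" >> "$1"
    echo "192.0.2.10 - - [01/May/2024:10:00:05 +0000] \"GET /favicon.ico HTTP/1.1\" 404 19 \"-\" \"Mozilla/5.0\"" >> "$1"
    echo "192.0.2.10 - - [01/May/2024:10:00:06 +0000] \"POST /login HTTP/1.1\" 401 0 \"-\" \"Mozilla/5.0\"" >> "$1"
}

# Demo: detect with a threshold of 5, then show the decisions that would follow
log=$(mktemp)
write_sample_log "$log"
detect "$log" 5
detect "$log" 5 | decisions
```

Counting distinct paths rather than raw 404s is the part worth copying: a broken link hit a thousand times by real browsers is not a scan, while seven different admin paths from one address in one second is.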

3. A WAF in front of the apps

ModSecurity runs in detection-only mode (SecRuleEngine DetectionOnly) against the OWASP Core Rule Set, so matches are logged but nothing is blocked yet. That buys visibility into which rules fire on which paths, and time to tune away the false positives before flipping SecRuleEngine to On. Until then the WAF is an alarm, not a lock.
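
The triage that detection-only mode is for, as an added example that is not ModSecurity's tooling or the post's own script: group the alerts in the nginx error log by rule id and URI, and count how many distinct clients triggered each. The log lines are constructed and trimmed to the bracketed fields the script reads; real ModSecurity v3 lines carry many more.

```shell
#!/bin/sh
# Added example (not from the post, not ModSecurity's own tooling): triage
# ModSecurity v3 alerts from the nginx error log while the engine is in
# DetectionOnly, to decide what to tune before switching to blocking. The log
# lines below are constructed and trimmed to the bracketed fields the script
# reads ([client], [id], [msg], [uri]); real lines carry many more fields.

# triage LOGFILE -> "hits clients rule_id uri msg", busiest first
triage() {
    awk '
    # field(k): value of the [k "..."] pair on this line, or ""
    function field(k,   s) {
        if (!match($0, "\\[" k " \"[^\"]*\"\\]")) return ""
        s = substr($0, RSTART + length(k) + 3, RLENGTH - length(k) - 5)
        return s
    }
    /ModSecurity:/ {
        if (!match($0, /\[client [^]]+\]/)) next
        ip  = substr($0, RSTART + 8, RLENGTH - 9)
        id  = field("id"); uri = field("uri"); msg = field("msg")
        key = id SUBSEP uri
        hits[key]++; msgs[key] = msg
        # distinct source IPs per (rule, uri): many clients on one uri smells like a false positive
        if (!seen[key SUBSEP ip]++) clients[key]++
    }
    END {
        for (k in hits) {
            split(k, p, SUBSEP)
            printf "%d %d %s %s %s\n", hits[k], clients[k], p[1], p[2], msgs[k]
        }
    }' "$1" | sort -k1,1nr -k3,3
}

# write_sample_alerts FILE -> constructed, abbreviated nginx error-log lines
write_sample_alerts() {
    : > "$1"
    # rule 942100 on /blog/post from five different visitors: ordinary comment text, likely a false positive
    for ip in 192.0.2.10 192.0.2.11 192.0.2.12 192.0.2.13 192.0.2.14 192.0.2.10; do
        echo "2024/05/01 10:00:00 [error] 42#42: *7 [client $ip] ModSecurity: Warning. detected SQLi using libinjection. [id \"942100\"] [msg \"SQL Injection Attack Detected via libinjection\"] [severity \"2\"] [uri \"/blog/post\"]" >> "$1"
    done
    # rule 941100 on /search from one client, repeatedly: an actual probe
    for n in 1 2 3; do
        echo "2024/05/01 10:00:0$n [error] 42#42: *8 [client 203.0.113.7] ModSecurity: Warning. detected XSS using libinjection. [id \"941100\"] [msg \"XSS Attack Detected via libinjection\"] [severity \"2\"] [uri \"/search\"]" >> "$1"
    done
    echo "2024/05/01 10:00:09 [error] 42#42: *9 [client 198.51.100.9] ModSecurity: Warning. Matched \"Operator PmFromFile\" [id \"930120\"] [msg \"OS File Access Attempt\"] [severity \"2\"] [uri \"/.env\"]" >> "$1"
}

# Demo
alerts=$(mktemp)
write_sample_alerts "$alerts"
triage "$alerts"
```

Reading the table: a rule with many hits from many distinct clients on one legitimate URI is the false positive to exclude (SecRuleUpdateTargetById scoped to that argument, an assumed exclusion here, not the post's), while a rule firing repeatedly from one client on a path nobody visits is exactly what you want blocked once the engine goes to On.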

4. Egress, not just ingress

The piece people forget: outbound rules. Untrusted workloads get a policy that blocks them from reaching my other services, the cloud metadata endpoint (169.254.169.254 on the major clouds, which hands out the instance's credentials), and SMTP. If something gets popped, it can't pivot, grab a cloud token, or phone home.
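
One way to express that policy, as an added example rather than the post's own rules: a shell function that emits an nftables egress chain for a workload identified by the unprivileged user it runs as, so it covers host processes such as a systemd service with User= set. Containers on a bridge would need the same rules in the forward hook keyed on their address instead. The user name "untrusted" and the resolver 10.0.0.2 are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): emit an nftables egress policy for one
# untrusted workload, matched by the owning user of the socket (meta skuid),
# so it applies to host processes running as that user. The user name and
# resolver address are parameters; "untrusted" and 10.0.0.2 are assumptions.
# Load on the host with:  emit_egress_ruleset untrusted 10.0.0.2 | nft -f -

# emit_egress_ruleset USER RESOLVER_IP -> nftables ruleset on stdout
emit_egress_ruleset() {
    u=$1; dns=$2
    cat <<EOF
table inet egress_${u} {
    chain output {
        type filter hook output priority 0; policy accept;
        # only packets from sockets owned by this user are policed; everything else is untouched
        meta skuid ${u} jump ${u}_egress
    }
    chain ${u}_egress {
        # answers on connections the workload did not initiate (its own clients via the proxy)
        ct state established,related accept
        # cloud metadata is link-local, so the RFC1918 rule below would miss it: deny it first
        ip daddr 169.254.169.254 counter drop comment "cloud metadata"
        # the one resolver it may use, before loopback and private ranges are closed
        ip daddr ${dns} udp dport 53 accept
        ip daddr ${dns} tcp dport 53 accept
        # nothing on this host: the proxy talks to the workload, never the reverse
        oif lo counter drop comment "local services"
        # no lateral movement into the private network (databases, other apps)
        ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } counter drop comment "lateral"
        ip6 daddr fc00::/7 counter drop comment "lateral v6"
        # no direct mail: a popped box is a spam relay and an exfil channel
        tcp dport { 25, 465, 587 } counter reject with tcp reset comment "smtp"
        # what it legitimately needs outbound
        tcp dport { 80, 443 } accept
        # default deny, logged so the first thing that breaks is visible in the journal
        counter log prefix "egress-${u}: " drop
    }
}
EOF
}

# Demo: print the ruleset for a user named "untrusted" using resolver 10.0.0.2
emit_egress_ruleset untrusted 10.0.0.2
```

Rule order carries the policy: the metadata address and loopback are closed before the private-range drop (the metadata address is link-local, not RFC1918, so a private-range rule alone never catches it), and the resolver is opened before both. After loading, a probe as that user (sudo -u untrusted curl -m 3 http://169.254.169.254/) should fail and show up under the egress-untrusted: log prefix.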

The mindset

Assume breach. Each layer is cheap; together they turn a soft target into a boring one — and boring is exactly what a public box should be.