VPS Security: Defending Against Brute Force Attacks

Defense Strategy

Community feedback indicates that many users deploying on VPS (AWS, DigitalOcean, etc.) face automated brute force sweeps within hours of deployment. Attacks targeting port 18789 can reach over 8,500 attempts per minute if left unprotected.

Community Reports & Trends

High-Frequency Sweeps

Users report receiving 30+ failed login attempts within minutes of their IP being indexed by Shodan. Without a firewall, these probes eventually find "sitting ducks" (instances with no authentication or default credentials), leading to immediate credential breaches and API account abuse.

mDNS & Shodan Indexing

Attackers leverage mDNS leakage and Shodan scans to find instances on public IPs. A single unprotected instance can attract thousands of automated "prompt injection" attempts designed to leak environment variables or home directory structures.

1. Hardware/Software Firewall (UFW)

Restrict access to port 18789 to only local traffic or trusted IPs. This is the simplest way to kill brute force noise.

# Install and enable UFW (allow SSH first so enabling the firewall does not lock you out)
sudo apt install ufw
sudo ufw allow ssh
sudo ufw enable

# (Optional) Allow only your trusted IP to reach the gateway.
# Order matters: UFW applies the first matching rule, so this allow
# must be added BEFORE the deny below or it will never match.
sudo ufw allow from YOUR_IP to any port 18789 proto tcp

# Deny public access to the gateway port
sudo ufw deny 18789/tcp

# Verify the rule order before walking away
sudo ufw status numbered

2. Fail2Ban: Automated IP Blocking

Automatically ban IPs that exhibit brute force behavior (e.g., 5 failed attempts in 1 minute).

Filter Configuration (/etc/fail2ban/filter.d/clawdbot.conf):

[Definition]
failregex = ^.*Failed login attempt from <HOST>.*$
ignoreregex =

Jail Configuration (/etc/fail2ban/jail.local):

[clawdbot]
enabled = true
filter = clawdbot
port = 18789
# logpath is required for the jail to start; placeholder path, point it at
# the log file the gateway writes its failed login attempts to
logpath = /path/to/clawdbot.log
maxretry = 5
# findtime is the window in seconds for counting maxretry failures (5 in 1 minute)
findtime = 60
bantime = 3600
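Before enabling the jail it is worth checking that the failregex actually fires on the gateway's log lines and that maxretry/findtime behave as expected. The following added example (not part of the original page or the clawdbot project) expands the `<HOST>` token the way fail2ban does, runs the page's failregex over a constructed sample log, and reports which addresses the jail would ban. The timestamp prefix and log line wording are assumptions, since the page gives only the regex.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex from the page's clawdbot.conf; fail2ban expands the <HOST>
# token into this named group (fail2ban's own expansion, reproduced here).
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAIL_RE = re.compile(r"^.*Failed login attempt from <HOST>.*$".replace("<HOST>", HOST_PATTERN))
# Assumed timestamp prefix: the gateway's real log format is not given on the page.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")

def extract_failure(line):
    """Return (timestamp, host) when the line matches the failregex, else None."""
    m = FAIL_RE.match(line)
    ts = TS_RE.match(line)
    if not m or not ts:
        return None
    return datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"), m.group("host")

def hosts_to_ban(lines, maxretry=5, findtime=60):
    """Emulate the jail from the page: a host is banned once it has maxretry
    failures inside a sliding window of findtime seconds."""
    window = defaultdict(list)  # host -> timestamps of its recent failures
    banned = []
    for line in lines:
        hit = extract_failure(line)
        if hit is None:
            continue
        ts, host = hit
        recent = [t for t in window[host] if ts - t <= timedelta(seconds=findtime)]
        recent.append(ts)
        window[host] = recent
        if len(recent) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# Constructed sample log: one sweeper hammering the port, one user who fumbles twice.
SAMPLE_LOG = [
    "2024-01-01 12:00:00 Failed login attempt from 203.0.113.7",
    "2024-01-01 12:00:05 Failed login attempt from 203.0.113.7",
    "2024-01-01 12:00:09 Successful login from 198.51.100.2",
    "2024-01-01 12:00:10 Failed login attempt from 203.0.113.7",
    "2024-01-01 12:00:12 Failed login attempt from 198.51.100.2",
    "2024-01-01 12:00:15 Failed login attempt from 203.0.113.7",
    "2024-01-01 12:00:20 Failed login attempt from 203.0.113.7",
    "2024-01-01 12:03:00 Failed login attempt from 198.51.100.2",
]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # ['203.0.113.7']
```

The second user's two failures are 168 seconds apart, so with findtime = 60 they never accumulate; widening the window (or lowering maxretry) shows how quickly legitimate users can be caught by an over-aggressive jail.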

3. Cloudflare Tunnel: Zero Exposure

Highly Recommended. This method completely hides your VPS port. You access the gateway via a secured Cloudflare domain, and the tunnel handles the connection to localhost:18789.


Security Summary

Don't be a "sitting duck." Combine UFW with a secure tunnel and mandatory authentication. Always run clawdbot security audit --deep --fix after any deployment update. If you suspect an intrusion, immediately rotate all API keys and check your VPS logs for persistence mechanisms.