Dokploy Remote Server — Security Hardening (EC2 Ubuntu)

Flips the UFW / SSH / Fail2Ban flags green in Dokploy's server security panel. Run everything as root (or with sudo).

⚠️ Do NOT enable UFW before allowing SSH — you'll lock yourself out. Keep your current SSH session open and test a second login before closing it.


1. UFW (firewall)

The Swarm ports are mandatory — Dokploy's overlay network breaks without them.

ufw default deny incoming
ufw default allow outgoing
ufw allow OpenSSH          # port 22 — MUST be before `ufw enable`
ufw allow 80/tcp           # HTTP  (Traefik)
ufw allow 443/tcp          # HTTPS (Traefik)
ufw allow 2377/tcp         # Docker Swarm management
ufw allow 7946             # Swarm node comms (tcp + udp)
ufw allow 4789/udp         # Swarm overlay network
ufw enable

Check: ufw status verbose


2. SSH (disable password + PAM)

Key auth must already work (your .pem) before running this.

# Match the directive whether it is still commented out (#) or already set:
sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i 's/^#\?UsePAM.*/UsePAM no/' /etc/ssh/sshd_config
# AWS drops an override that re-enables passwords — neutralize it too:
sed -i 's/^PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config.d/*.conf 2>/dev/null
# Ubuntu names the unit "ssh"; after the restart, `sshd -T` prints the effective values
systemctl restart ssh

Verify before logging out — open a NEW terminal and confirm:

ssh -i key.pem ubuntu@<ec2-ip>     # should still work via key

3. Fail2Ban (brute-force protection, aggressive SSH mode)

apt update && apt install -y fail2ban
printf '[sshd]\nenabled = true\nmode = aggressive\n' > /etc/fail2ban/jail.local
systemctl enable --now fail2ban

Check: fail2ban-client status sshd
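
Added here as an example (not part of the original runbook, nor Dokploy's own code): an audit script for the end state of steps 1-3. It reads the effective sshd config from `sshd -T`, so an override under sshd_config.d or a sed that matched nothing still shows up, and parses `ufw status` and `fail2ban-client status sshd`. The check functions take command output as text (the output layouts assumed are the standard ones), and `--run` feeds in the live commands.

```bash
#!/usr/bin/env bash
# Post-hardening audit (added example, not from the original runbook).
# Each check parses command output passed in as text, so it can be tested
# against constructed samples; "--run" wires in the live commands.
# Assumes the standard "sshd -T", "ufw status" and fail2ban-client layouts.

# Allow rules step 1 needs (7946 covers tcp+udp; 22/tcp may show as the OpenSSH profile).
REQUIRED_UFW_RULES="22/tcp 80/tcp 443/tcp 2377/tcp 7946/tcp 7946/udp 4789/udp"

# check_sshd <output of 'sshd -T'>: sshd -T prints the EFFECTIVE config, so a
# re-enabling drop-in under sshd_config.d or a sed that matched nothing is caught.
check_sshd() {
  local cfg="$1" want rc=0
  for want in "passwordauthentication no" "usepam no"; do
    printf '%s\n' "$cfg" | grep -qix "$want" || { echo "sshd: expected '$want'"; rc=1; }
  done
  return $rc
}

# check_ufw <output of 'ufw status'>: firewall active and every required rule present.
check_ufw() {
  local status="$1" rule rc=0
  printf '%s\n' "$status" | grep -q '^Status: active' || { echo "ufw: inactive"; return 1; }
  for rule in $REQUIRED_UFW_RULES; do
    # A rule line is "<to> ALLOW[ IN] <from>"; accept "port/proto", a bare "port"
    # (ufw allow 7946 = both protocols) or the OpenSSH app profile for 22/tcp.
    printf '%s\n' "$status" | awk -v p="$rule" -v b="${rule%/*}" \
      '$2 ~ /^ALLOW/ && ($1 == p || $1 == b || (p == "22/tcp" && $1 == "OpenSSH")) { f = 1 }
       END { exit !f }' || { echo "ufw: missing allow rule for $rule"; rc=1; }
  done
  return $rc
}

# check_fail2ban <output of 'fail2ban-client status sshd'>: the sshd jail is up.
check_fail2ban() {
  printf '%s\n' "$1" | grep -q '^Status for the jail: sshd' && return 0
  echo "fail2ban: sshd jail not running"; return 1
}

# run_audit: feed in the live commands (run as root on the server).
run_audit() {
  local rc=0
  check_sshd "$(sshd -T 2>/dev/null)"                         || rc=1
  check_ufw "$(ufw status 2>/dev/null)"                       || rc=1
  check_fail2ban "$(fail2ban-client status sshd 2>/dev/null)" || rc=1
  [ "$rc" -eq 0 ] && echo "all hardening checks passed"
  return $rc
}

if [ "${1-}" = "--run" ]; then run_audit; fi
```

Run it as `bash audit.sh --run` on the server; a non-zero exit with the printed reason means one of the flags will stay red in Dokploy's panel.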


4. Finish

Re-run Dokploy's Setup Server (or refresh the server security panel) — UFW, SSH, and Fail2Ban flags should now show green.


Notes