Show HN: Securing a no-traffic VPS by watching SSH and HTTP logs

I run a very small VPS to host demos for my open source work. Traffic is minimal (maybe 10–20 users), so I assumed no one really cared.

After checking the logs, I realized that assumption was wrong. Even with almost no real users, the server was constantly scanned: SSH brute-force attempts, HTTP probing for .env, AWS credential paths, and random endpoints. Nothing broke, but it was clear I wasn’t really watching.

I explored a few options and ended up using CrowdSec. At first it felt heavy and not very friendly for a Docker + Kamal setup, but after some trial and error I got it working and automated.

I wrote up what I learned:

- what SSH and HTTP logs actually look like on a “no-man’s” VPS
- why repeated 404/403 probing matters
- why temporary bans are safer than permanent ones
- how I automated the setup so it’s repeatable

Article: https://muthuishere.medium.com/securing-a-production-vps-in-...
Video walkthrough: https://youtu.be/hSiMfbJ4c0Q
Automation / source code: https://github.com/muthuishere/automated-crowdsec-kamal

Sharing this in case it helps someone else running a small public server who assumes it’s too boring to be attacked. Happy to answer questions or hear how others handle this.
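
To make the 404/403 and temporary-ban points concrete, here is an added example (not code from the post, its repository, or CrowdSec) that replays access-log lines, bans an address after repeated 403/404 responses inside a short window, and lets the ban expire. The log lines, threshold, window and ban duration are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2025:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.7 - - [12/Jan/2025:10:00:02 +0000] "GET /.aws/credentials HTTP/1.1" 404 153
198.51.100.4 - - [12/Jan/2025:10:00:03 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [12/Jan/2025:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.7 - - [12/Jan/2025:10:00:05 +0000] "GET /admin HTTP/1.1" 403 153
203.0.113.7 - - [12/Jan/2025:10:00:06 +0000] "GET /config.php HTTP/1.1" 404 153
198.51.100.4 - - [12/Jan/2025:10:00:30 +0000] "GET /favicon.ico HTTP/1.1" 404 153
203.0.113.7 - - [12/Jan/2025:10:05:00 +0000] "GET /.git/config HTTP/1.1" 404 153
203.0.113.7 - - [12/Jan/2025:14:30:00 +0000] "GET / HTTP/1.1" 200 5120
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
THRESHOLD = 5                    # assumed: 403/404 responses per window
WINDOW = timedelta(seconds=60)   # assumed sliding window
BAN_FOR = timedelta(hours=4)     # assumed temporary ban length

def replay(log_text):
    """Replay a log; return (decisions, bans still active at the end)."""
    recent = defaultdict(deque)  # ip -> timestamps of recent 403/404s
    banned_until = {}            # ip -> expiry of its temporary ban
    decisions = []               # (ip, "HH:MM:SS", "ban" | "dropped")
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, status = m.group(1), m.group(3)
        ts = datetime.strptime(m.group(2), TS_FMT)
        if ip in banned_until:
            if ts < banned_until[ip]:  # would have been blocked
                decisions.append((ip, ts.strftime("%H:%M:%S"), "dropped"))
                continue
            del banned_until[ip]       # ban expired: address is usable again
        if status not in ("403", "404"):
            continue
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > WINDOW:   # forget errors older than the window
            hits.popleft()
        if len(hits) >= THRESHOLD:
            banned_until[ip] = ts + BAN_FOR
            hits.clear()
            decisions.append((ip, ts.strftime("%H:%M:%S"), "ban"))
    return decisions, banned_until
```

The single 404 from 198.51.100.4 never reaches the threshold, and the 14:30 request from 203.0.113.7 is served again because the four-hour ban has lapsed, which is what keeps a recycled or shared address from being locked out for good.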