So you’ve decided to spin up a cloud server. Brave soul. The internet is full of curious visitors — and by “curious visitors” we mean automated bots that will start hammering your SSH port approximately 4 seconds after your server gets a public IP. This guide walks through setting up a production-grade, reasonably paranoid Ubuntu 24.04 server on Hetzner Cloud: Apache 2.4 + PHP 8.3 FPM + MariaDB, protected by UFW, fail2ban, ModSecurity, and Cloudflare. Pour yourself a coffee or crack open a Battery Energy Drink. We have work to do.
🔐 The Golden Rule
Everything gets configured and locked down before we open the traffic gates. No half-built server exposed to the internet. We install, we configure, we test, then — and only then — we open the door.

What We’re Building
- A Hetzner Cloud VM running Ubuntu 24.04 LTS
- SSH locked down to your own ISP IP range from day one
- UFW firewall — SSH allow added before enabling, everything else locked until ready
- Apache 2.4 + PHP 8.3 FPM
- ModSecurity 2 with OWASP CRS — configured before opening web ports
- mod_remoteip for Cloudflare — configured before activating Cloudflare proxy
- MariaDB — hardened before any public traffic
- Let’s Encrypt SSL via Certbot
- fail2ban watching SSH and Apache — running before 443 opens
- UFW opened for HTTP/HTTPS only after all of the above is done
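The golden rule and the UFW items above can be checked mechanically before the final step. The script below is an added example, not part of the original guide: `check_ufw_gate` is a hypothetical helper that reads `ufw status verbose` output and confirms SSH is scoped to a source range while HTTP/HTTPS are still closed. It assumes the standard `ufw status` column layout, and `203.0.113.0/24` is a documentation range standing in for your ISP range.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide). check_ufw_gate is a
# hypothetical helper: it reads `ufw status verbose` text on stdin and
# returns 0 only while the firewall is still in the "gates closed" state.
check_ufw_gate() {
  awk '
    /^Status: active/             { active = 1 }
    /^Default: deny \(incoming\)/ { deny_in = 1 }
    / ALLOW / {
      i = index($0, " ALLOW ")
      to = substr($0, 1, i - 1);  sub(/ +$/, "", to)
      from = substr($0, i + 7);   sub(/^ +/, "", from)
      if (from ~ /^OUT /) next          # outbound rules are not checked here
      sub(/^IN +/, "", from)            # verbose output prints "ALLOW IN"
      # SSH rule: by port (22, 22/tcp) or by the OpenSSH app profile
      if ((to " ") ~ /^(22(\/tcp)?|OpenSSH) /) {
        if (from ~ /^Anywhere/) ssh_open = 1; else ssh_scoped = 1
      }
      # Web rule: 80/443 alone or in a port list, or an Apache app profile
      if (("," to " ") ~ /,(80|443)(,|\/| )/ || to ~ /^Apache/) web_open = 1
    }
    END {
      bad = 0
      if (!active)  { print "FAIL: ufw is not active"; bad = 1 }
      if (!deny_in) { print "FAIL: default incoming policy is not deny"; bad = 1 }
      if (ssh_open) { print "FAIL: SSH is allowed from Anywhere"; bad = 1 }
      if (!ssh_open && !ssh_scoped) { print "FAIL: no SSH allow rule found"; bad = 1 }
      if (web_open) { print "FAIL: HTTP/HTTPS already open"; bad = 1 }
      if (!bad) print "OK: SSH scoped, web ports still closed"
      exit bad
    }'
}

# Constructed sample of `ufw status verbose` output, for illustration only.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    203.0.113.0/24'

printf '%s\n' "$SAMPLE_STATUS" | check_ufw_gate
```

On a live server, run it as `sudo ufw status verbose | check_ufw_gate` and open 80/443 only once it reports OK and the other services in the list are in place.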