After checking the logs, I realized that assumption was wrong.
Even with almost no real users, the server was constantly scanned: SSH brute-force attempts, HTTP probing for .env, AWS credential paths, and random endpoints.
Nothing broke, but it was clear I wasn’t really watching.
I explored a few options and ended up using CrowdSec. At first it felt heavy and not very friendly for a Docker + Kamal setup, but after some trial and error I got it working and automated.
I wrote up what I learned:
what SSH and HTTP logs actually look like on a “no-man’s” VPS
why repeated 404/403 probing matters
why temporary bans are safer than permanent ones
how I automated the setup so it’s repeatable
Article: https://muthuishere.medium.com/securing-a-production-vps-in-...
Video walkthrough: https://youtu.be/hSiMfbJ4c0Q
Automation / source code: https://github.com/muthuishere/automated-crowdsec-kamal
Sharing this in case it helps someone else running a small public server who assumes it’s too boring to be attacked. Happy to answer questions or hear how others handle this.
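The two ideas listed above, counting repeated 404/403 responses per source IP and issuing a ban that expires on its own, shown as an added example. It is not code from the post or the linked repository, and it is not CrowdSec's own logic; the log lines are constructed, and the threshold, window and ban duration are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines (documentation IP ranges), not taken from the post.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2025:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.7 - - [12/Jan/2025:10:00:02 +0000] "GET /.aws/credentials HTTP/1.1" 404 153
198.51.100.4 - - [12/Jan/2025:10:00:03 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [12/Jan/2025:10:00:04 +0000] "GET /admin HTTP/1.1" 403 162
198.51.100.4 - - [12/Jan/2025:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 153
203.0.113.7 - - [12/Jan/2025:10:00:06 +0000] "GET /backup.zip HTTP/1.1" 404 153
garbage line that does not parse
203.0.113.7 - - [12/Jan/2025:10:00:07 +0000] "GET /config.php HTTP/1.1" 404 153
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')
THRESHOLD = 4                    # assumed: 403/404 hits inside WINDOW that trigger a ban
WINDOW = timedelta(seconds=60)   # assumed sliding window
BAN_TTL = timedelta(hours=4)     # assumed ban duration; the ban lapses without cleanup

def detect_probers(log_text):
    """Return {ip: ban_expiry} for IPs with >= THRESHOLD 403/404 hits within WINDOW."""
    hits = defaultdict(deque)
    bans = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing on them
        ip, ts, status = m.groups()
        if status not in ("403", "404"):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = hits[ip]
        q.append(when)
        while when - q[0] > WINDOW:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= THRESHOLD:
            bans[ip] = when + BAN_TTL  # each new offence extends the expiry
    return bans

def is_banned(bans, ip, now):
    """A ban only applies until its expiry time."""
    expiry = bans.get(ip)
    return expiry is not None and now < expiry

if __name__ == "__main__":
    for ip, expiry in detect_probers(SAMPLE_LOG).items():
        print(f"ban {ip} until {expiry.isoformat()}")
```

The visitor with a single 404 for a favicon is never banned; only the source that accumulates misses inside the window is.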