Instance Setup & Hardening

Step-by-step guide for launching and hardening an Oracle Cloud Free Tier VM in the Toronto region.


Launch Checklist

  • Confirm home region is Canada Southeast (Toronto) — ca-toronto-1
  • Create a dedicated compartment (optional but recommended)
  • Generate SSH key pair before launch
  • Choose shape: VM.Standard.A1.Flex (Ampere, ARM64) — 4 OCPU, 24 GB RAM free
  • OS: Ubuntu 22.04 or 24.04 LTS (minimal)
  • Boot volume: 50 GB (200 GB total free across all volumes)
  • Assign public IP: Yes (ephemeral or reserved)
  • Add your SSH public key during launch

Capacity note

A1 instances can occasionally show "out of capacity" in Toronto. Retry at off-peak hours or try a smaller OCPU/RAM split first, then resize.


First Login

ssh -i ~/.ssh/oci_key ubuntu@<public-ip>

Hardening Steps

1. System Update

sudo apt update && sudo apt upgrade -y
sudo reboot

2. SSH Hardening

Edit /etc/ssh/sshd_config and set:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3

On Ubuntu the file begins with an Include of /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for each keyword, so a drop-in in that directory wins over anything set below it; make sure no drop-in re-enables password login. Then restart the service, keeping your current session open until a fresh login succeeds:

sudo systemctl restart sshd

3. Firewall — UFW + OCI Security List

OCI has two firewall layers: OS-level (UFW) and OCI Security Lists. Both must allow traffic.

sudo apt install ufw -y
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 51820/udp
sudo ufw enable

Then add matching ingress rules (22/tcp and 51820/udp) to the subnet's OCI Security List in the console.

Warning

If you skip the OCI Security List update, traffic is blocked even if UFW allows it.

4. fail2ban

sudo apt install fail2ban -y
sudo systemctl enable fail2ban --now
sudo fail2ban-client status sshd

5. Automatic Security Updates

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades

Install Docker

curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker $USER
newgrp docker

Membership of the docker group is equivalent to root on the host, so add only the account you administer from.

Verify Hardening

sudo ufw status verbose
sudo fail2ban-client status
sudo ss -tulnp
sudo lastb | head -20
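The check below is an added example, not part of the original guide: it verifies the five directives from step 2 and complements the verification commands above by parsing the effective sshd configuration as printed by `sudo sshd -T`, which resolves the Include'd drop-ins and therefore shows what actually applies. The `check_sshd_effective` function and the two sample dumps are constructed for illustration.

```shell
# Added example, not from the original guide: check the five sshd directives of
# step 2 against the EFFECTIVE configuration, i.e. the output of `sshd -T`.
# sshd -T resolves "Include /etc/ssh/sshd_config.d/*.conf" and prints lowercase
# "keyword value" lines, so a drop-in that re-enables passwords is not missed.
EXPECTED='permitrootlogin=no
passwordauthentication=no
pubkeyauthentication=yes
x11forwarding=no
maxauthtries=3'

# check_sshd_effective "<sshd -T output>"
#   Prints one line per missing or mismatched directive;
#   returns 0 when every expected directive matches, 1 otherwise.
check_sshd_effective() {
    cfg="$1"
    failures=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        # First matching keyword wins, mirroring how sshd resolves duplicates.
        got=$(printf '%s\n' "$cfg" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$got" ]; then
            printf 'MISSING  %s (want %s)\n' "$key" "$want"
            failures=$((failures + 1))
        elif [ "$got" != "$want" ]; then
            printf 'MISMATCH %s=%s (want %s)\n' "$key" "$got" "$want"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample: a drop-in still allows passwords and X11 forwarding was
# never disabled, so two findings are expected and the function returns 1.
SAMPLE_BAD='port 22
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes
x11forwarding yes
maxauthtries 3'
# Constructed sample of a fully hardened host: no output, returns 0.
SAMPLE_GOOD='port 22
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
x11forwarding no
maxauthtries 3'

check_sshd_effective "$SAMPLE_BAD" || echo "constructed sample fails as expected"
```

On the VM itself run `check_sshd_effective "$(sudo sshd -T)" && echo "sshd hardening OK"`; the dump needs root.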