server security

It is no secret that most people would prefer the Linux server over the Windows one when given a choice. Why? The common opinion is that Linux would have better security. However, we should remember that either option is only secure when you set the proper configuration on it. Let's get right to the tips for better security of your server.

 

Important steps towards better security

Make sure your system is up to date

First of all, it is important to check if your system is up to date. There are frequent software updates for better security, and you shouldn't neglect them. That is why your first key point should be ensuring that your distribution is updated. What should you do for that? It takes only two steps.

 

For Debian/Ubuntu:

Update the package list:

apt-get update

Update the packages themselves:

apt-get upgrade

 

For CentOS/AlmaLinux:

yum update

Update your system regularly, and you will not experience any problems from this side.

 

Use non-standard (non-default) SSH port

You probably know that by default the SSH service's listening port is set to port 22. If you don't change that, it is common to become a target of server hacking attempts because port 22 is the main target of automated attacks. You would only need to modify thе service configuration file as shown below.

nano /etc/ssh/sshd_config

You will see something similar to the following lines.

# What ports, IPs and protocols we listen for
Port 22

Here you need to replace the number 22 with a desired different number. Please note that you shouldn't use a port number that is already used on your system. Save and exit the configuration file. Then, restart the service:

systemctl restart sshd

It should be enough to apply the changes. Please, have in mind you need to indicate the new port every time you request an SSH connection to your server.

You can find more information about changing the SSH port in one of our articles.

 

Create a user with restricted rights

Generally speaking, you don't need root privileges to perform the tasks via a standard user. You can create a new user with the command shown below.

adduser CustomUserName

After that, fill in the requested information (name, password, and so on). This new user will be allowed to log in via SSH. Now, when you establish a connection, use the specified credentials.

When you are logged in, to perform operations that require root permission, simply type the following command:

su root

Then, type the password, and the active login will be switched to the root user.

 

Disable login with root user

Having root access means having the most permissions on an operating system. We strongly recommend you disable direct root user access via the SSH protocol. It is dangerous to leave access to your server via root only because this account can create some irreversible damages. Don't forget to create another user before you follow the steps below to disable the server access via the root user.

Firstly, modify the SSH configuration file as we described earlier.

nano /etc/ssh/sshd_config

Locate the section shown below.

# Authentication: 
LoginGraceTime 120
PermitRootLogin yes 
StrictModes yes

On the line PermitRootLogin, replace yes with no.

To apply the changes, you need to restart the SSH service:

systemctl restart sshd

Once it's done, you will notice that connections to your server via the root user will be rejected.

 

Use the security keys for identification

Using Security Keys (SSH Keys) has the following advantages. First, you can access your terminal without having to enter your password. And second, you can completely disable logging with the password, and then the password would not be required to connect to the server. This step protects your server against some possible attacks (e.g., brute force attacks). You can read more about the SSH keys here.

 

Install Fail2ban

Another great thing you can do to secure your server is to install Fail2ban. This software is lightweight and prevents intrusion designed to block unknown IP addresses that are trying to penetrate your system. Use the following command to install the software package:

 

For Ubuntu/Debian:

apt-get install fail2ban

 

For CentOS:

yum install epel-release
yum install fail2ban

When the package is installed, you need to customize its configuration file to your usage. Before that, we recommend you create a backup of the configuration file using the following command:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.backup

If you want to open the configuration file:

nano /etc/fail2ban/jail.conf

When you are done editing the config file, restart the service with the following command:

service fail2ban restart

If you need additional information regarding Fail2ban, take a look at its official documentation here.

 

Configure the internal firewall

Linux distributions come with a firewall service named iptables. It doesn't have any active rules by default. To verify it, type the following command:

iptables -L

We recommend you create and adjust firewall rules to your needs. If you would like to know more about what can be done, please refer to the official documentation of the distribution that you are using. You can find more information here.

 

Backup your system and your data

Security does not only refer to protecting your system against attacks, although that is essential. That's why another important aspect of security is to regularly back up your system on a remote server.

Choose your service now with instant activation.

Get started with no risk - we offer 30-day moneyback guarantee.

Get started