It is no secret that most people would prefer the Linux server over the Windows one when given a choice. Why? The common opinion is that Linux would have better security. However, we should remember that either option is only secure when you set the proper configuration on it. Let's get right to the tips for better security of your server.
Important steps towards better security
Make sure your system is up to date
First of all, it is important to check if your system is up to date. There are frequent software updates for better security, and you shouldn't neglect them. That is why your first key point should be ensuring that your distribution is updated. What should you do for that? It takes only two steps.
Update the package list:
Update the packages themselves:
Update your system regularly, and you will not experience any problems from this side.
Use non-standard (non-default) SSH port
You probably know that by default the SSH service's listening port is set to port 22. If you don't change that, it is common to become a target of server hacking attempts because port 22 is the main target of automated attacks. You would only need to modify thе service configuration file as shown below.
You will see something similar to the following lines.
# What ports, IPs and protocols we listen for Port 22
Here you need to replace the number 22 with a desired different number. Please note that you shouldn't use a port number that is already used on your system. Save and exit the configuration file. Then, restart the service:
systemctl restart sshd
It should be enough to apply the changes. Please, have in mind you need to indicate the new port every time you request an SSH connection to your server.
You can find more information about changing the SSH port in one of our articles.
Create a user with restricted rights
Generally speaking, you don't need root privileges to perform the tasks via a standard user. You can create a new user with the command shown below.
After that, fill in the requested information (name, password, and so on). This new user will be allowed to log in via SSH. Now, when you establish a connection, use the specified credentials.
When you are logged in, to perform operations that require root permission, simply type the following command:
Then, type the password, and the active login will be switched to the root user.
Disable login with root user
Having root access means having the most permissions on an operating system. We strongly recommend you disable direct root user access via the SSH protocol. It is dangerous to leave access to your server via root only because this account can create some irreversible damages. Don't forget to create another user before you follow the steps below to disable the server access via the root user.
Firstly, modify the SSH configuration file as we described earlier.
Locate the section shown below.
# Authentication: LoginGraceTime 120 PermitRootLogin yes StrictModes yes
On the line PermitRootLogin, replace yes with no.
To apply the changes, you need to restart the SSH service:
systemctl restart sshd
Once it's done, you will notice that connections to your server via the root user will be rejected.
Use the security keys for identification
Using Security Keys (SSH Keys) has the following advantages. First, you can access your terminal without having to enter your password. And second, you can completely disable logging with the password, and then the password would not be required to connect to the server. This step protects your server against some possible attacks (e.g., brute force attacks). You can read more about the SSH keys here.
Another great thing you can do to secure your server is to install Fail2ban. This software is lightweight and prevents intrusion designed to block unknown IP addresses that are trying to penetrate your system. Use the following command to install the software package:
apt-get install fail2ban
yum install epel-release yum install fail2ban
When the package is installed, you need to customize its configuration file to your usage. Before that, we recommend you create a backup of the configuration file using the following command:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.backup
If you want to open the configuration file:
When you are done editing the config file, restart the service with the following command:
service fail2ban restart
If you need additional information regarding Fail2ban, take a look at its official documentation here.
Configure the internal firewall
Linux distributions come with a firewall service named iptables. It doesn't have any active rules by default. To verify it, type the following command:
We recommend you create and adjust firewall rules to your needs. If you would like to know more about what can be done, please refer to the official documentation of the distribution that you are using. You can find more information here.
Backup your system and your data
Security does not only refer to protecting your system against attacks, although that is essential. That's why another important aspect of security is to regularly back up your system on a remote server.