How to secure a server

8 steps for Linux server security

There are many reasons why one day you may decide that you want your own server: perhaps you need to deploy the application you have been developing and want full control of the machine, or perhaps you have decided to stop using a cloud service and host it yourself.

For example, many people decide to stop using Google Drive and start using Nextcloud, since it offers a far higher level of privacy. Others host a private instance of Bitwarden to keep the management of their passwords under their own control. In my case, I have recently decided to host an instance of Umami on my VPS to be able to evaluate the service and replace Google Analytics for my applications once and for all, which will result in a great improvement in the level of privacy that I am offering to my users.

Whatever the reason one decides to rent (or buy) a private server, the first thing to do is secure it properly. Unauthorized access can lead to theft of sensitive data, loss of money due to abuse of the system, or even the use of the server for illegal or fraudulent activities. So that only we, and the people we choose, can access that server, in this article I am going to show you the first actions you should take when you get your server. These actions are not intended to be exhaustive, but I do consider them a good general basis for most types of server. My recommendation is to carry out all of these actions as soon as you get the machine, if it is exposed to the internet.

The instructions below were carried out on Ubuntu Server, but they should also work on any Debian-based distribution. On other distributions some commands may differ, but the general idea is the same.

📽 Video version available on YouTube and Odysee

Access and update

The first thing we are going to do is access the server via SSH with the command ssh user@serverip. For this, our provider will have given us a username, a password and an IP address. If you installed the server yourself you already have this data, but you must also make sure that the SSH service is installed. If you are using Windows you can use PuTTY; on Mac just open a terminal and run the command; on Linux most distributions come with the ssh package already installed.

For example, if the user is ubuntu and the IP is 185.15.58.224, we would connect with:

ssh ubuntu@185.15.58.224

Once connected, the first thing we should do is update the system:

sudo apt update

You will be prompted for your password. Let this command finish refreshing the package lists, and then:

sudo apt upgrade

This is a crucial action, and one that we should repeat from time to time to download the latest updates and apply the latest security patches.

Change the default SSH port

This action consists of changing the standard port for SSH connections. This can hinder a possible attack in which the attacker tries to gain access through this protocol.

Note: from this point in the tutorial we are going to modify some files. In my case I am going to use the vim program for this, but you can do it with whichever text editor you like best. If you don't know any text editor, I recommend that you use nano, which is perhaps one of the easiest to use.

sudo vim /etc/ssh/sshd_config

We locate the Port entry and choose a random port between 0 and 65535. For this example I will use 13970:

Port 13970

IMPORTANT ⚠: Save the port you just entered, because you will need it later to re-enter the machine.

Once this change has been done and the file is saved, we restart the SSH service:

sudo /etc/init.d/ssh restart

Now exit the machine with exit and try to log in again using the same command as before. If you have made this change correctly it will not let you in, because by default SSH uses port 22; from now on you will have to specify the new port:

ssh -p 13970 ubuntu@185.15.58.224

Enable firewall

Now we are going to activate a firewall, which will allow us to block all the ports we do not need. For this we will use the Uncomplicated Firewall (ufw).

The first thing we have to do is apply a rule for the SSH service, otherwise we would not be able to reconnect:

sudo ufw allow OpenSSH

And now we create a rule with the port set above:

sudo ufw allow 13970/tcp

Now we can activate it with the following command:

sudo ufw enable

Note: Keep in mind that from now on all other ports are closed. If you are going to install a web service you will have to open its respective ports, typically port 80 for HTTP and port 443 for HTTPS.

Change root password

This step is especially important if you have not installed the operating system yourself. Let's change the password of the root user:

sudo passwd root

Please choose a strong password: it should be at least 16 characters long, contain letters, numbers and symbols, and be randomly generated. I recommend that you store this password securely in a password manager.

Replace the default user

Like the previous step, this step is important if you haven't installed the system yourself. We are going to create a new user, which is the one we will use from now on to connect to the machine:

sudo adduser newUser

Just like the previous step, make sure you choose a strong password and keep it safe. Let's give the new user permission to run sudo commands:

sudo adduser newUser sudo

Now exit the machine with exit and try to connect with this new user:

ssh -p 13970 newUser@185.15.58.224

If you have been able to connect successfully, check that you can run sudo commands; you can run, for example, sudo apt update. If you don't get any errors, you can now delete the previous user:

sudo userdel -r ubuntu

Apply restrictions via SSH

Now we are going to restrict the SSH connections much more. Let's edit the configuration file:

sudo vim /etc/ssh/sshd_config

In this file, locate and modify the following values:

  • set LoginGraceTime to 2m
  • set StrictModes to yes
  • set MaxAuthTries to 5
  • set MaxSessions to 1

If you plan on having multiple people use the server at the same time, then alter the MaxSessions value to the maximum number of people.

Restart the SSH service:

sudo /etc/init.d/ssh restart

Force login with SSH key

Now we will prohibit password access and instead force the use of an SSH key. This way a potential attacker would have to obtain that key in order to get in.

To do this, the first step is to generate the key on our local system, not on the server:

ssh-keygen -t rsa -b 4096 -C "your@email.com"

Follow the prompts this command gives you; optionally you can set a passphrase to unlock the key.

Make sure to make a backup (or several) of this key: if you lose it you will not be able to get back into the server.

To use this key you have to restrict its permissions. If you kept the default file name, that would be:

chmod 600 id_rsa

Now reconnect to the server, and in your home directory create the following folder:

mkdir ~/.ssh

Now create the following file:

vim ~/.ssh/authorized_keys

In this file you have to paste the content of your public key. If you kept the default name, that is the content of the id_rsa.pub file.

Now edit the /etc/ssh/sshd_config file again and set the value of PubkeyAuthentication to yes. Restart the SSH service with sudo /etc/init.d/ssh restart.

At this point it is important that you verify that it works. To do this, exit the server with exit and try to log in with the SSH key:

ssh -p 13970 -i path/to/your/private/key/id_rsa newUser@185.15.58.224

When you run this command for the first time the system will ask you whether you want to trust the remote machine; say yes.

If you have been able to log in correctly with the SSH key, that is, without having to enter your password, then you can proceed to disable password logins.

Re-edit the /etc/ssh/sshd_config file and set the value of PasswordAuthentication to no. Restart the SSH service with sudo /etc/init.d/ssh restart. It should no longer let you in if you try to log in without the SSH key.
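The two previous sections edit several sshd_config directives by hand, and sshd only honours the first occurrence of each directive, so a forgotten duplicate higher up in the file silently wins. The following check script is an added example, not part of the original tutorial; it assumes POSIX sh plus awk, and the sshd_config fragment it checks is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check that an sshd_config really applies the settings from this
# article. Assumes POSIX sh and awk; the sample config below is constructed.

# Print the effective value of one sshd_config directive (names are case-insensitive).
# sshd honours the FIRST occurrence of a directive, so a stray "PasswordAuthentication yes"
# near the top silently wins over a "no" appended at the bottom; mirror that rule here.
sshd_option() {  # usage: sshd_option <config-file> <directive>
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF == 0 { next }      # skip comments and blank lines
    tolower($1) == key { print $2; exit }     # first match is the one sshd uses
  ' "$1"
}

# Compare every directive this article sets against its expected value and report
# each mismatch. Returns 0 when all match, otherwise the number of mismatches.
check_sshd_hardening() {  # usage: check_sshd_hardening <config-file> <ssh-port>
  cfg=$1; port=$2; failures=0
  for pair in "Port=$port" "LoginGraceTime=2m" "StrictModes=yes" "MaxAuthTries=5" \
              "MaxSessions=1" "PubkeyAuthentication=yes" "PasswordAuthentication=no"; do
    directive=${pair%%=*}; want=${pair#*=}
    got=$(sshd_option "$cfg" "$directive")
    if [ "$got" != "$want" ]; then
      echo "FAIL $directive: expected '$want', effective value '${got:-<unset>}'"
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# Constructed sample: every hardened line is present, but an earlier duplicate
# re-enables password logins, which is exactly the kind of mistake the check catches.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
# constructed sshd_config fragment
Port 13970
PasswordAuthentication yes
LoginGraceTime 2m
StrictModes yes
MaxAuthTries 5
MaxSessions 1
PubkeyAuthentication yes
PasswordAuthentication no
EOF

# On a real host: check_sshd_hardening /etc/ssh/sshd_config 13970
check_sshd_hardening "$SAMPLE_CONFIG" 13970 || echo "$? setting(s) still need fixing"
```

Run it against /etc/ssh/sshd_config after each edit and before restarting the service; a clean run is the moment to restart.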

Install fail2ban

The fail2ban program allows you to block malicious attempts to access the system. It scans log files and blocks IPs that show malicious behaviour (too many failed passwords, etc.). Install it with:

sudo apt install fail2ban

From here on there are several configurations that can be done, but in order not to complicate this tutorial any further, we are going to leave it with its default values.
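To see what fail2ban's sshd jail does under the hood, here is its core detection logic reduced to a shell function: count "Failed password" events per source IP in the auth log and report every IP that reaches the retry threshold. This is an added example, not part of the original tutorial or of fail2ban; it assumes POSIX sh plus awk, and the log lines it reads are constructed using documentation address ranges.

```shell
#!/bin/sh
# Added example: the detection logic behind fail2ban's sshd jail, reduced to its core.
# Assumes POSIX sh and awk; the log lines below are constructed, not from a real host.

# List source IPs that produced at least <threshold> "Failed password" events in an
# sshd auth log. Successful logins and other daemons are ignored, so a legitimate
# user with one typo never reaches the threshold.
brute_force_sources() {  # usage: brute_force_sources <auth-log> <threshold>
  awk -v limit="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++)             # the IP is the field after "from"
        if ($i == "from") failed[$(i + 1)]++
    }
    END { for (ip in failed) if (failed[ip] >= limit) print ip }
  ' "$1" | sort
}

# Constructed sample in syslog format, using documentation address ranges.
# 203.0.113.7 hammers several accounts; 198.51.100.2 fails once, then logs in with a key.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:14:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:14:03 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:14:05 vps sshd[1203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 10:14:07 vps sshd[1203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 10:14:09 vps sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51140 ssh2
Mar  3 10:14:11 vps sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51140 ssh2
Mar  3 10:15:02 vps sshd[1210]: Failed password for newUser from 198.51.100.2 port 40002 ssh2
Mar  3 10:15:10 vps sshd[1210]: Accepted publickey for newUser from 198.51.100.2 port 40002 ssh2
Mar  3 10:15:12 vps CRON[1220]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

# fail2ban's default maxretry is 5; on a real host point this at /var/log/auth.log
brute_force_sources "$SAMPLE_LOG" 5
```

Once password logins are disabled as in the previous section, these entries turn into "Connection closed" or publickey failures, so keeping fail2ban installed still catches the noise but the password guesses themselves can no longer succeed.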

Conclusion

This is all for this fundamental tutorial on how to secure a Linux server. I remind you that there is no perfect system: in this tutorial we have applied a basic security scheme at the operating system level, but to ensure the integrity of your system you must also properly secure the applications that run on it.

I hope it has been useful to you.

Regards!

Support David Serrano by becoming a sponsor. Any amount is appreciated!