Linux servers are widely known for their stability, flexibility, and security. However, no system is completely invulnerable, and securing your server is essential to protect sensitive data, prevent unauthorized access, and maintain system integrity.
In this guide on How to Secure Your Linux Server, we will walk you through seven simple yet effective steps to fortify your server against potential threats. Whether you’re a beginner or an experienced administrator, these security measures will help you enhance your Linux server’s defenses.
How to Secure Your Linux Server
1. Update Your Server
Begin by fortifying your server through the timely application of updates. This involves refreshing local repositories and upgrading both the operating system and installed applications using the latest patches. Execute the following commands based on your distribution:
On Ubuntu and Debian:
$ sudo apt update && sudo apt upgrade -y
On Fedora, CentOS, or RHEL:
$ sudo dnf upgrade
2. Create a New Privileged User Account
Avoid logging into your server as root. Instead, create a new user account with sudo rights for secure access. Use the following commands to achieve this:
$ adduser
After creating a limited access user account, give your user sudo permissions by appending (-a) the sudo group (-G).
$ usermod -a -G sudo
3. Upload Your SSH Key
Enhance security by utilizing an SSH key for server access. Upload your pre-generated SSH key with the following command:
$ ssh-copy-id@ip_address
Now, enjoy password-free access to your server.
4. Secure SSH
Take these three crucial steps to secure your SSH configuration:
- Disable SSH password authentication
- Restrict root from remote login
- Specify IPv4 or IPv6 access
Modify the /etc/ssh/sshd_config file accordingly and restart the SSH service:
PasswordAuthentication yes
PermitRootLogin yes
Now, change this configuration to:
PasswordAuthentication no
PermitRootLogin no
Subsequently, limit the SSH service to operate exclusively on either IPv4 or IPv6 by adjusting the AddressFamily option. If you prefer to use only IPv4 (a suitable choice for the majority of users), effectuate this modification:
AddressFamily inet
Reboot the SSH service to apply your modifications. It is advisable to ensure two active connections to your server before initiating the SSH service restart. This additional connection provides a safety net to address any issues that may arise during the restart.
For Ubuntu:
$ sudo service ssh restart
For Fedora, CentOS, or any system employing Systemd:
$ sudo systemctl restart ssh
5. Enable a Firewall
Install and configure Uncomplicated Firewall (UFW) to control network traffic. Allow specific connections such as SSH, HTTP, and HTTPS:
Uncomplicated Firewall (UFW) serves as a user-friendly interface to iptables, streamlining the firewall configuration process.
Install UFW by running:
$ sudo apt install ufw
By default, UFW denies all incoming connections while allowing all outgoing connections. This configuration ensures that applications on your server can access the internet, but inbound connections are restricted.
Prioritize login access by enabling SSH, HTTP, and HTTPS:
$ sudo ufw allow ssh
Allow HTTP access:
$ sudo ufw allow http
Permit HTTPS connections:
$ sudo ufw allow https
Subsequently, activate UFW using the following command:
$ sudo ufw enable
Check the status of allowed and denied services:
$ sudo ufw status
If the need arises to disable UFW, execute the following command:
$ sudo ufw disable
Additionally, some distributions come equipped with firewall-cmd, offering an alternative method for firewall management.
6. Install Fail2ban
Fail2ban is a security application designed to scrutinize server logs for signs of repetitive or automated attacks. Upon detection, it dynamically adjusts the firewall settings to either permanently block the attacker’s IP address or impose a specified time-based restriction.
Install Fail2ban with the following command:
$ sudo apt install fail2ban -y
Subsequently, duplicate the provided configuration file using the following command:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
And restart Fail2ban by running:
$ sudo service fail2ban restart
Monitor banned IP addresses with:
$ sudo fail2ban-client status ssh
7. Remove Unused Network-Facing Services
Identify and eliminate unnecessary network services using the `ss` command:
$ sudo ss -atpu
The output generated by the ‘ss’ command varies depending on your operating system. The following example illustrates what you might observe, indicating that the SSH (sshd) and Nginx (nginx) services are actively listening and prepared for connections:
tcp LISTEN 0 128 *:http *:* users:(("nginx",pid=22563,fd=7))
tcp LISTEN 0 128 *:ssh *:* users:(("sshd",pid=685,fd=3))
Remove services based on your distribution:
On Debian/Ubuntu:
$ sudo apt purge
On Red Hat/CentOS:
$ sudo yum remove
Verify removal with:
$ sudo ss -atup
Final Thoughts
Implementing proper security practices is crucial in safeguarding your Linux server from cyber threats. By following these seven simple steps, you can significantly reduce vulnerabilities and ensure a more secure server environment. Remember, security is an ongoing process—regular updates, monitoring, and proactive measures are key to maintaining a well-protected system. With this guide on How to Secure Your Linux Server, you now have the foundational knowledge to enhance your server’s security and keep it running safely.
How to Secure Your Linux Server: FAQs
Why is it important to update my Linux server regularly?
Regular updates ensure that your server has the latest security patches, which protect against known vulnerabilities and exploits. Keeping your server up-to-date minimizes the risk of security breaches.
How can I update my Linux server on Debian/Ubuntu?
You can update your server on Debian/Ubuntu with the following commands:
$ sudo apt update && sudo apt upgrade -y
How do I create a new privileged user account?
To create a new privileged user account:
Add a new user:
$ adduser
Grant sudo privileges:
$ usermod -a -G sudo
Why should I use an SSH key instead of a password for server access?
Using an SSH key enhances security by eliminating the need for password-based authentication, which can be susceptible to brute-force attacks. SSH keys provide a more secure and convenient way to access your server.
How do I upload my SSH key to my server?
Upload your SSH key with the following command:
$ ssh-copy-id@ip_address
What steps should I take to secure SSH access?
To secure SSH access:
Disable password authentication:
PasswordAuthentication no
Restrict root login:
PermitRootLogin no
Limit SSH to IPv4 or IPv6:
AddressFamily inet
How can I restart the SSH service after making configuration changes?
For Ubuntu:
$ sudo service ssh restart
For Fedora, CentOS, or systems using Systemd:
$ sudo systemctl restart ssh
What is UFW and how do I use it?
UFW (Uncomplicated Firewall) is a user-friendly interface to iptables for managing firewall rules. To use UFW:
Install UFW:
$ sudo apt install ufw
Allow specific connections:
$ sudo ufw allow ssh
$ sudo ufw allow http
$ sudo ufw allow https
Enable UFW:
$ sudo ufw enable
How can I check the status of UFW?
Check the status of UFW with:
$ sudo ufw status
What is Fail2ban and how does it enhance server security?
Fail2ban is a security application that monitors server logs for repeated or automated attack attempts. It temporarily or permanently bans IP addresses by modifying firewall rules, thus preventing further attacks.
How do I install and configure Fail2ban?
Install and configure Fail2ban with:
Install Fail2ban:
$ sudo apt install fail2ban -y
Copy the configuration file:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Restart Fail2ban:
$ sudo service fail2ban restart
How can I monitor banned IP addresses using Fail2ban?
Monitor banned IP addresses with:
$ sudo fail2ban-client status ssh
How do I remove unused network-facing services?
Identify and remove unnecessary services with:
List active services:
$ sudo ss -atpu
Remove services on Debian/Ubuntu:
$ sudo apt purge
Remove services on Red Hat/CentOS:
$ sudo yum remove
Verify removal:
$ sudo ss -atup
What additional security measures can I take beyond the basics?
Beyond the basics, consider:
- Configuring individual applications securely
- Implementing intrusion detection systems
- Enforcing two-factor authentication
- Regularly auditing server logs and security configurations
How to Configure Nginx as a Reverse Proxy on Ubuntu: 4 Easy Steps