Securing Your VPS or Dedicated Server: Essential Steps for Popular Linux Distributions

When you first provision a VPS (Virtual Private Server) or a dedicated server, the excitement of having a new environment to deploy your projects can be overwhelming. However, before jumping into your development work, it’s crucial to secure your server. By taking some fundamental security steps early on, you can protect your server from unauthorized access and potential vulnerabilities.

Here’s a guide to securing your new server across several popular Linux distributions, including Ubuntu, CentOS, and Debian.

  1. Update the System The first step is ensuring your server is up-to-date with the latest security patches. Each Linux distribution has a slightly different way of handling this.

    Ubuntu/Debian

    sudo apt update && sudo apt upgrade -y

    CentOS

    sudo yum update -y

Regular updates are your first line of defense against vulnerabilities that can be exploited by attackers.

  1. Create a New User and Disable Root Login Direct root login is a significant security risk. Instead, create a new user with administrative privileges and disable root access.

Ubuntu/Debian

sudo adduser newuser
sudo usermod -aG sudo newuser

CentOS

sudo adduser newuser
sudo usermod -aG wheel newuser

Next, disable root login by editing the SSH configuration file.

bash sudo nano /etc/ssh/sshd_config

Find the line: PermitRootLogin yes

Change it to: PermitRootLogin no

Save the file and restart the SSH service.

sudo systemctl restart sshd

  1. Set Up a Firewall Configuring a firewall can help control the traffic entering and leaving your server, providing an additional layer of security.

Ubuntu/Debian with UFW

sudo ufw allow OpenSSH
sudo ufw enable

CentOS with firewalld

sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload

Make sure only the necessary ports are open to minimize potential attack vectors.

  1. Enable SSH Key Authentication Password-based authentication is vulnerable to brute force attacks. SSH keys provide a more secure alternative.

Generate SSH Key Pair on Local Machine

ssh-keygen -t rsa -b 4096

Copy Public Key to Server

ssh-copy-id newuser@your_server_ip

After this, ensure password authentication is disabled by editing the SSH config file.

sudo nano /etc/ssh/sshd_config

Find the line:

PasswordAuthentication yes

Change it to:

PasswordAuthentication no

Restart SSH to apply the changes.

sudo systemctl restart sshd
  1. Install Fail2Ban Fail2Ban is a useful tool that helps to protect your server from brute-force attacks by banning IP addresses that exhibit suspicious behavior.

Ubuntu/Debian

sudo apt install fail2ban -y

CentOS

sudo yum install epel-release -y
sudo yum install fail2ban -y

Fail2Ban comes with a default configuration that is usually good enough to start with, but you can always customize it to suit your needs.

  1. Secure Shared Memory Preventing programs from being executed in shared memory can mitigate certain types of attacks.

Edit fstab

sudo nano /etc/fstab

Add the following line:

tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0

This will ensure that shared memory cannot be executed, providing an extra layer of security.

  1. Change the Default SSH Port Changing the default SSH port from 22 to something less obvious can deter automated attacks.

Edit SSH Config File

sudo nano /etc/ssh/sshd_config

Find the line:

#Port 22

Uncomment it and change the number to a port of your choice (between 1024 and 65535).

For example:

Port 2200

Restart the SSH service to apply the changes.

sudo systemctl restart sshd
  1. Install and Configure Unattended Upgrades Automating security updates ensures that your server is always protected against the latest threats without manual intervention.

Ubuntu/Debian

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure unattended-upgrades

This setup will automatically install security updates, keeping your server protected with minimal maintenance.

By following these steps, you’ll significantly enhance the security of your new VPS or dedicated server. Remember that security is an ongoing process; regularly review and update your server's security measures. Whether you're on Ubuntu, CentOS, or Debian, the principles remain the same: stay updated, limit access, and monitor for potential threats.