When you first provision a VPS (Virtual Private Server) or a dedicated server, the excitement of having a new environment to deploy your projects can be overwhelming. However, before jumping into your development work, it’s crucial to secure your server. By taking some fundamental security steps early on, you can protect your server from unauthorized access and potential vulnerabilities.
Here’s a guide to securing your new server across several popular Linux distributions, including Ubuntu, CentOS, and Debian.
Update the System The first step is ensuring your server is up-to-date with the latest security patches. Each Linux distribution has a slightly different way of handling this.
Ubuntu/Debian
sudo apt update && sudo apt upgrade -y
CentOS
sudo yum update -y
Regular updates are your first line of defense against vulnerabilities that can be exploited by attackers.
- Create a New User and Disable Root Login Direct root login is a significant security risk. Instead, create a new user with administrative privileges and disable root access.
Ubuntu/Debian
sudo adduser newuser
sudo usermod -aG sudo newuser
CentOS
sudo adduser newuser
sudo usermod -aG wheel newuser
Next, disable root login by editing the SSH configuration file.
bash sudo nano /etc/ssh/sshd_config
Find the line: PermitRootLogin yes
Change it to: PermitRootLogin no
Save the file and restart the SSH service.
sudo systemctl restart sshd
- Set Up a Firewall Configuring a firewall can help control the traffic entering and leaving your server, providing an additional layer of security.
Ubuntu/Debian with UFW
sudo ufw allow OpenSSH
sudo ufw enable
CentOS with firewalld
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload
Make sure only the necessary ports are open to minimize potential attack vectors.
- Enable SSH Key Authentication Password-based authentication is vulnerable to brute force attacks. SSH keys provide a more secure alternative.
Generate SSH Key Pair on Local Machine
ssh-keygen -t rsa -b 4096
Copy Public Key to Server
ssh-copy-id newuser@your_server_ip
After this, ensure password authentication is disabled by editing the SSH config file.
sudo nano /etc/ssh/sshd_config
Find the line:
PasswordAuthentication yes
Change it to:
PasswordAuthentication no
Restart SSH to apply the changes.
sudo systemctl restart sshd
- Install Fail2Ban Fail2Ban is a useful tool that helps to protect your server from brute-force attacks by banning IP addresses that exhibit suspicious behavior.
Ubuntu/Debian
sudo apt install fail2ban -y
CentOS
sudo yum install epel-release -y
sudo yum install fail2ban -y
Fail2Ban comes with a default configuration that is usually good enough to start with, but you can always customize it to suit your needs.
- Secure Shared Memory Preventing programs from being executed in shared memory can mitigate certain types of attacks.
Edit fstab
sudo nano /etc/fstab
Add the following line:
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
This will ensure that shared memory cannot be executed, providing an extra layer of security.
- Change the Default SSH Port Changing the default SSH port from 22 to something less obvious can deter automated attacks.
Edit SSH Config File
sudo nano /etc/ssh/sshd_config
Find the line:
#Port 22
Uncomment it and change the number to a port of your choice (between 1024 and 65535).
For example:
Port 2200
Restart the SSH service to apply the changes.
sudo systemctl restart sshd
- Install and Configure Unattended Upgrades Automating security updates ensures that your server is always protected against the latest threats without manual intervention.
Ubuntu/Debian
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure unattended-upgrades
This setup will automatically install security updates, keeping your server protected with minimal maintenance.
By following these steps, you’ll significantly enhance the security of your new VPS or dedicated server. Remember that security is an ongoing process; regularly review and update your server's security measures. Whether you're on Ubuntu, CentOS, or Debian, the principles remain the same: stay updated, limit access, and monitor for potential threats.