Linux is one of the best operating systems, especially for servers. The reason is simple. It is one of the most secure operating systems and is available for free, unlike Windows for which you need to pay a monthly license fee.
Like other operating systems, Linux is also not immune to different threats. That is why you should know how to Secure Linux Server to get the best out of it.
We have used the following setup to test our Linux server and this article is written based on this setup. The tips mentioned here may also apply to other setups, but you need to test it before going live.
- Operating System: Ubuntu ( Linux)
- Server: Open Lite Speed ( Free Version of Lite Speed Server)
- Cache: Lite Speed Cache
- Firewall: CSF / UFS ( Depending on your preference)
- Control Panel: Cyber panel ( You can choose not to use Cyberpanel and do everything using CLI)
- Tested On: Vultr, Digital Ocean, Linode
Before we go ahead and talk about how to Secure Linux Server, let us learn how to set up a Linux server.
In the following example, we have decided to pick Vultr. However, the process will be more or less similar for other vendors too.
Here are the tips that you can implement to secure your Linux server.
Access Server On SSH
It is always better to access your server over SSH than passwords. Passwords can be easily cracked. They are also vulnerable to brute-force attacks, phishing, and human errors.
SSH uses a key pair set up which is very difficult to hack. To authenticate, you need to match the public key available on the server with the private key available on your computer.
Anyone who wants to access your server should have a private key in their system. Even you can not log in to the server from other computers if that computer does not have the private key.
Here are some of the commands that you should use for Ubuntu
To update package index files.
sudo apt-get update
To upgrade the newest versions of all installed packages.
sudo apt-get upgrade
To reboot a Linux machine.
To access the server on SSH, type the following command in the command prompt. You need to change the IP address with your own IP address
You may see the error “Host key verification failed” If you have changed the IP address or if you have rebuilt the server. In that case, run the following command before you connect to your server. Replace the following IP address with your new IP address
ssh-keygen -R 22.214.171.124
In case you get the error that the private key does not have an allowed IP address, then run the following command.
ssh -o HostKeyAlias=126.96.36.199 firstname.lastname@example.org
Install And Set UFW Firewall (Ubuntu Only)
You should install the UFW firewall only if you are using Ubuntu and have no control panel installed. Usually, control panels come with their own firewall. Installing two firewalls is not recommended.
Enable iP6 (If it is not enabled by default)
Run the following command to enable iP6
sudo nano /etc/default/ufw
Find the following line and change it.
To install UFW, run the following command
sudo apt install ufw
Set UFW Default Policies
The following default policies say that all incoming connections will be blocked unless you allow some specific connections. All outgoing connections will be opened by default.
ufw default deny incoming ufw default allow outgoing
To allow SSH connection, use the following firewall role in UFW
sudo ufw allow ssh
To allow SSH default port 22, use the following command ( Please note that port 22 is the default SSH port in Linux, you should never keep port 22 open for security reasons)
sudo ufw allow 22
if you want to allow any other port other than port 22, you can use the following command. Add port number as required.
sudo ufw allow 1111 sudo ufw allow 1200
To allow HTTP and HTTPS ports, you should add the following rule
sudo ufw allow 80 sudo ufw allow 443
To allow Cyber Panel, open port 8090. However, it would help if you changed the cyber panel port too for security reasons
sudo ufw allow 8090/tcp
To enable UFW, run the following command
sudo ufw enable
To see the UFW status, run the following command
To see the UFW firewall status, run the following command
sudo ufw status
To see the detailed UFW firewall rules, run the following command
sudo ufw status verbose
To disable the UFW firewall, run the following command
sudo ufw disable
To reset the UFW firewall, run the following command
sudo ufw reset
sudo service sshd restart
Disable Port 22 For SSH [ Securing SSH]
Port 22 is the default port for SSH connection. Hackers often attack through this port. That is why, we need to disable this port 22 and assign another port for SSH connection.
First of all, connect to your server and run the following command. This will open the ssh config file.
sudo nano /etc/ssh/sshd_config
Find the #Port 22 line and replace it with another port number of your choice. Don’t forget to remove the # before Port.
Restart the SSH service
sudo service sshd restart
Now open another command prompt window and check if the new port is working or not.
ssh email@example.com -p 3450
If everything is working fine reboot the machine
Enjoy! Now you can connect to your server using your new SSH port.
Add New User And Disable Root Login
For any Linux server, “root” is the default user. That is why hackers use this root login to access your server. You need to disable root login for server security.
But before that, you need to create a new user and give him the root access so that it can perform all the duties that the root user performs.
First of all, log in to your server using an SSH connection
Add a New User using the following command. For example, here we are adding a new user named “sampleuser”. When you run the following command, you will be asked a few questions that you need to answer.
sudo adduser sampleuser
Add the new user to the SUDO group will basically give him the root access
sudo usermod -aG sudo sampleuser
Test if Sudo access is given or not
su - sampleuser sudo ls -la /root
You should see the following screen that tells that the new user has root access.
Add an SSH Key for the new user so that he can authenticate himself while connecting to the server.
For that, You should first create a directory for storing the SSH public key.
su - sampleuser sudo mkdir ~/.ssh
Open the authorized key file and add your SSH public key to that. You will get the ssh public key in C:\users\xxx\.ssh.The following command will basically open the authorized key file.
sudo nano ~/.ssh/authorized_keys
Restart the SSH service
sudo service sshd restart
Now you can connect to your server using the new user login
Now it’s time to disable the root login. To do that, first of all, open the SSH config file by running the following command.
sudo nano /etc/ssh/sshd_config
Find the following line in that file that says ” PermitRootLogin yes” and change it to the following.
Save the file and restart the SSH service. That’s it, your server root login is disabled.
Implement Droplet/ Instance Level Firewall
Digital Ocean, Vultr, or Linode, almost all vendors provide a droplet-level firewall. It is very important that we implement that. That is your first level of security to protect the server. It is basically the first tool gate for any hackers.
Here is what the Vultr firewall looks like. Please make sure that you are allowing all the essential ports that you need. For example, SSH port, HTTP port, and HTTPS port.
Install CSF (ConfigServer Security and Firewall)
By far, CSF is the best firewall for Linux. Though it is a little complicated to implement, once you do it, your server will be much safer than before.
The best way to install CSF is by using control panels. I would suggest you to use Cyber Panel as it has options to install CSF with one click. To install CSF in the cyber panel, you need to go to your cyber panel dashboard and find the option for CSF on the left side.
ModSecurity is most commonly deployed to provide protections against generic classes of vulnerabilities using the OWASP ModSecurity Core Rule Set (CRS)
You can install ModSecurity using Cyber Panel very easily.
Secure Control Panel
Here we are taking the example of Cyber Panel as it is one of the best free control panels available for servers. Please ensure that you are using the Cyberpanel image when you create a droplet or instances. That will ensure that you don’t have to install Cyber Panel separately.
If not, you can run the following command to install Cyber Panel
sudo su - -c "sh <(curl https://cyberpanel.net/install.sh || wget -O - https://cyberpanel.net/install.sh)"
To get the root password you need to run the following command. The default user name is “Admin” that you need to change later to protect the cyber panel
sudo cat /root/.litespeed_password
When you install Cyber Panel, There could be a number of prompts where you need to answer many questions. All questions are self-explanatory.
If not, you can watch this video to understand how to install Cyber Panel.
Change Cyber Panel Port
By default, Cyber Panel opens on port 8090, You need to change it to something else to protect your server.
To do that, go to Cyber Panel Dashboard->Server Status->Change port
Use A CDN
Using a CDN adds a second layer of security to your Linux server. Your IP won’t be exposed to the world as it will be masked by the CDN.
You will also get the benefit of a CDN-level firewall that will stop your hackers from even touching your server. If you use a CDN, here is the roadmap that any hackers have to go through before they can do any damage to your server.
CDN Firewall-> Droplet Firewall-> Operating System Firewall-> Application Firewall.
It is very difficult to break this kind of strong firewall chain. So it is almost assured that your Linux server will be secured if you follow the steps I mentioned in this article.
It is preferable to use Cloudflare CDN as it is one of the best and fastest CDN. For images, you can use Bunny CDN.
Conclusion: Secure Linux Server
People were scared of using unmanaged VPS due to security concerns. But the fact is that it is not very difficult to secure a VPS on your own.
The steps mentioned in this article are good enough to protect your server. The internet is flooded with articles to secure Linux servers. Why pay more for managed hosting when you can do everything on your own and have better control of your server?
If you have any questions, you are always welcome to write it down in the comment section and I will be happy to help.