How To Secure Linux Server (10 Useful Tips)

Linux is one of the best operating systems, especially for servers. The reason is simple: it is one of the most secure operating systems and is available for free, unlike Windows, for which you need to pay a monthly license fee.

Like other operating systems, Linux is not immune to threats. That is why you should know how to secure a Linux server to get the best out of it.

The following instructions are good for the Ubuntu Linux distribution with the LiteSpeed / OpenLiteSpeed web server. We have tested this setup on Vultr, DigitalOcean, and Linode.

The Setup

We used the following setup to test our Linux server, and this article is written based on it. The tips mentioned here may also apply to other setups, but you need to test them before going live.

  • Operating System: Ubuntu (Linux)
  • Server: OpenLiteSpeed (free version of the LiteSpeed server)
  • Cache: LiteSpeed Cache
  • Firewall: CSF / UFW (depending on your preference)
  • Control Panel: CyberPanel (you can choose not to use CyberPanel and do everything using the CLI)
  • Tested On: Vultr, DigitalOcean, Linode

Before we talk about how to secure a Linux server, let us learn how to set one up.

In the following example, we picked Vultr. However, the process is more or less the same for other vendors.

Here are the tips you can implement to secure your Linux server.

There could be hundreds of other security measures that you may need to implement to secure your Linux server. The 10 measures below give you the first level of security.

Access the Server Over SSH

It is always better to access your server over SSH with key authentication than with passwords. Passwords can be cracked easily and are vulnerable to brute-force attacks, phishing, and human error.

SSH key authentication uses a key pair, which is very difficult to break. To authenticate, the private key on your computer must match the public key stored on the server.

Anyone who wants to access your server must have the private key on their system. Even you cannot log in from another computer if that computer does not have the private key.

To generate an SSH key, you can use the OpenSSH client available for Windows. The detailed process can be found here.

If you are logged in as root, you don't need to add sudo before every command. However, if you are a non-root user with sudo privileges, you need to add sudo before every command that requires root.

Here are some of the commands you should use on Ubuntu.

To update the package index files.

sudo apt-get update

To upgrade all installed packages to their newest versions.

sudo apt-get upgrade

To reboot a Linux machine.

sudo reboot

To access the server over SSH, type the following command in the command prompt. Replace the IP address with your own server IP address.

ssh root@202.30.40.60

You may see the error "Host key verification failed" if you have changed the IP address or rebuilt the server. In that case, run the following command before you connect to your server, replacing the IP address with your new IP address. It removes the old host key recorded for that address from your known_hosts file.

ssh-keygen -R 202.30.40.60

If you get an error saying that the key is not associated with an allowed IP address, run the following command, which pins the host key lookup to that address.

ssh -o HostKeyAlias=202.30.40.60 root@202.30.40.60

Install and Set Up the UFW Firewall (Ubuntu Only)

You should install the UFW firewall only if you are using Ubuntu and have no control panel installed. Control panels usually come with their own firewall, and installing two firewalls is not recommended.

Enable IPv6 (if it is not enabled by default)

Run the following command to open the UFW defaults file.

sudo nano /etc/default/ufw

Find the IPV6 line and make sure it reads as follows.

IPV6=yes

Install UFW

To install UFW, run the following command.

sudo apt install ufw

Set UFW Default Policies

The following default policies block all incoming connections unless you explicitly allow them, while all outgoing connections are allowed by default.

sudo ufw default deny incoming
sudo ufw default allow outgoing

Allow SSH

To allow SSH connections, use the following firewall rule in UFW.

sudo ufw allow ssh

To allow the default SSH port 22, use the following command. (Port 22 is the default SSH port in Linux; for security reasons you should not keep SSH on port 22, as explained in the Disable Port 22 section below.)

sudo ufw allow 22

If you want to allow ports other than port 22, use the following command with the port numbers you need.

sudo ufw allow 1111
sudo ufw allow 1200

To allow the HTTP and HTTPS ports, add the following rules.

sudo ufw allow 80
sudo ufw allow 443

To allow CyberPanel, open port 8090. However, you should also change the CyberPanel port for security reasons (see Change the CyberPanel Port below).

sudo ufw allow 8090/tcp

Enable UFW

To enable UFW, run the following command.

sudo ufw enable

UFW Status

To see the UFW firewall status, run the following command.

sudo ufw status

To see the detailed UFW firewall rules, run the following command.

sudo ufw status verbose

Disable UFW

To disable the UFW firewall, run the following command.

sudo ufw disable

Reset UFW

To reset the UFW firewall, run the following command.

sudo ufw reset

Always run the following command after you set up any firewall rules, before logging off your server. Otherwise, you may get locked out of the system. The command restarts the SSH service.

sudo service sshd restart
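The rules above are easy to apply in the wrong order and lock yourself out (enabling UFW before the SSH allow rule exists). The following script, an added example that is not part of the original article, generates the whole rule sequence with the SSH port validated and allowed first, and uses ufw's rate-limiting rule for SSH instead of a plain allow. It prints the commands rather than running them; the port numbers in the demo call are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the original article: build the UFW rule
# sequence in a safe order so the SSH port is always allowed before the
# firewall is enabled. It prints the commands instead of running them;
# review the output on the server, then pipe it into "sudo sh".
# Port numbers in the demo call are constructed sample values.

# ufw_plan SSH_PORT [EXTRA_PORT ...]
# Emits one ufw command per line. Returns 1 and prints nothing when SSH_PORT
# is missing or not a valid port, because enabling UFW without an SSH allow
# rule locks you out of the server.
ufw_plan() {
    ssh_port=$1
    case "$ssh_port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$ssh_port" -lt 1 ] || [ "$ssh_port" -gt 65535 ]; then
        return 1
    fi
    shift
    # Start from a known state, then deny incoming / allow outgoing.
    echo "ufw --force reset"
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    # SSH first, rate-limited: ufw "limit" blocks an address that opens more
    # than 6 connections within 30 seconds, which blunts brute-force attempts.
    echo "ufw limit ${ssh_port}/tcp"
    # Web ports plus any extra ports the caller passed (e.g. CyberPanel).
    echo "ufw allow 80/tcp"
    echo "ufw allow 443/tcp"
    for p in "$@"; do
        echo "ufw allow ${p}/tcp"
    done
    # Enable only after the allow rules exist; --force skips the y/n prompt.
    echo "ufw --force enable"
    echo "ufw status verbose"
}

# Demo: SSH moved to 3450 as in the article, CyberPanel still on 8090.
ufw_plan 3450 8090
```

Run it as `sh ufw_plan.sh 3450 8090 | sudo sh` only after reading the printed commands, and keep your current SSH session open until a second session on the new port succeeds.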

Disable Port 22 for SSH [Securing SSH]

Port 22 is the default port for SSH connections, and hackers often attack through this port. That is why we need to move SSH off port 22 and assign another port for SSH connections.

First, connect to your server and run the following command. This opens the SSH server config file.

sudo nano /etc/ssh/sshd_config

Find the #Port 22 line and replace it with another port number of your choice. Don't forget to remove the # before Port.

Port 3450

Restart the SSH service.

sudo service sshd restart

Now open another command prompt window and check whether the new port is working. Keep the first session open until the new port is confirmed to work, so that you are not locked out if the change failed.

ssh root@202.30.40.50 -p 3450

If everything works, reboot the machine.

sudo reboot

Enjoy! Now you can connect to your server using your new SSH port.

Add a New User and Disable Root Login

On any Linux server, "root" is the default user, which is why hackers target the root login to access your server. You need to disable root login for server security.

Before that, you need to create a new user and give it sudo access so that it can perform all the duties the root user performs.

First, log in to your server over SSH.

Add a new user with the following command. Here we are adding a user named "sampleuser". When you run the command, you will be asked a few questions that you need to answer.

sudo adduser sampleuser

Adding the new user to the sudo group gives it root access through sudo.

sudo usermod -aG sudo sampleuser

Test whether sudo access was granted.

su - sampleuser
sudo ls -la /root

If the listing of /root appears, the new user has root access.

Add an SSH key for the new user so that they can authenticate when connecting to the server.

For that, first create a directory for storing the SSH public key, as the new user, and restrict it to that user.

su - sampleuser
mkdir -p ~/.ssh
chmod 700 ~/.ssh

Open the authorized_keys file and add your SSH public key to it. On Windows you will find the public key in C:\Users\xxx\.ssh. The following commands open the file and restrict its permissions so that sshd accepts it.

nano ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Restart the SSH service.

sudo service sshd restart

Now you can connect to your server with the new user login.

ssh sampleuser@202.30.40.50
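The manual steps above are easy to get subtly wrong: if the .ssh directory or authorized_keys file is created with sudo or with loose permissions, sshd (with its default StrictModes) ignores the key and you are back to password prompts. The function below is an added example, not code from the original article; it installs a key with the exact ownership and modes sshd expects and is safe to re-run. The user name, directory and key in the demo are constructed values.

```shell
#!/bin/sh
# Added example, not part of the original article: install a public key for
# a user the way sshd expects it, with a 700 .ssh directory and a 600
# authorized_keys file. With StrictModes (the default) sshd silently ignores
# authorized_keys when the file or directory is group- or world-writable,
# which is a common reason "it still asks for a password".
# The user name, directory and key in the demo are constructed values.

# install_authorized_key USER HOME_DIR "PUBKEY_LINE"
# Appends the key only if it is not already present, so re-running is safe.
# Returns 1 if the line does not look like an OpenSSH public key.
install_authorized_key() {
    user=$1; home=$2; key=$3
    case "$key" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*|sk-*) ;;
        *) echo "not an OpenSSH public key: $key" >&2; return 1 ;;
    esac
    # Create dir and file with a private umask, then pin the exact modes.
    ( umask 077; mkdir -p "$home/.ssh"; touch "$home/.ssh/authorized_keys" )
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    # Compare on "type blob" only, so a changed comment does not duplicate it.
    keyid=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if ! awk '{print $1 " " $2}' "$home/.ssh/authorized_keys" | grep -qxF -- "$keyid"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
    # Ownership matters to sshd too; chown needs root, so skip when unprivileged.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$user:$user" "$home/.ssh"
    fi
}

# count_keys HOME_DIR -> number of key lines currently installed.
count_keys() {
    grep -c . "$1/.ssh/authorized_keys" || true
}

# Demo in a temporary directory with a constructed key (no root required).
demo=$(mktemp -d)
install_authorized_key sampleuser "$demo" \
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyDataNotARealKey sampleuser@laptop"
ls -la "$demo/.ssh"
rm -rf "$demo"
```

On the server you would call it as root with the real home directory, for example `install_authorized_key sampleuser /home/sampleuser "$(cat id_ed25519.pub)"`, then test the login from a second window before disabling root login.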

Now it's time to disable root login. First, open the SSH config file by running the following command.

sudo nano /etc/ssh/sshd_config

Find the line in that file that says "PermitRootLogin yes" and change it to the following.

PermitRootLogin no

Save the file and restart the SSH service. That's it, root login to your server is disabled.
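Both the port change and the PermitRootLogin change above can be silently undone by a duplicate line: sshd takes the first value it sees for a keyword and ignores later ones, and keyword names are case-insensitive. The script below is an added example, not part of the original article; it reads the effective value of a keyword from sshd_config and audits the settings this article changes, plus PasswordAuthentication, which goes slightly beyond the article but follows from its key-only-access advice. It assumes a plain sshd_config without Include directives; Match blocks are ignored, and `sudo sshd -T` remains the authoritative check.

```shell
#!/bin/sh
# Added example, not part of the original article: read the effective value
# of an sshd_config keyword and audit the settings this article changes.
# sshd uses the FIRST value it finds for a keyword (later duplicates are
# ignored) and keyword names are case-insensitive, so a stray "port 22"
# above your "Port 3450" silently wins. Include directives and Match blocks
# are not followed here; confirm the live result with "sudo sshd -T".

# sshd_effective FILE KEYWORD [DEFAULT]
# Prints the first uncommented value of KEYWORD, or DEFAULT if it is absent.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        tolower($1) == "match"   { exit }        # global section ends at Match
        tolower($1) == key       { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# audit_sshd FILE
# Prints one FAIL line per weak setting and returns 1 if there were any.
# Defaults are OpenSSH's own: Port 22, PermitRootLogin prohibit-password,
# PasswordAuthentication yes. PasswordAuthentication is checked in addition
# to the article's two settings because key-only access is the whole point.
audit_sshd() {
    rc=0
    port=$(sshd_effective "$1" Port 22)
    root=$(sshd_effective "$1" PermitRootLogin prohibit-password)
    pass=$(sshd_effective "$1" PasswordAuthentication yes)
    [ "$port" != "22" ] || { echo "FAIL: SSH still listens on port 22"; rc=1; }
    [ "$root" = "no" ] || { echo "FAIL: PermitRootLogin is '$root', want no"; rc=1; }
    [ "$pass" = "no" ] || { echo "FAIL: PasswordAuthentication is '$pass', want no"; rc=1; }
    return $rc
}

# Demo on a constructed config that shows the "first value wins" trap:
# the lowercase "port 22" line makes the later "Port 3450" ineffective.
demo=$(mktemp)
printf 'port 22\nPort 3450\n#PermitRootLogin yes\nPermitRootLogin no\n' > "$demo"
audit_sshd "$demo" || echo "fix the settings above, then: sudo service sshd restart"
rm -f "$demo"
```

On a real server run `audit_sshd /etc/ssh/sshd_config` before restarting sshd and again after, from the still-open session, so a bad edit cannot lock you out.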

Implement a Droplet / Instance-Level Firewall

DigitalOcean, Vultr, Linode: almost all vendors provide a droplet-level firewall, and it is very important to implement it. It is your first level of security for the server and the first gate any attacker has to pass.

Here is what the Vultr firewall looks like. Make sure you allow all the essential ports you need, for example the SSH, HTTP, and HTTPS ports.

Install CSF (ConfigServer Security and Firewall)

Please don't install the UFW firewall if you plan to use CSF. The two firewalls will conflict with each other and break your server.

By far, CSF is the best firewall for Linux. Though it is a little complicated to implement, once you do, your server will be much safer than before.

The best way to install CSF is through a control panel. I would suggest using CyberPanel, as it can install CSF with one click. To install CSF in CyberPanel, go to your CyberPanel dashboard and find the CSF option on the left side.

Install ModSecurity

ModSecurity is most commonly deployed to provide protection against generic classes of vulnerabilities using the OWASP ModSecurity Core Rule Set (CRS).

You can install ModSecurity very easily using CyberPanel.

Secure Control Panel

Here we take the example of CyberPanel, as it is one of the best free control panels available for servers. Make sure you use the CyberPanel image when you create a droplet or instance, so that you don't have to install CyberPanel separately.

If not, you can run the following command to install CyberPanel.

sudo su - -c "sh <(curl https://cyberpanel.net/install.sh || wget -O - https://cyberpanel.net/install.sh)"

To get the CyberPanel admin password, run the following command. The default user name is "Admin", which you need to change later to protect CyberPanel.

sudo cat /root/.litespeed_password

When you install CyberPanel, there will be a number of prompts where you need to answer questions. All questions are self-explanatory.

If not, you can watch this video to understand how to install CyberPanel.

Change the CyberPanel Port

By default, CyberPanel opens on port 8090. You need to change it to something else to protect your server.

To do that, go to CyberPanel Dashboard -> Server Status -> Change Port. Allow the new port in your firewall before you close port 8090, or you will lose access to the panel.

Use a CDN

Using a CDN adds another layer of security to your Linux server. Your IP won't be exposed to the world, as it is masked by the CDN, provided your origin server only accepts web traffic from the CDN's IP ranges; otherwise the origin IP can still be found and attacked directly.

You also get the benefit of a CDN-level firewall that stops attackers before they even touch your server. If you use a CDN, here is the chain any attacker has to go through before they can do any damage to your server.

CDN Firewall -> Droplet Firewall -> Operating System Firewall -> Application Firewall.

It is very difficult to break through this chain of firewalls, so it is almost assured that your Linux server will be secure if you follow the steps I mentioned in this article.

It is preferable to use Cloudflare as the CDN, as it is one of the best and fastest CDNs. For images, you can use Bunny CDN.

Conclusion: Secure Linux Server

People used to be scared of using an unmanaged VPS due to security concerns. But the fact is that it is not very difficult to secure a VPS on your own.

The steps mentioned in this article are good enough to protect your server. The internet is flooded with articles on securing Linux servers. Why pay more for managed hosting when you can do everything on your own and have better control of your server?

If you have any questions, you are always welcome to write them in the comment section and I will be happy to help.

Rajib

Rajib is the founder of RiansTech, a seasonal blogger and a full-time product designer for over two decades. A technology freak who loves to write about it. RiansTech is an online home for him where he documents his experiences and learnings so that others can benefit from them.
