How To Secure Linux Server (10 Useful Tips)

Linux is one of the best operating systems, especially for servers. The reason is simple. It is one of the most secure operating systems and is available for free, unlike Windows, for which you need to pay a monthly license fee.

Like other operating systems, Linux is also not immune to different threats. That is why you should know how to Secure Linux Server to get the best out of it.

The following instructions suit Ubuntu Linux Distribution and the Lite LiteSpeed / Open Lite Speed server. We have tested this setup on Vultr, Digital Ocean, and Linode.

The Setup

We used the following setup to test our Linux server, and this article is based on this setup. The tips mentioned here may also apply to other setups, but you must test them before going live.

  • Operating System: Ubuntu ( Linux)
  • Server: Open Lite Speed ( Free Version of Lite Speed Server)
  • Cache: Lite Speed Cache
  • Firewall: CSF / UFS ( Depending on your preference)
  • Control Panel: Cyber panel ( You can choose not to use Cyberpanel and do everything using CLI)
  • Tested On: Vultr, Digital Ocean, Linode

Before we discuss how to Secure a Linux Server, let’s learn how to set one up.

In the following example, we have decided to pick Vultr. However, the process will be similar for other vendors, too.

Here are the tips that you can implement to secure your Linux server.

There are hundreds of other security measures that you may need to implement to secure your Linux server. The 10 measures below will give you the first level of security.

1. Access Server On SSH

It is always better to access your server over SSH than using passwords. Passwords can be easily cracked and are also vulnerable to brute-force attacks, phishing, and human errors.

SSH uses a key pair that is very difficult to hack. To authenticate, you need to match the public key available on the server with the private key available on your computer.

Anyone who wants to access your server should have a private key in their system. You can not even log in to the server from other computers if that computer does not have the private key.

To generate an SSH key, you can use the OpenSSH Client for Windows. The detailed process can be found here.

If logging in as root, you don’t need to add sudo before every command. However, if you are a privatized root user, you must add sudo before every command.

Here are some of the commands that you should use for Ubuntu

To update package index files.

sudo apt-get update

To upgrade the newest versions of all installed packages.

sudo apt-get upgrade

To reboot a Linux machine.

sudo reboot

To access the server on SSH, type the following command in the command prompt. You need to change the IP address with your IP address.

ssh [email protected]

If you have changed the IP address or rebuilt the server, you may see the error “Host key verification failed.” In that case, run the following command before you connect to your server. Replace the following IP address with your new IP address.

ssh-keygen -R 202.30.40.60

If you get the error that the private key does not have an allowed IP address, run the following command.

ssh -o HostKeyAlias=202.30.40.60 root@202.30.40.60

2. Install And Set UFW Firewall (Ubuntu Only)

You should install the UFW firewall only if you use Ubuntu and have no control panel installed. Control panels usually come with their firewall. Installing two firewalls is not recommended.

Enable iP6 (If it is not enabled by default)

Run the following command to allow iP6

sudo nano /etc/default/ufw

Please find the following line and change it.

IPV6=yes

Install UFW

To install UFW, run the following command

sudo apt install ufw

Set UFW Default Policies

The following default policies say that all incoming connections will be blocked unless you allow some specific connections. All outgoing connections will be opened by default.

ufw default deny incoming
ufw default allow outgoing

Allow SSH

To allow SSH connection, use the following firewall role in UFW

sudo ufw allow ssh

To enable SSH default port 22, use the following command ( Please note that port 22 is the default SSH port in Linux; you should never keep port 22 open for security reasons)

sudo ufw allow 22

if you want to allow any port other than port 22, you can use the following command. Add port number as required.

sudo ufw allow 1111
sudo ufw allow 1200

To allow HTTP and HTTPS ports, you should add the following rule

sudo ufw allow 80
sudo ufw allow 443

To allow Cyber Panel,Portn port 8090. However, it would help if you changed the cyber panel port, too, for security reasons

sudo ufw allow 8090/tcp

Enable UFW

To enable UFW, run the following command

sudo ufw enable

To see the UFW status, run the following command

UFW Status

To see the UFW firewall status, run the following command

sudo ufw status

To see the detailed UFW firewall rules, run the following command

sudo ufw status verbose

Disable UFW

To disable the UFW firewall, run the following command

sudo ufw disable

Reset UFW

To reset the UFW firewall, run the following command

sudo ufw reset
Always run the following command after you set up any firewall rules before logging off your server. Otherwise, you may get locked out of the system. The following command restarts the ssh service.

sudo service sshd restart

3. Disable Port 22 For SSH [ Securing SSH]

Port 22 is the default port for an SSH connection. Hackers often attack throughPorts port. That is why we need to disable port 22 and assign another port for an SSH connection.

First, connect to your server and run the following command. This will open the SSH config file.

sudo nano /etc/ssh/sshd_config

Find the #Port 22 line and replace it with another port number you choose. Don’t forget to remove the # bPorte Port.

Port 3450

Restart the SSH service

sudo service sshd restart

Now open another command prompt window and check if the new port works.

ssh root@202.30.40.50 -p 3450

If everything is working fine, reboot the machine

sudo reboot

Enjoy! Now, you can connect to your server using your new SSH port.

4. Add A New User And Disable The Root Login

For any Linux server, “root” is the default user. That is why hackers use this root login to access your server. You need to disable root login for server security.

But before that, you need to create a new user and give him the root access so that it can perform all the duties that the root user performs.

First of all, log in to your server using an SSH connection

Add a New User using the following command. For example, we are adding a new user named “sampleuser”. When you run the following command, you will be asked a few questions that you need to answer.

secure linux server
sudo adduser sampleuser

Add the new user to the SUDO group will give him root access

sudo usermod -aG sudo sampleuser

Test if Sudo access is given or not

su - sampleuser
sudo ls -la /root

You should see the following screen showing the new user has root access.

secure linux server

Add an SSH Key for the new user to authenticate himself while connecting to the server.

To do so, you should first create a directory to store the SSH public key.

su - sampleuser
sudo mkdir ~/.ssh

Open the authorized key file and add your SSH public key to that. You will get the ssh public key in C:\users\xxx\.ssh.The following command will open the authorized key file.

sudo nano ~/.ssh/authorized_keys

Restart the SSH service.

sudo service sshd restart

Now you can connect to your server using the new user login

ssh sampleuser@202.30.40.50

Now, it’s time to turn off the root login. First, open the SSH config file by running the following command to do that.

sudo nano /etc/ssh/sshd_config

Find the following line in that file that says ” PermitRootLogin yes” and change it to the following.

PermitRootLogin no

Save the file and restart the SSH service. That’s it. Your server root login is disabled.

5. Implement Droplet/ Instance Level Firewall

Almost all vendors provide a droplet-level firewall for Digital Ocean, Vultr, or Linode. We must implement that. That is your first level of security to protect the server. It is the first tollgate for any hacker.

Here is what the Vultr firewall looks like. Please make sure that you are allowing all the essential ports that you need, such as the SSH port, HTTP port, and HTTPS port.

secure linux server

6. Install CSF (ConfigServer Security and Firewall)

Please don’t install a UFW firewall if you plan to use CSF. Both firewalls will conflict and break your server.

CSF is by far the best firewall for Linux. Though it is a little complicated to implement, your server will be much safer once you do it.

The best way to install CSF is by using control panels. I suggest you use Cyber Panel, as it has options to install CSF with one click. To install CSF in the Cyber Panel, go to your Cyber Panel dashboard and find the CSF option on the left side.

secure linux server

7. Install ModSecurity

ModSecurity is most commonly deployed to provide protections against generic classes of vulnerabilities using the OWASP ModSecurity Core Rule Set (CRS)

You can install ModSecurity using Cyber Panel very quickly.

secure linux server

8. Secure Control Panel

Here, we are taking the Cyber Panel example as it is one of the best free control panels available for servers.

Please ensure that you use the Cyberpanel image when you create a droplet or instances. This will prevent you from having to install Cyber Panel separately.

If not, you can run the following command to install the Cyber Panel

sudo su - -c "sh <(curl https://cyberpanel.net/install.sh || wget -O - https://cyberpanel.net/install.sh)"

To get the root password, you need to run the following command. The default user name is “Admin,” which you need to change later to protect the cyber panel

sudo cat /root/.litespeed_password

When you install Cyber Panel, several prompts could prompt you to answer many questions. All questions are self-explanatory.

Change Cyber Panel Port

The Cyber Panel opens on port 8090 by default, but you must change it to something else to protect your server.

To do that, go to Cyber Panel Dashboard->Server Status->Change port

Cyber Panel port change

9. Use A CDN

Using a CDN adds a second layer of security to your Linux server. The CDN will mask your IP address, keeping it from being exposed to the world.

You will also benefit from a CDN-level firewall that will stop hackers from touching your server. If you use a CDN, here is the roadmap that hackers must follow before they can damage your server.

CDN Firewall-> Droplet Firewall-> Operating System Firewall-> Application Firewall.

It is tough to break this kind of strong firewall chain. So, it is almost assured that your Linux server will be secured if you follow the steps I mentioned in this article.

It is preferable to use Cloudflare CDN as it is one of the best and fastest CDNs. For images, you can use Bunny CDN.

Conclusion: Secure Linux Server

People were scared of using unmanaged VPSs due to security concerns. However, it is not very difficult to secure a VPS on your own.

The steps mentioned in this article are reasonable enough to protect your server. The internet is flooded with articles about secure Linux servers.

Why pay more for managed hosting when you can do everything independently and better control your server?

If you have any questions, you are always welcome to write them down in the comment section, and I will be happy to help.

Rajib
Rajib

Rajib Is The Founder Of RiansTech. A Seasonal Blogger And A Full-Time Product Designer For Over Two Decades. A Technology Freak And Loves To Write About It. RiansTech Is A Online Home For Him Where He Documents His Experiences And Learnings So That Others Can Get Benefited From It.

      RiansTech
      Logo