How to secure a server

Configuring your server securely is one of the most important tasks for administrators. This applies not only to self-managed servers but also to rented hardware. Measures such as password protection, robust SSH settings, and regular updates create a comprehensive security package.

Who is responsible for secure server configuration?

Hosting your own server provides maximum freedom when it comes to configuration. An adequate alternative is root servers, which many providers offer and grant root account access. In both scenarios, critical tasks like installation, structuring, and maintenance fall entirely on the renter. Errors in the root area can lead to significant issues. However, adhering to the correct procedures can establish an ideal foundation for a reliable, high-performance, and secure server.

How to secure your server step by step

Whether you want to secure a Windows, Ubuntu, or Debian server, several universal steps can help establish a solid security foundation. Below, we summarize the most important steps.

Step 1: Perform a minimal installation

Even before you start taking protective measures and configuring your server, you can influence your project’s future security potential. Regardless of whether you’re using a Windows or Linux operating system, apply this principle during installation: Your server should only contain the software it needs to perform its tasks.

The reason is that every installed application poses a potential security risk and may negatively impact performance. To minimize vulnerabilities, install only the necessary system components and rely exclusively on verified third-party software.

Step 2: Set a strong password

After installation, your first action should be to set a strong admin (Windows) or root password (Linux). By default, no value is defined, so the administrator account remains blocked until you provide input. Most operating systems prompt you to create an account with a password immediately after installation, which will act as your administrator or root login.

If you rented your Linux server from a provider and received a pre-existing root login, change the password immediately. Log in to your server via SSH and enter the following command in the terminal:

passwd

After installing your secure password, you will need to verify it. Make sure to choose a password that is as long as possible and includes a mix of letters, special characters, and numbers. It’s also recommended to use a password manager to store the password securely for easy access if needed.

Step 3: Change the SSH port

By default, SSH access uses TCP/UDP port 22, which is pre-configured during system installation. Hackers often focus their automated login attempts on this port. To reduce the risk of unauthorized access, assign a different port for encrypted remote connections.

To do this, edit the SSH configuration file sshd_config using any text editor. For example, to use the nano editor, run the following command:

nano /etc/ssh/sshd_config

Search for the line labeled “Port” and replace port number 22 with the number of your choice. Keep in mind that there are various other standard ports reserved for different services (e.g., port 80 for HTTP).

Step 4: Disable SSH login for admin accounts

To further secure your server, it is advisable to disable SSH login for the root or administrator account. Otherwise, if an attacker gains access to the password, they could use the account for remote access.

Before implementing this measure, ensure that there is at least one other account that can connect to the server to avoid locking yourself out. For Linux systems, create an account like this using the following command:

useradd -g users -d /home/user1 -m -s /bin/bash user1

This creates an example user account named “user1”. Next, assign a secure password to the account:

passwd user1

Test whether the login with the created user account works. If successful, proceed with the main task: disabling the root account. Open the SSH configuration file sshd_config again using your preferred editor. Locate the entry PermitRootLogin yes and replace it with PermitRootLogin no. After restarting the SSH service, remote access for the root account will no longer be possible.

Using the AllowGroups entry in the configuration file, you can also specify which users are allowed to connect via SSH. To do this, simply create a group (addgroup) and add the desired users to it (adduser). Then, include the chosen group name in the sshd_config (e.g., AllowGroups ssh_users).

Step 5: Set up email notifications for SSH logins

Regardless of the specific steps you take to secure SSH access, you should continuously monitor all remote activities afterward. This ensures you can verify that the SSH service on your server is properly secured and detect unauthorized access attempts early, enabling you to respond appropriately. A simple shell script can automatically send a notification email to your address after every successful remote login to your server.

Here is an example script /opt/shell-login.sh for Linux, which you can easily create yourself:

#!/bin/bash
echo "Login on $(hostname) on $(date +%Y-%m-%d) at $(date +%H:%M)"
echo "User: $USER"
echo
finger

Next, add the following line to the /etc/profile file:

/opt/shell-login.sh | mailx -s "SSH login on the server" youremail@example.com

This entry ensures that the script executes and sends a notification email to the specified address whenever an SSH login occurs. To achieve this, the script must be assigned permission 755 (read and execute permissions for all users, and write permissions for the owner). You can set this permission with the following command:

chmod 755 /opt/shell-login.sh

Step 6: Block unused ports

Open ports generally don’t pose a significant security risk, as they are essential for communication with various services and applications. For instance, ports 80 and 443 are necessary for HTTP and HTTPS connections, as is your chosen SSH port. However, these interfaces can become vulnerabilities if the associated programs have security flaws, which attackers can exploit.

If you’ve performed a minimal system installation and installed only a limited number of third-party applications, the number of additional required ports should be small. To protect your server from attacks, you should block all unnecessary open ports in your firewall settings. Most major operating systems include packet-filtering software, such as iptables, by default. This tool allows you to define rules to regulate data traffic, including specifying allowed and blocked ports.

Step 7: Update software regularly

Known security vulnerabilities in applications are typically addressed quickly with updates. By staying informed about updates for your operating system and installed applications and applying them promptly, you ensure optimal protection for your server. Most server systems also offer features to automatically download and install critical security updates in the background.

For instance, if you’re securing a Windows server, the Windows Update section lets you configure specific policies for automatic updates. This includes defining when and how often updates are checked, whether they should be installed immediately, and when the system should restart. Linux systems offer tools like apt-listchanges or the apticron shell script to notify you of new available software packages daily and download them. Additional scripts like unattended-upgrades can handle automatic installation.

Step 8: Protect Windows and Linux servers from brute-force attacks

One of the simplest and most common attack methods is the brute-force attack. In this type of attack, hackers use tools to repeatedly attempt password guesses. By implementing strong password management practices, you can significantly reduce the likelihood of this method succeeding.

However, if your server provides services requiring user logins, you cannot assume that all users follow strong password practices. Analysis tools can help mitigate this risk: Solutions like Fail2ban (Linux/POSIX systems) or RdpGuard (Windows) monitor server log files, detect unusual behavior, and block suspicious IP addresses. You can configure the number of failed attempts allowed before blocking and the duration of the block.

Step 9: Use monitoring tools

To maintain server security, it’s crucial to ensure that hardware and software interactions function as intended. This is not a one-time task but an ongoing responsibility that requires constant attention. With the high number of different system processes, using monitoring tools from the beginning is advisable. These tools track all server activities and alert you to anomalies.

A straightforward, easy-to-configure program for this purpose is Monit, which can be installed via the package manager on many Linux distributions. This open-source application (GNU-AGPL license) can monitor processes, files, clouds, hosts, programs, or scripts, as well as system resources like CPU and memory usage. For more comprehensive monitoring, consider Nagios, an open-source tool available for Linux and Windows. Nagios can also be extended with Nagios plugins.

Step 10: Set up backups

The recommended configuration steps significantly enhance your server’s security. However, even the best configurations and diligent maintenance cannot guarantee 100% protection. A comprehensive backup strategy is a critical component of your security system, enabling you to restore files in case of data loss.

Many robust tools are available to help you create and restore backups. One free option is the open-source synchronization tool rsync, compatible with most major platforms (macOS, Windows, Linux). This tool keeps your backup updated in real-time by mirroring any changes made to the original data.

In addition to a general server backup, ensure that you also back up your databases.