How to secure a server
Configuring your server securely is one of the most important tasks for administrators. This applies not only to self-managed servers but also to rented hardware. Measures such as password protection, robust SSH settings, and regular updates create a comprehensive security package.
Who is responsible for secure server configuration?
Hosting your own server provides maximum freedom when it comes to configuration. An adequate alternative is root servers, which many providers offer and grant root account access. In both scenarios, critical tasks like installation, structuring, and maintenance fall entirely on the renter. Errors in the root area can lead to significant issues. However, adhering to the correct procedures can establish an ideal foundation for a reliable, high-performance, and secure server.
- Dedicated enterprise hardware
- Intel® Xeon® or AMD processors
- Leading security technologies
How to secure your server step by step
Whether you want to secure a Windows, Ubuntu, or Debian server, several universal steps can help establish a solid security foundation. Below, we summarize the most important steps.
Step 1: Perform a minimal installation
Even before you start taking protective measures and configuring your server, you can influence your project’s future security potential. Regardless of whether you’re using a Windows or Linux operating system, apply this principle during installation: Your server should only contain the software it needs to perform its tasks.
The reason is that every installed application poses a potential security risk and may negatively impact performance. To minimize vulnerabilities, install only the necessary system components and rely exclusively on verified third-party software.
Step 2: Set a strong password
After installation, your first action should be to set a strong admin (Windows) or root password (Linux). By default, no value is defined, so the administrator account remains blocked until you provide input. Most operating systems prompt you to create an account with a password immediately after installation, which will act as your administrator or root login.
If you rented your Linux server from a provider and received a pre-existing root login, change the password immediately. Log in to your server via SSH and enter the following command in the terminal:
After installing your secure password, you will need to verify it. Make sure to choose a password that is as long as possible and includes a mix of letters, special characters, and numbers. It’s also recommended to use a password manager to store the password securely for easy access if needed.
If a root password has already been set for your Linux system and you don’t know it, you can change it in recovery mode. Start the recovery mode by pressing the Shift key during the boot process. From the “root” menu entry, access the “Root” prompt where you will have administrator privileges to modify the password.
Step 3: Change the SSH port
By default, SSH access uses TCP/UDP port 22, which is pre-configured during system installation. Hackers often focus their automated login attempts on this port. To reduce the risk of unauthorized access, assign a different port for encrypted remote connections.
To do this, edit the SSH configuration file sshd_config
using any text editor. For example, to use the nano editor, run the following command:
Search for the line labeled “Port” and replace port number 22 with the number of your choice. Keep in mind that there are various other standard ports reserved for different services (e.g., port 80 for HTTP).
Before the changes in the sshd_config
file take effect, you have to restart the SSH service. On Debian, you can do this using the command etc/init.d/ssh restart
. For Ubuntu users, restart the service with service ssh restart
.
Step 4: Disable SSH login for admin accounts
To further secure your server, it is advisable to disable SSH login for the root or administrator account. Otherwise, if an attacker gains access to the password, they could use the account for remote access.
Before implementing this measure, ensure that there is at least one other account that can connect to the server to avoid locking yourself out. For Linux systems, create an account like this using the following command:
This creates an example user account named “user1”. Next, assign a secure password to the account:
Test whether the login with the created user account works. If successful, proceed with the main task: disabling the root account. Open the SSH configuration file sshd_config
again using your preferred editor. Locate the entry PermitRootLogin yes
and replace it with PermitRootLogin no
. After restarting the SSH service, remote access for the root account will no longer be possible.
Using the AllowGroups
entry in the configuration file, you can also specify which users are allowed to connect via SSH. To do this, simply create a group (addgroup
) and add the desired users to it (adduser
). Then, include the chosen group name in the sshd_config
(e.g., AllowGroups ssh_users
).
An alternative to disabling SSH login for root accounts is to prohibit password-based login entirely and instead use public-key authentication with SSH keys.
Step 5: Set up email notifications for SSH logins
Regardless of the specific steps you take to secure SSH access, you should continuously monitor all remote activities afterward. This ensures you can verify that the SSH service on your server is properly secured and detect unauthorized access attempts early, enabling you to respond appropriately. A simple shell script can automatically send a notification email to your address after every successful remote login to your server.
Here is an example script /opt/shell-login.sh
for Linux, which you can easily create yourself:
#!/bin/bash
echo "Login on $(hostname) on $(date +%Y-%m-%d) at $(date +%H:%M)"
echo "User: $USER"
echo
finger
txtNext, add the following line to the /etc/profile
file:
/opt/shell-login.sh | mailx -s "SSH login on the server" youremail@example.com
txtThis entry ensures that the script executes and sends a notification email to the specified address whenever an SSH login occurs. To achieve this, the script must be assigned permission 755 (read and execute permissions for all users, and write permissions for the owner). You can set this permission with the following command:
If a user establishes an SSH connection using a program like WinSCP, which doesn’t perform a full login, the described shell script will not send an email!
Step 6: Block unused ports
Open ports generally don’t pose a significant security risk, as they are essential for communication with various services and applications. For instance, ports 80 and 443 are necessary for HTTP and HTTPS connections, as is your chosen SSH port. However, these interfaces can become vulnerabilities if the associated programs have security flaws, which attackers can exploit.
Learn how to test your ports in our dedicated article to get an overview of all open ports.
If you’ve performed a minimal system installation and installed only a limited number of third-party applications, the number of additional required ports should be small. To protect your server from attacks, you should block all unnecessary open ports in your firewall settings. Most major operating systems include packet-filtering software, such as iptables, by default. This tool allows you to define rules to regulate data traffic, including specifying allowed and blocked ports.
Step 7: Update software regularly
Known security vulnerabilities in applications are typically addressed quickly with updates. By staying informed about updates for your operating system and installed applications and applying them promptly, you ensure optimal protection for your server. Most server systems also offer features to automatically download and install critical security updates in the background.
For instance, if you’re securing a Windows server, the Windows Update section lets you configure specific policies for automatic updates. This includes defining when and how often updates are checked, whether they should be installed immediately, and when the system should restart. Linux systems offer tools like apt-listchanges
or the apticron
shell script to notify you of new available software packages daily and download them. Additional scripts like unattended-upgrades
can handle automatic installation.
Even when using an automated update process, ensure you keep track of completed updates. This helps identify and address errors that might occur during the update process.
Step 8: Protect Windows and Linux servers from brute-force attacks
One of the simplest and most common attack methods is the brute-force attack. In this type of attack, hackers use tools to repeatedly attempt password guesses. By implementing strong password management practices, you can significantly reduce the likelihood of this method succeeding.
However, if your server provides services requiring user logins, you cannot assume that all users follow strong password practices. Analysis tools can help mitigate this risk: Solutions like Fail2ban (Linux/POSIX systems) or RdpGuard (Windows) monitor server log files, detect unusual behavior, and block suspicious IP addresses. You can configure the number of failed attempts allowed before blocking and the duration of the block.
For additional security, consider setting up two-factor authentication. This method requires a second authentication factor, such as a smartphone, smart card, or TAN list, in addition to the password.
Step 9: Use monitoring tools
To maintain server security, it’s crucial to ensure that hardware and software interactions function as intended. This is not a one-time task but an ongoing responsibility that requires constant attention. With the high number of different system processes, using monitoring tools from the beginning is advisable. These tools track all server activities and alert you to anomalies.
A straightforward, easy-to-configure program for this purpose is Monit, which can be installed via the package manager on many Linux distributions. This open-source application (GNU-AGPL license) can monitor processes, files, clouds, hosts, programs, or scripts, as well as system resources like CPU and memory usage. For more comprehensive monitoring, consider Nagios, an open-source tool available for Linux and Windows. Nagios can also be extended with Nagios plugins.
Try out your VPS for 30 days. If you're not satisfied, you get your money back.
Step 10: Set up backups
The recommended configuration steps significantly enhance your server’s security. However, even the best configurations and diligent maintenance cannot guarantee 100% protection. A comprehensive backup strategy is a critical component of your security system, enabling you to restore files in case of data loss.
Many robust tools are available to help you create and restore backups. One free option is the open-source synchronization tool rsync, compatible with most major platforms (macOS, Windows, Linux). This tool keeps your backup updated in real-time by mirroring any changes made to the original data.
In addition to a general server backup, ensure that you also back up your databases.
For maximum backup security, store backups on external storage devices (e.g., portable hard drives, additional servers) rather than the server being secured.