Linux servers are already extremely secure by default; that’s why 100% of supercomputers, most of the top 1 million servers, and top 25% of websites on the internet run on Linux. Besides having security tools in place, users should follow a few steps to further secure Linux servers.
As we all know, nothing is perfect. Things can go wrong if proper precautions are not taken. Once in a while, Linux tools encounter serious vulnerabilities, and due to the nature of these tools (open-source), all tools quickly receive security fixes.
When it comes to compromising a Linux server, users’ actions are responsible for most of the time. After the compromise, we know we could easily prevent the compromise by implementing a simple firewall rule.
In this article, I will mention 10 steps to secure a Linux server.
By default, Ubuntu and other Linux servers set up a root user upon installation. Once the root user is logged in, it does not need authentication to perform any action on the server. The root user is considered insecure about logging in; instead, the administrator should set up the privileged user(s) under ‘sudo’ group that requires authentication to make important changes on the server.
After this, one should log on to the server using the username and password, but it can not perform administrative tasks.
For it, add the user to ‘sudo’ group.
usermod -aG sudo lau
After adding the user to sudo group, you should be able to use sudo to perform any administrative task followed by the user password.
sudo apt upgrade
New users often set easy-to-remember passwords that are insecure and can be brute-forced. Make sure to set up a strong password that combines numbers, letters, and symbols. You can use a password manager to generate a secure password. It could be difficult to remember, but it’s secure.
To avoid typing password each time logging in to the server, set up SSH key.
SSH key is a more secure and easier method of accessing a remote server. Instead of typing a password, we generate public and private keys. The public key is transferred to the server while the private key remains on our local computer.
ssh-keygen -t rsa
It will ask the user to provide the path to store the key. By default, it will save the key file in
/home/lau/.ssh/id_rsa. To use the default path, hit enter.
Next, enter the passphrase. If somebody compromises your private key, the passphrase will prevent unauthorized users from accessing the server. If you want to skip passphrase, hit enter without typing passphrase though it is less secure.
Next, upload the public key to the server by using
ssh-copy-id -i ~/.ssh/id_rsa.pub username@ip_address
Replace username with your server’s username and ip_address with your server’s IP address if you changed the default SSH port, use -p option with the port number to connect to the SSH port.
If the IP address is correct, it’ll ask to enter the user password. Please enter the password; it’ll copy the public key to the server and ask for the user password last time. Enter the password again, and that’s it. You have set up an SSH key to log in to the server.
Linux distributions receive frequent security updates. Make sure your server is configured to check & install unattended updates automatically.
Install required packages –
sudo apt install unattended-upgrades apt-listchanges bsd-mailx update-notifier-common
Enable automatic updates –
sudo dpkg-reconfigure --priority=low unattended-upgrades
This is it. The system will now regularly check for unattended updates and install them automatically. If an update such as a kernel update requires a system reboot, you can also enable an automatic system reboot.
/etc/apt/apt.conf.d/50unattended-upgrades and set
To receive reboot notification on email, remove // in front of
firstname.lastname@example.org with your own email address where the notification should be sent.
That’s it. Your Ubuntu server will update, perform the required reboot, and send email notifications automatically. To test your configuration, use the following command –
sudo unattended-upgrades --dry-run
For more configuration options, please head over to this guide.
Unlike desktop computers, a server should only have required applications/services installed. Any unnecessary package can pose a security threat to the server.
While installing a package on the server, double-check the functionality provided by the package is not already provided by the packages installed. Installing multiple services for performing the same tasks may increase system instability.
Each port on the server allows the specific type of traffic on the server. If you have unnecessary ports open on the server, it will pose security threats. Hackers’ bots continuously scan servers for open ports and perform different exploits to gain access to the server.
Instead of blocking ports one by one set a system firewall to block all ports. Once done, only open the ports that are required.
Malicious bots try to compromise servers by using exploits on the server IP. If your server has an unpatched vulnerability, the bots may upload arbitrary code to gain server access.
Fail2Ban is a tool designed to analyze system logs and block malicious attacks & IP addresses trying to execute those attacks. Fail2Ban also stops brute-force attacks that try to guess passwords repeatedly.
sudo apt-get install fail2ban
If you are using any other distribution, use its package manager to install fail2ban. It is available in all Linux servers’ repositories.
fail2ban is a highly customizable tool. You can create jails to monitor only the necessary services that you have on your server. For example, if you have an apache server, you can set up jail to monitor apache logs and block malicious IP addresses trying to log in.
Once installed, fail2ban will start monitoring ssh service and ban IP addresses that have provided the wrong credentials for a specific amount of time. By default, fail2ban bans an IP that performs 5 failed attempts. This setting can be increased or decreased by the admin. Admin can also mention for how long an IP should be banned.
Fail2Ban stores configuration files under
/etc/fail2ban directory. Move into the directory and notice a couple of configuration files and directories. We need to focus on only two files named fail2ban.conf and jail.conf.
fail2ban.conf and jail.conf stores configuration options, especially jail.conf that holds what services should be monitored and vice-versa.
We should make a copy of both these files in the same directory. fail2ban.conf and jail.conf files are overwritten whenever fail2ban updates. If you modify the original files, it will destroy all your changes in the update.
sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
jail.local file to modify settings and add configurations to monitor specific services.
sudo nano /etc/fail2ban/jail.local
See the above screenshot of jail.local file. In here, you can modify bantime, findtime, maxretry (number of failed attempts before an IP is banned), and so on.
If your mail server is configured, you can also receive email notifications for bans. Scroll down the configuration and enter your email address.
Scroll down to the most important section of the configuration, JAIL.
Under JAIL section, it mentions sshd, dropbear, selinux-ssh, and many more services. Each of these services is called jail. If a jail is enabled, fail2ban will monitor its log for authentication failures and block hosts trying to authenticate.
SSH is the most important service on the server because it allows access to the server. fail2ban by default, monitors sshd for authentication failures.
sudo fail2ban-client status
To enable other jails, add enabled = true below the jail name, for example, [dropbear].
Remember, do not enable all the services as it will definitely cause the system to fail. Only monitor services that are currently installed & running on the server.
Two-factor authentication, aka. 2FA is an additional layer of security for authenticating users on the server. If you use a graphical interface such as cPanel to monitor & control your server, enable 2FA.
2FA requires an additional one-time password sent on the user’s email after entering the correct username & password. The 2FA activation process is simple, and you can find the option in your cPanel settings.
Different services open their ports to accept connections from the outside network. I suggest changing the default ports of some services that are more likely to be targeted. SSH & FTP is one of those services. SSH is used to access the remote server. FTP is a file transfer protocol used to transfer files to and from the remote server.
By default, SSH accepts connections through port 22. You can change the port from the SSH config file that exists at
sudo nano /etc/ssh/ssh_config
Find # Port 22 and remove #. Now change 22 to any port between 0-65353. Make sure the port you specify is not already in use by any other package on the server.
Finally, restart the ssh daemon to apply changes.
sudo service ssh restart
After this, you need to specify the port in the ssh command when trying to connect to the server.
ssh root@ip_address -p 2557
FTP can be set up using different tools. Here I assume you’ve set up proftpd.
To change FTP port, open proftpd config file located at
/etc/proftpd/proftpd.conf. Find the Port 21 line and change the port from 21 to anything between 0-65353.
Do not enter the port that’s already being used by any other package on the server.
If you have set up an email server, it’s necessary to install SpamAssassin to scan all incoming emails and block spam & malicious emails.
sudo apt install spamassassin
After SpamAssassin is installed, download the latest ruleset using the following command –
If successful, the above command will return a new line. For more information on how to use SpamAssassin, visit wiki.
Security is not a one-time thing. It would be best if you audited server security from time to time to make sure everything is working as expected. Most of the time, users forget to auto-start important services on system reboot, so when the server restarts, security tools do not start at all. So make sure fail2ban, SpamAssassin, and other security tools start on system boot.
Monitor server storage, memory usage, and system log manually. If the server runs out of memory, the database server will crash. So always keep an eye on system resources.
Besides the above steps, here are a few bonus tips to improve system security and stability.
We should regularly back up server files and databases. It is recommended to store backup files on third-party storage services like an S3 instance. If your server has old backup files and configuration files, delete them or move them locally from the server.
When you host a website on your server, the domain name can reveal the server IP address. It is recommended to mask IP address behind a cloud firewall such as Cloudflare. Cloudflare and other similar cloud firewalls can mask the origin server IP address behind their IP address. Cloud firewalls help mitigate DDoS attacks, block exploits and stop bots using server bandwidth, improving server performance.
Last but not least, install Kernel updates without rebooting the server. Since Ubuntu 16.04, all the versions include Livepatch support that allows applying kernel updates without the server reboot. If you are using Debian, CentOS, and other Linux servers, use third-party tools to gain the same functionality.
For more information on how to enable livepatch in Ubuntu, read this article.