Server Security Best Practices

From Server rental store

Server security best practices are critical for any internet-facing server. An unsecured server can be compromised within hours of deployment. This guide covers essential security measures every server administrator should implement.

SSH Hardening

SSH is the primary access method for Linux servers and the most common attack vector.

Change the Default Port

Edit /etc/ssh/sshd_config:

Port 2222

This is obscurity rather than real security, but it eliminates 90% of automated brute-force attempts, which only probe the default port; the measures below are what actually protect the service.

Disable Root Login

PermitRootLogin no

Create a regular user with sudo privileges instead.

Use Key-Based Authentication

PasswordAuthentication no
PubkeyAuthentication yes

Generate an SSH key pair on your local machine:

ssh-keygen -t ed25519 -C "[email protected]"

Copy the public key to the server:

ssh-copy-id -p 2222 user@your-server

Additional SSH Settings

MaxAuthTries 3
LoginGraceTime 30
AllowUsers yourusername
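A check worth running after editing sshd_config, because sshd applies the first occurrence of a keyword and ignores later ones: on Ubuntu, the default file starts with an Include of /etc/ssh/sshd_config.d/*.conf, and a snippet there that says PasswordAuthentication yes wins over a PasswordAuthentication no you append further down. The script below is an added example, not part of the original page; its sshd_first_value and audit_sshd_config helpers and the sample configuration are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added audit helper (not code from the original wiki page): reports the value sshd will
# actually use for each hardening directive. sshd(8) applies the FIRST occurrence of a
# keyword and ignores later ones, so "PasswordAuthentication no" written below an earlier
# "yes" (often pulled in by an Include'd snippet) silently does nothing.

# sshd_first_value FILE KEYWORD
# Print the first non-comment value for KEYWORD (keywords are case-insensitive).
# Stops at the first Match block; Include files are not followed (see note below).
sshd_first_value() {
  awk -v key="$2" '
    BEGIN { key = tolower(key) }
    /^[[:space:]]*(#|$)/ { next }                 # skip comments and blank lines
    tolower($1) == "match" { exit }               # directives after this are conditional
    tolower($1) == key { print $2; exit }         # first occurrence wins
  ' "$1"
}

# audit_sshd_config FILE
# Compare the effective values with this guide's recommendations. Prints one line per
# check and returns the number of failed checks (0 = all recommendations in effect).
audit_sshd_config() {
  fails=0
  while read -r key want; do
    got=$(sshd_first_value "$1" "$key")
    if [ "$got" = "$want" ]; then
      echo "OK    $key = $got"
    else
      echo "FAIL  $key is '${got:-unset}', expected '$want'"
      fails=$((fails + 1))
    fi
  done <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
EOF
  return "$fails"
}

# make_sample_config FILE
# Writes a constructed sshd_config that looks hardened but is not: the first
# PasswordAuthentication line wins, so password logins stay enabled.
make_sample_config() {
  cat > "$1" <<'EOF'
# constructed example, not a real host configuration
Port 2222
PasswordAuthentication yes
PermitRootLogin no
PubkeyAuthentication yes
MaxAuthTries 3
PasswordAuthentication no
EOF
}

# Demo on the constructed file. On a real host run: audit_sshd_config /etc/ssh/sshd_config
sample=$(mktemp)
make_sample_config "$sample"
audit_sshd_config "$sample" || echo "$? check(s) failed"
rm -f "$sample"
```

On a live host the authoritative answer is `sudo sshd -T | grep -i passwordauthentication`, which prints the effective configuration after all Include files and Match blocks have been parsed; run `sudo sshd -t` to validate the syntax before restarting the daemon, and keep your existing session open until a second login with the new settings succeeds.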

Firewall Configuration

UFW (Uncomplicated Firewall)

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp    # SSH
sudo ufw allow 80/tcp      # HTTP
sudo ufw allow 443/tcp     # HTTPS
sudo ufw enable

iptables

For more granular control, use iptables directly or tools like firewalld on CentOS/RHEL systems.

Fail2Ban

Fail2Ban monitors log files and bans IPs that show malicious behavior.

Install and configure:

sudo apt install fail2ban

Create /etc/fail2ban/jail.local:

[sshd]
enabled = true
port = 2222
maxretry = 3
bantime = 3600
findtime = 600

This bans, for 1 hour (bantime = 3600 seconds), any IP address that fails 3 SSH login attempts within 10 minutes (findtime = 600 seconds). The port must match the one set in sshd_config, otherwise the ban rules are written for the wrong port.
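To see what the maxretry/findtime rule above does to real log traffic, the following added example (not part of the original page, and not Fail2Ban's own code) replays the same counting logic over a few constructed auth.log lines. It only matches "Failed password" lines, whereas the real sshd filter also recognises other failure messages, and it assumes the syslog timestamps all fall on one day; the fail2ban_sim and banned_ips helpers and the sample addresses are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: reproduces the counting rule behind the
# [sshd] jail (maxretry failures within findtime seconds => ban) over constructed
# auth.log lines. Timestamps are syslog "Mon DD HH:MM:SS" and are assumed to fall on
# one day; the real filter also matches failure messages other than "Failed password".

# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_AUTH_LOG='Mar 10 10:00:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 10:00:07 srv sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 10 10:00:12 srv sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 51249 ssh2
Mar 10 10:00:15 srv sshd[2107]: Failed password for invalid user admin from 203.0.113.5 port 51251 ssh2
Mar 10 10:01:00 srv sshd[2110]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2: ED25519 SHA256:constructedfingerprint
Mar 10 10:05:00 srv sshd[2120]: Failed password for bob from 198.51.100.20 port 40010 ssh2
Mar 10 10:20:00 srv sshd[2130]: Failed password for bob from 198.51.100.20 port 40011 ssh2
Mar 10 10:35:00 srv sshd[2140]: Failed password for bob from 198.51.100.20 port 40012 ssh2'

# fail2ban_sim MAXRETRY FINDTIME < log
# Print "BAN <ip> <time>" the moment an IP reaches MAXRETRY failures within FINDTIME
# seconds; later lines from an already banned IP are ignored, as the firewall would drop them.
fail2ban_sim() {
  awk -v maxretry="$1" -v findtime="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
      split($3, t, ":"); now = t[1]*3600 + t[2]*60 + t[3]   # seconds since midnight
      ip = ""
      for (i = 1; i < NF; i++) if ($i == "from") ip = $(i+1)
      if (ip == "" || ip in banned) next
      n[ip]++; when[ip, n[ip]] = now
      recent = 0                                             # failures inside the window
      for (j = 1; j <= n[ip]; j++) if (now - when[ip, j] <= findtime) recent++
      if (recent >= maxretry) { banned[ip] = now; print "BAN", ip, $3 }
    }'
}

# banned_ips MAXRETRY FINDTIME
# Just the banned addresses, one per line, for the constructed sample log.
banned_ips() {
  printf '%s\n' "$SAMPLE_AUTH_LOG" | fail2ban_sim "$1" "$2" | awk '{ print $2 }'
}

# Demo with the guide's settings: 203.0.113.5 is banned on its third failure at 10:00:12,
# while 198.51.100.20 (three failures spread over 30 minutes) never hits 3 within 600 s.
printf '%s\n' "$SAMPLE_AUTH_LOG" | fail2ban_sim 3 600
```

Widening findtime to 3600 seconds bans the slow attacker too, which is the trade-off the two parameters encode: a longer window catches low-and-slow guessing, a shorter one reduces the chance of locking out a legitimate user who mistypes a password a few times.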

System Updates

Keep your system patched:

# Debian/Ubuntu
sudo apt update && sudo apt upgrade -y
# CentOS/RHEL
sudo dnf update -y

Enable automatic security updates:

# Ubuntu
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

Backup Strategy

Follow the 3-2-1 rule:

  • 3 copies of your data
  • 2 different storage media
  • 1 offsite backup

Automate backups with tools like rsync, borgbackup, or restic:

# Daily backup with rsync (--delete also removes files from the destination that
# no longer exist in the source, so the target is an exact mirror)
rsync -avz --delete /important/data/ backup-server:/backups/daily/

Additional Measures

  • Install and configure intrusion detection — use AIDE or rkhunter
  • Disable unused services — sudo systemctl disable service-name
  • Use SELinux or AppArmor — mandatory access control adds an extra security layer
  • Monitor logs — check /var/log/auth.log and /var/log/syslog regularly (on Debian/Ubuntu; the RHEL-family equivalents are /var/log/secure and /var/log/messages)
  • Two-factor authentication — use Google Authenticator or similar for SSH

See Also