Server Security Best Practices
Server security best practices are critical for any internet-facing server. An unsecured server can be compromised within hours of deployment. This guide covers essential security measures every server administrator should implement.
SSH Hardening
SSH is the primary access method for Linux servers and the most common attack vector.
Change the Default Port
Edit /etc/ssh/sshd_config:
Port 2222
This is not true security (it is security through obscurity), but it eliminates 90% of automated brute-force attempts.
Disable Root Login
PermitRootLogin no
Create a regular user with sudo privileges instead.
Use Key-Based Authentication
PasswordAuthentication no
PubkeyAuthentication yes
Generate an SSH key pair on your local machine:
ssh-keygen -t ed25519 -C "your-email@example.com"
Copy the public key to the server:
ssh-copy-id -p 2222 user@your-server
Additional SSH Settings
MaxAuthTries 3
LoginGraceTime 30
AllowUsers yourusername
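One way to verify the SSH settings above after editing, as an added example that is not part of the original guide: the function reads the effective configuration in the format printed by sshd -T and checks it against the values recommended here. The function name audit_sshd and the sample input are constructed for illustration.

```shell
#!/usr/bin/env bash
# Audit effective sshd settings against the values recommended in this guide.
# stdin: `sshd -T` format (lowercase keyword, space, value), one per line.
# Prints PASS/FAIL per check; exit status is the number of failed checks.
audit_sshd() {
    awk '
    function check(name, ok, detail) {
        printf "%-4s %-24s %s\n", (ok ? "PASS" : "FAIL"), name, detail
        if (!ok) fails++
    }
    function value(k) { return (k in got) ? got[k] : "(missing)" }
    BEGIN {
        want["permitrootlogin"]        = "no"
        want["passwordauthentication"] = "no"
        want["pubkeyauthentication"]   = "yes"
    }
    { key = tolower($1); val = $2; got[key] = val }
    key == "port"       { ports = ports " " val; if (val + 0 == 22) on22 = 1 }
    key == "allowusers" { users = users " " val }
    END {
        for (k in want) check(k, value(k) == want[k], value(k))
        tries = value("maxauthtries")
        check("maxauthtries", tries ~ /^[0-9]+$/ && tries + 0 <= 3, tries)
        # LoginGraceTime 0 means "no time limit", so 0 must fail.
        grace = value("logingracetime")
        check("logingracetime",
              grace ~ /^[0-9]+$/ && grace + 0 > 0 && grace + 0 <= 30, grace)
        check("port", ports != "" && !on22, "listening on:" ports)
        check("allowusers", users != "", (users == "" ? "(no allow-list)" : users))
        exit fails + 0
    }'
}

# Constructed sample (not captured from a real host): password logins are
# still on, as happens when another config file sets the value first.
audit_sshd <<'EOF' || echo "failed checks: $?"
port 2222
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes
maxauthtries 3
logingracetime 30
allowusers yourusername
EOF
```

On a server, run it as sudo sshd -T | audit_sshd; auditing the effective configuration rather than the file catches a value that another included file set first.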
Firewall Configuration
UFW (Uncomplicated Firewall)
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp # SSH
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
sudo ufw enable
iptables
For more granular control, use iptables directly or tools like firewalld on CentOS/RHEL systems.
Fail2Ban
Fail2Ban monitors log files and bans IPs that show malicious behavior.
Install and configure:
sudo apt install fail2ban
Create /etc/fail2ban/jail.local:
[sshd]
enabled = true
port = 2222
maxretry = 3
bantime = 3600
findtime = 600
This bans, for 1 hour, any IP that fails 3 SSH login attempts within 10 minutes.
System Updates
Keep your system patched:
# Debian/Ubuntu
sudo apt update && sudo apt upgrade -y
# CentOS/RHEL
sudo dnf update -y
Enable automatic security updates:
# Ubuntu
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
Backup Strategy
Follow the 3-2-1 rule:
- 3 copies of your data
- 2 different storage media
- 1 offsite backup
- Install and configure intrusion detection — use AIDE or rkhunter
- Disable unused services — sudo systemctl disable service-name
- Use SELinux or AppArmor — mandatory access control adds an extra security layer
- Monitor logs — check /var/log/auth.log and /var/log/syslog regularly
- Two-factor authentication — use Google Authenticator or similar for SSH
Automate backups with tools like rsync, borgbackup, or restic:
# Daily backup with rsync
rsync -avz --delete /important/data/ backup-server:/backups/daily/