Update your Linux Server
Keeping your server up to date with the latest security patches helps keep it secure.
This update will take place in two steps:
- Updating the package list
- Updating the packages themselves
Once this step is complete, your system is up-to-date. This operation needs to be performed regularly.
Change the default SSH listening port
One of the first things to do on your server is to configure the SSH service listening port. By default, listening is set to port 22. It is, therefore, advisable to change it and not to leave it set to default values. This is because most server hacking attempts are made by robots that target port 22 by default. By modifying this setting, you make it harder for these robots to hack you, and your server will be a more difficult target.
Here is the command to modify the service configuration file:
nano is given as an example; you can use the vim command, or any other command that allows you to edit the sshd_config file.
You then need to find the following line:
# What ports, IPs and protocols we listen for
Port 22
Replace the number 22 with the port number of your choice. Please do not enter a port number already used on your system. Save, and exit the configuration file.
You then need to restart your service:
Now, when you request an SSH connection on your machine, you will have to indicate the new port:
ssh root@Server_IP -p NewPort
Change the password associated with the user “root”
When a distribution or operating system is installed, a password is automatically created for root access. It is strongly recommended that you customize it by modifying it. To do this, once you are logged in, simply enter the following command:
Your system will then ask you to enter your new password twice to validate it. Please note - for security reasons, the password will not be displayed when you are typing it. You will, therefore, not be able to see the characters you type.
Once this is done, you must enter the new password the next time you log in to the system.
Creating a user with restricted rights, and intervening in the system with root rights
You can create a new user with the following command:
Then fill in the information requested by the system (password, name, etc.).
This user will be allowed to log in to your system via SSH, with the password specified when the account was created.
Once you are logged in to your system with these credentials, if you want to perform operations that require root rights, simply type the following command:
You must then enter the password associated with the root user to validate the operation.
Disable server access via the root user
The root user is created by default on UNIX systems, and is the user with the most rights on your system. It is inadvisable, and even dangerous, to leave your VPS accessible only through this user, as this account can perform irreversible operations on your server.
We recommend that you disable direct root-user access via the SSH protocol.
To perform this operation, you need to modify the SSH configuration file in the same way you did previously when you modified the access port to your VPS:
Then locate the following section:
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
Replace the yes with no on the PermitRootLogin line.
For this modification to be taken into account, you need to restart the SSH service:
Now, in order to log in to your system, use the account credentials (user) you have just created.
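To confirm that both sshd_config edits described above (the listening port and PermitRootLogin) actually took effect, here is an added example that is not part of the original guide. The function name audit_sshd_config and the sample file are assumptions made for illustration; the check covers global settings only, so it stops at the first Match block and does not follow Include lines.

```sh
#!/bin/sh
# Added example: audit the two sshd_config settings this guide changes.
# Prints one finding per line; returns 0 only when both are hardened.
audit_sshd_config() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR cannot read $conf"; return 2; }
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # "#Port 22" is a comment, not a setting
            if (line == "" || substr(line, 1, 1) == "#") next
            split(line, f, /[ \t=]+/)   # "Port 2222" and "Port=2222" are both valid
            key = tolower(f[1])         # keywords are case-insensitive
            val = tolower(f[2])
        }
        key == "match" { exit }         # assumption: audit global settings only
        key == "port" { ports[++n] = val }   # repeatable: sshd listens on each one
        key == "permitrootlogin" && root == "" { root = val }  # first value wins
        END {
            bad = 0
            if (n == 0) { print "FAIL Port not set, sshd defaults to 22"; bad = 1 }
            for (i = 1; i <= n; i++) {
                if (ports[i] == "22") { print "FAIL Port 22 still in use"; bad = 1 }
                else { print "OK   Port " ports[i] }
            }
            if (root == "no") { print "OK   PermitRootLogin no" }
            else if (root == "") { print "FAIL PermitRootLogin not set"; bad = 1 }
            else { print "FAIL PermitRootLogin " root; bad = 1 }
            exit bad
        }
    ' "$conf"
}

# Constructed sample: port changed, but an earlier "yes" shadows the later "no".
sample=$(mktemp)
cat > "$sample" <<'EOF'
# What ports, IPs and protocols we listen for
Port 2222
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
PermitRootLogin no
EOF
audit_sshd_config "$sample" || echo "sshd_config needs attention"
rm -f "$sample"
```

Running sshd -t before restarting the service checks the edited file for syntax errors, and keeping the current SSH session open until a new login succeeds avoids locking yourself out.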
Install and configure the Fail2ban package
Fail2ban is an intrusion prevention software framework designed to block unknown IP addresses that are trying to penetrate your system. This software package is recommended, even essential, to guard against any brute force attacks on your services.
To install the software package, use the following command:
apt-get install fail2ban
Once the software package is installed, you need to modify its configuration file to customise it to your usage. Before you make any changes, we would recommend that you make a backup of the configuration file by entering the following command:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.backup
Then make your changes to the file:
Once you have completed these changes, restart the service using this command:
For any additional queries and information concerning Fail2Ban, please refer to the official documentation for this tool.
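Because the SSH port was changed earlier in this guide, the SSH jail has to list the new port for bans to cover it. The check below is an added example, not part of the original guide or of Fail2ban itself; the function name jail_covers_port, the port 2222 and the sample file are assumptions, as is the jail name [sshd] (some older versions name it [ssh]).

```sh
#!/bin/sh
# Added example: check that the [sshd] jail in a fail2ban jail file lists the
# port sshd really listens on. Returns 0 if it does, 1 otherwise.
jail_covers_port() {
    file=$1
    want=$2
    awk -v want="$want" '
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
            first = substr(line, 1, 1)
            if (line == "" || first == "#" || first == ";") next
        }
        # A section header switches the jail we are in.
        first == "[" { in_sshd = (tolower(line) == "[sshd]"); next }
        # Inside [sshd], judge the most recent "port =" line.
        in_sshd && line ~ /^port[ \t]*=/ {
            sub(/^port[ \t]*=[ \t]*/, "", line)
            found = 0
            cnt = split(line, p, /[ \t]*,[ \t]*/)   # "ssh,2222" is a list
            for (i = 1; i <= cnt; i++) if (p[i] == want) found = 1
        }
        END { exit !found }
    ' "$file"
}

# Constructed sample: the jail still points at the service name "ssh" (port 22).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[DEFAULT]
bantime = 600
maxretry = 5

[sshd]
enabled = true
port = ssh
EOF
jail_covers_port "$sample" 2222 || echo "[sshd] jail does not cover port 2222"
rm -f "$sample"
```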
Configure the internal firewall: iptables
Linux and UNIX distributions come with a firewall service named iptables. By default, this service does not have any active rules. You can verify this by typing the following command:
It is recommended that you create and adjust rules on this firewall, to fit your needs. For more detailed information on the variety of manipulations that are possible, please refer to the relevant section in the official documentation of the distribution used.
Configuring the Firewall Network
Install the CFS firewall. all Network.
We also have a guide on configuring this firewall.