How to secure a server

Con­fig­ur­ing your server securely is one of the most important tasks for ad­min­is­trat­ors. This applies not only to self-managed servers but also to rented hardware. Measures such as password pro­tec­tion, robust SSH settings, and regular updates create a com­pre­hens­ive security package.

Who is re­spons­ible for secure server con­fig­ur­a­tion?

Hosting your own server provides maximum freedom when it comes to con­fig­ur­a­tion. An adequate al­tern­at­ive is root servers, which many providers offer and grant root account access. In both scenarios, critical tasks like in­stall­a­tion, struc­tur­ing, and main­ten­ance fall entirely on the renter. Errors in the root area can lead to sig­ni­fic­ant issues. However, adhering to the correct pro­ced­ures can establish an ideal found­a­tion for a reliable, high-per­form­ance, and secure server.

How to secure your server step by step

Whether you want to secure a Windows, Ubuntu, or Debian server, several universal steps can help establish a solid security found­a­tion. Below, we summarise the most important steps.

Step 1: Perform a minimal in­stall­a­tion

Even before you start taking pro­tect­ive measures and con­fig­ur­ing your server, you can influence your project’s future security potential. Re­gard­less of whether you’re using a Windows or Linux operating system, apply this principle during in­stall­a­tion: Your server should only contain the software it needs to perform its tasks.

The reason is that every installed ap­plic­a­tion poses a potential security risk and may neg­at­ively impact per­form­ance. To minimise vul­ner­ab­il­it­ies, install only the necessary system com­pon­ents and rely ex­clus­ively on verified third-party software.

Step 2: Set a strong password

After in­stall­a­tion, your first action should be to set a strong admin (Windows) or root password (Linux). By default, no value is defined, so the ad­min­is­trat­or account remains blocked until you provide input. Most operating systems prompt you to create an account with a password im­me­di­ately after in­stall­a­tion, which will act as your ad­min­is­trat­or or root login.

If you rented your Linux server from a provider and received a pre-existing root login, change the password im­me­di­ately. Log in to your server via SSH and enter the following command in the terminal:

passwd

After in­stalling your secure password, you will need to verify it. Make sure to choose a password that is as long as possible and includes a mix of letters, special char­ac­ters, and numbers. It’s also re­com­men­ded to use a password manager to store the password securely for easy access if needed.

Step 3: Change the SSH port

By default, SSH access uses TCP/UDP port 22, which is pre-con­figured during system in­stall­a­tion. Hackers often focus their automated login attempts on this port. To reduce the risk of un­au­thor­ised access, assign a different port for encrypted remote con­nec­tions.

To do this, edit the SSH con­fig­ur­a­tion file sshd_config using any text editor. For example, to use the nano editor, run the following command:

nano /etc/ssh/sshd_config

Search for the line labelled ‘Port’ and replace port number 22 with the number of your choice. Keep in mind that there are various other standard ports reserved for different services (e.g., port 80 for HTTP).

Step 4: Disable SSH login for admin accounts

To further secure your server, it is advisable to disable SSH login for the root or ad­min­is­trat­or account. Otherwise, if an attacker gains access to the password, they could use the account for remote access.

Before im­ple­ment­ing this measure, ensure that there is at least one other account that can connect to the server to avoid locking yourself out. For Linux systems, create an account like this using the following command:

useradd -g users -d /home/user1 -m -s /bin/bash user1

This creates an example user account named ‘user1’. Next, assign a secure password to the account:

passwd user1

Test whether the login with the created user account works. If suc­cess­ful, proceed with the main task: disabling the root account. Open the SSH con­fig­ur­a­tion file sshd_config again using your preferred editor. Locate the entry PermitRootLogin yes and replace it with PermitRootLogin no. After re­start­ing the SSH service, remote access for the root account will no longer be possible.

Using the AllowGroups entry in the con­fig­ur­a­tion file, you can also specify which users are allowed to connect via SSH. To do this, simply create a group (addgroup) and add the desired users to it (adduser). Then, include the chosen group name in the sshd_config (e.g., AllowGroups ssh_users).

Step 5: Set up email no­ti­fic­a­tions for SSH logins

Re­gard­less of the specific steps you take to secure SSH access, you should con­tinu­ously monitor all remote activ­it­ies afterward. This ensures you can verify that the SSH service on your server is properly secured and detect un­au­thor­ised access attempts early, enabling you to respond ap­pro­pri­ately. A simple shell script can auto­mat­ic­ally send a no­ti­fic­a­tion email to your address after every suc­cess­ful remote login to your server.

Here is an example script /opt/shell-login.sh for Linux, which you can easily create yourself:

#!/bin/bash
echo "Login on $(hostname) on $(date +%Y-%m-%d) at $(date +%H:%M)"
echo "User: $USER"
echo
finger

Next, add the following line to the /etc/profile file:

/opt/shell-login.sh | mailx -s "SSH login on the server" youremail@example.com

This entry ensures that the script executes and sends a no­ti­fic­a­tion email to the specified address whenever an SSH login occurs. To achieve this, the script must be assigned per­mis­sion 755 (read and execute per­mis­sions for all users, and write per­mis­sions for the owner). You can set this per­mis­sion with the following command:

chmod 755 /opt/shell-login.sh

Step 6: Block unused ports

Open ports generally don’t pose a sig­ni­fic­ant security risk, as they are essential for com­mu­nic­a­tion with various services and ap­plic­a­tions. For instance, ports 80 and 443 are necessary for HTTP and HTTPS con­nec­tions, as is your chosen SSH port. However, these in­ter­faces can become vul­ner­ab­il­it­ies if the as­so­ci­ated programs have security flaws, which attackers can exploit.

If you’ve performed a minimal system in­stall­a­tion and installed only a limited number of third-party ap­plic­a­tions, the number of ad­di­tion­al required ports should be small. To protect your server from attacks, you should block all un­ne­ces­sary open ports in your firewall settings. Most major operating systems include packet-filtering software, such as iptables, by default. This tool allows you to define rules to regulate data traffic, including spe­cify­ing allowed and blocked ports.

Step 7: Update software regularly

Known security vul­ner­ab­il­it­ies in ap­plic­a­tions are typically addressed quickly with updates. By staying informed about updates for your operating system and installed ap­plic­a­tions and applying them promptly, you ensure optimal pro­tec­tion for your server. Most server systems also offer features to auto­mat­ic­ally download and install critical security updates in the back­ground.

For instance, if you’re securing a Windows server, the Windows Update section lets you configure specific policies for automatic updates. This includes defining when and how often updates are checked, whether they should be installed im­me­di­ately, and when the system should restart. Linux systems offer tools like apt-listchanges or the apticron shell script to notify you of new available software packages daily and download them. Ad­di­tion­al scripts like unattended-upgrades can handle automatic in­stall­a­tion.

Step 8: Protect Windows and Linux servers from brute-force attacks

One of the simplest and most common attack methods is the brute-force attack. In this type of attack, hackers use tools to re­peatedly attempt password guesses. By im­ple­ment­ing strong password man­age­ment practices, you can sig­ni­fic­antly reduce the like­li­hood of this method suc­ceed­ing.

However, if your server provides services requiring user logins, you cannot assume that all users follow strong password practices. Analysis tools can help mitigate this risk: Solutions like Fail2ban (Linux/POSIX systems) or RdpGuard (Windows) monitor server log files, detect unusual behaviour, and block sus­pi­cious IP addresses. You can configure the number of failed attempts allowed before blocking and the duration of the block.

Step 9: Use mon­it­or­ing tools

To maintain server security, it’s crucial to ensure that hardware and software in­ter­ac­tions function as intended. This is not a one-time task but an ongoing re­spons­ib­il­ity that requires constant attention. With the high number of different system processes, using mon­it­or­ing tools from the beginning is advisable. These tools track all server activ­it­ies and alert you to anomalies.

A straight­for­ward, easy-to-configure program for this purpose is Monit, which can be installed via the package manager on many Linux dis­tri­bu­tions. This open-source ap­plic­a­tion (GNU-AGPL license) can monitor processes, files, clouds, hosts, programs, or scripts, as well as system resources like CPU and memory usage. For more com­pre­hens­ive mon­it­or­ing, consider Nagios, an open-source tool available for Linux and Windows. Nagios can also be extended with Nagios plugins.

Step 10: Set up backups

The re­com­men­ded con­fig­ur­a­tion steps sig­ni­fic­antly enhance your server’s security. However, even the best con­fig­ur­a­tions and diligent main­ten­ance cannot guarantee 100% pro­tec­tion. A com­pre­hens­ive backup strategy is a critical component of your security system, enabling you to restore files in case of data loss.

Many robust tools are available to help you create and restore backups. One free option is the open-source syn­chron­isa­tion tool rsync, com­pat­ible with most major platforms (macOS, Windows, Linux). This tool keeps your backup updated in real-time by mirroring any changes made to the original data.

In addition to a general server backup, ensure that you also back up your databases.