A server offers you many interesting possibilities. However, when you purchase a server with root access, you are also responsible for its security, including all actions performed by the server. For this reason, it is very important that you secure your server as early as possible and increase the security level against cyber attacks in order to offer potential attackers as little attack surface as possible.
This series of articles explains some important security recommendations and security measures that can help increase the security level of your Linux server.
This article provides general security recommendations and tips for configuring and operating your Linux server securely. They are arranged in order of importance.
These security recommendations apply only to servers with root access.
Install Security Patches and Updates Regularly and Promptly
Usually, known vulnerabilities are closed by timely updates and patches. However, this only works if you regularly check for security patches and updates for both your operating system and the programs installed on it, and install them promptly. You must also make sure to update the plugins you use with your programs.
Almost all operating systems offer the option to download and install important security updates automatically in the background. To receive information about new and available software packages on a daily basis and download them, you can use specific scripts (such as apt-listchanges or apticron). With the unattended-upgrades package (Ubuntu) or the program yum-cron (CentOS 7) you can install the patches for your operating system automatically.
If necessary, you can test the security patches and updates for your applications and plug-ins prior to installation in order to check their possible effects on your specific environment before installing them promptly on the server. Please note that you need a second server to perform such a test.
Using Public-Key Authentication Instead of Password Authentication
The network protocol SSH supports several ways for a client to log in to the server. In addition to the well-known classical authentication with user name and password, you can also use public-key authentication. Public-key authentication uses a private and a public key for user authentication. The public key can be additionally protected by a password.
The public key must be stored on the relevant server so that public key authentication can be set up. The private key is stored locally on your computer.
If you are using public-key authentication, you can use the public key to log on to the server without a password. If necessary, enter the requested password.
When you create a cloud server, you can store the public key in the Cloud Panel and assign it to the server while selecting the desired configuration. The public key is automatically entered into the /root/.ssh/authorized_keys file during server creation.
To further increase the security level, you can also disable the SSH password authentication. In this case, the users of the server can only log on using public-key authentication. Authentication by means of password entry is only possible in this case if the user logs on to the server using the KVM console (Cloud Server and VPS) or the VNC console (Dedicated Server).
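One pitfall when disabling SSH password authentication is that sshd uses the first occurrence of a keyword in sshd_config, so a hardening line appended at the end of the file is silently ignored if an earlier line already set it. The following added example (not part of the original article) audits a constructed sshd_config text for the two settings discussed above with that first-match rule; Match blocks are assumed absent and are not modelled.

```shell
#!/bin/sh
# Added example: audit an sshd_config text for password and public-key
# authentication settings. Demonstrates sshd's first-occurrence-wins rule.
# The config below is constructed for this demo, not a real server's file.

# Print the effective value of a keyword: first match wins, keyword is
# case-insensitive, comments and blank lines are skipped, and both
# "Key value" and "Key=value" forms are accepted. Match blocks are ignored.
sshd_effective() {   # $1 = keyword, stdin = config text
    awk -v key="$1" '
        {
            line = $0
            sub(/#.*/, "", line)                  # drop comments
            sub(/^[ \t]+/, "", line)              # drop leading whitespace
            if (line == "") next
            n = split(line, f, "[ \t=]+")
            if (n >= 2 && tolower(f[1]) == tolower(key)) { print f[2]; exit }
        }'
}

# Report whether the config matches the recommendation in the article:
# password logins disabled, public-key logins enabled. One finding per line.
sshd_audit() {   # stdin = config text
    cfg=$(cat)
    pw=$(printf '%s\n' "$cfg" | sshd_effective PasswordAuthentication | tr 'A-Z' 'a-z')
    pk=$(printf '%s\n' "$cfg" | sshd_effective PubkeyAuthentication | tr 'A-Z' 'a-z')
    # sshd's built-in default for both keywords is "yes" when they are absent
    if [ "${pw:-yes}" = "no" ]; then echo "OK   PasswordAuthentication no"
    else echo "WARN PasswordAuthentication is effectively '${pw:-yes}' (first occurrence wins)"; fi
    if [ "${pk:-yes}" = "yes" ]; then echo "OK   PubkeyAuthentication yes"
    else echo "WARN PubkeyAuthentication is effectively '$pk'"; fi
}

# Constructed sample: an admin appended "PasswordAuthentication no" without
# noticing the earlier "yes" line, so password logins are still allowed.
SAMPLE_CFG='# constructed sample sshd_config (demo only)
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
# appended later, but ignored by sshd because of the earlier line:
PasswordAuthentication no'

printf '%s\n' "$SAMPLE_CFG" | sshd_audit
```

On a live server, `sshd -T` prints the fully resolved configuration, so `sshd -T | grep -i passwordauthentication` confirms what the daemon will actually apply after a change.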
Always Use Strong Passwords
Weak passwords can make it easier for potential attackers to gain access to your server. If such an attack is successful, the attacker can use your server for malicious activities, take advantage of your server's resources, or possibly take control of the server and lock you out.
You should therefore always use secure and complex passwords. Change the passwords regularly. The following criteria will help you to create a strong and secure password:
Use a separate password for each service and for each database running on the server.
Use a password that is not available in dictionaries.
Always use a password that is significantly different from previous passwords.
Do not use any personal data from your personal environment such as birthdays, names, etc.
Do not use a password that contains the user name or company name.
Do not give your password to any third party.
Combine different types of characters, such as letters, numbers, and special characters.
Do not reuse passwords for different services.
A secure password contains:
at least 8 characters
upper and lower case letters: a-z, A-Z
Develop an Appropriate Backup Strategy
The loss of data can cause profound and costly damage. For this reason, you should develop an appropriate backup strategy as early as possible. Developing a backup strategy is technically complex because many factors need to be considered. Some important factors are, for example:
Determination of the Risk Situation: The risk situation depends on the purpose of the server and the dependency on the database.
Classification of Data: What type of data is this? Is it necessary to create backups of system-relevant data or personal data?
Availability of Data: Which applications depend on the data and in what form? Do the applications also work without the relevant data?
In addition, you should consider and answer the following questions when developing your backup strategy:
Which data loss is acceptable?
How long would it take to reconstruct the data?
How much data do you handle at the moment? Will the amount increase in the future?
How must the data be backed up?
Are there any deletion and storage periods?
Is the data confidential? Is special access protection required? Are there any legal requirements?
When can the backup be created without negative effects on other processes?
How long do you need to keep the backups?
Another important point to consider when developing your backup strategy is the backup type. Basically we can differentiate between the following types of backup:
A full backup is a backup that contains all data selected for backup.
A differential backup contains all files that have changed or have been added since the last full backup. Changes are always determined relative to the last full backup, so differential backups grow day by day until you perform a full backup again. However, they require less disk space than a full backup and can be performed faster.
To recover data from a differential backup, you must also have access to the last full backup. The individual differential backups can be handled independently of each other.
Incremental backups are very space-saving and can be performed quickly.
With an incremental backup, only the data that has been created or modified since the last backup is secured. In this context, it makes no difference whether the last backup was a full backup or an incremental backup.
As the backups are interdependent, you must also have access to other backups in the backup chain to restore an incremental backup. If you delete one of the previous incremental backups or a full backup, you cannot restore the entire group.
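The difference between the three backup types above comes down to which reference point the "changed since" selection uses. The following added example (not part of the original article) simulates that on a constructed directory tree using the stamp-file approach many backup scripts use: a file whose mtime records when a backup ran, and `find -newer` to select what changed after it. Timestamps are set explicitly with `touch -t` so the result is deterministic; the directory layout and file names are made up for the demo.

```shell
#!/bin/sh
# Added example: full vs. differential vs. incremental selection on a
# constructed data set. A stamp file marks the time of each backup run.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
DATA="$WORK/data"; STAMPS="$WORK/stamps"
mkdir -p "$DATA" "$STAMPS"

# Files changed after a given stamp, as a sorted space-separated list.
changed_since() {   # $1 = stamp file (absolute path)
    ( cd "$DATA" && find . -type f -newer "$1" | sed 's|^\./||' | LC_ALL=C sort | xargs echo )
}

# Day 1: initial data, then a full backup at 12:00 (all files, no reference).
touch -t 202401011000 "$DATA/a.txt" "$DATA/b.txt" "$DATA/c.txt"
touch -t 202401011200 "$STAMPS/full"

# Day 2: a.txt modified, d.txt added. Both backup types run at 12:00.
touch -t 202401021000 "$DATA/a.txt" "$DATA/d.txt"
DAY2_DIFF=$(changed_since "$STAMPS/full")   # relative to the last FULL backup
DAY2_INC=$(changed_since "$STAMPS/full")    # relative to the last backup of ANY type (here: the full)
touch -t 202401021200 "$STAMPS/inc1"

# Day 3: b.txt modified. Now the two selections diverge.
touch -t 202401031000 "$DATA/b.txt"
DAY3_DIFF=$(changed_since "$STAMPS/full")   # still relative to the full: a, b, d
DAY3_INC=$(changed_since "$STAMPS/inc1")    # relative to yesterday's incremental: b only
touch -t 202401031200 "$STAMPS/inc2"

# What a restore on day 3 needs (this is the dependency the article describes):
#   differential: full + the latest differential only
#   incremental:  full + every incremental in the chain, none may be missing
restore_chain() {   # $1 = differential|incremental
    case "$1" in
        differential) echo "full day3-differential" ;;
        incremental)  ( cd "$STAMPS" && ls -tr | xargs echo ) ;;   # stamps in chronological order
    esac
}

echo "day 2 differential: $DAY2_DIFF"
echo "day 2 incremental:  $DAY2_INC"
echo "day 3 differential: $DAY3_DIFF"
echo "day 3 incremental:  $DAY3_INC"
echo "restore (differential) needs: $(restore_chain differential)"
echo "restore (incremental)  needs: $(restore_chain incremental)"
```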
In addition to the development of an appropriate backup strategy and the creation of backups on a regular basis, you should also make sure that the recovery of the backups is tested regularly.
Make Sure That Local Services Listen Only to Localhost
Not all services need to be accessible via the network or the internet. Therefore, make sure that local services actually listen only on localhost. For example, if you are running a local MySQL instance on your web server, the database should only listen on localhost. The same rule applies to any applications you test.
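A quick way to verify this recommendation is to list the TCP sockets in LISTEN state and flag those bound to a wildcard address rather than a loopback address. The following added example (not part of the original article) does that over a constructed `ss -tln`-style listing embedded in the script; the allowlist of ports that are meant to be public, and the sample ports and addresses, are assumptions for the demo.

```shell
#!/bin/sh
# Added example: find listening TCP sockets bound to all interfaces.
# Input format follows `ss -tln` (State Recv-Q Send-Q Local:Port Peer:Port);
# the sample below is constructed for this demo, not output from a real host.

# Print wildcard-bound listeners whose port is NOT in the allowlist,
# sorted, space-separated. Loopback-bound sockets are never reported.
wildcard_listeners() {   # $1 = space-separated allowlist of public ports; stdin = ss output
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "LISTEN" { next }                   # skip the header line
        {
            local = $4
            i = match(local, /:[0-9]+$/)          # split at the last ":port"
            addr = substr(local, 1, i - 1); port = substr(local, i + 1)
            wild = (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
            if (wild && !(port in ok)) print local
        }' | LC_ALL=C sort | xargs echo
}

# Constructed sample: MySQL and Redis correctly bound to loopback, SSH and
# HTTP intentionally public, and a test application on 8080 exposed by mistake.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   *:80                *:*
LISTEN 0      128    [::1]:6379          [::]:*
LISTEN 0      128    [::]:8080           [::]:*'

echo "all wildcard listeners:        $(printf '%s\n' "$SAMPLE_SS" | wildcard_listeners "")"
echo "unexpected (22/80/443 allowed): $(printf '%s\n' "$SAMPLE_SS" | wildcard_listeners "22 80 443")"
```

On a live server, pipe `ss -tln` (or `ss -tlnp` to see the owning process) into `wildcard_listeners`; for the MySQL case in the text, the fix is `bind-address = 127.0.0.1` in the server's my.cnf.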
For technical reasons, you can only establish one connection to your cloud servers through a VPN. If you want to establish multiple VPN connections at the same time, you must configure a VPN connection for every local PC.
You can create the VPN in the Network > VPN section of the Cloud Panel.
To use the VPN, you must then install and configure the OpenVPN software on the local PC.
Additional information on the use of VPNs can be found here:
If possible, install applications only from official sources. Applications from unofficial sources may contain malware and/or viruses.
Monitor Your Server
Monitoring is an important tool to increase server security. Detecting a server failure, or the failure of individual components or applications, in time is only possible if you monitor the server. This also applies to certain types of cyber attacks. If your server is attacked, a fast reaction is essential to stop the attack and minimize the damage caused.
Check Your Server Regularly for Malware and Viruses
Although Linux is generally less affected by malware and viruses than Windows, it is not immune to malicious software. For Linux systems, there are a number of malware and virus scanners that you can use to regularly check the integrity of your servers.
Please make sure that the antivirus and anti-malware signatures are updated on a regular basis.
More Articles on this topic
The second article of this series can be found here: