Maintaining security of your Linux server is extremely important, especially if you use your Linux server for production work for your business. These measures must be configured properly in order for the system to be difficult to hack, preventing any information from being stolen. When it comes to security, Linux-based operating systems have an advantage over other OSes such as Windows or macOS. There’s lots of great tools and features that help you secure your server from unwanted attackers. Let’s go over some of the best ways to secure your Linux server from attacks and hacks.
Table of Contents
Prerequisites
- A server with a Linux-based OS
- User privileges: root or non-root user with sudo privileges
What Can Happen If You Use Weak Security Practices
Neglecting your server’s security can lead to potential disaster for your server. There are countless automated machines out on the internet that scan all IP addresses and try to find any way to gain access to your server. As soon as one of those machines gains access (either through brute force or by knowing something about your server ahead of time), all sorts of bad things can happen.
Your data could get uploaded to a stranger’s server and held ransom for example. Your server’s resources could be abused. If you have sensitive information, it could even lead to your client’s data and security being compromised.
Set a Strong Root Password
After fresh installation of the Linux operating system, it is recommended the root password be set with at least 12 characters, including alphabetical, numerical, and even special characters. It is not recommended to use regular words, such as the name of your country or your first or last name. The best practice is to use random password generators so you can always be sure that your root password is strong enough.
Change SSH Port
If you are familiar with any Linux distro, you might already know that the default SSH port on a Linux server after fresh installation is port 22. Most attacks and login attempts are focused on that port since it would grant the attacker full access to your server. If you have a weak password, you might be easily hacked. That’s why we recommend for the port to be changed. For example, you can use port numbers 522, 6085, 9924, etc. Just make sure to not use a port that might be used by another service on your server, such as 3306 for your database or 80 and 443 for your web browser.
Disable Root Login
Using the superuser “root” can be dangerous, because it provides full unrestricted access to everything on your server. If the server has a weak root password, your server’s resources and data can easily be stolen and your server’s resources abused. We recommend that you create a new sudo user with an irregular name and grant “sudo” permissions to that user. After that, logging in using the “root” user can be disabled. You can do that like so:
Open your SSH daemon configuration file using the text editor of your choice. We’ll be using Nano:
sudo nano /etc/ssh/sshd_config
Then change the line containing the word PermitRootLogin
to no. Your line should look like this:
PermitRootLogin no
Then restart your SSH server:
sudo systemctl restart sshd
Now when you try to log in as root, it will always show as an incorrect login even when it is correct.
Set Up a Firewall
Enabling a firewall on a Linux server is one of the most common and important things that you need to do after a fresh installation of the OS. Linux firewalls offer reliability and huge customization. On top of that, they’re cost-effective because it is all open-source. Using a firewall can provide secure DNS, IP blocking, filtering, and much more. We recommend that you learn some of the common firewall rules and commands to help protect your server.
Reliable Software
Reliable and well-maintained software is also key in maintaining good security on your Linux server. As we all know, the most important use case for a server is hosting websites or applications. Your server should have software from reliable resources with security updates and patches to function properly. You should always try and update your software on Linux to their latest versions whenever possible. All other software that is EOL or cannot be updated should be replaced as soon as possible to patch out any attack vectors.
Restrict Access
Limiting access to the server is a great way to better secure your Linux server. For example, with the Firewall we can limit access to a specific port for only a few IP addresses, or some specific countries, etc. Also, we can change the ports used by your applications and close the default port for that application. That way the attacker won’t know which port to check for your services.
On top of that, depending on the applications you use, you can restrict access to certain IP addresses or certain users in the software that you use.
Set Safe File/Folder Permissions
When securing your server, all files used by software should never be owned by “root”. Similarly, you should never run any third-party services as the “root” user unless absolutely necessary. For example, if you run the web server as the root user, you’ll potentially be exposing your entire server’s files to the internet.
You should also get into the habit of keeping all folder and files permissions to 755 and 644 respectively. Assigning these permissions helps prevent data theft and malicious scripts from being uploaded to the server. The permissions you set determines who can read, write, or modify the files.
Use a CDN
A CDN (or Content Delivery Network) provides security protections across a broad range of attacks, such as DDoS attacks. Additionally, using a CDN helps prevent hacking or spam submitted to a blog or comment form on your website. A good CDN stops malicious traffic before it reaches your origin web server.
The added benefit of using a CDN is that your website should load faster, especially for the visitors that live far away from your server. This then helps your website’s page speed and can even improve your search ranking.
Get Expert Help
If knowing how to secure your Linux server is too time consuming for you, we recommend that you use something like a Managed Linux Hosting service that includes expert support in the hosting price. We specialize in supporting and caring for your server. We enable you to run your website without any technical knowledge. Our support team takes care of keeping your server up to date and safe from attackers. On top of the expert support, we also include the fastest NVMe SSDs, 100% uptime, and a 7-day money-back guarantee.
We hope you found this comprehensive guide on how to secure your Linux server helpful. If you have any other tips and ideas, feel free to leave them down in a comment! As always, we are here for you in case you have any questions. Thank you.