Con­fig­ur­ing your server securely is one of the most important tasks for ad­min­is­tra­tors. This applies not only to self-managed servers but also to rented hardware. Measures such as password pro­tec­tion, robust SSH settings, and regular updates create a com­pre­hen­sive security package.

Who is re­spon­si­ble for secure server con­fig­u­ra­tion?

Hosting your own server provides maximum freedom when it comes to con­fig­u­ra­tion. An adequate al­ter­na­tive is root servers, which many providers offer and grant root account access. In both scenarios, critical tasks like in­stal­la­tion, struc­tur­ing, and main­te­nance fall entirely on the renter. Errors in the root area can lead to sig­nif­i­cant issues. However, adhering to the correct pro­ce­dures can establish an ideal foun­da­tion for a reliable, high-per­for­mance, and secure server.

Dedicated Servers
Per­for­mance through in­no­va­tion
  • Dedicated en­ter­prise hardware
  • Con­fig­urable hardware equipment
  • ISO-certified data centers

How to secure your server step by step

Whether you want to secure a Windows, Ubuntu, or Debian server, several universal steps can help establish a solid security foun­da­tion. Below, we summarize the most important steps.

Step 1: Perform a minimal in­stal­la­tion

Even before you start taking pro­tec­tive measures and con­fig­ur­ing your server, you can influence your project’s future security potential. Re­gard­less of whether you’re using a Windows or Linux operating system, apply this principle during in­stal­la­tion: Your server should only contain the software it needs to perform its tasks.

The reason is that every installed ap­pli­ca­tion poses a potential security risk and may neg­a­tive­ly impact per­for­mance. To minimize vul­ner­a­bil­i­ties, install only the necessary system com­po­nents and rely ex­clu­sive­ly on verified third-party software.

Step 2: Set a strong password

After in­stal­la­tion, your first action should be to set a strong admin (Windows) or root password (Linux). By default, no value is defined, so the ad­min­is­tra­tor account remains blocked until you provide input. Most operating systems prompt you to create an account with a password im­me­di­ate­ly after in­stal­la­tion, which will act as your ad­min­is­tra­tor or root login.

If you rented your Linux server from a provider and received a pre-existing root login, change the password im­me­di­ate­ly. Log in to your server via SSH and enter the following command in the terminal:

passwd
bash

After in­stalling your secure password, you will need to verify it. Make sure to choose a password that is as long as possible and includes a mix of letters, special char­ac­ters, and numbers. It’s also rec­om­mend­ed to use a password manager to store the password securely for easy access if needed.

Tip

If a root password has already been set for your Linux system and you don’t know it, you can change it in recovery mode. Start the recovery mode by pressing the Shift key during the boot process. From the “root” menu entry, access the “Root” prompt where you will have ad­min­is­tra­tor priv­i­leges to modify the password.

Step 3: Change the SSH port

By default, SSH access uses TCP/UDP port 22, which is pre-con­fig­ured during system in­stal­la­tion. Hackers often focus their automated login attempts on this port. To reduce the risk of unau­tho­rized access, assign a different port for encrypted remote con­nec­tions.

To do this, edit the SSH con­fig­u­ra­tion file sshd_config using any text editor. For example, to use the nano editor, run the following command:

nano /etc/ssh/sshd_config
bash

Search for the line labeled “Port” and replace port number 22 with the number of your choice. Keep in mind that there are various other standard ports reserved for different services (e.g., port 80 for HTTP).

Note

Before the changes in the sshd_config file take effect, you have to restart the SSH service. On Debian, you can do this using the command etc/init.d/ssh restart. For Ubuntu users, restart the service with service ssh restart.

Step 4: Disable SSH login for admin accounts

To further secure your server, it is advisable to disable SSH login for the root or ad­min­is­tra­tor account. Otherwise, if an attacker gains access to the password, they could use the account for remote access.

Before im­ple­ment­ing this measure, ensure that there is at least one other account that can connect to the server to avoid locking yourself out. For Linux systems, create an account like this using the following command:

useradd -g users -d /home/user1 -m -s /bin/bash user1
bash

This creates an example user account named “user1”. Next, assign a secure password to the account:

passwd user1
bash

Test whether the login with the created user account works. If suc­cess­ful, proceed with the main task: disabling the root account. Open the SSH con­fig­u­ra­tion file sshd_config again using your preferred editor. Locate the entry PermitRootLogin yes and replace it with PermitRootLogin no. After restart­ing the SSH service, remote access for the root account will no longer be possible.

Using the AllowGroups entry in the con­fig­u­ra­tion file, you can also specify which users are allowed to connect via SSH. To do this, simply create a group (addgroup) and add the desired users to it (adduser). Then, include the chosen group name in the sshd_config (e.g., AllowGroups ssh_users).

Note

An al­ter­na­tive to disabling SSH login for root accounts is to prohibit password-based login entirely and instead use public-key au­then­ti­ca­tion with SSH keys.

Step 5: Set up email no­ti­fi­ca­tions for SSH logins

Re­gard­less of the specific steps you take to secure SSH access, you should con­tin­u­ous­ly monitor all remote ac­tiv­i­ties afterward. This ensures you can verify that the SSH service on your server is properly secured and detect unau­tho­rized access attempts early, enabling you to respond ap­pro­pri­ate­ly. A simple shell script can au­to­mat­i­cal­ly send a no­ti­fi­ca­tion email to your address after every suc­cess­ful remote login to your server.

Here is an example script /opt/shell-login.sh for Linux, which you can easily create yourself:

#!/bin/bash
echo "Login on $(hostname) on $(date +%Y-%m-%d) at $(date +%H:%M)"
echo "User: $USER"
echo
finger
txt

Next, add the following line to the /etc/profile file:

/opt/shell-login.sh | mailx -s "SSH login on the server" youremail@example.com
txt

This entry ensures that the script executes and sends a no­ti­fi­ca­tion email to the specified address whenever an SSH login occurs. To achieve this, the script must be assigned per­mis­sion 755 (read and execute per­mis­sions for all users, and write per­mis­sions for the owner). You can set this per­mis­sion with the following command:

chmod 755 /opt/shell-login.sh
bash
Note

If a user es­tab­lish­es an SSH con­nec­tion using a program like WinSCP, which doesn’t perform a full login, the described shell script will not send an email!

Step 6: Block unused ports

Open ports generally don’t pose a sig­nif­i­cant security risk, as they are essential for com­mu­ni­ca­tion with various services and ap­pli­ca­tions. For instance, ports 80 and 443 are necessary for HTTP and HTTPS con­nec­tions, as is your chosen SSH port. However, these in­ter­faces can become vul­ner­a­bil­i­ties if the as­so­ci­at­ed programs have security flaws, which attackers can exploit.

Tip

Learn how to test your ports in our dedicated article to get an overview of all open ports.

If you’ve performed a minimal system in­stal­la­tion and installed only a limited number of third-party ap­pli­ca­tions, the number of ad­di­tion­al required ports should be small. To protect your server from attacks, you should block all un­nec­es­sary open ports in your firewall settings. Most major operating systems include packet-filtering software, such as iptables, by default. This tool allows you to define rules to regulate data traffic, including spec­i­fy­ing allowed and blocked ports.

Step 7: Update software regularly

Known security vul­ner­a­bil­i­ties in ap­pli­ca­tions are typically addressed quickly with updates. By staying informed about updates for your operating system and installed ap­pli­ca­tions and applying them promptly, you ensure optimal pro­tec­tion for your server. Most server systems also offer features to au­to­mat­i­cal­ly download and install critical security updates in the back­ground.

For instance, if you’re securing a Windows server, the Windows Update section lets you configure specific policies for automatic updates. This includes defining when and how often updates are checked, whether they should be installed im­me­di­ate­ly, and when the system should restart. Linux systems offer tools like apt-listchanges or the apticron shell script to notify you of new available software packages daily and download them. Ad­di­tion­al scripts like unattended-upgrades can handle automatic in­stal­la­tion.

Note

Even when using an automated update process, ensure you keep track of completed updates. This helps identify and address errors that might occur during the update process.

Step 8: Protect Windows and Linux servers from brute-force attacks

One of the simplest and most common attack methods is the brute-force attack. In this type of attack, hackers use tools to re­peat­ed­ly attempt password guesses. By im­ple­ment­ing strong password man­age­ment practices, you can sig­nif­i­cant­ly reduce the like­li­hood of this method suc­ceed­ing.

However, if your server provides services requiring user logins, you cannot assume that all users follow strong password practices. Analysis tools can help mitigate this risk: Solutions like Fail2ban (Linux/POSIX systems) or RdpGuard (Windows) monitor server log files, detect unusual behavior, and block sus­pi­cious IP addresses. You can configure the number of failed attempts allowed before blocking and the duration of the block.

Tip

For ad­di­tion­al security, consider setting up two-factor au­then­ti­ca­tion. This method requires a second au­then­ti­ca­tion factor, such as a smart­phone, smart card, or TAN list, in addition to the password.

Step 9: Use mon­i­tor­ing tools

To maintain server security, it’s crucial to ensure that hardware and software in­ter­ac­tions function as intended. This is not a one-time task but an ongoing re­spon­si­bil­i­ty that requires constant attention. With the high number of different system processes, using mon­i­tor­ing tools from the beginning is advisable. These tools track all server ac­tiv­i­ties and alert you to anomalies.

A straight­for­ward, easy-to-configure program for this purpose is Monit, which can be installed via the package manager on many Linux dis­tri­b­u­tions. This open-source ap­pli­ca­tion (GNU-AGPL license) can monitor processes, files, clouds, hosts, programs, or scripts, as well as system resources like CPU and memory usage. For more com­pre­hen­sive mon­i­tor­ing, consider Nagios, an open-source tool available for Linux and Windows. Nagios can also be extended with Nagios plugins.

Free VPS Trial
30-day money-back guarantee

Try out your VPS for 30 days. If you're not satisfied, you get your money back.

Step 10: Set up backups

The rec­om­mend­ed con­fig­u­ra­tion steps sig­nif­i­cant­ly enhance your server’s security. However, even the best con­fig­u­ra­tions and diligent main­te­nance cannot guarantee 100% pro­tec­tion. A com­pre­hen­sive backup strategy is a critical component of your security system, enabling you to restore files in case of data loss.

Many robust tools are available to help you create and restore backups. One free option is the open-source syn­chro­niza­tion tool rsync, com­pat­i­ble with most major platforms (macOS, Windows, Linux). This tool keeps your backup updated in real-time by mirroring any changes made to the original data.

In addition to a general server backup, ensure that you also back up your databases.

Note

For maximum backup security, store backups on external storage devices (e.g., portable hard drives, ad­di­tion­al servers) rather than the server being secured.

Go to Main Menu