Configuring your server securely is one of the most important tasks for administrators. This applies not only to self-managed servers but also to rented hardware. Measures such as password protection, robust SSH settings, and regular updates create a comprehensive security package.

Who is responsible for secure server configuration?

Hosting your own server provides maximum freedom when it comes to configuration. An adequate alternative is root servers, which many providers offer and grant root account access. In both scenarios, critical tasks like installation, structuring, and maintenance fall entirely on the renter. Errors in the root area can lead to significant issues. However, adhering to the correct procedures can establish an ideal foundation for a reliable, high-performance, and secure server.

Dedicated Servers
Performance through innovation
  • Dedicated enterprise hardware
  • Intel® Xeon® or AMD processors
  • Leading security technologies

How to secure your server step by step

Whether you want to secure a Windows, Ubuntu, or Debian server, several universal steps can help establish a solid security foundation. Below, we summarize the most important steps.

Step 1: Perform a minimal installation

Even before you start taking protective measures and configuring your server, you can influence your project’s future security potential. Regardless of whether you’re using a Windows or Linux operating system, apply this principle during installation: Your server should only contain the software it needs to perform its tasks.

The reason is that every installed application poses a potential security risk and may negatively impact performance. To minimize vulnerabilities, install only the necessary system components and rely exclusively on verified third-party software.

Step 2: Set a strong password

After installation, your first action should be to set a strong admin (Windows) or root password (Linux). By default, no value is defined, so the administrator account remains blocked until you provide input. Most operating systems prompt you to create an account with a password immediately after installation, which will act as your administrator or root login.

If you rented your Linux server from a provider and received a pre-existing root login, change the password immediately. Log in to your server via SSH and enter the following command in the terminal:

passwd
bash

After installing your secure password, you will need to verify it. Make sure to choose a password that is as long as possible and includes a mix of letters, special characters, and numbers. It’s also recommended to use a password manager to store the password securely for easy access if needed.

Tip

If a root password has already been set for your Linux system and you don’t know it, you can change it in recovery mode. Start the recovery mode by pressing the Shift key during the boot process. From the “root” menu entry, access the “Root” prompt where you will have administrator privileges to modify the password.

Step 3: Change the SSH port

By default, SSH access uses TCP/UDP port 22, which is pre-configured during system installation. Hackers often focus their automated login attempts on this port. To reduce the risk of unauthorized access, assign a different port for encrypted remote connections.

To do this, edit the SSH configuration file sshd_config using any text editor. For example, to use the nano editor, run the following command:

nano /etc/ssh/sshd_config
bash

Search for the line labeled “Port” and replace port number 22 with the number of your choice. Keep in mind that there are various other standard ports reserved for different services (e.g., port 80 for HTTP).

Note

Before the changes in the sshd_config file take effect, you have to restart the SSH service. On Debian, you can do this using the command etc/init.d/ssh restart. For Ubuntu users, restart the service with service ssh restart.

Step 4: Disable SSH login for admin accounts

To further secure your server, it is advisable to disable SSH login for the root or administrator account. Otherwise, if an attacker gains access to the password, they could use the account for remote access.

Before implementing this measure, ensure that there is at least one other account that can connect to the server to avoid locking yourself out. For Linux systems, create an account like this using the following command:

useradd -g users -d /home/user1 -m -s /bin/bash user1
bash

This creates an example user account named “user1”. Next, assign a secure password to the account:

passwd user1
bash

Test whether the login with the created user account works. If successful, proceed with the main task: disabling the root account. Open the SSH configuration file sshd_config again using your preferred editor. Locate the entry PermitRootLogin yes and replace it with PermitRootLogin no. After restarting the SSH service, remote access for the root account will no longer be possible.

Using the AllowGroups entry in the configuration file, you can also specify which users are allowed to connect via SSH. To do this, simply create a group (addgroup) and add the desired users to it (adduser). Then, include the chosen group name in the sshd_config (e.g., AllowGroups ssh_users).

Note

An alternative to disabling SSH login for root accounts is to prohibit password-based login entirely and instead use public-key authentication with SSH keys.

Step 5: Set up email notifications for SSH logins

Regardless of the specific steps you take to secure SSH access, you should continuously monitor all remote activities afterward. This ensures you can verify that the SSH service on your server is properly secured and detect unauthorized access attempts early, enabling you to respond appropriately. A simple shell script can automatically send a notification email to your address after every successful remote login to your server.

Here is an example script /opt/shell-login.sh for Linux, which you can easily create yourself:

#!/bin/bash
echo "Login on $(hostname) on $(date +%Y-%m-%d) at $(date +%H:%M)"
echo "User: $USER"
echo
finger
txt

Next, add the following line to the /etc/profile file:

/opt/shell-login.sh | mailx -s "SSH login on the server" youremail@example.com
txt

This entry ensures that the script executes and sends a notification email to the specified address whenever an SSH login occurs. To achieve this, the script must be assigned permission 755 (read and execute permissions for all users, and write permissions for the owner). You can set this permission with the following command:

chmod 755 /opt/shell-login.sh
bash
Note

If a user establishes an SSH connection using a program like WinSCP, which doesn’t perform a full login, the described shell script will not send an email!

Step 6: Block unused ports

Open ports generally don’t pose a significant security risk, as they are essential for communication with various services and applications. For instance, ports 80 and 443 are necessary for HTTP and HTTPS connections, as is your chosen SSH port. However, these interfaces can become vulnerabilities if the associated programs have security flaws, which attackers can exploit.

Tip

Learn how to test your ports in our dedicated article to get an overview of all open ports.

If you’ve performed a minimal system installation and installed only a limited number of third-party applications, the number of additional required ports should be small. To protect your server from attacks, you should block all unnecessary open ports in your firewall settings. Most major operating systems include packet-filtering software, such as iptables, by default. This tool allows you to define rules to regulate data traffic, including specifying allowed and blocked ports.

Step 7: Update software regularly

Known security vulnerabilities in applications are typically addressed quickly with updates. By staying informed about updates for your operating system and installed applications and applying them promptly, you ensure optimal protection for your server. Most server systems also offer features to automatically download and install critical security updates in the background.

For instance, if you’re securing a Windows server, the Windows Update section lets you configure specific policies for automatic updates. This includes defining when and how often updates are checked, whether they should be installed immediately, and when the system should restart. Linux systems offer tools like apt-listchanges or the apticron shell script to notify you of new available software packages daily and download them. Additional scripts like unattended-upgrades can handle automatic installation.

Note

Even when using an automated update process, ensure you keep track of completed updates. This helps identify and address errors that might occur during the update process.

Step 8: Protect Windows and Linux servers from brute-force attacks

One of the simplest and most common attack methods is the brute-force attack. In this type of attack, hackers use tools to repeatedly attempt password guesses. By implementing strong password management practices, you can significantly reduce the likelihood of this method succeeding.

However, if your server provides services requiring user logins, you cannot assume that all users follow strong password practices. Analysis tools can help mitigate this risk: Solutions like Fail2ban (Linux/POSIX systems) or RdpGuard (Windows) monitor server log files, detect unusual behavior, and block suspicious IP addresses. You can configure the number of failed attempts allowed before blocking and the duration of the block.

Tip

For additional security, consider setting up two-factor authentication. This method requires a second authentication factor, such as a smartphone, smart card, or TAN list, in addition to the password.

Step 9: Use monitoring tools

To maintain server security, it’s crucial to ensure that hardware and software interactions function as intended. This is not a one-time task but an ongoing responsibility that requires constant attention. With the high number of different system processes, using monitoring tools from the beginning is advisable. These tools track all server activities and alert you to anomalies.

A straightforward, easy-to-configure program for this purpose is Monit, which can be installed via the package manager on many Linux distributions. This open-source application (GNU-AGPL license) can monitor processes, files, clouds, hosts, programs, or scripts, as well as system resources like CPU and memory usage. For more comprehensive monitoring, consider Nagios, an open-source tool available for Linux and Windows. Nagios can also be extended with Nagios plugins.

Free VPS Trial
30-day money-back guarantee

Try out your VPS for 30 days. If you're not satisfied, you get your money back.

Step 10: Set up backups

The recommended configuration steps significantly enhance your server’s security. However, even the best configurations and diligent maintenance cannot guarantee 100% protection. A comprehensive backup strategy is a critical component of your security system, enabling you to restore files in case of data loss.

Many robust tools are available to help you create and restore backups. One free option is the open-source synchronization tool rsync, compatible with most major platforms (macOS, Windows, Linux). This tool keeps your backup updated in real-time by mirroring any changes made to the original data.

In addition to a general server backup, ensure that you also back up your databases.

Note

For maximum backup security, store backups on external storage devices (e.g., portable hard drives, additional servers) rather than the server being secured.

Was this article helpful?
Go to Main Menu