November 25, 2022
This article will guide you through the process of securing your server. It will cover the following topics:
Automatic updates are a great way to keep your server up to date. They install security updates and bug fixes automatically, and can also reboot your server when an update requires it.
To install automatic updates, run the following command:
sudo apt install unattended-upgrades
To configure automatic updates, run the following command:
sudo dpkg-reconfigure -plow unattended-upgrades
You will be asked to choose the update settings. You can choose the default settings by pressing enter.
To enable automatic reboots, run the following command:
sudo sed -i 's|//Unattended-Upgrade::Automatic-Reboot "false";|Unattended-Upgrade::Automatic-Reboot "true";|g' /etc/apt/apt.conf.d/50unattended-upgrades
To schedule automatic reboots at a fixed time (02:00 here), run the following command:
sudo sed -i 's|//Unattended-Upgrade::Automatic-Reboot-Time "02:00";|Unattended-Upgrade::Automatic-Reboot-Time "02:00";|g' /etc/apt/apt.conf.d/50unattended-upgrades
SSH is a protocol that allows you to connect to your server remotely. It is a very powerful tool, but it can also be dangerous if not configured properly. It is recommended to disable password authentication and to use SSH keys instead.
To configure SSH, run the following command:
sudo nano /etc/ssh/sshd_config
Edit the following lines:
# Change me
Port 2025
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
sudo systemctl restart ssh
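A way to check that the edited lines are the ones sshd will actually use, as an added example that is not part of the original article. The function names `sshd_effective` and `audit_sshd` and the sample file are constructed for illustration. The parser reads only the global section of a single file and does not follow Include directives.

```shell
#!/usr/bin/env bash
# Added example (not from the article): audit an sshd_config-style file.
# sshd keeps the FIRST value it reads for each keyword, and keywords are
# case-insensitive, so a line appended at the bottom may never take effect.

# Print the effective global value of keyword $2 in file $1 (empty if unset).
sshd_effective() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { sub(/^[ \t]+/, "") }                 # strip leading whitespace
        /^#/ || /^$/ { next }                  # skip comments and blank lines
        tolower($1) == "match" { exit }        # Match blocks are conditional
        tolower($1) == want { print tolower($2); exit }   # first match wins
    ' "$1"
}

# Compare effective values with the ones this article sets (explicitly).
# Prints one line per keyword; the return status is the number of mismatches.
audit_sshd() {
    local file="$1" fails=0 key want got
    while read -r key want; do
        got=$(sshd_effective "$file" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key is '${got:-unset}', expected '$want'"
            fails=$((fails + 1))
        fi
    done <<'EOF'
passwordauthentication no
challengeresponseauthentication no
permitrootlogin no
pubkeyauthentication yes
EOF
    return "$fails"
}

# Constructed sample: the hardening lines were appended below an older
# "PasswordAuthentication yes", which is therefore the value sshd would use.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2025
PasswordAuthentication yes
  permitrootlogin no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF
audit_sshd "$sample" || echo "mismatches: $?"
rm -f "$sample"
```

On a live server, `sudo sshd -T` prints the effective configuration with Include files resolved, and is the authoritative check.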
To use public/private key authentication, you will need to generate a key pair on your local machine. To do so, run the following command:
ssh-keygen -t rsa -b 4096
You will be asked to enter a file in which to save the key. Press enter to use the default file. You will also be asked to enter a passphrase. It is recommended to enter a passphrase.
Once you have generated the key pair, you will need to copy the public key to your server. To do so, run the following command:
ssh-copy-id -i ~/.ssh/id_rsa.pub [server ip]
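You will be asked to enter the password of the user you are connecting to. Once you have entered the password, you will be able to connect to your server without entering a password. Because ssh-copy-id logs in with that password, password authentication must still be enabled on the server when you run it; if SSH is already listening on the new port, add -p 2025 to the command.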
Fail2ban is a tool that blocks IP addresses that repeatedly try to log in to your server with the wrong credentials. The configuration below applies it to SSH logins.
To install Fail2ban, run the following command:
sudo apt install fail2ban
To configure Fail2ban, run the following command:
sudo nano /etc/fail2ban/jail.local
Add the following lines:
[sshd]
enabled = true
# Must match the Port set in /etc/ssh/sshd_config; "ssh" would mean port 22
port = 2025
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
sudo systemctl restart fail2ban
UFW is a firewall that will block all incoming connections by default. It will only allow connections to the ports that you specify.
To install UFW, run the following command:
sudo apt install ufw
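To configure UFW, run the following commands:
sudo ufw default deny incoming
sudo ufw default allow outgoing
# SSH listens on the port set in sshd_config (2025 above); "ufw allow ssh" would open port 22 only
sudo ufw allow 2025/tcp
sudo ufw allow http
sudo ufw allow https
sudo ufw enable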
This article has covered the following topics:
You can now secure your server.
Website created by Yassine Fathi © 2023