Securing your server

November 25, 2022 · 3 min read · 592 words

Introduction

This article will guide you through the process of securing your server. It covers automatic updates, SSH, Fail2ban and UFW.

Automatic updates

Automatic updates are a great way to keep your server up to date. They install security updates and bug fixes automatically and, once automatic reboots are enabled as described below, reboot your server when an update requires it.

Installation

To install automatic updates, run the following command:

sudo apt install unattended-upgrades

Configuration

To configure automatic updates, run the following command:

sudo dpkg-reconfigure -plow unattended-upgrades

You will be asked to choose the update settings. You can choose the default settings by pressing enter.

Automatic reboots

To enable automatic reboots, run the following command:

sudo sed -i 's|//Unattended-Upgrade::Automatic-Reboot "false";|Unattended-Upgrade::Automatic-Reboot "true";|g' /etc/apt/apt.conf.d/50unattended-upgrades

Automatic reboots at a fixed time

By default the automatic reboot happens immediately after the upgrade. To have it happen at a fixed time of day instead (02:00 here), run the following command:

sudo sed -i 's|//Unattended-Upgrade::Automatic-Reboot-Time "02:00";|Unattended-Upgrade::Automatic-Reboot-Time "02:00";|g' /etc/apt/apt.conf.d/50unattended-upgrades

SSH

SSH is a protocol that allows you to connect to your server remotely. It is a very powerful tool, but it can also be dangerous if not configured properly. It is recommended to disable password authentication and to use SSH keys instead.

To configure SSH, run the following command:


sudo nano /etc/ssh/sshd_config

Edit the following lines:

# Change me
Port 2025
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
PubkeyAuthentication yes

Restart SSH:


sudo systemctl restart ssh

Use public/private key authentication

To use public/private key authentication, you will need to generate a key pair on your local machine. To do so, run the following command:


ssh-keygen -t rsa -b 4096

You will be asked to enter a file in which to save the key. Press enter to use the default file. You will also be asked to enter a passphrase. It is recommended to enter a passphrase.

Once you have generated the key pair, you will need to copy the public key to your server. To do so, run the following command:


ssh-copy-id -i ~/.ssh/id_rsa.pub [server ip]

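You will be asked to enter the password of the user you are connecting to, so run this command while password authentication is still enabled on the server (before setting PasswordAuthentication no and restarting SSH). Once you have entered the password, you will be able to connect to your server without entering a password.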

Fail2ban

Fail2ban is a tool that watches your logs and blocks IP addresses that repeatedly try to log in to your server with the wrong credentials. With the sshd jail configured below, an address is banned for 3600 seconds after 3 failed SSH login attempts.

Installation

To install Fail2ban, run the following command:


sudo apt install fail2ban

Configuration

To configure Fail2ban, run the following command:


sudo nano /etc/fail2ban/jail.local

Add the following lines:


[sshd]
enabled = true
# Must match the Port set in /etc/ssh/sshd_config ("ssh" only covers port 22)
port = 2025
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600

Restart Fail2ban:


sudo systemctl restart fail2ban
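
The following script is an added example, not part of the original article: it reads an sshd_config and a jail.local and reports every setting that differs from the ones above, including an sshd Port that the fail2ban [sshd] jail does not cover. The function names and the sample files are constructed for illustration, and OpenSSH's defaults are assumed for keywords that are absent.

```shell
# Added example: offline check of the SSH settings this page recommends.

# Effective value of KEY in an sshd_config: the first occurrence wins, keywords
# are case-insensitive, and parsing stops at the first Match block.
# Assumes whitespace-separated "Keyword value" lines; Include is not followed.
sshd_value() {  # usage: sshd_value FILE key DEFAULT (key in lower case)
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || NF < 2 { next }
        { k = tolower($1) }
        k == "match" { exit }
        k == "kbdinteractiveauthentication" { k = "challengeresponseauthentication" }
        k == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Port covered by the [sshd] jail in a jail.local; "ssh" or unset means 22.
jail_port() {  # usage: jail_port FILE (a single port is assumed)
    awk '
        /^\[/ { in_sshd = ($1 == "[sshd]"); next }
        in_sshd && /^port[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); p = $0 }
        END { if (p == "" || p == "ssh") p = 22; print p }
    ' "$1"
}

# Print one line per deviation from the page; exit status = number of findings.
audit_ssh() {  # usage: audit_ssh SSHD_CONFIG JAIL_LOCAL
    findings=0
    # key:value the page sets:OpenSSH default used when the keyword is absent
    for want in passwordauthentication:no:yes permitrootlogin:no:prohibit-password \
                challengeresponseauthentication:no:yes pubkeyauthentication:yes:yes; do
        key=${want%%:*}; rest=${want#*:}
        got=$(sshd_value "$1" "$key" "${rest#*:}")
        [ "$got" = "${rest%%:*}" ] && continue
        echo "FINDING: $key is '$got', page sets '${rest%%:*}'"
        findings=$((findings + 1))
    done
    if [ "$(sshd_value "$1" port 22)" != "$(jail_port "$2")" ]; then
        echo "FINDING: sshd Port and the fail2ban [sshd] port differ"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Demo on constructed input (not taken from a real host).
demo=$(mktemp -d)
printf 'Port 2025\nPasswordAuthentication no\nPermitRootLogin no\n' > "$demo/sshd_config"
printf '[sshd]\nenabled = true\nport = ssh\n' > "$demo/jail.local"
audit_ssh "$demo/sshd_config" "$demo/jail.local" || echo "findings: $?"; rm -rf "$demo"
```

On a live host, sudo sshd -T prints the effective configuration, including files pulled in by Include, which this offline parser does not follow.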

UFW

UFW is a firewall that will block all incoming connections by default. It will only allow connections to the ports that you specify.

Installation

To install UFW, run the following command:


sudo apt install ufw

Configuration

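To configure UFW, run the following commands:

sudo ufw default deny incoming
sudo ufw default allow outgoing
# Open the Port set in sshd_config (2025 in this article); "ufw allow ssh" only opens port 22
sudo ufw allow 2025/tcp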
sudo ufw allow http
sudo ufw allow https
sudo ufw enable

Conclusion

This article has covered the following topics:

  • Automatic updates

  • SSH

  • Fail2ban

  • UFW

You can now secure your server.


Website created by Yassine Fathi © 2023