Once you get an unmanaged server from MGCSpace.com, the first step you should perform is securing the server. In case of managed services, MGCSpace team will take of your server’s security aspect. But if you have a server where you want to manage it yourself then you should perform crucial security measures in order to avoid your server being compromised and exploited by bad actors. Securing your server not only keeps you and your server safe but also deters bad actors and send them to look for other less secure servers. <\/p>\n\n\n\n
Although there are plethora of aspects of Linux server security but we suggest you to perform some crucial security measures initially which would serve as base for your Linux server security. You may later enhance and fine tune them as per your use case and requirements. <\/p>\n\n\n\n
In short, we need it to keep your server secure from unwanted access and exploitation by malicious actors. If you are not vigilant then many kind of compromises are possible such as using the web server to spread malware or just using it to steal your traffic, creating a spam-sending relay, a web or TCP proxy server, or other malicious activities are possible. When your server is not properly secured, you are not only risking your data but may also helping inadvertently in compromising other servers online. <\/p>\n\n\n\n
So what kind of basic measures you need ? As already mentioned, there are plenty of things you can do to secure your server but we will focus on some initial and crucial things. <\/p>\n\n\n\n
In most of the Linux installation, by-default you will have root access. Root user allow to have full and unrestricted privileges. This may prove fatal as any of the mistake or command can render your system unusable if not used wisely. Hence it is recommended to use limited privilege user which can run Administrative commands via elevated privileges using Note:<\/strong> Now we have new limited user with OR<\/p>\n\n\n\n It will ask you for user’s password and should be able to run the Administrative commands. If there is no error and you are able to use sudo command with newly created sudo user, you may now logout the previous root user session and now on continue with Since you have just created a new limited user with sudo privileges, we will move forward now with updating the system. Keeping your system updated is the most basic yet very important security measure. By updating you are getting most secure and patched version of software as mostly security issues and vulnerability in software are patched quickly and are made available via updates. Although there are various system but most common system can be updated using following methods: CentOS stream 8 \/ CentOS 8, AlmaLinux, Rocky Linux, Fedora and other latest RHEL distributions:<\/strong><\/p>\n\n\n\n Debian \/ Ubuntu based distributions:<\/strong><\/p>\n\n\n\n SSH, (or Secure Shell Protocol) is a remote administration protocol that is used to to manage and access remote resources and service, control, and modify servers on network via secure layer over unsecured network. In short, the SSH is gateway over internet to your server and keeping it secure is essential part. SSH security can be hardened in multiple ways depending upon the use case. Here we will implement basic security measures so that access to your server is more secures through SSH. <\/p>\n\n\n\n By default, you can login to ssh using password as well ssh-keys, however, password based login is considered relatively unsafe, and hence it is suggested to use key-based authentication. It is enabled by default in SSH. Generating SSH public-private key pair is easy, first on the system from where you will login to remote system using SSH, you need to run following command to generate the key pair: <\/p>\n\n\n\n It will ask you for locations to save newly generated files, just press enter and if asks for passphrase then again press enter to choose no passphrase. If you provide any password there, then it will add extra layer of security, along with key will also ask for that password whenever you want to login. <\/p>\n\n\n\n Once done, it will create two files <\/p>\n\n\n\n Note:<\/strong> Now upload your public key to remote system, ideally we are required copy content of To copy public key to remote server over ssh use following command, it will require that you have access to remote user using password : <\/p>\n\n\n\n Once you run above command successfully from your local system where you generated the keys, it will ask for ssh password and then will add entry to remote server’s (here its with ip Now run following command to test to see if you can login to remote user tech1 on server 1.2.3.4 without providing password. <\/p>\n\n\n\n If everything is fine, running above command should allow you to login to remote system ssh without password. In above, -p 22 is default ssh port, if ssh is running on non-standard port for remote server, then replace 22 with desired port. Further, As SSH is gateway to your server, it is always best practice to disable direct root access, we have already created sudo user<\/a> earlier and tested that its able to login. Now we can disable access root via SSH, this way we are making sure that no one can log in using root user even if they are able to guess or obtain root login credentials.<\/p>\n\n\n\n Open sshd configuration file in editor of your choice, we prefer In that file look for directive “PermitRootLogin” and set it to no. Although we suggest to disable root login completely, however, in some cases you may want to disable password login but allow key-based authentication which is considered sufficiently secure. <\/p>\n\n\n\n To disable root ssh login completely, make sure “PermitRootLogin” is set to no in ssh configuration file. <\/p>\n\n\n\n To disable password login but allow key-based access: <\/p>\n\n\n\n By default, SSH uses port 22, it means there are always bad actors looking for port 22 to break the password using repeat dictionary attack known as brute force attack. We have already made it harder by disabling root access by SSH as now attacker also need to guess the username since root is disabled. Further we can change ssh port to something else so that attacker will have hard time connecting to SSH on this server. We can change to something like “12200”<\/p>\n\n\n\n Open ssh configuration file in editor like nano with command Note:<\/strong> Also, no matter what port you use, it is easy to find running port through simple port scanning but by changing ports, you will definitely turn away bots those are looking SSH running over port 22. <\/p>\n<\/div><\/div>\n\n\n\n If you have configured key-based authentication successfully, it is recommended to disable password based authentication for all users. To do that, open ssh configuration file in editor like nano with command Note:<\/strong> Once you are done with modifying your If there is no error, you can now restart sshd daemon and changes we made so far will be applied. Remember, if there is any mistake, you may get locked out of your system after applying sshd config changes.<\/p>\n\n\n\n Now after this, you can login to SSH on the server using new port, you can verify using : <\/p>\n\n\n\n In above, -p 12200 tells to use port 12200 which we set earlier<\/a>, it should login without asking password. Although you have taken basic measures to secure your server but you still need firewall to enhance the security further. A firewall can be piece of software or hardware which control access of services to and from your server from outside. A properly configured firewall helps to reduce security breaches in a server. For example, if you are running a public webserver and a private sql server then using firewall we can make sure only webserver is accessible from outside your network or server. <\/p>\n\n\n\n Firewalls can be comprehensive and depends upon how you want to use them, however we will focus on basic security which you may use as base to start with. Linux primarily uses iptables or more recently nftables for network packet filtering however, instead of manipulating them directly, we will explore ufw (Uncomplicated Firewall) for Debian \/ Ubuntu \/ Arch based Linux Distributions and FirewallD for RedHat based system such Fedora, CentOS, AlmaLinux etc. Both UFW and FirewallD act as frontend for lower level iptables \/ nftables packet filtering system. <\/p>\n\n\n\n UFW is fairly easy and recommended way to configure firewall in Debian and Ubuntu based Linux distributions. UFW comes by default in Ubuntu, however, you will need to install it on Debian and other system. You can verify using following : <\/p>\n\n\n\n If you get error like Install in Debian \/ Ubuntu <\/strong><\/p>\n\n\n\n Install on Arch Linux<\/strong><\/p>\n\n\n\n Once installed, running command Now we know that ufw firewall is there and it is inactive, time to configure it. First we will set firewall to deny all incoming connections while allowing all outgoing connections. Our goal is to only allow access services those are necessary, we can also fine tune rules further to allow access to certain services from specified hosts etc. <\/p>\n\n\n\n Setting up the default policies of deny all incoming connections to server while allowing all outgoing:<\/p>\n\n\n\n By default, ufw comes with various pre-defined list of applications, for example, allowing http will open port 80, while allowing https will open port 443 on server. You can see list of all predefined application profiles using: <\/p>\n\n\n\n Now lets allow http (port 80), https (port 443) and FTP (port 21) traffic. <\/p>\n\n\n\nsudo<\/code>. Another advantage of using sudo user is that you can also log all elevated command perform by such user.<\/p>\n\n\n\nFor RHEL\/Fedora\/Alma and similar linux distribution<\/h4>\n\n\n\n
\n
useradd -m your_user_name && passwd your_user_name <\/code><\/pre>\nIn above replace your_user_name<\/code> with desired name, you password and you have will have new user added to system.<\/li>\n\n\n\nwheel<\/code> group which will give it sudo privileges. usermod -aG wheel your_user_name<\/code><\/pre> <\/li>\n<\/ul>\n<\/div><\/div>\n\n\n\nFor Debian\/Ubuntu and similar linux distribution<\/h4>\n\n\n\n
\n
adduser your_user_name <\/code><\/pre> In above replace your_user_name<\/code> with desired name, you will be asked for couple of details including password and you have will have new user added to the system.<\/li>\n\n\n\nsudo<\/code> group which will give it sudo privileges. usermod -aG wheel your_user_name<\/code><\/pre><\/li>\n<\/ul>\n<\/div><\/div>\n\n\n\n
Sometimes you may not have sudo<\/code> installed by default, you can add it easily using dnf install sudo -y<\/code> on RHEL based systems and apt-get install sudo -y<\/code> on debian based systems.<\/p>\n\n\n\nsudo<\/code> privileges added, you should open another terminal or session and login using new user and try to run some Administrative commands without sudo, it should give you permission error. Now if you want to run Administrative commands, you can run following way : <\/p>\n\n\n\nsudo dnf update<\/code><\/pre>\n\n\n\nsudo apt-get update<\/code><\/pre>\n\n\n\nsudo<\/code> user session we just used to login a moment ago.<\/p>\n\n\n\nUpdating the system<\/h2>\n\n\n\n
<\/p>\n\n\n\nsudo dnf upgrade<\/code><\/pre>\n<\/div><\/div>\n\n\n\nsudo apt update && sudo apt upgrade<\/code><\/pre>\n<\/div><\/div>\n\n\n\nHardening SSH access<\/h2>\n\n\n\n
Configure key-based SSH authentication<\/h4>\n\n\n\n
Before making any changes ssh configuration, we have to generate ssh-keys which works in public and private key pair ie. we generate a private key and then public key based on that key. As as the name suggest, private key should be kept with you and never shared with anyone while the public key need to be copied on remote system which want login. <\/p>\n\n\n\nssh-keygen -b 4096 -t rsa<\/code><\/pre>\n\n\n\n\n
\/home\/your_user_name\/.ssh\/id_rsa<\/code> Your private key, never share with anyone. <\/li>\n\n\n\n\/home\/your_user_name\/.ssh\/id_rsa.pub<\/code> Your public key, you need to copy this to remote system where you want to connect.<\/li>\n<\/ul>\n\n\n\n
Above command will create ssh key pair for the as user you are logged in local system. It has nothing to do with remote system user. For example, if you run above command as root user then keys will be generated in files \/root\/.ssh\/id_rsa.pub<\/code> and \/root\/.ssh\/id_rsa<\/code><\/p>\n\n\n\n\/home\/your_user_name\/.ssh\/id_rsa.pub<\/code> to remote user’s ~\/.ssh\/authorized_keys<\/code> file. Lets have an example, for user “tech1”, it would go in file \/home\/tech1\/.ssh\/authorized_keys<\/code>. You can also use built-in utility ssh-copy-id<\/code> which can do that part for you easily.<\/p>\n\n\n\nssh-copy-id -i ~\/.ssh\/id_rsa.pub tech1@1.2.3.4<\/code><\/pre>\n\n\n\n1.2.3.4<\/code>) authorized_keys file for remote user tech1<\/code>.<\/p>\n\n\n\nssh -p 22 tech1@1.2.3.4<\/code><\/pre>\n\n\n\ntech1<\/code> is user and we are connecting to server with ip 1.2.3.4<\/code>. <\/p>\n<\/div><\/div>\n\n\n\nDisable root user login via SSH<\/h4>\n\n\n\n
nano<\/code>. <\/p>\n\n\n\nsudo nano \/etc\/ssh\/sshd_config<\/code><\/pre>\n\n\n\nPermitRootLogin no<\/code><\/pre>\n\n\n\nPermitRootLogin prohibit-password<\/code><\/pre>\n<\/div><\/div>\n\n\n\nChange SSH port<\/h4>\n\n\n\n
sudo nano \/etc\/ssh\/sshd_config<\/code>, find Port and change to anything you like : <\/p>\n\n\n\nPort 12200<\/code><\/pre>\n\n\n\n
It is suggested to use on of the privileged port ie <1024, however you can use any port your prefer as long its not used by any other service on your server. <\/p>\n\n\n\nDisable password authentication for all users<\/h4>\n\n\n\n
sudo nano \/etc\/ssh\/sshd_config<\/code>, and set “PasswordAuthentication” to “no”. Make sure its not commented out. <\/p>\n\n\n\nPasswordAuthentication no<\/code><\/pre>\n\n\n\n
Although its recommended to disable password authentication completely but you may want to enable password authentication for non-root users so that you can access your server using password where your private key is not available eg. accessing it form some one else’s computer. Since we have already disabled ssh root login<\/a>, then you may leave PasswordAuthentication yes<\/code> and only non-root users can access server via SSH.<\/p>\n\n\n\n\/etc\/ssh\/sshd_config<\/code> file, to apply the changes, we need to reload the sshd daemon. We also need to make sure there is no errors in config files after we made the changes. <\/p>\n\n\n\nsshd -t <\/code><\/pre>\n\n\n\nsudo systemctl restart sshd<\/code><\/pre>\n\n\n\nssh -p 12200 tech1@1.2.3.4<\/code><\/pre>\n\n\n\ntech1<\/code> is the user we are using as example, 1.2.3.4<\/code> is IP of remote server. <\/p>\n\n\n\nSet up Firewall<\/h2>\n\n\n\n
Configuring UFW (Uncomplicated Firewall)<\/h3>\n\n\n\n
sudo ufw status<\/code><\/pre>\n\n\n\nufw: command not found<\/code>, you have to install it which is few seconds tasks.<\/p>\n\n\n\nsudo apt-get install ufw<\/code><\/pre>\n\n\n\nsudo pacman -S ufw<\/code><\/pre>\n\n\n\nsudo ufw status<\/code> should give output like following. <\/p>\n\n\n\nsudo ufw status\nStatus: inactive<\/code><\/pre>\n<\/div><\/div>\n\n\n\nsudo ufw default deny incoming\nsudo ufw default allow outgoing<\/code><\/pre>\n\n\n\nsudo ufw app list <\/code><\/pre>\n\n\n\nsudo ufw allow http\nsudo ufw allow https\nsudo ufw allow ftp<\/code><\/pre>\n\n\n\n