The Internet — is not only a sea of opportunities, but also a source of constant threats to your server. If left unprotected, it can fall victim to attacks such as hacking, spamming, or malicious users using your resources.
Even if your server is used for a small project, neglecting basic security measures can lead to serious problems. In this article, we will cover five key steps to help you secure your Linux server on the Internet
1. System updates: Your first step to protection
Every program or operating system becomes vulnerable over time if not updated. Attackers are constantly looking for and exploiting vulnerabilities in older versions of software. Fortunately, developers release patches to close these holes.
Upgrading your system is easy: for Debian-based distributions, use the command:
If you are running a different distribution, the commands may be different, such as dnf update for RedHat compatible OSes such as AlmaLinux, Fedora, or Rocky Linux. Also, set up automatic updates to keep your server up to date
2. Strong passwords and disabling root access (with SSH keys)
A password like "123456" or "password" — is a direct invitation to attackers. Hackers and crackers of all kinds use brute-force or dictionary attacks, which allow them to break into weakly protected server accounts relatively quickly. Always use the most complex unique passwords of at least 12 characters in length, using a combination of letters, numbers, and special characters.
All passwords should be at least 12 characters long, using a combination of letters, numbers, and special characters
But it's best to use SSH keys — this is the most secure way to authenticate to the server for remote access. Instead of passwords, you create a pair of keys: a private key (stored with you) and a public key (hosted on the server). Even if an attacker finds out your login, without the private key, they won't be able to log in. Let's take a look at how to set this up
2.1. generate a key pair on your local machine:
-t rsa— key type (RSA).-b 4096— key length in bits (the longer the more difficult to crack).-C "your_email@example.com"— comment to identify the key.
After running the command, you will be asked to specify a location to save the key (by default ~/.ssh/id_rsa) and, if necessary, to set a password for the key.
2.2. check the files created:
After successful execution of the command, two files should be created in the ~/.ssh directory
- Private key:
~~/.ssh/id_rsa— stays with you, don't pass it on to anyone!" - Public key:
~~/.ssh/id_rsa.pub— copy it to the server.
2.3. Install the public key on the server
Next, you must place the public key on the remote server. This can be done either automatically or manually.
And then you need to place the public key on the remote server
Method 1: Using ssh-copy-id
This method automates the process. Run the command on your local machine:
Replace
usernameandserver_ipwith your login and server IP address.
Enter the current password to confirm. The public key will then be automatically added to the ~/.ssh/authorized_keys file on the server.
Method 2: Manual key installation
If ssh-copy-id is not available, follow these steps.
Copy the contents of the public key on the local machine:
Connect to the server via SSH with a password:
On the server, create a folder for the keys (if it doesn't exist):
Create or complete the ~/.ssh/authorized_keys file:
Log out of the server and verify key login:
You must log in without being prompted for a password.
2.4. root access restriction
Open the SSH server settings file:
For strict security, you can disable remote login as user root, for this in the file /etc/ssh/sshd_config, add line:
If you want to keep the ability to log in as root, but only using an SSH key, find or create lines with these parameters:
PermitRootLogin prohibit-password— root can only log in by key.PasswordAuthentication no— disable password login for all users.PubkeyAuthentication yes— enable key authentication.
After making changes to the configuration file, you should restart the ssh daemon.
Root access is now only possible with the key installed, which greatly increases security
3. Setting up a firewall: The first line of defense
A firewall helps you restrict access to the server to only the applications you need. For example, leave open the port for SSH (default 22) and your web server, if you have one. To configure a firewall, use ufw (Uncomplicated Firewall):
This is a basic setting that can be extended. Blocking unnecessary traffic greatly reduces the chances of an attack.
4. SSH: Security and Alternate Ports
SSH — is the main way of controlling the server, so it must be protected. In addition to disabling root access, change the default port 22 to a less obvious port, such as 2222. This can be done in /etc/ssh/sshd_config:
For protection against bruteforce attacks, install Fail2Ban. It automatically blocks IP addresses from which password attempts are made. Installation is simple:
Fail2Ban will monitor login attempts and block suspicious addresses.
5. Monitoring and regular inspections
Even with protection configured, you should regularly check what's happening on the server. Use tools like htop to monitor resources, netstat to check network connections, or analyze logs via logwatch. These tools can help you identify suspicious activity such as unknown connections or high CPU utilization.
Don't forget to periodically check that server services are available and your security settings are up-to-date.
Conclusion: Security as an investment
Securing your Linux server — is not only about minimizing risks, but it is also an indicator of your responsibility as an online resource owner. The better your server is protected, the less likely you are to run into problems. Follow these basic steps and your server will be a fortress ready to withstand most threats. Remember, security is a process that requires regular attention and updates
Now your server is ready to go online. But if you feel that something is missing, don't hesitate to seek professional help or continue to learn more about the topic.
Here's what you need to know
