Linux Server Security Tips (EN)
Linux Server Security Tips
Securing your Linux server is essential to protect your data and system. Below are the most important tips and commands you can apply to enhance security.
1. SSH Security
Change SSH Port
Changing the default SSH port (22) makes it harder for attackers to connect. To change the SSH port, follow these steps:
sudo nano /etc/ssh/sshd_config
Find the line:
Port 22
Replace it with another port number, for example:
Port 2222
Then restart the SSH service:
sudo systemctl restart sshd
SSH Key Authentication
Instead of passwords, use SSH key authentication for better security. Generate an SSH key:
ssh-keygen -t rsa -b 4096
Add the generated key to the server:
ssh-copy-id user@server_ip
2. Strong Password Policy
Using strong passwords helps protect against brute-force attacks. Install the libpam-pwquality package to enforce password complexity:
sudo apt install libpam-pwquality
After installation, configure password complexity in:
/etc/pam.d/common-password
3. Security Updates and Patch Management
Keep your server updated with security patches to close vulnerabilities. Enable automatic updates:
sudo apt install unattended-upgrades
Configure automatic updates:
sudo dpkg-reconfigure -plow unattended-upgrades
4. Firewall Configuration
A firewall is the first step to block unauthorized access. Use UFW or iptables for basic firewall setup.
Configure Firewall with UFW
Allow SSH on your custom port:
sudo ufw allow 2222/tcp
Enable the firewall:
sudo ufw enable
5. Protect Login with Fail2Ban
Fail2Ban protects your server against SSH brute-force attacks. Install it:
sudo apt install fail2ban
Configure SSH settings in:
/etc/fail2ban/jail.local
Example:
[sshd]
enabled = true
port = 2222
logpath = /var/log/auth.log
maxretry = 5
Start Fail2Ban:
sudo systemctl start fail2ban
6. Disable Unnecessary Services
Disabling unused services reduces the attack surface. Stop and disable services:
sudo systemctl stop servicename
sudo systemctl disable servicename
7. File Permissions and SELinux Configuration
Set correct file permissions to prevent unauthorized access. For home directory:
chmod 700 /home/user
Enable SELinux for extra security:
sudo setenforce 1
This puts SELinux in “Enforcing” mode to apply security policies.
8. Backup Strategies
Regular backups protect against data loss. Use rsync for automated backups:
rsync -a /source/ /backup_path/
This command copies files from /source to /backup_path.
By applying these Linux server security tips, you can protect your server from unauthorized access and improve overall security. Regular updates and security practices will keep your system safe.