News – What server security is being offered by ServerMania?

The default security is set up when the server is installed, but it consists only of basic iptables and UFW. To add to the security, you can change the user to a non-root user and prevent root access to the server. As a general rule, in the case of a DDoS attack, we do not offer DDoS protection. We do have internal procedures to mitigate the damage a DDoS attack may have; this includes temporarily blocking all network traffic from any server that is being DDoSed, to prevent our other customers from being affected.

Securing the server is critical to protect it from unauthorized access, data breaches, and other security threats. Below are the steps to harden and secure your Linux server:

a. Keep the System Updated

Regularly update the operating system and installed packages using package managers like apt, yum, or dnf.

sudo apt update && sudo apt upgrade -y

Enable automatic updates if possible.

b. Use Strong Passwords and Authentication

Enforce strong password policies using tools like pam_pwquality.

Disable root login via SSH and use a regular user with sudo privileges.

Implement SSH key-based authentication instead of passwords.

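sudo nano /etc/ssh/sshd_config
# Set:
PermitRootLogin no
PasswordAuthentication no
# Confirm that key-based login works for your sudo user before saving,
# then restart the SSH service so the new settings take effect.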

c. Configure a Firewall

Use tools like ufw, firewalld, or iptables to restrict access to only necessary ports.

sudo ufw allow ssh
sudo ufw enable

d. Install Fail2Ban

Protect against brute-force attacks by installing and configuring Fail2Ban.

sudo apt install fail2ban

e. Disable Unused Services

Identify and disable unnecessary services to reduce the attack surface.

# --now also stops the running service; disable alone only affects the next boot
sudo systemctl disable --now <service_name>

f. Enable SELinux or AppArmor

Use SELinux (Security-Enhanced Linux) or AppArmor to enforce mandatory access controls.

sudo setenforce 1   # For SELinux; lasts until reboot (set SELINUX=enforcing in /etc/selinux/config to persist)

g. Secure Shared Memory

Prevent shared memory from being used for unauthorized purposes by editing /etc/fstab:

sudo nano /etc/fstab
# Add:
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0

h. Limit User Privileges

Use the principle of least privilege by granting users only the permissions they need.
Regularly audit user accounts and remove unused ones.

i. Enable Logging and Monitoring

Use tools like rsyslog, auditd, or centralized logging solutions to monitor server activity.
Install intrusion detection systems (IDS) like AIDE or OSSEC.

j. Secure Network Configurations

Disable IPv6 if not in use.
Configure /etc/sysctl.conf to prevent IP spoofing and other network attacks:

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1

k. Encrypt Data

Use full-disk encryption (e.g., LUKS) for sensitive data.
Encrypt data in transit using protocols like HTTPS, SFTP, or VPNs.

l. Regular Backups

Automate regular backups and store them securely offsite.
Test backup restoration periodically.

m. Use Security Tools

Install tools like ClamAV for malware scanning.
Use vulnerability scanners like OpenVAS or Lynis to identify weaknesses.

n. Regular Security Audits

Perform regular audits of logs, configurations, and installed software.
Stay informed about new vulnerabilities and apply patches promptly.

By following these steps, you can significantly enhance the security of your Linux server.
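
To confirm that the settings from steps b and j are actually in effect, the script below (an added example, not part of the original article or ServerMania tooling) reads an sshd_config and a sysctl configuration file and reports the value each daemon would use. The function names and the sample files are constructed for illustration; it assumes a single file of each kind and does not follow Include directives or /etc/sysctl.d.

```bash
#!/usr/bin/env bash
# Added example: audit the settings from steps b and j in config files.

# sshd keeps the FIRST value it reads for a keyword; keywords are case-insensitive.
# Stop at the first Match block so conditional settings are not counted as global.
sshd_effective() {   # usage: sshd_effective FILE KEYWORD
  awk -v k="$2" 'tolower($1) == "match" { exit }
    tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# sysctl applies a file top to bottom, so the LAST assignment of a key wins.
sysctl_effective() { # usage: sysctl_effective FILE KEY
  awk -F= -v k="$2" '
    /^[ \t]*[#;]/ { next }
    { key = $1; gsub(/[ \t]/, "", key) }
    key == k { val = $2; gsub(/[ \t]/, "", val) }
    END { print val }' "$1"
}

check() {  # usage: check LABEL ACTUAL EXPECTED ; returns 1 on mismatch
  if [ "$2" = "$3" ]; then echo "PASS $1 = $2"
  else echo "FAIL $1 = '${2:-unset}' (want $3)"; return 1; fi
}

audit() {  # usage: audit SSHD_CONFIG SYSCTL_CONF ; returns the number of failures
  fails=0
  for k in PermitRootLogin PasswordAuthentication; do
    check "$k" "$(sshd_effective "$1" "$k")" no || fails=$((fails + 1))
  done
  for k in net.ipv4.conf.all.rp_filter net.ipv4.conf.default.rp_filter \
           net.ipv4.tcp_syncookies; do
    check "$k" "$(sysctl_effective "$2" "$k")" 1 || fails=$((fails + 1))
  done
  return "$fails"
}

# Constructed sample files (not from a real server). The "no" appended at the
# end of sshd_config is ignored because an earlier "yes" is read first.
demo=$(mktemp -d)
printf '%s\n' '#PermitRootLogin prohibit-password' 'PasswordAuthentication yes' \
  'PermitRootLogin no' 'PasswordAuthentication no' > "$demo/sshd_config"
printf '%s\n' 'net.ipv4.conf.all.rp_filter = 1' 'net.ipv4.conf.default.rp_filter=1' \
  '# net.ipv4.tcp_syncookies = 1' > "$demo/sysctl.conf"
audit "$demo/sshd_config" "$demo/sysctl.conf" || echo "$? setting(s) differ from the guide"
```

On a live server, compare the result with the running configuration reported by `sudo sshd -T` and `sysctl <key>`, which also account for included files.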

By admin
