First few minutes on your Linux server
After booting up your Linux server, you want to make sure that your instance is secure against the most common threats. In this short guide I go over the steps you need to take to achieve a basic level of security on your Linux server.
I am using the Debian distribution of Linux.
1. Log in to your server through SSH.
When prompted, enter your password and you should be logged in to your server.
2. Update your server software and repositories.
Keeping your software up to date may get rid of vulnerabilities present in previous versions of the programs installed on your server.
To do it, use the commands:
apt update && apt upgrade
3. Create a user account that you will use to log in to the server.
To create user, simply use command
4. Add the newly created user to the sudo group.
That will enable you to execute commands with administrator privileges from your user account.
To do it, use the command:
usermod -a -G sudo <username>
5. Set up the firewall.
A firewall is a security mechanism that oversees traffic going in to and out of your server. It blocks or allows traffic based on the security rules that you put in place at the time of configuration.
The configuration shown below assumes that you want to use the Linux server to accept HTTP and HTTPS requests.
If you want other ports opened or closed, feel free to modify the configuration so that it fits your needs.
For this task, I prefer to use
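iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Loopback (local services talking to each other)
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections the server itself opened (apt, DNS)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# HTTP
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# HTTPS
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Drop everything that was not explicitly allowed above
iptables -P FORWARD DROP
iptables -P INPUT DROP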
Now you want to make your firewall settings persist between restarts:
apt-get install netfilter-persistent iptables-persistent
service netfilter-persistent save
6. Disable root login.
To make attack attempts less likely to succeed, you want to disable root login to your server. This way an attacker has to guess not only your password but the login name as well, which is much harder than guessing or brute-forcing just a password.
To do it, you need to modify the SSH config file using a text editor of your choice.
Open /etc/ssh/sshd_config and change the following lines:
PermitRootLogin no
AllowUsers <username>
Now you want to reboot your machine.
Next time you log in through SSH, use the username you created.
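A check worth running before the reboot in step 6, as an added example that is not part of the original guide: it reads an sshd_config file and reports whether the two settings are actually in effect, since sshd keeps the first PermitRootLogin value it reads and silently ignores a line appended further down. The function names and the sample config are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the step 6 settings.

# Print every global (before the first Match block) value of keyword $1
# in file $2, one per line, in file order. Keywords are case-insensitive.
sshd_values() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }  # skip comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }            # Match blocks are conditional
        key == want { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$2"
}

# Return 0 only if root login is off and user $2 is listed in AllowUsers.
check_ssh_hardening() {
    cfg=$1; user=$2; rc=0
    # sshd keeps the FIRST PermitRootLogin it reads; later lines are ignored.
    root=$(sshd_values PermitRootLogin "$cfg" | head -n 1)
    # Assumption: multiple AllowUsers lines add up, so join them all.
    allow=$(sshd_values AllowUsers "$cfg" | tr '\n' ' ')
    if [ "$root" != "no" ]; then
        echo "FAIL: effective PermitRootLogin is '${root:-unset}'"; rc=1
    fi
    case " $allow " in
        *" $user "*) ;;                    # exact names only, no patterns
        *) echo "FAIL: '$user' is not in AllowUsers"; rc=1 ;;
    esac
    if grep -qi '^[[:space:]]*Include' "$cfg"; then
        echo "NOTE: Include found; included files may set values first"
    fi
    return "$rc"
}

# Constructed sample: the new line was appended below an active "yes".
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin yes' '# added by hand:' \
    'PermitRootLogin no' 'AllowUsers alice' > "$sample"
check_ssh_hardening "$sample" alice || echo "config needs fixing"
rm -f "$sample"
```

On the server itself, `sshd -t` validates the file's syntax and `sshd -T` (run as root) prints the configuration sshd will actually use, including anything pulled in through Include.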
Hopefully, this short guide was helpful to you.