1. Initial Setup:
- Choose a Strong Password: Always start with a strong password for your root user and any other users. Use a mix of upper-case, lower-case, numbers, and special characters.
- Disable Root Login: It’s best to disable direct root login to prevent any unauthorized access. Use a non-root user for everyday tasks and elevate privileges when needed.
2. Set Up a Firewall:
- Install UFW (Uncomplicated Firewall):
sudo apt install ufw
- Enable UFW:
sudo ufw enable
- Allow Necessary Ports:
sudo ufw allow 22/tcp # For SSH
(Replace 22 with your SSH port if you’ve changed it.)
3. SSH Hardening:
- Change the Default SSH Port: Update the port number in /etc/ssh/sshd_config.
- Disable Root SSH Access: In /etc/ssh/sshd_config, set:
PermitRootLogin no
- Use Key-based Authentication: Disable password authentication and use SSH keys for a more secure method.
PasswordAuthentication no
- Limit User Access: Allow only specific users to access via SSH by using the AllowUsers directive in the SSH configuration file.
- Implement Fail2ban: This tool helps prevent brute-force attacks by banning IP addresses that have too many failed login attempts.
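The following script is an added example, not part of the original checklist: it audits an sshd_config file for the four settings just listed (non-default Port, PermitRootLogin no, PasswordAuthentication no, an AllowUsers directive) so you can confirm the hardening actually took effect before restarting sshd. The function names (effective_value, audit_sshd) and the sample configuration it builds are my own; run it against /etc/ssh/sshd_config on a real host. It only looks at the first uncommented occurrence of each directive, which is what sshd honours, and does not evaluate Match blocks.

```shell
#!/bin/sh
# Added example: audit an sshd_config file for the hardening directives above.
# Usage: audit_sshd /etc/ssh/sshd_config

# effective_value FILE DIRECTIVE
# Prints the value of the first uncommented occurrence of DIRECTIVE
# (sshd uses the first match), compared case-insensitively; prints nothing if unset.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd FILE
# Prints one line per check; returns the number of FAILed checks (Port is only a WARN).
audit_sshd() {
    cfg="$1"
    failures=0

    port=$(effective_value "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "WARN Port: still on the default (22)"
    else
        echo "OK   Port: $port"
    fi

    root=$(effective_value "$cfg" PermitRootLogin)
    if [ "$root" = "no" ]; then
        echo "OK   PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin: '${root:-unset}' (expected no)"
        failures=$((failures + 1))
    fi

    pw=$(effective_value "$cfg" PasswordAuthentication)
    if [ "$pw" = "no" ]; then
        echo "OK   PasswordAuthentication no"
    else
        echo "FAIL PasswordAuthentication: '${pw:-unset}' (expected no)"
        failures=$((failures + 1))
    fi

    # AllowUsers takes a list, so only check that the directive is present.
    if awk 'tolower($1) == "allowusers" { found=1 } END { exit !found }' "$cfg"; then
        echo "OK   AllowUsers present"
    else
        echo "FAIL AllowUsers: not set, any local account may log in over SSH"
        failures=$((failures + 1))
    fi

    return "$failures"
}

# Constructed sample (not a real server's file): root and password logins are
# disabled, but the port is still commented out and no AllowUsers line exists.
sample=$(mktemp)
printf '%s\n' \
    '#Port 2222' \
    'PermitRootLogin no' \
    'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' > "$sample"
audit_sshd "$sample" || echo "$? check(s) failed"
rm -f "$sample"
```

A non-zero return value makes the script easy to wire into a cron job or a configuration-management check; remember to run sshd -t after editing the file and keep an existing session open while you restart the service.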
4. Update Regularly:
- Check for Updates:
sudo apt update && sudo apt upgrade
Regularly updating ensures you get the latest security patches.
5. Install a Malware Scanner:
- ClamAV is a free antivirus tool. Install and run it regularly.
sudo apt install clamav
sudo freshclam # Update virus database
sudo clamscan -r /home # Scan the home directory
6. Monitor System Activity:
- Install and Use htop or top: These tools help monitor system resources and processes in real-time.
- Audit System with auditd: It collects auditing data based on pre-defined rules.
- Sysstat: Provides performance and usage activity stats.
7. Secure Shared Memory:
- Add the following line to /etc/fstab:
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
Then, remount shared memory:
sudo mount -o remount /run/shm
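As an added example (not from the original page), the script below verifies that a mount point really carries the noexec and nosuid options. It reads any file laid out like /etc/fstab or /proc/mounts (device, mount point, type, comma-separated options), so you can point it at /etc/fstab to check what will apply after a reboot and at /proc/mounts to check what is mounted right now, after the remount above. The function names and the sample fstab content are constructed for the example.

```shell
#!/bin/sh
# Added example: confirm a mount point has the noexec and nosuid options.
# Usage: shm_hardened /proc/mounts /run/shm   (or /etc/fstab)

# mount_options FILE MOUNTPOINT
# Prints the options field of the first non-comment entry for MOUNTPOINT.
mount_options() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$1"
}

# has_option OPTIONS NAME
# True if NAME is one whole item of the comma-separated OPTIONS list
# (so "noexec" does not match a hypothetical "noexecute").
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# shm_hardened FILE MOUNTPOINT
# Returns 0 when the entry exists with both options; otherwise reports what is missing.
shm_hardened() {
    opts=$(mount_options "$1" "$2")
    if [ -z "$opts" ]; then
        echo "no entry for $2 in $1"
        return 1
    fi
    missing=""
    for need in noexec nosuid; do
        has_option "$opts" "$need" || missing="$missing $need"
    done
    if [ -n "$missing" ]; then
        echo "$2 mounted with '$opts', missing:$missing"
        return 1
    fi
    echo "$2 ok ($opts)"
    return 0
}

# Constructed sample fstab (not a real system's file) containing the line from the checklist.
sample=$(mktemp)
printf '%s\n' \
    '# constructed sample fstab' \
    'UUID=0000-0000 / ext4 errors=remount-ro 0 1' \
    'tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0' > "$sample"
shm_hardened "$sample" /run/shm
rm -f "$sample"
```

Checking /proc/mounts as well as /etc/fstab matters because a typo in fstab silently leaves the old options in place until the next remount, and on some distributions /run/shm is a symlink, so use whichever path /proc/mounts actually lists.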
8. Disable Unused Services and Protocols:
- Check Running Services:
systemctl list-unit-files --state=enabled
- Disable Unwanted Services: For instance, to disable telnet (which you shouldn’t be using anyway due to security concerns):
sudo systemctl disable telnet
9. Implement AppArmor or SELinux:
- These tools provide a Mandatory Access Control (MAC) system that restricts programs’ capabilities.
10. Backup Regularly:
- Use Tools like rsync or tar: Regular backups ensure that even if there’s a compromise, you can restore your system.
11. Other Recommendations:
- Use HTTPS: If you’re running a web server, always use HTTPS. Tools like Let’s Encrypt provide free SSL certificates.
- Limit User Privileges: Don’t give more privileges than necessary to users and applications.
- Check for Rootkits: Tools like rkhunter or chkrootkit can be used to scan for rootkits.
- Database Security: If running a database, bind it to localhost (127.0.0.1) if it’s only accessed locally. Always set strong database passwords.
- Regular Audits: Perform regular security audits to identify and fix vulnerabilities.
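To check the "bind it to localhost" advice, here is an added example that is not part of the original page: it parses listening-socket output in the format of ss -tln (without the header line, as ss -tlnH prints it) and lists every listener that is not bound to a loopback address. The database you meant to keep local should only ever show up on 127.0.0.1 or [::1]; anything on 0.0.0.0, [::] or * is reachable from the network. The function names and the sample socket lines (including the port numbers) are constructed for the example; on a live host, redirect ss -tlnH to a file and pass that path.

```shell
#!/bin/sh
# Added example: flag listening TCP sockets that are not bound to loopback.
# Usage: ss -tlnH > /tmp/listeners.txt; exposed_listeners /tmp/listeners.txt

# exposed_listeners FILE
# FILE holds `ss -tln` lines without the header:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# Prints "port address" for every LISTEN socket whose address is not loopback.
exposed_listeners() {
    awk '
        $1 == "LISTEN" {
            sock = $4
            n = match(sock, /:[0-9]+$/)        # split "addr:port" at the last colon
            addr = substr(sock, 1, n - 1)
            port = substr(sock, n + 1)
            # 127.0.0.0/8 and [::1] are loopback; everything else is network-reachable
            if (addr ~ /^127\./ || addr == "[::1]") next
            print port, addr
        }' "$1"
}

# exposed_count FILE -> number of non-loopback listeners
exposed_count() {
    exposed_listeners "$1" | awk 'END { print NR }'
}

# Constructed sample (not a capture from a real host): one database bound
# correctly to 127.0.0.1, one bound to all interfaces, SSH on all IPv6
# addresses, and a cache bound to IPv6 loopback.
sample=$(mktemp)
printf '%s\n' \
    'LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*' \
    'LISTEN 0 128 0.0.0.0:5432 0.0.0.0:*' \
    'LISTEN 0 128 [::]:22 [::]:*' \
    'LISTEN 0 128 [::1]:6379 [::]:*' > "$sample"
echo "network-reachable listeners: $(exposed_count "$sample")"
exposed_listeners "$sample"
rm -f "$sample"
```

Expect services you deliberately expose (SSH on your chosen port, HTTPS) to appear in the list; anything else is a candidate for rebinding to 127.0.0.1 in the service's own configuration, or for a ufw deny rule as a backstop.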
Remember, no system can ever be 100% secure, but by following best practices and keeping abreast of the latest threats and solutions, you can significantly reduce your risk.
Always stay informed about the latest security advisories related to the software and services you are running on your server.