Ali.as

Protect your server against threats

Here we explain how you can make your root server secure and what you need to keep in mind. If you set up a root server, you unfortunately open the door for hackers at the same time. Due to the permanent accessibility from the Internet, a root server naturally makes itself vulnerable to attack. With these tips you can secure your root server.

In the root server area, Linux distributions and Windows servers are mainly used. In general, of course, all operating systems have weak points, some more others less. Server security, however, is a bigger problem, especially for beginners with Linux. Many users often use Linux for the first time and may not even notice the foreign access. Windows Server is of course also anything but secure, but here the firewall is already set in advance so that the server does not respond to pings, also almost all other public ports are automatically blocked. Security updates and patches are also installed automatically by Windows Server, unless you have disabled this feature.

For Linux distributions, unfortunately, you will have to perform these steps manually, but with these tips you can make your root server secure in just a few steps.

Secure SSH access

Use SSH to connect to the console of your Linux root server. Here, by default, you log in with a username and password. You get this data from your provider. However, it is possible to crack this access through bruteforce attacks. Since the attackers simply have to try various passwords in connection with the "root" login as often as they like. With these measures you can make your root server secure:

Default SSH Port Change

SSH uses port 22 by default, this creates a security hole. Change the port to a 4 or 5 digit number if possible.

Lock the "root" login

Create a new user whose username and password only you know. This makes successful bruteforce attacks extremely unlikely.

Replace user / password input with SSH key

Alternatively, you can disallow login via username and password altogether. Then you can only login with your own SSH key. You generate this key before and copy it to the server. Please note that if you lose your own private SSH key, you will not be able to log in to the server. So you should only consider this if you have an alternative access possibility, e.g. via KVM, VNC or other remote accesses.

Installation of updates and upgrades

Unlike Windows, your Linux server distribution does not update itself automatically. So you have to log in to your system regularly and trigger the updates manually. This is the only way to be sure that there are no critical security holes in the system or services.

If you don't want to deal with this, you can rent a managed server from many providers. Here, updates and patches are automatically installed on your server directly by professional IT specialists. The provider takes care of both the hardware maintenance and the installed software.

Repeated login attempts blocking

If you do not want to change the SSH logins, you can still monitor repeated failed login attempts and block them accordingly. Install Fail2ban, this service monitors the SSH login attempts and locks out the attackers' IPs accordingly. You only need to set the maximum number of login attempts and the duration of the ban. Fail2ban then checks the logs and locks out corresponding IPs via Iptables. But be careful here as well, IPs can be whitelisted, but if you don't have them and try to log in failures yourself multiple times, you will be locked out as well.

Secure Windows Server 2008/2012/2016

With your Windows root servers, always make sure that the firewall is turned on and blocks all unnecessary ports. Do not suppress important security updates, they often patch critical security holes. It also makes sense to change the port for the RDP login of the server. If possible, also change the administrator login, or create a second administrator account with a different user name and deactivate the normal administrator account.



Content copyright 2002 Ali.as
All rights reserved.