Securing a server is critical to prevent unauthorized access, data breaches, and cyberattacks. Below is a step-by-step guide to hardening your server.
1️⃣ Use Strong Authentication & Access Control
✅ Disable Root Login (Linux)
- Use a regular user with sudo privileges instead of root.
sudo nano /etc/ssh/sshd_config # Find: PermitRootLogin yes # Change it to: PermitRootLogin no sudo systemctl restart sshd
✅ Use SSH Keys Instead of Passwords
- Generate an SSH key:
ssh-keygen -t rsa -b 4096 - Copy the key to the server:
ssh-copy-id user@your_server_ip
✅ Enable Multi-Factor Authentication (MFA)
- For SSH, use Google Authenticator or Duo Security.
✅ Limit SSH Access
- Restrict SSH access to specific IPs in /etc/ssh/sshd_config:
AllowUsers myuser@192.168.1.100
✅ For Windows Servers:
- Use RDP Firewall Rules and enable Network Level Authentication (NLA).
- Change default RDP port (3389) to something random in the registry.
2️⃣ Keep the Server & Software Updated
✅ Update System Packages Regularly
- Linux:
sudo apt update && sudo apt upgrade -y - Windows: Enable Windows Update and install security patches.
✅ Use Automated Patch Management
- Use unattended-upgrades for Ubuntu/Debian:
sudo apt install unattended-upgrades
3️⃣ Firewall & Network Security
✅ Enable a Firewall (UFW, Firewalld, or Windows Defender Firewall)
- Linux (UFW Example):
sudo ufw default deny incoming sudo ufw default allow outgoing sudo ufw allow 22/tcp # Allow SSH sudo ufw enable - Windows:
- Use Windows Defender Firewall to block all unnecessary ports.
✅ Use Fail2Ban to Block Brute Force Attacks
- Linux Installation:
sudo apt install fail2ban -y
✅ Close Unused Ports
- Use netstat to check open ports:
netstat -tulnp - Close unnecessary ports using firewall rules.
✅ Use a VPN for Secure Access
- Set up WireGuard or OpenVPN for remote connections.
4️⃣ Secure Services & Applications
✅ Disable Unused Services
- Check running services:
sudo systemctl list-units --type=service - Disable unnecessary services:
sudo systemctl disable service-name
✅ Use Secure Configurations for Databases
- MySQL/MariaDB:
sudo mysql_secure_installation - Disable remote root access in /etc/mysql/my.cnf:
bind-address = 127.0.0.1
✅ Use Strong Password Policies
- Enforce password complexity rules for all users.
5️⃣ Protect Against Malware & Intrusions
✅ Install an Intrusion Detection System (IDS)
- Use AIDE (Linux):
sudo apt install aide -y sudo aideinit - For Windows, use OSSEC or Snort.
✅ Use Anti-Malware Software
- Linux: ClamAV
sudo apt install clamav -y clamscan -r /home - Windows: Use Windows Defender or Malwarebytes.
✅ Implement Log Monitoring
- Check logs regularly:
sudo tail -f /var/log/auth.log - Use SIEM (Security Information & Event Management) solutions like Wazuh.
6️⃣ Backup & Disaster Recovery
✅ Automate Backups
- Use rsync for Linux:
rsync -avz /important_data/ /backup_location/ - For Windows, use Veeam or Windows Server Backup.
✅ Store Backups Securely
- Encrypt backups with GPG:
tar -czf backup.tar.gz /data gpg --encrypt --recipient "your_email" backup.tar.gz
✅ Use RAID for Redundancy
- RAID 1 (Mirroring) or RAID 5 for data redundancy.
7️⃣ Secure Web Server & APIs (If Applicable)
✅ Use SSL/TLS Encryption
- Install Let’s Encrypt (Linux):
sudo apt install certbot sudo certbot --apache - For Windows, enable IIS HTTPS with a valid SSL cert.
✅ Enable Web Application Firewall (WAF)
- Use ModSecurity (Linux):
sudo apt install libapache2-mod-security2 -y
✅ Restrict API Access
- Implement API keys, OAuth, or JWT for authentication.
🔚 Conclusion: The Ultimate Security Checklist
✔ Disable root login & use SSH keys
✔ Keep software & OS updated
✔ Enable a firewall & close unused ports
✔ Install Fail2Ban to stop brute force attacks
✔ Secure databases & services
✔ Install an IDS & malware scanner
✔ Automate backups with encryption
✔ Implement SSL/TLS for secure communication
