
How to Make Your Server More Secure

Eric Hu

The security of your server is essential to your websites. In this article, we'll talk about how to increase the security of your server. Read this post for details: How to Setup Your Own VPS on Vultr

Connect to Your Server Using SSH Client

Use PuTTY, XShell or other SSH clients that you like to connect to your server. Here, I will use Xshell as an example. Your login information can be found on the server information page.


Open Xshell; a session window should pop up. Create a new session.

First, give it a name; it can be anything you want. In the “Host” field, type in the IP address of your server. “Port Number” should be 22.

Then go to the “Authentication” page and type in your user name and password; they can be found on the server information page.

And now you should be able to connect to your server.


To make your server more secure, it’s better to use an SSH key to log in instead of passwords.

Setup SSH Keys


Go to Tools and choose “New User Key Wizard”.


Choose a key type and key length. Longer keys are more secure.


After it is generated, you can give it a name and a password.

Now you need to save the public key and register it on your server.

Click “Save as a file”.

Go to the home directory of the “root” user on your server. If you installed Xftp and Xshell as a bundle, just click the green button on the top bar of Xshell.

Add a “.ssh” folder.


Copy the public key you just saved to this folder, and rename it authorized_keys.

Restart the ssh service.

CentOS

sudo systemctl restart sshd

Ubuntu

sudo service ssh restart

Now you should be able to log in to your server with the SSH key pair.

Disable Password Login

However, now you can still use your password to log in, which means the hackers can as well. So, you need to disable the password login.

Go to /etc/ssh.

Edit the sshd_config file.

Find the PasswordAuthentication line.

Change its value to no.

Restart the ssh service again. Now you can only log in using the SSH key pair.
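The same procedure done from the command line, as an added example that is not part of the original post. It installs a public key with the permissions sshd insists on (700 on .ssh, 600 on authorized_keys, otherwise the key is silently ignored when StrictModes is on), appends rather than overwrites so existing keys keep working, and sets PasswordAuthentication to no whether the line is present, commented out, or missing. The sample key and config fragment are constructed placeholders; on a real server you would point it at /root and /etc/ssh/sshd_config, run `sshd -t` to validate the file, and only then restart the service, keeping your current session open until you have confirmed key login works in a second session.

```shell
#!/bin/sh
# Added example: install an SSH public key and disable password logins.
# All paths are parameters, so it can be exercised in a scratch directory.
set -eu

# install_authorized_key HOME_DIR PUBKEY_FILE
# Creates HOME_DIR/.ssh (mode 700) and appends the key to authorized_keys (mode 600).
install_authorized_key() {
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    keys_file="$ssh_dir/authorized_keys"

    # Reject anything that does not look like an OpenSSH public key line.
    grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' "$pubkey_file" \
        || { echo "not an OpenSSH public key: $pubkey_file" >&2; return 1; }

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$keys_file"
    chmod 600 "$keys_file"
    # Append (never overwrite) so existing keys keep working; skip exact duplicates.
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        grep -qxF "$line" "$keys_file" || printf '%s\n' "$line" >> "$keys_file"
    done < "$pubkey_file"
}

# disable_password_auth CONFIG_FILE
# Sets "PasswordAuthentication no", replacing an existing or commented-out
# directive, or appending one if the file has none.
disable_password_auth() {
    cfg=$1
    tmp="$cfg.tmp"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]' "$cfg"; then
        sed -E 's/^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' "$cfg" > "$tmp"
    else
        cat "$cfg" > "$tmp"
        printf 'PasswordAuthentication no\n' >> "$tmp"
    fi
    mv "$tmp" "$cfg"
}

# password_auth_setting CONFIG_FILE -> prints "no", "yes", or "default"
# sshd honours the first occurrence of a directive, so read the first uncommented one.
password_auth_setting() {
    awk '$1 == "PasswordAuthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "default" }' "$1"
}

# stat_mode PATH -> octal permission bits (works with GNU and BSD stat)
stat_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then stat -c '%a' "$1"; else stat -f '%Lp' "$1"; fi
}

# run_demo: exercise both steps in a scratch directory, print a summary, and
# return 0 only if the key landed with the right modes and the config is hardened.
run_demo() {
    work=$(mktemp -d)
    # Constructed sample key: the body is a placeholder, not a real key.
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBodyNotARealKey0000000000 user@laptop\n' > "$work/id_ed25519.pub"
    # Constructed sshd_config fragment with the stock commented-out default.
    printf '#PasswordAuthentication yes\nPermitRootLogin prohibit-password\n' > "$work/sshd_config"

    install_authorized_key "$work/home" "$work/id_ed25519.pub"
    install_authorized_key "$work/home" "$work/id_ed25519.pub"   # second run must not duplicate
    disable_password_auth "$work/sshd_config"

    dir_mode=$(stat_mode "$work/home/.ssh")
    file_mode=$(stat_mode "$work/home/.ssh/authorized_keys")
    key_count=$(wc -l < "$work/home/.ssh/authorized_keys" | tr -d ' ')
    setting=$(password_auth_setting "$work/sshd_config")
    echo ".ssh mode=$dir_mode authorized_keys mode=$file_mode keys=$key_count PasswordAuthentication=$setting"
    rm -rf "$work"
    [ "$dir_mode" = 700 ] && [ "$file_mode" = 600 ] && [ "$key_count" = 1 ] && [ "$setting" = no ]
}

run_demo
```

One caveat the script does not handle: a `Match` block at the bottom of sshd_config can re-enable password authentication for specific users or addresses, so check the whole file (or `sshd -T`) rather than trusting the first directive alone.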


Discussion

nicoroy2561

Is using an ssh key effectively more secure than whitelisting only your own static IP address (or manually adding it when you connect from somewhere else)?
Because it seems to me that if one uses an ssh key he/she would need to back it up (in case your computer had issues). Then you have to protect your key, and install it again on every device that needs to connect to the server.
All the while, if you want to connect from an insecure computer / temporary location via password, you could log into your host service (usually behind 2FA), temporarily whitelist that IP address, log in via ssh and then remove the whitelist rule from the firewall right after (once you're connected). Even if anyone was actually able to steal your password, he wouldn't be able to use it at all.
That to me feels like a safer approach, but I'm by no means an expert and I'm likely missing something here.

Eric Hu (Author)

Whitelisting your own IP is also an effective way to secure your server. However, you risk getting locked out of your server, since your IP address is not permanent.
If you are a modem user, each time you connect to the Internet you'll be assigned an IP address that's available. If you are a broadband user, your IP address will be reassigned when the ISP changes their infrastructure.
So I guess they both have pros and cons. I prefer using SSH keys, but make sure you make several copies and store them in different places.

nicoroy2561

What I do is I create & manage a firewall using my host's website (rather than on the server itself). This way I can always log in to said host using my credentials+2FA and add/remove the IP address I want to allow SSH from anytime.

Florian Lefèvre

I think you miss the point that you are not limited in the number of keys allowed to connect to your server. The authorized_keys file can contain multiple public keys.
I apply this rule: NEVER copy my private key anywhere. The more you copy it, the more it is exposed. Don't make copies on USB sticks, for example.
I think you should use a unique keypair per computer you use.
Your laptop was stolen? No problem, just remove your key from the authorized ones.
Furthermore, I generate my keypair in place.
IP restriction is good but it's very restrictive. 2FA seems better because you can use it from anywhere.
The only problem I encounter with this method is that you need to have access to an authorized host to authorize your new key. Easily solved if you have KVM access to your server at your hosting provider.

See it as 1 password per computer. :)

You can also use a system of SSH proxy/bastion if you have multiple servers to manage and allow only your proxy to connect to your servers.

nicoroy2561

So overall this way it would be pretty much the same, since both methods involve going through the hosting provider to authorize operations from a new device.
Using keys is probably easier over time; I ought to consider that.

Florian Lefèvre

Another solution may be to use something like a Yubikey and 2FA.

If you lose it, 2FA protects you until you remove it everywhere.
You can take it with you and it can't be copied by someone.

peter279k

You can also consider using fail2ban to limit failed login attempts and block malicious access.

The reference is available here.

Ryan Collins

Good write-up, but two changes:

  • ssh will complain about permissions on .ssh. The permissions of the directory should be 700 (drwx------)
  • authorized_keys needs to be 640 (-rw-r-----)

Also, you don't have to restart sshd after copying the ssh keys; authorized_keys will start working immediately.

If you are using a Linux host, ssh-copy-id will take care of copying your public key to a remote host and appending it to the authorized_keys file. (Under macOS you can install it with brew install ssh-copy-id).

Again, great write-up; using ssh keys is paramount to good security practices.

Gary Bell

These are great first steps to making servers more secure, but often overlooked.

Ben Halpern

Great post

Thomas Bnt

Your post and header are very clean! Good job!

Eric Hu (Author)

Thank you!