Beafing up Your server For Production🐄

David Dut — Thu, 18 Dec 2025 23:32:09 +0000

Let's say you are ready for production. Now you want to host your services on the cloud. Are you production ready?
I am going to give a step by step guide of how to beaf up your production server to prevent various attacks and make sure your server is safe. Let's start shall we.
I am going to use linode. Since this is a small scale production server. I am going to set up a shared vps. I will use the 2GB linode for now.

Make sure to set a very strong password then set up ssh. To set up the ssh key. On your local machine, then generate the keys if you don't have. I decided to go with ed25519 formart

ssh-keygen -t ed25519
cat ~/.ssh/id_ed25519.pub

Once created. You'll need to add the .pub into your ssh section in linode when creating it. You can choose to add a back up option but that will cost more. Wait for 1 to 2 minutes then log in to your server.Now Do the initial system setup that is the apt updrade and upgrade then reboot.
Now your server is ready for beafing.
Now le's create a non-root user then log in with the new credentials.

adduser deploy
usermod -aG sudo deploy

Now let's Secure our SSH to only allow use of public key:
vi /etc/ssh/sshd_config
change the configurations to:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
UsePAM no

Also allow AuthorizedKeysFile .ssh/authorized_keys
Add the key to the new user you created

mkdir -p /home/deploy/.ssh
vi /home/deploy/.ssh/authorized_keys

Fix permission issues:

chown -R deploy:deploy /home/deploy/.ssh
chmod 700 /home/deploy/.ssh
chmod 600 /home/deploy/.ssh/authorized_keys

Then restart SSH;
systemctl restart ssh
Open another terminal and test first without closing the initial one.

Now lets set up Firewall (UFW)

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable

Since we need a webserver, let's install nginx:

sudo apt install nginx -y
sudo systemctl enable nginx
sudo systemctl start nginx

Test your webserver on the browser:
http://SERVER_IP
Perfect, now our webserver is running.

Adding your domain to cloudfalere
Now that your server is up and running. Let's add our domain to cloudflare. I am going to use the free tier.
Log in to cloudflare, navigate to domains then add your new domain.

When you click continue, it is going to scan for any DNS records set up. In my case, I have my records set up on linode. If you had any records, cloudflare will import them. On your domain provider, in this instance where I am using godaddy, I am required to remove the NS records I set for linode and replace with the ones provided for you by cloudflare.

Now let's create a cloudflare Origin Certificate.

Copy the Origin Certificate and Private key.
Install the certificate on the server:

sudo mkdir /etc/ssl/cloudflare
sudo vi /etc/ssl/cloudflare/origin.pem
sudo vi /etc/ssl/cloudflare/origin.key

Set Permissions:
sudo chmod 600 /etc/ssl/cloudflare/origin.key

Now let's configure Nginx with SSL:
sudo vi /etc/nginx/sites-available/example.com

Add the following configurations and update accordingly:

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate /etc/ssl/cloudflare/origin.pem;
    ssl_certificate_key /etc/ssl/cloudflare/origin.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    root /var/www/example.com;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

Now let's enable our site:

sudo mkdir /var/www/example.com
sudo chown -R deploy:deploy /var/www/example.com
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

Once that is done, let;s fix real client IP for cloudflare. This is to configure web server to see the actual visitors and not cloudflare's proxy IPs.
Enter the nginx config and add the following:
sudo vi /etc/nginx/nginx.conf

# Use Cloudflare real IP
real_ip_header CF-Connecting-IP;

# Trust Cloudflare IP ranges
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;

real_ip_recursive on;

Then restart nginx.
You can enable more features on cloudflare dashboard according to your preference.

Now that our server is under a CDN. Let's set up go and react since this is what I use.
First install the necessary packages.

DEV Community: David Dut

Beafing up Your server For Production🐄