This post has originally been written here along with images and code snippets -> https://easyontheweb.com/5-server-security-tips-for-beginners/
Security is one of the most important things when it comes to any kind of development. To be really honest even I was a bit overwhelmed by all the parts surrounding server security earlier (and still am!). In this article I’ll be sharing simple and easy server security tips for beginners that even you can easily implement to keep your server more secure.
For the impatient ones out there, these are the 5 things that we will discuss in this article one by one.
Two factor authentication
No root user
“Secure Shell (SSH) is a protocol used to provide secure and encrypted communication over a network. It is most widely used by Linux system administrators for remote server management.”
There are two ways you can get into your server and use it – Password and SSH keys.
Using a password to log into your server is the same as using your password to log into your netflix account and use it. But your server isn’t your netflix account, and shouldn’t be treated like one. We need to keep it secure. The problem with password authentication is brute-force attacks. Hackers can potentially brute-force their way into guessing your password and then get into your server to cause all kinds of malice ! Another issue is that it sucks to type your password everytime you want to access your server.
That’s where the other method of accessing the server comes up – SSH. If you do not know what SSH is then I’ll try explaining it in the simplest of terms – SSH keys are a set of keys that are used to authenticate you. What we will actually be doing is generating an SSH key in your computer and saving that on your server once. From next time, whenever you try to access your server through your computer the server will check whether your computers SSH keys are allowed into the server or not. These SSH keys are very long and very secure through cryptography methods we need not understand.
Just know that only the computers which have been listed in the server’s allowed ssh keys will be allowed to access the server. You can very well not allow the username-password combination at all and to be honest, I would recommend that.
The first thing I would recommend you to do is change the default port for SSH which is 22. Why? Because many of the hackers run automated scripts on PORT 22 for servers for trying to get into your server. Therefore, changing the port where SSH runs will leave them cluless on what port to target next.
To do this, change to the super user and
In this file search for the term PORT and change the 22 to something else of your choice. After saving the file restart the service using
service sshd restart
Also, let us disable the password based logins we discussed about earlier now, from the same file.
Look for the line that says PasswordAuthentication and change to PasswordAuthentication_no. Make sure to uncomment the line if the # is present.
The most important thing with authentication using SSH for your remote server is the authorised_keys file which is a file in which you enter the SSH keys that are allowed to access the server.
mkdir -p ~/.ssh
In this file you can copy your computer’s public SSH key and then you’ll be able to access the server using that computer. If you do not know how to create an SSH key pair please google it, it’s fairly simple.
Do not forget to restart the ssh service here as well using service sshd restart .
The second tip is something that sounds very meh and even I did not take it seriously until I saw a talk where it’s importance was highlighted to me.
So, there’s no super trick here. Just keep the software on your server updated. Keeping the software on your server updated means you are constantly getting all the security patches that the software owner’s being used in your system are writing on a daily basis.
Every piece of software has a security hole, there’s no two ways around it but what we can make sure is that we stay on the latest software so that if the author has fixed that hole (which is nearly always the case) our server is safe from any potential attack.
Okay, don’t take my word on it but just read this from the guys at Norton ->
Firewall is a pretty cool name, isn’t it ? This is what I’ve always thought about firewalls – These things are cool.
And they are, cool for security of your server that is. Firewall is a system that governs input and output traffic to and from your server based on some defined rules. It is mostly used to filter income requests to the server so that only requests from places we want to allow are allowed in.
You write rules for your firewall to filter traffic against using keywords such as “Accept”, “Reject”, “Drop” etc.
There are various types of firewalls like stateful and stateless firewalls that work differently under the hood but the major purpose of all of them is the same, that is to filter traffic into your servers’ ports.
You might use iptables to manage firewall restrictions on your server but my favourite and the preffered one is UFW (Uncomplicated Firewall) which provides a clean and hassle free interface , and by interface I still mean you do need to use the terminal anyways to establishing a firewall on your server.
A guide to using UFW can be found here -> https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server
Using firewalls you can control and filter traffic not only to the server but specific ports individually as well and using rules you can blacklist/whitelist any set of IP addresses and all sorts of checks and conditions that you might want to put.
The best thing is to keep only required ports open for others to access. Maybe PORT 80 if you are running HTTP or 443 for HTTPS. This would limit the surface area available for interaction from the outside world onto your server.
There’s a lot of things that you can explore with firewalls to be honest.
Two factor authentication
Assume your VPS (or in simple terms , your server) is hosted on DigitalOcean. What if someone gets access to your DigitalOcean account ? Well, you are again just as screwed as someone getting access to your server itself.
To save yourself from this, what is suggested is to implement a two factor authentication for your delicate accounts. These days, even social media sites like Facebook allow to set up 2FA on their application but I would really recommend to setting it up for your DigitalOcean (or whatever service you use), your Gitlab (again just an example) accounts.
This adds an extra layer of authentication on your accounts and sends you a One Time Password on your mobile device whenever you try to login into your account. Now, this might feel like an irritation to some people but I think it’s a nice security layer to have.
No root user
There’s a lot of power in your hands when you are the root user on a server. In fact, so much power that many developers feel that we should never ever be root while on the server.
Saving our server from hackers is a very important thing , but equally important is saving our server from ourself. As the root user, we very well may make a mistake that we might not recover from. Therefore, it is best that we create a new user with which we operate our server as.
To disable root login into your server all you need to do is again go into the ssh config file at /etc/ssh/sshd_config and change the PermitRootLogin property to no there. From now on, no one will be able to access the server being the root user.
Before you do this though, please please remember to create a new user on the server.
I hope these 5 tips were easy for you to follow as beginners on server security and that you will try and implement these methods on your own.
If you want motivation on why you should start with Typescript please check this article out -> https://easyontheweb.com/why-to-learn-typescript/
Also, please join this facebook group dedicated to Easy On The Web where you can interact with other devs including me 🙂 -> https://www.facebook.com/groups/503230450489995