Securing your server + various security tips and guides

Guide for securing your Linux server

In this article, we give you suggestions and information on securing your Linux server, such as disabling SSH password authentication, installing fail2ban, managing your firewall, disk encryption, and more!


Looking to buy a Virtual or Dedicated server? Do you like privacy and low prices? Try Privex!

We have virtual servers starting from just US$0.99/mo, and dedicated servers starting from as low as US$50/mo

Unlike other hosts, we don't ask for any personal details - only a name (can be an alias / username), and an e-mail address so we can send you your server details and renewal invoices.

We also accept several different cryptocurrencies with our own in-house payment processor - no third parties involved in processing your payments.

At the time of writing, we currently accept: Bitcoin (BTC), Litecoin (LTC), Monero (XMR), Dogecoin (DOGE), HIVE, and HBD

Order a server TODAY! Privacy is affordable™


Basic Security - recommended for all Linux servers

The following sections are recommended for all Linux servers, to help protect your server from being compromised through basic attacks such as brute-force login attempts.

  • Disabling SSH Password Authentication
  • Installing Fail2ban
  • (Optional) Changing your SSH port
  • Setting up the firewall

Disabling SSH Password Authentication

If you have SSH set up and allow login with passwords, you are taking an unnecessary security risk: it makes it possible for an attacker to brute-force the password of any user on your system.

We strongly recommend that you use an SSH key (an Ed25519, RSA, or ECDSA key) to connect to your server instead, as a key cannot practically be brute-forced.

Once you have confirmed that you can access your server using your SSH key alone, and you have no good reason to leave password authentication enabled, follow these steps to disable it. Afterwards, you will only be able to connect to the server with your SSH key.

Open the SSH configuration file /etc/ssh/sshd_config in a text editor such as nano or vim:

sudo nano /etc/ssh/sshd_config

Find the line PasswordAuthentication yes and change it to PasswordAuthentication no. If the line is commented out (starts with #), delete the # character from the start.

PasswordAuthentication no

Save and close the file by pressing Ctrl-X, answer Y when nano asks whether to save the modified buffer, and simply hit Enter when it asks where to save the file (this keeps the existing file name).

Restart the SSH service:

# On some distros, the service may be called ssh instead of sshd,
# so if you get an error that the service wasn't found, please try running the
# command again with ssh instead of sshd
sudo systemctl restart sshd

Open another terminal (or SSH client window) and try to connect to your server to make sure you can still connect.

For good measure, you may want to try to connect to the server without your SSH key (for example by running ssh with the option -o PubkeyAuthentication=no) to make sure password authentication is properly turned off: the connection should be refused rather than prompting for a password.

Installing Fail2ban

Installing Fail2ban on Ubuntu/Debian based distros

Update the system repository by running the command:

sudo apt update

Install Fail2ban with the command:

sudo apt install fail2ban

Start the Fail2ban service and enable it upon boot:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Installing Fail2ban on CentOS / Fedora / RHEL based distros

NOTE: Some older RHEL-based distros use yum instead of dnf. If you get "Invalid command" or "dnf: command not found", try replacing dnf with yum in the commands below.

Update the system and add the EPEL repository by running the command:

sudo dnf update
sudo dnf install epel-release

If epel-release isn't available, continue to the following step, as fail2ban may be available in your standard repos.

Install Fail2ban with the command:

sudo dnf install fail2ban

Start the Fail2ban service and enable it upon boot:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Change the SSH server listen port (Optional)

This is marked as "optional", as there is disagreement about whether it is worth doing. It will not protect you from a targeted attack, but it may offer slight protection against mass untargeted attacks, as the attacker would now have to port scan your server to find where SSH is listening. Additionally, if your firewall is set up to DROP traffic that isn't explicitly allowed, it will massively slow down port scans, which may deter some attackers.

One slight downside is that you will always need to specify the port number to any software which runs over SSH, such as rsync and SFTP (though this can be avoided by configuring a host alias with the port pre-set in your ~/.ssh/config).

Open the SSH configuration file using a text editor. The file is usually located at /etc/ssh/sshd_config. You can use the following command to open the file in the nano text editor:

sudo nano /etc/ssh/sshd_config

Locate the line that specifies the SSH port number. By default, the port number is set to 22. Change this to your desired port number (we recommend a high random number between 40000 and 65000). For example, if you want to change the port number to 2222, you should modify the line to look like this:

Port 2222

Save the changes to the file and exit the text editor.

Restart the SSH service to apply the changes. If your firewall only allows explicitly listed ports, allow the new port before restarting, and keep your current SSH session open until you have confirmed that a new connection on the new port works. You can use the following command to restart the SSH service:

sudo systemctl restart sshd

Update the fail2ban configuration file to monitor the new SSH port. This is best done by creating a new file in /etc/fail2ban/jail.d. You can use the following command to open and create the file in the nano text editor:

sudo nano /etc/fail2ban/jail.d/custom.conf

Enter the following into the new file, where 2222 is the new port you set:

[sshd]
enabled = true
port = 2222

Save the changes to the file and exit the text editor.

Restart the fail2ban service to apply the changes. You can use the following command to restart the fail2ban service:

sudo systemctl restart fail2ban
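The two procedures above (disabling password authentication, and changing the port together with the matching fail2ban jail) share one gotcha: sshd keeps the first value it reads for each keyword, so a "PasswordAuthentication no" added near the bottom of the file is ignored if an earlier line (or a file pulled in by an Include directive) already set it to "yes". The script below is an added example, not part of the original guide: it parses sshd_config text the way sshd does, reports whether password authentication is effectively off, and prints the jail.d snippet for the effective port. The sample configs are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide. sshd keeps the FIRST value it
# reads for each keyword, so an earlier "PasswordAuthentication yes" (e.g. from
# a file pulled in by an Include line) silently wins over a later "no". On a
# live host, "sudo sshd -T" prints the effective configuration with Includes
# resolved; this helper only parses plain text that is given to it.

# Constructed sample configs (not taken from any real server).
GOOD_CONFIG='# hardened as the guide describes
Port 2222
#PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
'
BAD_CONFIG='PasswordAuthentication yes
Port 22
PasswordAuthentication no
'

# sshd_effective KEYWORD DEFAULT: print the effective value of KEYWORD from
# config text on stdin (comments skipped, keyword matched case-insensitively,
# "Keyword=value" accepted, first match wins), or DEFAULT if it is absent.
sshd_effective() {
  val=$(awk -v k="$1" '
    { sub(/^[ \t]+/, "") }              # drop leading whitespace
    /^#/ || /^$/ { next }               # skip comment and blank lines
    { sub(/[ \t]*=[ \t]*/, " ") }      # normalise Keyword=value to Keyword value
    tolower($1) == tolower(k) { print $2; exit }')
  printf '%s\n' "${val:-$2}"
}

# password_auth_disabled CONFIG_TEXT: succeed only if the effective
# PasswordAuthentication is "no" (sshd defaults it to "yes" when unset).
password_auth_disabled() {
  [ "$(printf '%s' "$1" | sshd_effective PasswordAuthentication yes)" = no ]
}

# fail2ban_sshd_jail CONFIG_TEXT: print the jail.d snippet for the effective
# Port, so fail2ban watches the port sshd actually listens on (default 22).
fail2ban_sshd_jail() {
  port=$(printf '%s' "$1" | sshd_effective Port 22)
  printf '[sshd]\nenabled = true\nport = %s\n' "$port"
}

if [ "${1:-}" = --demo ]; then   # run as: sh audit_sshd.sh --demo
  password_auth_disabled "$GOOD_CONFIG" && echo "GOOD_CONFIG: password auth off"
  password_auth_disabled "$BAD_CONFIG" || echo "BAD_CONFIG: the earlier 'yes' wins"
  fail2ban_sshd_jail "$GOOD_CONFIG"
fi
```

To check a real file, pipe it in (for example cat /etc/ssh/sshd_config | sshd_effective PasswordAuthentication yes), bearing in mind that Include'd files are not followed.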

Setting up a firewall

As there is a lot to know about managing a firewall on Linux, we have written a dedicated article about using either UFW or iptables to firewall your server.

Please check out the following article to learn how to set up your firewall:
