Advanced Server Security Configuration

Comprehensive security hardening for production servers.

Prerequisites

  • Root access to your server
  • Basic Linux administration knowledge
  • Understanding of network security concepts

1. System Updates and Patches

# Enable automatic security updates
dpkg-reconfigure -plow unattended-upgrades

# Configure update intervals
echo 'APT::Periodic::Update-Package-Lists "1";' > /etc/apt/apt.conf.d/20auto-upgrades
echo 'APT::Periodic::Unattended-Upgrade "1";' >> /etc/apt/apt.conf.d/20auto-upgrades

2. SSH Security Hardening

Disable Root Login

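# Edit SSH config
vim /etc/ssh/sshd_config

# Set these values (confirm key-based login works first, or you will be locked out):
PermitRootLogin no
PasswordAuthentication no
# OpenSSH 8.7 and later name this option KbdInteractiveAuthentication; the old name is a deprecated alias
ChallengeResponseAuthentication no
UsePAM no

# Validate the file with "sshd -t", then restart the SSH service to apply the changes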

Configure SSH Keys

# Generate SSH key (on local machine)
ssh-keygen -t ed25519 -C "your-email@domain.com"

# Copy to server
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server-ip
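
Editing /etc/ssh/sshd_config does not prove the values took effect: sshd uses the first value it reads for each keyword, so a file pulled in by an Include line ahead of your edits can override them. The following added example (not part of the original guide; function names are hypothetical and the sample input is constructed) checks `sshd -T` style output against the values set in this section.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.
# Reads `sshd -T` style output ("keyword value" per line) on stdin and compares
# it with the values this guide sets. Real use, as root:
#   sshd -T | check_sshd_hardening

check_sshd_hardening() {
    awk '
    BEGIN {
        want["permitrootlogin"] = "no"
        want["passwordauthentication"] = "no"
        want["kbdinteractiveauthentication"] = "no"
        want["usepam"] = "no"
    }
    {
        key = tolower($1); val = tolower($2)
        # Older OpenSSH prints the deprecated alias; fold it into the new name.
        if (key == "challengeresponseauthentication")
            key = "kbdinteractiveauthentication"
        if (!(key in want)) next
        # Keep the first value, but let any deviating value win so that
        # one weak line is never masked by a compliant one.
        if (!(key in seen) || val != want[key]) seen[key] = val
    }
    END {
        bad = 0
        for (k in want) {
            if (!(k in seen)) {
                printf "MISSING %s (expected %s)\n", k, want[k]; bad++
            } else if (seen[k] != want[k]) {
                printf "FAIL %s = %s (expected %s)\n", k, seen[k], want[k]; bad++
            } else {
                printf "OK %s = %s\n", k, seen[k]
            }
        }
        exit (bad > 0)
    }'
}

# Constructed sample: effective config where a drop-in re-enabled passwords.
sample_drifted_config() {
    printf '%s\n' 'port 22' 'permitrootlogin no' 'passwordauthentication yes' \
        'kbdinteractiveauthentication no' 'usepam no'
}
```

The function exits non-zero when any setting deviates or is missing, so it can gate a provisioning script or a scheduled audit job.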

3. Firewall Configuration

# Default policies
ufw default deny incoming
ufw default allow outgoing

# Allow essential services
ufw allow ssh
ufw allow http
ufw allow https

# Rate limiting for SSH
ufw limit ssh

# Enable UFW last, once the SSH rule is in place, so a remote session is not cut off
ufw --force enable

4. Intrusion Detection

Install and Configure Fail2Ban

apt install fail2ban -y

# Create custom jail
cat > /etc/fail2ban/jail.local << EOF
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
EOF

systemctl restart fail2ban

5. File System Security

# Set proper permissions
chmod 700 /root
chmod 600 /etc/ssh/sshd_config
chmod 644 /etc/passwd
chmod 600 /etc/shadow

# List SUID binaries for review; remove the bit where it is not needed
find / -perm -4000 -type f -exec ls -la {} + 2>/dev/null

6. Monitoring and Logging

Configure Logrotate

cat > /etc/logrotate.d/security << EOF
/var/log/auth.log {
    daily
    missingok
    rotate 30
    compress
    notifempty
    create 640 root adm
}
EOF

7. Network Security

Disable Unnecessary Services

# List running services
systemctl list-unit-files --type=service | grep enabled

# Disable unnecessary services and stop them if they are running
systemctl disable --now bluetooth
systemctl disable --now cups

8. Regular Security Audits

# Check for rootkits
apt install rkhunter -y
rkhunter --update
rkhunter --check

# System integrity check
apt install aide -y
aide --init
cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
aide --check

Conclusion

Regular security maintenance is crucial. Schedule monthly security reviews and keep all systems updated.

For enterprise security solutions, contact our security team at security@letscloud.io
