This guide covers the initial setup process for a new Linux server, focusing on basic security and maintenance tasks.
For those interested in automating this setup process, please refer to the Linux Server Setup Script.
Keeping your system packages up to date is crucial for security and stability.
sudo apt update && sudo apt upgrade -ysudo apt update: Updates the package lists for upgrades and new package installations.sudo apt upgrade -y: Upgrades all the installed packages to their latest versions. The-yflag automatically confirms the upgrade.
sudo dnf update -ysudo dnf update -y: Updates all the installed packages to their latest versions. The-yflag automatically confirms the update.
sudo pacman -Syusudo pacman -Syu: Updates the package lists and upgrades all the installed packages to their latest versions.
It's a good practice to avoid using the root account for daily operations.
# Replace 'newuser' with your desired username
sudo adduser newuser
sudo usermod -aG sudo newusersudo adduser newuser: Creates a new user with the usernamenewuser.sudo usermod -aG sudo newuser: Adds the new user to thesudogroup, granting them administrative privileges.
# Replace 'newuser' with your desired username
sudo adduser newuser
sudo usermod -aG wheel newusersudo adduser newuser: Creates a new user with the usernamenewuser.sudo usermod -aG wheel newuser: Adds the new user to thewheelgroup, granting them administrative privileges.
# Replace 'newuser' with your desired username
sudo useradd -m -G wheel newuser
sudo passwd newusersudo useradd -m -G wheel newuser: Creates a new user with the usernamenewuserand adds them to thewheelgroup.sudo passwd newuser: Sets a password for the new user.
Disabling root login over SSH adds an extra layer of security.
Edit the SSH configuration file:
sudo nano /etc/ssh/sshd_configFind and change the following line:
PermitRootLogin noPermitRootLogin no: Disables SSH login for the root user.
Restart the SSH service:
sudo systemctl restart ssh # Debian/Ubuntu
sudo systemctl restart sshd # RHEL/CentOS/Fedora or Arch Linuxsudo systemctl restart ssh: Restarts the SSH service to apply the changes.
Using SSH key authentication is more secure than password-based authentication.
Generate an SSH key pair on your local machine:
ssh-keygen -t rsa -b 4096ssh-keygen -t rsa -b 4096: Generates a new SSH key pair using the RSA algorithm with a 4096-bit key length.
Copy the public key to the server:
ssh-copy-id newuser@your_server_ipssh-copy-id newuser@your_server_ip: Copies your public key to the server's authorized keys file for thenewuseraccount.
Edit the SSH configuration file:
sudo nano /etc/ssh/sshd_configFind and change the following lines:
PasswordAuthentication no
PubkeyAuthentication yesPasswordAuthentication no: Disables password authentication for SSH.PubkeyAuthentication yes: Enables public key authentication for SSH.
Restart the SSH service:
sudo systemctl restart ssh # Debian/Ubuntu
sudo systemctl restart sshd # RHEL/CentOS/Fedora or Arch Linuxsudo systemctl restart ssh: Restarts the SSH service to apply the changes.
A firewall protects your server by controlling incoming and outgoing network traffic.
Install UFW:
sudo apt install ufw -ysudo apt install ufw -y: Installs the UFW firewall package.
Allow OpenSSH through the firewall:
sudo ufw allow OpenSSHsudo ufw allow OpenSSH: Allows SSH connections through the firewall.
Enable the firewall:
sudo ufw enablesudo ufw enable: Enables the UFW firewall.
Install and configure firewalld as UFW is not typically used on these distributions.
Install firewalld:
sudo dnf install firewalld -y # RHEL/CentOS/Fedora
sudo pacman -S firewalld # Arch Linuxsudo dnf install firewalld -y: Installs thefirewalldpackage on RHEL/CentOS/Fedora.sudo pacman -S firewalld: Installs thefirewalldpackage on Arch Linux.
Start and enable firewalld:
sudo systemctl start firewalld
sudo systemctl enable firewalldsudo systemctl start firewalld: Starts thefirewalldservice.sudo systemctl enable firewalld: Enables thefirewalldservice to start at boot.
Allow OpenSSH through the firewall:
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reloadsudo firewall-cmd --permanent --add-service=ssh: Allows SSH connections through the firewall.sudo firewall-cmd --reload: Reloads the firewall rules to apply the changes.
Fail2Ban helps protect your server from brute-force attacks by banning IPs that show malicious signs.
Install Fail2Ban:
sudo apt install fail2ban -y # Debian/Ubuntu
sudo dnf install fail2ban -y # RHEL/CentOS/Fedorasudo apt install fail2ban -y: Installs the Fail2Ban package.
Create a local configuration file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.localsudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local: Copies the default configuration file to a local configuration file for customization.
Edit the local configuration file:
sudo nano /etc/fail2ban/jail.localFind and change the following lines:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
bantime = 3600
findtime = 600
maxretry = 3[sshd]: Section for SSH settings.enabled = true: Enables the SSH jail.port = ssh: Specifies the port for SSH (default is 22).logpath = %(sshd_log)s: Specifies the log file path for SSH logs.bantime = 3600: Sets the ban time to 1 hour (3600 seconds).findtime = 600: Sets the time window to 10 minutes (600 seconds) for considering failed attempts.maxretry = 3: Sets the maximum number of failed attempts before banning.
Restart Fail2Ban:
sudo systemctl restart fail2bansudo systemctl restart fail2ban: Restarts the Fail2Ban service to apply the changes.
We may use sshguard instead of fail2ban on Arch Linux.
Install sshguard:
sudo pacman -S sshguardsudo pacman -S sshguard: Installs thesshguardpackage.
Enable and start the sshguard service:
sudo systemctl enable sshguard
sudo systemctl start sshguardsudo systemctl enable sshguard: Enables thesshguardservice to start at boot.sudo systemctl start sshguard: Starts thesshguardservice.
Automatic updates help ensure your server stays secure with the latest security patches.
Install the unattended-upgrades package:
sudo apt install unattended-upgrades -ysudo apt install unattended-upgrades -y: Installs the unattended-upgrades package.
Enable automatic updates:
sudo dpkg-reconfigure --priority=low unattended-upgradessudo dpkg-reconfigure --priority=low unattended-upgrades: Configures the package to enable automatic updates.
Fedora and CentOS systems can use the dnf-automatic package for automatic updates.
Install the dnf-automatic package:
sudo dnf install dnf-automatic -ysudo dnf install dnf-automatic -y: Installs thednf-automaticpackage.
Enable and start the dnf-automatic service:
sudo systemctl enable --now dnf-automatic.timersudo systemctl enable --now dnf-automatic.timer: Enables and starts thednf-automaticservice to run automatically.
Automatic updates are not recommended on Arch Linux due to its rolling release nature. It's best to manually update the system regularly.
Ensuring your server's time is synchronized can prevent various issues.
Install and enable chrony:
sudo apt install chrony -y # Debian/Ubuntu
sudo dnf install chrony -y # RHEL/CentOS/Fedora
sudo systemctl enable chrony # Debian/Ubuntu and RHEL/CentOS/Fedora
sudo systemctl start chrony # Debian/Ubuntu and RHEL/CentOS/Fedorasudo apt install chrony -y: Installs the Chrony package.sudo systemctl enable chrony: Enables the Chrony service to start at boot.sudo systemctl start chrony: Starts the Chrony service.
We can use ntp for time synchronization on Arch Linux.
Install and enable ntp:
sudo pacman -S ntp
sudo systemctl enable ntpd
sudo systemctl start ntpdsudo pacman -S ntp: Installs the NTP package.sudo systemctl enable ntpd: Enables the NTP service to start at boot.sudo systemctl start ntpd: Starts the NTP service.
Securing shared memory can help prevent certain types of attacks.
Edit the /etc/fstab file:
sudo nano /etc/fstabAdd the following line at the end of the file:
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0: Mounts the shared memory withnoexecandnosuidoptions to prevent execution of binaries and set-user-identifier bits.
Add the following line at the end of the file:
tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0: Mounts the shared memory withnoexecandnosuidoptions to prevent execution of binaries and set-user-identifier bits.
Logwatch provides a daily summary of system logs.
Install Logwatch:
sudo apt install logwatch -y # Debian/Ubuntu
sudo dnf install logwatch -y # RHEL/CentOS/Fedora
sudo pacman -S logwatch # Arch Linuxsudo apt install logwatch -y: Installs the Logwatch package.
Edit the Logwatch configuration file:
sudo nano /usr/share/logwatch/default.conf/logwatch.confFind and change the following lines:
MailTo = [email protected]
Range = yesterday
Detail = LowMailTo = [email protected]: Sets the email address to send the log reports to.Range = yesterday: Sets the report range to the previous day.Detail = Low: Sets the detail level of the report to low.
Regular backups are crucial for data recovery in case of failures.
Set up regular backups using tools like rsnapshot, rsync, or a cloud-based backup service. Ensure you have a strategy for both local and offsite backups.
Monitoring tools help you keep an eye on your server's health and performance.
Install and configure tools like htop, netdata, or Prometheus for monitoring your server's performance and health.
sudo apt install htop -y # Debian/Ubuntu
sudo dnf install htop -y # RHEL/CentOS/Fedora
sudo pacman -S htop # Arch Linuxsudo apt install htop -y: Installshtop, an interactive process viewer.
By following these steps, you will significantly improve the security and stability of your Linux server. Regular maintenance and monitoring are crucial to ensure your server remains secure and performs optimally.
If you see any mistake or any better approach, feel free to share them in the comment.
Awesome job, bro! Thanks.