Server security is an important part of running production systems. Here we provide 7 tips to secure your servers.
A comprehensive password is:
- Private: it is used and known by one person only;
- Secret: it does not appear in any text, file, or program, or on a sheet of paper pinned to the monitor;
- Easy to remember, so there is no need to write it down, and at least 8 characters long;
- A mixture of at least 3 of the following: upper case letters, lower case letters, digits and symbols;
- Not listed in a dictionary of any language;
- Not quickly identifiable by any program (i.e. not crackable in less than one week).
Bad password: qwerty123
Good password: u6]T:PX.OT8!VEB;
You can generate a comprehensive password using a password generator.
If you want to generate the key on your device, just run:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
Copy your public key to the server and run:
ssh-copy-id -i ~/.ssh/id_rsa.pub user@yourhost
With a good password, you can limit your exposure to a brute force attack. However, it may still be possible. Before you disable root logins, you should add an administrative user that can ssh into the server and become root with su.
This adds another layer of security because an additional username and password must now be entered before gaining the root user privileges.
To disable root login, set PermitRootLogin no in /etc/ssh/sshd_config (uncomment the PermitRootLogin line and change its value to no). Then restart the SSH server with systemctl restart sshd.service.
In /etc/ssh/sshd_config, change the line Port 22 to Port 1001. Then restart the SSH server via systemctl restart sshd.service. Now you can connect to the server on port 1001.
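The two sshd_config edits above (PermitRootLogin no and the custom Port) as one idempotent shell helper; this is an added example, not code from the original post. It assumes POSIX sh with awk, and that you keep your current SSH session open and validate the file before restarting the daemon.

```shell
#!/bin/sh
# set_sshd_option FILE KEY VALUE
# Replaces any existing "KEY ..." or commented "#KEY ..." line with "KEY VALUE"
# and drops duplicate copies; appends the line if the key is absent.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        BEGIN { re = "^[ \t]*#?[ \t]*" k "([ \t]|$)"; done = 0 }
        # a line that sets this directive, active or commented out
        $0 ~ re {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# harden_sshd_config FILE PORT
# Applies both changes described in the text to FILE (normally /etc/ssh/sshd_config).
harden_sshd_config() {
    file=$1; port=$2
    set_sshd_option "$file" PermitRootLogin no || return 1
    set_sshd_option "$file" Port "$port" || return 1
}

# Usage on a real server (not run here):
#   harden_sshd_config /etc/ssh/sshd_config 1001
#   sshd -t && systemctl restart sshd.service   # syntax-check first: a broken config locks you out
```

Open a second SSH session on the new port and confirm it works before closing the old one.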
Install and run unattended-upgrades on the server (apt install unattended-upgrades). Check the following link for more details.
SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, it activates the padlock and the https protocol and allows secure connections from a web server to a browser. Typically, SSL is used to secure credit card transactions, data transfer and logins, and more recently is becoming the norm when securing browsing of social media sites.
For example, you can use Let's Encrypt, a free certificate provider.
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, probing for exploits, etc.
Generally Fail2Ban is used to update firewall rules to reject those IP addresses for a specified amount of time, although any other arbitrary action (e.g. sending an email) can also be configured. Fail2Ban comes with filters for various services (apache, courier, ssh, etc.) out of the box.
Copyright © 2015-2019 Codica. It is released under the MIT License.