Make root server secure

Here we explain how you can make your root server secure and what to consider. If you set up a root server, you unfortunately also open the door for hackers. Because it is permanently reachable from the Internet, a root server is naturally exposed to attack. With these tips you can secure your root server.

In the root server area, mainly Linux distributions and Windows Server are used. In general, of course, all operating systems have vulnerabilities, some more, some fewer. Server security is a major problem, especially for Linux beginners: many users are working with Linux for the first time and may not even notice unauthorized access. Windows Server is of course also anything but secure, but here the firewall is preconfigured so that the server does not respond to pings, and almost all other public ports are blocked automatically. Windows Server also installs security updates and patches automatically if you have not disabled this feature.

For Linux distributions, unfortunately, you have to do these steps manually, but with these tips you can make your root server secure in a few steps.

Secure SSH access

You connect to the console of your Linux root server via SSH. By default you log in with a username and password, which you get from your provider. However, this access can be cracked by brute-force attacks, since the attackers simply have to try various passwords in conjunction with the "root" login any number of times. With these measures you can make your root server secure:

SSH uses port 22 by default, and this creates a security vulnerability. Change the port to a 4- or 5-digit number if possible.

Create a new user whose username and password only you know. This makes successful brute-force attacks extremely unlikely.

Alternatively, you can prohibit login via username and password altogether. Then you can only log in with your own SSH key. Generate this key beforehand and copy it to the server. Please note that if you lose your private SSH key, you will no longer be able to log in to the server. So you should only consider this if you have an alternative way to access the server, e.g. via KVM, VNC or other remote access.
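
The measures above can be checked against an existing sshd_config. The following is an added example, not code from the original article: a small Python audit that relies on OpenSSH's documented behaviour that the first value of a keyword wins while multiple Port lines accumulate. The function names, the sample configurations and port 49222 are constructed for illustration, and flagging "PermitRootLogin yes" is an assumption about how the "new user" advice is enforced.

```python
# Added example: audit sshd_config text against the SSH measures above.
# Assumes OpenSSH 7.0+ defaults; Include files and Match blocks are not evaluated.
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password"}

def effective_settings(config_text):
    ports, first = [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break                           # everything below is conditional
        if keyword == "port":
            ports.append(value)             # cumulative: sshd listens on every Port
        else:
            first.setdefault(keyword, value.lower())  # first occurrence wins
    settings = {**DEFAULTS, **first}
    settings["port"] = ports or ["22"]
    return settings

def audit(config_text):
    s = effective_settings(config_text)
    findings = []
    if "22" in s["port"]:
        findings.append("sshd still listens on default port 22")
    if s["passwordauthentication"] != "no":
        findings.append("password login is enabled (PasswordAuthentication)")
    if s["permitrootlogin"] == "yes":
        findings.append("direct root login is permitted (PermitRootLogin yes)")
    return findings

# Constructed sample: the later "PasswordAuthentication no" has no effect.
SAMPLE = """\
Port 22
Port 49222
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""
HARDENED = "Port 49222\nPermitRootLogin no\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE), ("hardened", HARDENED)):
        print(name, audit(text) or "no findings")
```

On a live host, `sshd -T` prints the effective configuration, including settings pulled in through Include files, and is the authoritative check.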

Installation of updates and upgrades

Your Linux server distribution does not update itself automatically, unlike Windows. So you have to log in to your system regularly and trigger the updates manually. This is the only way to be sure that there are no critical vulnerabilities in the system or services.

If you do not want to deal with this, you can rent a managed server from many providers. Here, updates and patches are automatically installed on your server directly by professional IT specialists. The provider takes care of both hardware and installed software maintenance.

Block repeated login attempts

If you don't want to change the SSH logins, you can still monitor repeated failed login attempts and block them accordingly. Install Fail2ban: this service monitors the SSH login attempts and locks out the attackers' IPs. You only need to set the maximum number of login attempts and the duration of the ban. Fail2ban will then check the logs and block the corresponding IPs via iptables. But be careful here as well: IPs can be whitelisted, but if yours is not whitelisted and you fail to log in several times, you will be locked out as well.

Securing Windows Server 2008/2012/2016

On your Windows root servers, always make sure that the firewall is turned on and blocks all unnecessary ports. Never suppress important security updates; they often patch critical security holes. It is also useful to change the port for the RDP login of the server. If possible, also change the administrator login, or create a second administrator account with a different username and deactivate the normal administrator account.
