Server hardening 101

Setting up a new server, heard the cool kids talk about “server hardening,” but didn’t know what that meant?

Server hardening involves configuring the operating system and any running applications such that unauthorized access to your computers and network is more difficult.

Network setup

  1. Make sure your router has up-to-date firmware. Your manufacturer may have stopped supporting it, but there may be open source firmware available (like OpenWrt, Tomato, or Asuswrt-Merlin).

  2. Make sure your router has UPnP disabled, and don’t forward ports to the internet unless you actually need to.

  3. If possible, only expose your systems via a VPN, like Tailscale.

Server setup

First and foremost, back up any important files you have on your server.

Assuming your Linux server is running Ubuntu, look into installing the following packages:

unattended-upgrades

sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

This will apply security updates to your server automatically on a schedule, but keep in mind that you’ll still need to reboot your server manually for kernel updates to take effect.

lynis

sudo apt-get install lynis
sudo lynis audit system

Running this (as root, otherwise many checks are skipped) will list a series of steps that you’ll need to do, including ssh hardening. Be sure to disable root logins, change your ssh port, and disable non-key-based authentication. Make sure you understand the impact of any change before you make it, or you may find that you’ve locked yourself out of your own server!

Re-run sudo lynis audit system to verify that you’ve made things better.
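As an added example (not from the original post), here is the sshd hardening described above written as a drop-in config plus a small audit function that checks a config file for the three settings; the drop-in path, the port 2222 and the function names are assumptions.

```shell
#!/bin/sh
# Added example: hardened sshd settings as a drop-in file, and an audit
# function for the three settings the post calls out. Paths and port are
# assumptions; Ubuntu's stock sshd_config includes /etc/ssh/sshd_config.d/*.conf.
HARDENED_DROPIN='Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
'

# audit_sshd_config FILE: print one line per weak or missing setting and
# return the number of findings (0 means the file passes the three checks).
audit_sshd_config() {
    file=$1
    findings=0
    # sshd uses the first uncommented occurrence of a keyword; keywords are
    # case-insensitive, so this also accepts the lowercase output of sshd -T.
    get() { grep -iE "^[[:space:]]*$1[[:space:]]" "$file" | head -n1 \
              | awk '{print $2}' | tr 'A-Z' 'a-z'; }

    if [ "$(get PermitRootLogin)" != "no" ]; then
        echo "FAIL: PermitRootLogin should be 'no'"; findings=$((findings+1))
    fi
    if [ "$(get PasswordAuthentication)" != "no" ]; then
        echo "FAIL: PasswordAuthentication should be 'no'"; findings=$((findings+1))
    fi
    port=$(get Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "WARN: Port is 22 (the default)"; findings=$((findings+1))
    fi
    return "$findings"
}

# install_hardened_dropin: run as root. sshd -t validates the config before
# the daemon is reloaded, so a typo is caught before it can lock you out.
# Keep your existing ssh session open until a fresh login on the new port works.
install_hardened_dropin() {
    printf '%s' "$HARDENED_DROPIN" > /etc/ssh/sshd_config.d/10-hardening.conf \
      && sshd -t && systemctl reload ssh
}
```

To audit the effective configuration rather than a single file, dump it with `sudo sshd -T > /tmp/effective.conf` and run `audit_sshd_config /tmp/effective.conf`.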

Misc intrusion deflection and detection

sudo apt-get install fail2ban rkhunter debsums
sudo rkhunter --check
sudo debsums -s

Got backups?

Seriously. Have backups. Keep at least one copy offline, and ideally one or more copies in different physical locations.

Got any other suggestions?

Excellent: please leave a comment!