Skip to main content

Security baseline

# Security baseline

New servers should be hardened before they are exposed to the public internet. A good security baseline reduces the attack surface and makes it much harder for attackers to compromise your instance. Below is a set of initial steps you should perform after provisioning a VPS or dedicated server.

## 1. Update the operating system and software

- **Install the latest patches** – Use your distribution’s package manager (`apt`, `dnf`, `yum`, etc.) to update the OS and installed packages. Apply security updates regularly.
- **Update application packages** – Keep software installed via other package managers (such as `npm` or `pip`) current to reduce vulnerabilities.

## 2. Create a non‑root user and disable direct root login

- **Create a new user with sudo privileges** – Avoid logging in as the `root` user. Create a user account and grant it sudo privileges for administrative tasks.
- **Disable root logins** – Edit `/etc/ssh/sshd_config` and set `PermitRootLogin no`, then restart the SSH service.

## 3. Use SSH key authentication

- **Generate an SSH key pair** – Use `ssh-keygen` (or PuTTYgen on Windows) to generate a key pair, then copy the public key to your server. Keep your private key secure.
- **Disable password authentication** – In `/etc/ssh/sshd_config` set `PasswordAuthentication no` and restart SSH to enforce key-based logins.

## 4. Change the default SSH port (optional)

- Changing the SSH listening port from `22` to another value can reduce automated scan noise. Edit the `Port` directive in `/etc/ssh/sshd_config`, restart the SSH service and test the new port.

## 5. Configure a firewall

- **Default‑deny policy** – Configure a firewall (e.g., UFW on Ubuntu or firewalld on CentOS) with a default‑deny rule so only explicitly allowed ports are open.
- **Open only required ports** – Allow essential services such as HTTP (80), HTTPS (443), SSH (your chosen port) and any other ports your applications require.

## 6. Close unused ports and disable unnecessary services

- Audit open ports with tools like `ss` or `netstat` and stop services you don’t need using `systemctl`. Disabling unused services reduces the attack surface.

## 7. Install intrusion‑prevention tools

- Tools like **Fail2Ban** monitor logs for failed login attempts and automatically ban offending IPs. Install and configure Fail2Ban (or a similar tool) to protect SSH and other services.

## 8. Perform regular backups and monitor your server

- **Develop a backup strategy** – Schedule regular backups and store copies in multiple locations (off‑site or cloud). Test restores periodically.
- **Monitor usage and logs** – Use monitoring tools to watch for unusual activity, high resource usage or unexpected processes. Review logs and adjust settings as necessary.

## 9. Use strong passwords and two‑factor authentication

- Enforce strong, unique passwords for all accounts (including your control panel and client area).
- Enable two‑factor authentication (2FA) wherever supported to add an extra layer of protection.

## 10. Review and update regularly

Security is an ongoing process. Periodically review firewall rules, SSH configuration, Fail2Ban policies and other security settings. Apply updates promptly and reassess your security posture to stay ahead of emerging threats.

Back to top