Just got a new Linux-based server or have an existing one and want to secure it? Follow these steps!
These steps are from Alexzander's wonderful YouTube video (<8 min), which you should watch for full context. He goes into the details of what each command does and why you want to do it.
I will call out steps that I added (i.e. steps that were not covered in the video) with a ➕.
apt update && apt upgrade -y
apt install fail2ban -y
systemctl enable fail2ban
systemctl start fail2ban
ufw default deny incoming
ufw default allow outgoing
- OPTIONAL: ufw default allow forward
  - This is useful for when you're going to be hosting something like a VPN (e.g. WireGuard)
  - ➕ This is my own addition (not from the video)
ufw allow ssh
- Any other ports you need: ufw allow PORT_NUMBER (replace PORT_NUMBER with the necessary port number)
ufw enable
adduser USER_NAME (replace USER_NAME with your own username)
- Skip this if you already have another user
nano /etc/ssh/sshd_config
- Set PermitRootLogin no and save
systemctl restart sshd
- Once logged in as non-root user, use sudo su to switch to root user
  - In the video, su root was shown, but didn't work for me on Ubuntu 22/24.
- On your local machine, run ssh-keygen -b 4096 to create a public/private key pair
  - ➕ This is different than the video, where Alex used Bitvise to create his key
  - You can skip this step if you already have an SSH key on your local computer
    - Usual Windows location: %userprofile%/.ssh/id_rsa.pub
    - Usual Mac location: ~/.ssh/id_rsa.pub
- On the server, go to your home directory /home/USER_NAME
  - If you don't have a .ssh folder make one: mkdir .ssh
  - cd .ssh
  - nano authorized_keys
    - Paste in your public key from above and save the file
  - systemctl restart sshd
nano /etc/ssh/sshd_config
- Set PasswordAuthentication no and save
systemctl restart sshd
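
Added example (not from the video or the original steps): sshd uses the first value it reads for each keyword, and the stock Ubuntu 22/24 sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in file there can override the PermitRootLogin and PasswordAuthentication edits made above. The script applies that first-match rule to a constructed sample config; first_value, make_sample and 50-sample.conf are names made up for this example.

```bash
#!/usr/bin/env bash
# Added example: which value would sshd really use for a keyword?
# sshd keeps the FIRST value it reads, and an Include line is read in place,
# so a drop-in file can win over an edit made lower down in sshd_config.
# On a real server the authoritative check is, as root:
#   sshd -T | grep -Ei 'permitrootlogin|passwordauthentication'

# first_value KEYWORD FILE: print "value file" for the first global match.
first_value() {
  local want file key val inc
  want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  file=$2
  while read -r key val; do
    key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
    case $key in
      ''|'#'*) continue ;;             # blank line or comment
      match) break ;;                  # what follows is conditional, not global
      include)
        for inc in $val; do            # unquoted on purpose so the glob expands
          if [ -f "$inc" ] && first_value "$want" "$inc"; then return 0; fi
        done ;;
      "$want") printf '%s %s\n' "$val" "$file"; return 0 ;;
    esac
  done < "$file"
  return 1                             # keyword not set: sshd uses its default
}

# make_sample: build a constructed config tree in a temp dir, print its path.
make_sample() {
  local d
  d=$(mktemp -d)
  mkdir "$d/sshd_config.d"
  printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-sample.conf"
  printf '%s\n' "Include $d/sshd_config.d/*.conf" \
    '#PermitRootLogin prohibit-password' \
    'PermitRootLogin no' \
    'PasswordAuthentication no' > "$d/sshd_config"
  printf '%s\n' "$d"
}

# Show the effective value and the file it came from for both settings.
d=$(make_sample)
for k in PermitRootLogin PasswordAuthentication; do
  printf '%-24s %s\n' "$k" "$(first_value "$k" "$d/sshd_config")"
done
rm -rf "$d"
```

In the sample, PasswordAuthentication resolves to yes from the drop-in even though the main file says no, which is the case to rule out before relying on key-only login.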