Why Server Security Can't Wait

The average time between a server going online and the first automated scan hitting it is under 60 seconds. Bots constantly crawl the internet looking for weak SSH passwords, outdated software, and misconfigured services. The good news: basic hardening blocks 95% of attacks.

Step 1: Disable Password SSH Login

This is the single most important thing you can do. Password brute-forcing is one of the most common attack vectors.

# Edit /etc/ssh/sshd_config
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes

After saving, restart SSH with sudo systemctl restart sshd. Make sure your SSH public key is already installed on the server and that key-based login works before doing this, or you will lock yourself out!
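
sshd keeps the first value it reads for each keyword, so a line in a file included above your edit can silently override it. The added example below (not part of the original article) checks the three Step 1 directives against `sshd -T` style output; the function names and sample data are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit the effective sshd
# settings from Step 1. Input on stdin: `sshd -T` style "keyword value" lines.

# Print the first value seen for keyword $1; sshd keeps the first value it obtains.
sshd_value() {
    awk -v key="$1" 'tolower($1) == key { print tolower($2); exit }'
}

# Check the three Step 1 directives. Prints one line per directive and
# returns the number of failed checks (0 means all three match).
check_sshd_hardening() {
    dump=$(cat)
    failures=0
    for want in passwordauthentication=no permitrootlogin=no pubkeyauthentication=yes; do
        key=${want%%=*}
        expected=${want#*=}
        actual=$(printf '%s\n' "$dump" | sshd_value "$key")
        if [ "$actual" = "$expected" ]; then
            echo "OK   $key $actual"
        else
            echo "FAIL $key is '${actual:-unset}', expected '$expected'"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed sample: password login is still enabled, for example because an
# earlier included file set it before the edited line was read.
SAMPLE_BAD='port 22
passwordauthentication yes
permitrootlogin no
pubkeyauthentication yes'

# Constructed sample: all three Step 1 settings are in effect.
SAMPLE_GOOD='port 22
passwordauthentication no
permitrootlogin no
pubkeyauthentication yes'

# Demo run on the constructed bad sample.
printf '%s\n' "$SAMPLE_BAD" | check_sshd_hardening || echo "$? check(s) failed"
```

On a real server, feed it the live configuration with sudo sshd -T | check_sshd_hardening.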

Step 2: Set Up a Firewall

Only open ports you actually use. UFW (Uncomplicated Firewall) makes this simple:

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp   # SSH
sudo ufw allow 80/tcp   # HTTP
sudo ufw allow 443/tcp  # HTTPS
sudo ufw enable

Step 3: Enable Automatic Security Updates

sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

This automatically installs security patches without requiring manual intervention.

Step 4: Install Fail2Ban

Fail2Ban monitors log files and bans IPs that show signs of malicious activity, such as too many failed SSH attempts:

sudo apt install fail2ban
sudo systemctl enable fail2ban

Step 5: Monitor with Security Headers

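For web servers, add security headers in Nginx. Note that add_header only applies to successful and redirect responses unless the always parameter is given, and a block that declares its own add_header does not inherit the ones set at the level above: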

add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000";

Step 6: Regular Audits

Run lynis audit system monthly for a comprehensive security report. It checks hundreds of configuration items and gives you a hardening index score.

Security is never "done" — it's an ongoing process.