• Install only what you need.  Keep your server lean.  Install only those packages that you really need. If there are unwanted packages, purge them. The fewer packages installed, the less chance of unpatched code.
  • Run only what you need.  The output of this command shows which services are listening on which ports:
    • netstat -npl
  • You should also keep an eye on the services that are enabled and run at system startup. You can check it by running the following command on systems running systemd:
    • systemctl list-unit-files --type=service | grep enabled
  • You can disable services using the systemctl command:
    • systemctl disable service_name
  • Restrict access to your server.  Never log in as root. Create a user with sudo powers so that you can ssh into the server and perform administrative tasks.  Disable root login so that no one can ssh or log into the server as the root user. To do so, open the sshd configuration file:
    • nano /etc/ssh/sshd_config
  • Next, look for the commented line that says:
    • #PermitRootLogin no
  • Uncomment it by removing the leading # so that it reads PermitRootLogin no. Then save and close the file and restart the service:
    • service ssh restart
    • or,
    • systemctl restart sshd

WARNING: Don’t log out of the server until you have tested that you can successfully ssh into the server as the user you created earlier. Open another instance of the terminal and ssh into the server as that user. If everything works fine, you can safely log out of the server as root.

  • Change the default SSH port.
  • Open the sshd_config file (this time with sudo, because you can no longer log into the server as root):
    • sudo nano /etc/ssh/sshd_config
  • Then, find this commented line:
    • #Port 22
  • Uncomment the line and replace 22 with another port, then save and close the file and restart the sshd service. Once again, before logging out of the server, check the settings by opening another terminal window and logging in using this pattern:
    • ssh -p {port_number} user@server_IP

If you can successfully log in, you’re set.
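The two sshd_config edits above (PermitRootLogin and Port) fail silently if the line is left commented out or a different value appears earlier in the file. The script below is an added example, not part of the original guide, that reports the value sshd would use for each setting. The function names, the sample file, and the defaults passed in (upstream OpenSSH's prohibit-password and 22) are assumptions, and Include directives are not followed.

```shell
#!/bin/sh
# Added example: check that the sshd_config edits actually took effect.

# effective_sshd_value FILE KEYWORD DEFAULT
# Prints the value from the global section of FILE for KEYWORD.
# Comment lines are skipped, keywords are case-insensitive, the first
# occurrence wins, and parsing stops at the first Match block.
# DEFAULT (assumed upstream OpenSSH default) is printed if the keyword is unset.
effective_sshd_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }                       # commented-out line
        tolower($1) == "match" { exit }           # global section only
        tolower($1) == key && NF >= 2 { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE
# Returns 0 only if root login is disabled and the port is not 22.
audit_sshd_config() {
    file=$1
    rc=0
    root=$(effective_sshd_value "$file" PermitRootLogin prohibit-password)
    port=$(effective_sshd_value "$file" Port 22)
    [ "$root" = "no" ] || { echo "FAIL: PermitRootLogin is '$root', expected 'no'"; rc=1; }
    [ "$port" != "22" ] || { echo "FAIL: Port is still 22"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: root login disabled, port $port"
    return "$rc"
}

# Constructed sample: both lines were found but never uncommented.
sample=$(mktemp)
printf '%s\n' '#Port 22' '#PermitRootLogin no' 'PasswordAuthentication yes' > "$sample"
audit_sshd_config "$sample" || true
rm -f "$sample"
```

On a live server, `sudo sshd -t` checks the file for syntax errors before the restart, and `sudo sshd -T` prints the full effective configuration.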