Base Server Hardening
These are the minimum security operations to perform on every new server before putting it into production.
Quick Checklist
| Operation | Priority |
|---|---|
| Update system | 🔴 Critical |
| Change root password | 🔴 Critical |
| Configure SSH keys | 🔴 Critical |
| Enable firewall | 🔴 Critical |
| Install Fail2ban | 🟠 High |
| Disable SSH password login | 🟠 High |
| Create non-root user | 🟠 High |
| Change SSH port | 🟡 Medium |
| Configure automatic updates | 🟡 Medium |
1. Update the System
```bash
apt update && apt upgrade -y   # Debian/Ubuntu
dnf update -y                  # CentOS/AlmaLinux
```
2. Configure SSH Keys and Disable Passwords
```bash
# On your computer: copy your public key to the server
ssh-copy-id root@SERVER_IP
# On the server: disable password login
nano /etc/ssh/sshd_config
```
Set:
```
PasswordAuthentication no
PermitRootLogin prohibit-password
```
Keep your current session open and confirm in a second terminal that key-based login works before restarting; otherwise a missing or mistyped key locks you out.
```bash
systemctl restart sshd
```
3. Enable the Firewall
```bash
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow http
ufw allow https
ufw enable
```
`ufw allow ssh` opens port 22 only. If you later move SSH to another port, allow that port number explicitly before enabling the firewall, or the next connection is refused.
4. Install Fail2ban
```bash
apt install fail2ban -y
systemctl enable --now fail2ban
```
See the complete guide: Fail2ban
5. Create a Non-Root User
```bash
adduser deploy
usermod -aG sudo deploy
```
6. Configure Automatic Security Updates
```bash
# Debian/Ubuntu
apt install unattended-upgrades -y
dpkg-reconfigure --priority=low unattended-upgrades
```
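The six steps above can be run as one script. The following is an added example, not the page's own script: it applies steps 1 to 6 on Debian/Ubuntu in an order that cannot lock you out (an authorized key must exist before passwords are disabled, the SSH port is allowed before the firewall is enabled, and the configuration is validated with `sshd -t` before sshd restarts). The function names, the `NEW_USER`, `SSH_PORT` and `SSHD_CONFIG` variables, the `apply` argument, and writing `/etc/apt/apt.conf.d/20auto-upgrades` directly instead of the interactive `dpkg-reconfigure` are this example's own choices. `set_sshd_option` puts its line at the top of the file because sshd keeps the first value it reads for a keyword, so the line also wins over anything pulled in by a later `Include`.

```shell
#!/usr/bin/env bash
# Added example (not the page's own script): steps 1 to 6 of the guide in a
# safe order. Assumed: Debian/Ubuntu with systemd and ufw, run as root.
#   ./harden.sh apply   # applies everything
#   . ./harden.sh       # only defines the functions (for reuse or testing)
set -u

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
NEW_USER="${NEW_USER:-deploy}"   # same user name the guide uses
SSH_PORT="${SSH_PORT:-22}"       # set to 2222 to follow the optional port change

# Set "key value" in an sshd_config-style file idempotently: every existing
# active or commented definition of the key is dropped and one line is placed
# at the top, where it takes precedence over later lines and Include'd files.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    { printf '%s %s\n' "$key" "$value"
      grep -Ev "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$file" || true
    } > "${file}.tmp"
    cat "${file}.tmp" > "$file" && rm -f "${file}.tmp"   # keeps the file's mode/owner
}

# True when HOME_DIR/.ssh/authorized_keys holds at least one public key.
has_authorized_key() {
    grep -qE '^(ssh-|ecdsa-|sk-)' "$1/.ssh/authorized_keys" 2>/dev/null
}

apply_all() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_all: must run as root" >&2; return 1; }

    # 1. Update the system and install what the later steps need
    apt-get update && apt-get upgrade -y || return 1
    apt-get install -y ufw fail2ban unattended-upgrades || return 1

    # 5. Non-root user with sudo; give it root's key so key login works for it too
    id "$NEW_USER" >/dev/null 2>&1 || adduser --disabled-password --gecos "" "$NEW_USER"
    usermod -aG sudo "$NEW_USER"
    home=$(getent passwd "$NEW_USER" | cut -d: -f6)
    if has_authorized_key /root && ! has_authorized_key "$home"; then
        install -d -m 700 -o "$NEW_USER" -g "$NEW_USER" "$home/.ssh"
        install -m 600 -o "$NEW_USER" -g "$NEW_USER" /root/.ssh/authorized_keys "$home/.ssh/authorized_keys"
    fi

    # 2. Never disable passwords before a key is in place: that is a lockout
    has_authorized_key /root || has_authorized_key "$home" \
        || { echo "apply_all: no authorized_keys found, run ssh-copy-id first" >&2; return 1; }

    # 3. Firewall: allow the SSH port before enabling, or the next session is blocked
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow "${SSH_PORT}/tcp"
    ufw allow http
    ufw allow https
    ufw --force enable

    # Recommended sshd configuration (same values as the guide)
    cp -a "$SSHD_CONFIG" "${SSHD_CONFIG}.bak"
    set_sshd_option "$SSHD_CONFIG" Port "$SSH_PORT"
    set_sshd_option "$SSHD_CONFIG" PermitRootLogin prohibit-password
    set_sshd_option "$SSHD_CONFIG" PasswordAuthentication no
    set_sshd_option "$SSHD_CONFIG" KbdInteractiveAuthentication no   # the guide's ChallengeResponseAuthentication is the older alias
    set_sshd_option "$SSHD_CONFIG" X11Forwarding no
    set_sshd_option "$SSHD_CONFIG" MaxAuthTries 3
    set_sshd_option "$SSHD_CONFIG" ClientAliveInterval 300
    set_sshd_option "$SSHD_CONFIG" ClientAliveCountMax 2
    set_sshd_option "$SSHD_CONFIG" PermitEmptyPasswords no
    # Validate before restarting; a syntax error would leave sshd down
    if ! sshd -t -f "$SSHD_CONFIG"; then
        cp -a "${SSHD_CONFIG}.bak" "$SSHD_CONFIG"
        echo "apply_all: invalid sshd config, backup restored" >&2
        return 1
    fi
    systemctl restart ssh 2>/dev/null || systemctl restart sshd

    # 4. Fail2ban
    systemctl enable --now fail2ban

    # 6. Automatic security updates (what dpkg-reconfigure writes, done non-interactively)
    printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' \
        > /etc/apt/apt.conf.d/20auto-upgrades
}

case "${1:-}" in
    apply) apply_all ;;
    *)     echo "usage: $0 apply   (or source this file to load the functions)" >&2 ;;
esac
```

Run it once as root right after `ssh-copy-id`; rerunning is harmless because every step is idempotent. Change `SSH_PORT` before running if you want the optional port change, and reconnect on the new port afterwards.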
Complete Recommended SSH Configuration
```bash
nano /etc/ssh/sshd_config
```
```
# Change the port (optional); if you do, allow the new port in the firewall before restarting sshd
Port 2222
# Allow root only with a key, never with a password
PermitRootLogin prohibit-password
# Disable password authentication
PasswordAuthentication no
# Disable keyboard-interactive authentication (on OpenSSH 8.7+ this keyword is the legacy alias of KbdInteractiveAuthentication)
ChallengeResponseAuthentication no
# Disable X11 forwarding if not needed
X11Forwarding no
# Limit authentication attempts per connection
MaxAuthTries 3
# Drop idle sessions: a keepalive every 300 seconds, disconnect after 2 unanswered (10 minutes)
ClientAliveInterval 300
ClientAliveCountMax 2
# Refuse logins to accounts with an empty password
PermitEmptyPasswords no
```
Check the file for syntax errors with `sshd -t` before restarting, then:
```bash
systemctl restart sshd
```
Verify SSH Configuration
`sshd -T` prints the effective values after defaults and included files are applied, which is what actually counts:
```bash
sshd -T | grep -E '^(passwordauthentication|permitrootlogin|port|maxauthtries) '
```
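The grep above shows four keys; the function below, an added example that is not the page's own code, compares the whole `sshd -T` output with every value in the recommended configuration and exits with the number of findings, so it can gate a provisioning pipeline. The function name and the MISMATCH/MISSING output format are this example's own; the port is not checked because changing it is optional.

```shell
#!/usr/bin/env bash
# Added example (not from the page): check the effective sshd settings, as
# printed by `sshd -T` (one lowercase "keyword value" per line on stdin),
# against the values recommended in this guide. Exit status = findings.
#   sshd -T | check_sshd_effective
check_sshd_effective() {
    awk '
    BEGIN {
        want["passwordauthentication"]       = "no"
        want["permitrootlogin"]              = "prohibit-password"
        want["kbdinteractiveauthentication"] = "no"
        want["x11forwarding"]                = "no"
        want["maxauthtries"]                 = "3"
        want["clientaliveinterval"]          = "300"
        want["clientalivecountmax"]          = "2"
        want["permitemptypasswords"]         = "no"
        bad = 0
    }
    # OpenSSH before 8.7 prints the legacy name for keyboard-interactive auth
    $1 == "challengeresponseauthentication" { $1 = "kbdinteractiveauthentication" }
    ($1 in want) {
        seen[$1] = 1
        if ($2 != want[$1]) {
            printf "MISMATCH %s: have %s, want %s\n", $1, $2, want[$1]
            bad++
        }
    }
    END {
        # a key that never appeared means sshd is using its built-in default
        for (k in want) if (!(k in seen)) { printf "MISSING %s (want %s)\n", k, want[k]; bad++ }
        exit bad
    }'
}
```

Run it after every change to `sshd_config` or to files under `sshd_config.d`; an exit status of 0 with no output means the running daemon matches the guide.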
Monitor Access
Regularly check who has accessed your server:
```bash
# Last successful logins
last | head -20
# Failed login attempts
lastb | head -20
# SSH logs in real time (use -u ssh on Debian/Ubuntu, where the unit is named ssh)
journalctl -u sshd -f
```
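Watching `journalctl -f` scroll by does not tell you which sources are hammering the server. As an added example (not the page's own code), the functions below read sshd log lines from stdin, count failed logins per source address and keep only sources above a threshold. The sample lines are constructed for the example (203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation address ranges); the function names and the threshold default are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the page): summarise failed SSH logins per source IP
# from sshd log lines (journalctl or /var/log/auth.log format) read on stdin.
# Output: "count ip", highest first. Complements the last/lastb checks above.
#   journalctl -u ssh --since today --no-pager | failed_logins_by_ip
#   journalctl -u ssh --since today --no-pager | failed_logins_by_ip | alert_over 10
failed_logins_by_ip() {
    awk '
    # "Failed publickey" also appears when a legitimate client offers several
    # keys in turn, so judge by the count per source, not by single events
    /Failed (password|publickey|none) for/ {
        # the source address is the token after "from"
        for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
    }
    END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# Keep only sources at or above a threshold (default 5), e.g. for a daily report
alert_over() {
    awk -v t="${1:-5}" '$1 >= t'
}

# Constructed sample lines (not real log data)
SAMPLE_LOG='Mar  3 09:12:01 srv sshd[2311]: Invalid user admin from 203.0.113.5 port 51234
Mar  3 09:12:03 srv sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 09:12:07 srv sshd[2315]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 09:12:09 srv sshd[2318]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar  3 09:13:40 srv sshd[2330]: Failed publickey for deploy from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:constructedfingerprint
Mar  3 09:13:42 srv sshd[2330]: Failed password for deploy from 198.51.100.7 port 40022 ssh2
Mar  3 09:15:00 srv sshd[2340]: Accepted publickey for deploy from 192.0.2.10 port 53000 ssh2: ED25519 SHA256:constructedfingerprint'

# Demo when run as "./script demo": prints "3 203.0.113.5" then "2 198.51.100.7"
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip
fi
```

The "Invalid user" line is deliberately not counted: sshd logs it together with a "Failed password" line for the same attempt, and counting both would double every guess against a non-existent account. A source that keeps showing up here is exactly what the Fail2ban step is meant to ban automatically.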
Automatic Security Audit Tool
You can use Lynis for an automated security audit:
```bash
apt install lynis -y
lynis audit system
```
Lynis analyzes your server configuration, reports a hardening score and suggests concrete improvements.
