DEV Community

Cover image for 5 Easy Steps to Secure your Server
Jonas Scholz
Jonas Scholz Subscriber

Posted on

5 Easy Steps to Secure your Server

Server security doesn't have to be complicated. This guide covers five essential steps to protect your cloud server from common threats and attacks. We'll walk through setting up firewalls, implementing fail2ban, configuring backups, and more.

I will use a Hetzner server for this tutorial, but the steps are similar for other providers. If you do not have a Hetzner Account yet, feel free to sign up with my referral link to get 20€ credits for free.

Let's make sure that you will not land in the news for being hacked! 😤

1. Firewall

The first thing you should always do when creating a new cloud server is creating a firewall. A firewall controls incoming and outgoing network requests to/from your server. For example, a firewall could be configured in such a way that your server has no access to the internet or that only a specific IP Address can reach your server.

The actual configuration of the firewall depends on the applications that you are running on your server. If you are running a simple website you usually have these requirements:

  • Everyone can reach the website through HTTP or HTTPS
  • The Server has full access to the internet

The first requirement is about "incoming" (or inbound) traffic. In other words, any IP address (IPv4 or IPv6) can reach your server at the ports 80 (http) and 443 (https).

In the Hetzner Dashboard it would look something like this:

Firewall Inbound Rules

Note: You would probably also want to allow SSH connections from only your IP. For this, figure out your IP address and then add an incoming rule for only this IP to TCP/22!

Our second requirement, that the server can access anything, is usually the default. In Hetzner you would not need to change anything:

Firewall Outbound Rules

2. Fail2Ban

Fail2ban is like a security guard for your server. It watches for anyone trying to break into your system by guessing passwords over and over. When it sees too many wrong guesses from a particular place, it locks them out for a while to keep your computer safe from hackers. But of course, there is no free lunch. If you need to guess your own password, you might just lock yourself out!

Anyway, you can install fail2ban very easily like this:

sudo apt-get install fail2ban
Enter fullscreen mode Exit fullscreen mode

Now you could optimize the setup further, but this is already going to be enough and keep most automated attempts giving up pretty fast!

3. Backups

I knoow, I know. No one likes to think or especially pay for backups. And if we are honest, sometimes you can live dangerously and ignore them, for example, if you only want to run a temporary dev server.

While there are many ways to do backups, the easiest one is usually just using the snapshot backups of your cloud provider. Most providers take 20% of your server price to make daily backups. If you destroy your server, simply restore it from the previous day and you should be good to go again! 🥳

Hetzner Server Backup Option

Again, this is a specific feature from Hetzner with similar ones available from Hosts such as DigitalOcean!

4. UFW

Another firewall! 🔥

UFW, which stands for Uncomplicated Firewall, is a simple tool that helps you control and manage the firewall on your computer. The same as the first firewall, it lets you decide which traffic is allowed to reach your server. The difference is that it is not part of your cloud provider's infrastructure but instead is running on your server. If you forget to enable your cloud provider's firewall (or if they do not have one), UFW will still keep your unwanted traffic out. This might sound redundant, but Defense in depth is a very important concept and can save you from human errors. Anyway, let's see how you can use it:

First, install it.

sudo apt install ufw
Enter fullscreen mode Exit fullscreen mode

We are now going to build up our firewall step by step by first denying every incoming traffic and allowing every outgoing traffic. This basically means that we can contact everyone, but no one can contact us.

sudo ufw default deny incoming
sudo ufw default allow outgoing
Enter fullscreen mode Exit fullscreen mode

If we stop now, we wouldn't be able to connect to our server anymore! This is why we now allow SSH connections, as well as http and https for our webserver. If you don't host a webserver, don't execute the last two lines :)

sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
Enter fullscreen mode Exit fullscreen mode

And finally, we are enabling the firewall and double-check if we did everything correctly!

sudo ufw enable
sudo ufw status
Enter fullscreen mode Exit fullscreen mode

5. Use SSH Keys

When creating your server you usually have 2 choices. You can either log in with a password or with an SSH key. While passwords might be the obvious choice, they are also the least secure choice! Passwords can be brute-forced, SSH keys use asymmetric encryption and (realistically) can't be brute-forced. Of course, you still need to keep your private keys safe, but that is usually a lot easier to do than with passwords! How you can use SSH keys to log in to your server depends on your Cloud Provider, here is a tutorial for Hetzner, DigitalOcean, and AWS

Conclusion

This is barely scratching the surface of security. There are many more things you can do to secure your server, but this should give you a good starting point!

If you are not doing this to learn but to get stuff done, it is maybe worth to consider other options like managed container services that take care of all the security aspects for you. I'm the Founder of Sliplane, a PaaS specifically designed for Docker. You can get started in less than 2 minutes and the first 48 hours are free, then only 7 Euros per month for an unlimited number of Docker containers :)

Deploy Docker Apps in 2 Minutes 🚀

Cheers,

Jonas

Top comments (4)

Collapse
 
wimadev profile image
Lukas Mauser

Step 6: Steal a good hardening script from the internet to take care about the finetuning (but make sure to read and understand it first 🤠)

Collapse
 
code42cate profile image
Jonas Scholz

i like the thrill of just running random scripts without checking them out first

Collapse
 
code42cate profile image
Jonas Scholz

Is there anything you think I missed? LMK here!

Collapse
 
thecodingthesi profile image
Thesi
  1. update your dependencies regularly!