Server security doesn't have to be complicated. This guide covers five essential steps to protect your cloud server from common threats and attacks. We'll walk through setting up firewalls, implementing fail2ban, configuring backups, and more.
I will use a Hetzner server for this tutorial, but the steps are similar for other providers. If you do not have a Hetzner Account yet, feel free to sign up with my referral link to get 20€ credits for free.
Let's make sure that you will not land in the news for being hacked! 😤
1. Firewall
The first thing you should always do when creating a new cloud server is create a firewall. A firewall controls incoming and outgoing network requests to/from your server. For example, a firewall could be configured in such a way that your server has no access to the internet or that only a specific IP address can reach your server.
The actual configuration of the firewall depends on the applications that you are running on your server. If you are running a simple website you usually have these requirements:
- Everyone can reach the website through HTTP or HTTPS
- The server has full access to the internet
The first requirement is about "incoming" (or inbound) traffic. In other words, any IP address (IPv4 or IPv6) can reach your server on ports 80 (HTTP) and 443 (HTTPS).
Note: You would probably also want to allow SSH connections from only your IP. For this, figure out your IP address and then add an incoming rule for only this IP to TCP/22!
Our second requirement, that the server can access anything, is usually the default. In Hetzner you would not need to change anything.
2. Fail2Ban
Fail2ban is like a security guard for your server. It watches for anyone trying to break into your system by guessing passwords over and over. When it sees too many wrong guesses from a particular place, it locks them out for a while to keep your computer safe from hackers. But of course, there is no free lunch. If you need to guess your own password, you might just lock yourself out!
Anyway, you can install fail2ban very easily like this:
sudo apt-get install fail2ban
Now you could optimize the setup further, but this is already enough to make most automated attempts give up pretty fast!
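To make the "too many wrong guesses" idea concrete, here is an added example (not part of fail2ban and not from the original post) that counts failed SSH password attempts per source address and lists the addresses that reach a threshold. The log lines are constructed, the function name `would_ban` and the threshold of 5 are assumptions, and unlike fail2ban it ignores the time window.

```shell
# Constructed sample of sshd lines in the style of /var/log/auth.log.
# Addresses come from the RFC 5737 documentation ranges.
sample_log() {
cat <<'EOF'
Jan 10 03:12:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jan 10 03:12:03 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jan 10 03:12:05 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Jan 10 03:12:09 web1 sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 40131 ssh2
Jan 10 03:12:11 web1 sshd[1209]: Failed password for root from 203.0.113.7 port 40140 ssh2
Jan 10 03:15:42 web1 sshd[1300]: Failed password for alice from 198.51.100.23 port 51822 ssh2
Jan 10 03:15:50 web1 sshd[1300]: Accepted password for alice from 198.51.100.23 port 51822 ssh2
Jan 10 03:20:00 web1 sshd[1350]: Accepted publickey for deploy from 192.0.2.10 port 60001 ssh2
EOF
}

# would_ban MAXRETRY: read sshd log lines on stdin and print "IP COUNT" for
# every source address with at least MAXRETRY failed password attempts.
would_ban() {
    awk -v max="$1" '
        # "... from <ip> port <n> ssh2": count fields from the END of the
        # line, because the user name in the middle is chosen by the client.
        /sshd\[[0-9]+\]: Failed password for / && $(NF - 4) == "from" {
            fails[$(NF - 3)]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= max) print ip, fails[ip]
        }' | sort
}

# One mistyped password (198.51.100.23) stays under the threshold;
# the address that guessed five times is listed.
sample_log | would_ban 5
```

This also shows the lock-out risk mentioned above: a legitimate user who mistypes a password often enough ends up in the same list.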
3. Backups
I know, I know. No one likes to think about backups, let alone pay for them. And if we are honest, sometimes you can live dangerously and ignore them, for example, if you only want to run a temporary dev server.
While there are many ways to do backups, the easiest one is usually just using the snapshot backups of your cloud provider. Most providers take 20% of your server price to make daily backups. If you destroy your server, simply restore it from the previous day and you should be good to go again! 🥳
Again, this is a specific feature from Hetzner, with similar ones available from hosts such as DigitalOcean!
4. UFW
Another firewall! 🔥
UFW, which stands for Uncomplicated Firewall, is a simple tool that helps you control and manage the firewall on your computer. Like the first firewall, it lets you decide which traffic is allowed to reach your server. The difference is that it is not part of your cloud provider's infrastructure but instead runs on your server. If you forget to enable your cloud provider's firewall (or if they do not have one), UFW will still keep unwanted traffic out. This might sound redundant, but defense in depth is a very important concept and can save you from human errors. Anyway, let's see how you can use it:
First, install it.
sudo apt install ufw
We are now going to build up our firewall step by step, first denying all incoming traffic and allowing all outgoing traffic. This basically means that we can contact everyone, but no one can contact us.
sudo ufw default deny incoming
sudo ufw default allow outgoing
If we stop now, we wouldn't be able to connect to our server anymore! This is why we now allow SSH connections, as well as http and https for our webserver. If you don't host a webserver, don't execute the last two lines :)
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
And finally, we enable the firewall and double-check that we did everything correctly!
sudo ufw enable
sudo ufw status
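The final double-check can be scripted. The following is an added example (not from the original post): it reads `ufw status` output and reports a firewall that is off or any ALLOW rule outside the ports you meant to open. The status text is constructed, including a leftover rule for port 5432, and the function name `audit_ufw` is an assumption.

```shell
# Constructed `ufw status` output: the three rules from this guide plus a
# leftover rule for 5432 that was never meant to be public.
sample_status() {
cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443                        ALLOW       Anywhere
5432/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
5432/tcp (v6)              ALLOW       Anywhere (v6)
EOF
}

# audit_ufw "22 80 443": read `ufw status` on stdin. Print INACTIVE if the
# firewall is not active, and UNEXPECTED <port> once for each ALLOW rule
# whose port is not in the given list. No output means the check passed.
audit_ufw() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^Status:/ { if ($2 == "active") active = 1 }
        / ALLOW / {
            port = $1
            sub(/\/.*/, "", port)          # "22/tcp" -> "22"
            if (!(port in ok) && !(port in seen)) {
                seen[port] = 1             # report IPv4/IPv6 pair only once
                print "UNEXPECTED", port
            }
        }
        END { if (!active) print "INACTIVE" }'
}

# Expected ports for the web server set up in this guide.
sample_status | audit_ufw "22 80 443"
```

On a real server, pipe the live output in instead: `sudo ufw status | audit_ufw "22 80 443"`.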
5. Use SSH Keys
When creating your server you usually have two choices: you can log in either with a password or with an SSH key. While passwords might be the obvious choice, they are also the least secure choice! Passwords can be brute-forced, whereas SSH keys use asymmetric encryption and (realistically) can't be brute-forced. Of course, you still need to keep your private keys safe, but that is usually a lot easier to do than with passwords! How you use SSH keys to log in to your server depends on your cloud provider; there are tutorials for Hetzner, DigitalOcean, and AWS.
Conclusion
This is barely scratching the surface of security. There are many more things you can do to secure your server, but this should give you a good starting point!
If you are not doing this to learn but to get stuff done, it may be worth considering other options like managed container services that take care of all the security aspects for you. I'm the founder of Sliplane, a PaaS specifically designed for Docker. You can get started in less than 2 minutes and the first 48 hours are free, then only 7 Euros per month for an unlimited number of Docker containers :)
Cheers,
Jonas
Top comments (4)
Step 6: Steal a good hardening script from the internet to take care of the fine-tuning (but make sure to read and understand it first 🤠)
I like the thrill of just running random scripts without checking them out first
Is there anything you think I missed? LMK here!