In this article, I show you all the steps needed to secure a web server and improve your security. I recommend doing all of these things on every installation. Also, just because you secure your server doesn’t mean you can neglect it. I highly recommend monitoring it and adjusting security as needed. Monitoring is required for proper security in my opinion.

Secure A Web Server Steps

Install UFW

1
2
3
4
5
6

sudo apt-get update  
sudo apt-get install ufw  
sudo ufw limit 22/tcp  
sudo ufw allow 80/tcp  
sudo ufw allow 443/tcp  
sudo ufw enable

Verify
sudo ufw status

Do Global blocks

1
2

sudo ufw default deny incoming  
sudo ufw default allow outgoing

Change SSH to Key

Remote Machine: ssh-keygen -t rsa

Transfer to Server

Method 1:

Transfer pub ssh key to server

1
2

scp ~/.ssh/id_rsa.pub user@server.com:~
cat ~/id_rsa.pub >> ~/.ssh/authorized_keys

Method 2:

Copy key and place in authorized_key file in one command
ssh-copy-id -i ~/.ssh/id_rsa.pub user@server.com

Secure a Web Server Disabling Password Auth through SSH

Change the following lines in /etc/sshd_config

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
PermitRootLogin no

Edit /etc/sysctl.conf

Enable security features

Prevent IP Spoof /etc/host.conf

Change File to mirror below:

​order bind,hosts
multi on
nospoof on

Install Fail2Ban

1
2
3

sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Check Listening Ports

netstat -tunlp

You will now have completed the basics of a secure web server!

Video Walkthrough

Note: YouTube Video - Hold Ctrl + Left Click to open in new window

I live stream on Twitch and encourage you to drop in and ask a question. I regularly publish on YouTube and christitus.com, but if you need immediate assistance, check out the Terminal Cafe with Discord Invite Link.