Sign in Subscribe

Essential Steps to Secure Your New Freshly Installed Server

This guide provides a clear, actionable checklist to build a strong security foundation for your new Linux machine. These aren't just suggestions; they are the essential first steps every system administrator must take.

Arpan Sen

4 min read
Essential Steps to Secure Your New Freshly Installed Server

So, you've just deployed a new server (maybe it's on DigitalOcean?). It's a clean slate—fast, responsive, and brimming with potential. It's also completely exposed. Default configurations for cloud servers are designed for accessibility, not security. They're an open invitation for automated bots and malicious actors scanning the internet for easy targets.

Leaving your server in its default state is like leaving your front door wide open. This guide provides a clear, actionable checklist to build a strong security foundation for your new Linux machine. These aren't just suggestions; they are the essential first steps every system administrator must take.

Prerequisites

Before we start, let's make sure you have everything you need. This guide assumes you have:

  • A new Linux server: We'll use commands that are compatible with Ubuntu 24.04 or Debian 12, but the principles apply to most distributions.
  • Root access via SSH: You should be able to log in as the root user initially.
  • A terminal client: You'll need a way to connect to your server, like the built-in terminal on macOS/Linux or PuTTY on Windows.

To check which operating system and version you're running, log into your server and run one of these commands:

lsb_release -a

Or, for a more detailed output:

cat /etc/os-release

This will confirm your OS, ensuring the following commands work as expected.

Step 1: Update Your System

The very first thing you should do on any new system is update its software packages. This single step patches known vulnerabilities that attackers could exploit.

Connect to your server as the root user and run the following command:

sudo apt update && sudo apt upgrade -y
  • apt update refreshes your package list with the latest available versions.
  • apt upgrade -y installs the updates without prompting you for confirmation.

Step 2: Create a Sudo User

Operating directly as the root user is extremely risky. A single typo can destroy your system. Best practice is to create a limited user account and grant it administrative privileges using the sudo command.

Grant administrative privileges by adding the new user to the sudo group:

usermod -aG sudo yourname

Create a new user (replace yourname with your desired username):

adduser yourname

You'll be prompted to create a strong password and fill in some optional user information.

Now, log out of your root session and log back in with your new user account. From now on, you'll preface administrative commands with sudo.

Step 3: Harden SSH Access

Your SSH port is the main door to your server. Let's replace the flimsy default lock with a vault door by enabling key-based authentication and disabling passwords.

Set Up SSH Key Authentication

This method is far more secure than using a password. You generate a cryptographic key pair: a private key that stays on your computer and a public key that you place on the server.

Copy your public key to the server. The easiest way is with the ssh-copy-id utility. Replace yourname and your_server_ip:

ssh-copy-id yourname@your_server_ip

If you don't have ssh-copy-id (common on Windows), you'll have to copy the contents of your ~/.ssh/id_rsa.pub file from your local machine and manually paste it into the ~/.ssh/authorized_keys file on your server.

On your local machine (not the server), generate a key pair if you don't already have one:

ssh-keygen -t rsa -b 4096

Press Enter to accept the default file location and options. You can optionally set a passphrase for an extra layer of security.

Disable Password and Root Login

Now that you can log in with your SSH key, you can disable the less secure login methods.

    • PermitRootLogin no: This completely disables the ability to log in as the root user via SSH, forcing attackers to guess your new username.
    • PasswordAuthentication no: This disables password-based logins, forcing everyone (including you) to use a more secure SSH key.

Save the file (Ctrl+X, then Y, then Enter) and restart the SSH service to apply the changes:

sudo systemctl restart sshd

Find and modify the following lines. You may need to uncomment them (remove the #).

PermitRootLogin no
PasswordAuthentication no

Edit the SSH configuration file on your server:

sudo nano /etc/ssh/sshd_config

Important: Before you log out, open a new terminal window and test that you can still log in with your new user and SSH key. If something went wrong, you still have your old session open to fix it!

Step 4: Implement a Firewall

A firewall is your server's first line of defense against network-based attacks. It controls incoming and outgoing traffic, blocking anything you haven't explicitly allowed. ufw (Uncomplicated Firewall) is a user-friendly tool for this.

Check the status:

sudo ufw status

This will show you the active rules, confirming that your firewall is running and configured correctly.

Enable the firewall:

sudo ufw enable

It will warn you that this may disrupt existing connections. Type y and press Enter.

Allow essential services. You need to allow SSH traffic, or you'll lock yourself out. If you're running a web server, you'll need to allow HTTP and HTTPS as well.

# Allow SSH connections
sudo ufw allow 'OpenSSH'

# (Optional) Allow web traffic
sudo ufw allow 'WWW Full'

Step 5: Install Fail2ban

Even with a strong password policy (or none at all), your server will be hammered by bots trying to guess login credentials. Fail2ban is a utility that monitors log files for malicious patterns—like repeated failed login attempts—and temporarily bans the offending IP addresses.

  1. That's it! Fail2ban starts automatically upon installation and comes with a pre-configured jail for SSH. It's already protecting you.

You can check its status to ensure it's running:

sudo systemctl status fail2ban

Install Fail2ban:

sudo apt install fail2ban

Fail2ban is highly customizable, but its default settings provide a massive security boost right out of the box.

Conclusion: Security is a Process

Congratulations! By following these five steps, you've transformed your server from a vulnerable target into a hardened machine. You've:

  • Patched known vulnerabilities.
  • Removed the risk of using the root account.
  • Secured SSH with key-based authentication.
  • Blocked unwanted traffic with a firewall.
  • Automated defense against brute-force attacks.

This is a fantastic start, but remember that security is an ongoing process, not a one-time setup. Your work isn't done forever.

A great next step? Set up automated backups. A secure server is great, but a secure server with reliable backups is invincible. Stay vigilant, keep learning, and keep your systems safe.