Basic Protection for Linux Servers – FastLayer Security Guide

This guide provides essential hardening practices for Linux servers. If you're hosting with FastLayer or managing your own server, following these steps will significantly reduce the risk of compromise from brute force attacks or automated scans.

1. Disable SSH Password Authentication

Allowing password login via SSH increases risk from brute force attacks. Using SSH keys is far more secure.

  1. Open SSH config file: 
    sudo nano /etc/ssh/sshd_config
  2. Find or add this line (remove # if present): 
    PasswordAuthentication no
  3. Save with Ctrl+X and confirm.
  4. Restart the SSH service: 
    sudo systemctl restart sshd
  5. ⚠️ Important: Test your SSH key login in a separate terminal before logging out. If your key is invalid or missing, you could lock yourself out.

2. Install Fail2ban – Brute-force Protection

Fail2ban monitors log files and bans IPs that show signs of malicious behavior (e.g. too many failed login attempts).

Ubuntu / Debian

sudo apt update
sudo apt install fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

CentOS / RHEL / Fedora

Make sure EPEL repository is installed:

sudo dnf install epel-release

Then install and start fail2ban:

sudo dnf install fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

You can customize jail settings via /etc/fail2ban/jail.local

3. Change the Default SSH Port (Optional)

Changing the SSH port makes automated attacks less likely (obscurity ≠ security, but it helps).

  1. Open the SSH config file: 
    sudo nano /etc/ssh/sshd_config
  2. Change this line (choose a high unused port, e.g. 48291): 
    Port 48291
  3. Restart the SSH service: 
    sudo systemctl restart sshd
  4. Open a new SSH connection using the new port: 
    ssh -p 48291 youruser@yourserver
  5. Tell Fail2ban about the new port: 
    sudo nano /etc/fail2ban/jail.d/custom.conf

    Insert:

    [sshd]
enabled = true
port = 48291

    Then restart Fail2ban:

    sudo systemctl restart fail2ban

Tip: Set this port in your ~/.ssh/config file for easier future access.

4. Setup a Basic Firewall

Use UFW (easy) or iptables (advanced) to restrict all unnecessary ports.

Quick Setup with UFW (Ubuntu/Debian)

sudo apt install ufw
sudo ufw allow 48291/tcp    # allow your custom SSH port
sudo ufw allow 80,443/tcp   # allow HTTP/HTTPS
sudo ufw enable             # activate firewall
sudo ufw status verbose     # check rules

 

FastLayer Best Practices

  • ✅ Always use strong, unique passwords for user accounts
  • ✅ Disable root SSH login if possible (PermitRootLogin no)
  • ✅ Regularly update your system (sudo apt update && sudo apt upgrade)
  • ✅ Use a monitoring tool (like Netdata, Uptime Kuma, or Zabbix)
  • ✅ Automate security updates via unattended-upgrades

Need Help?

If you have a FastLayer server and need help securing it, contact our technical support at [email protected]

Stay safe – Your FastLayer Team ❤️

Var dette svaret til hjelp? 1 brukere syntes dette svaret var til hjelp (1 Stemmer)

Mest populære

Set Up a Firewall on Linux (UFW & IPTables)

Set Up a Firewall on Linux (UFW & IPTables) | FastLayer A firewall is an essential part of...
Remote LUKS Unlock via SSH with Dropbear (Debian/Ubuntu)

Remote LUKS Unlock via SSH with Dropbear LUKS (Linux Unified Key Setup) is the standard for disk...
Install SSL with Let's Encrypt / Certbot

Install SSL with Let's Encrypt / Certbot This guide helps you configure HTTPS using free Certbot...
Configure a Firewall with UFW (Linux)

Configure a Firewall with UFW (Linux) A firewall is essential to block unauthorized access to...
Securing SSH with Key-Based Authentication

Securing SSH with Key-Based Authentication Protecting SSH access is critical for server...