HxHippy

New Server Hardening

First 10 minutes on a new server - essential security setup.

Last updated: 2025-01-15

Essential security steps for a freshly provisioned server.

Quick Checklist

  • Update system packages
  • Create admin user
  • Configure SSH
  • Set up firewall
  • Enable automatic updates
  • Configure fail2ban

Step 1: Update System

# Debian/Ubuntu
apt update && apt upgrade -y

# RHEL/CentOS
dnf update -y

Step 2: Create Admin User

# Create user
useradd -m -s /bin/bash admin
passwd admin

# Add to sudo group
usermod -aG sudo admin  # Debian/Ubuntu
usermod -aG wheel admin  # RHEL/CentOS

# Verify sudo works
su - admin
sudo whoami  # Should output: root

Step 3: Configure SSH Keys

# On your LOCAL machine
ssh-keygen -t ed25519 -C "admin@server"
ssh-copy-id -i ~/.ssh/id_ed25519.pub admin@server

# Test key login
ssh admin@server

# On the SERVER - disable password auth
sudo nano /etc/ssh/sshd_config

SSH Configuration

# /etc/ssh/sshd_config
# Consider changing the port
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers admin

# Restart SSH (keep your current session open until a new key login succeeds)
sudo systemctl restart sshd

Step 4: Configure Firewall

# UFW (Ubuntu/Debian)
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable
sudo ufw status

# firewalld (RHEL/CentOS)
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload

Step 5: Automatic Security Updates

# Ubuntu/Debian
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

# RHEL/CentOS
sudo dnf install dnf-automatic
sudo systemctl enable --now dnf-automatic.timer

Step 6: Install fail2ban

# Install
sudo apt install fail2ban  # Debian/Ubuntu
sudo dnf install fail2ban  # RHEL

# Configure
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

fail2ban Configuration

[sshd]
enabled = true
port = ssh
filter = sshd
# Debian/Ubuntu path; RHEL/CentOS logs SSH authentication to /var/log/secure
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600

# Start fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Step 7: Set Timezone & NTP

# Set timezone
sudo timedatectl set-timezone America/New_York

# Enable NTP
sudo timedatectl set-ntp on

Verification

# Check firewall
sudo ufw status

# Check SSH config
sudo sshd -t

# Check fail2ban
sudo fail2ban-client status

# Check updates
sudo apt list --upgradable

Post-Setup

Task                   Command
Check open ports       ss -tuln
View auth logs         sudo tail /var/log/auth.log
Check failed logins    sudo lastb
View firewall rules    sudo ufw status