How to Secure a Linux Home Server

There are plenty of reasons to set up a home server. You might use it as a media server, a file server, or even a local backup server. Basically, any files of yours that don’t need to be online are good candidates for a home server. Setting up a Linux-powered home server is relatively easy, especially these days. That said, keeping that server secure is another story altogether. Security can be as tricky as it is important.

Only Install What You Absolutely Need

One of the easiest ways to keep your home server secure is to keep security in mind from the very beginning. This starts with installation. Are you unsure if you need an application or service? Don’t install it. You can always install it later.

If you’ve installed Linux a few times, this is even easier. Instead of sticking with the defaults, use the modes that give you the most control over installation. Sometimes these are named “expert mode” or something similar.

Carefully keeping track of install options can save you time disabling services for security reasons later.

Configure sudo

Before you move on to any other steps, you need to configure sudo. Why? Because once we’re done here, you’ll log into your server via SSH, and you won’t be able to log in as the root account. To make any further changes to your system, you’ll need to use sudo.

First, check to see if you’re already able to use sudo. From your user account, run the following with your username instead of USERNAME:

sudo -lU USERNAME

If you see a message displayed stating that your username can run “(ALL) ALL,” or something similar, you’re ready to move on.

If you don’t, run the following as the root account on your server to edit the “/etc/sudoers” file. If you prefer another editor, use it instead of nano.

EDITOR=nano visudo

Edit the file to include the following, with your username instead of USERNAME:

USERNAME   ALL=(ALL) ALL

Configure SSH

You may already have SSH enabled on your home server. You likely do, in fact, as this is typically the way you interact with a server.

First, make sure OpenSSH is installed. If you use another distribution, your command will vary, but the package name should be fairly consistent. On Ubuntu, run the following:

sudo apt install openssh-server

Using key-based authentication is much more secure than password authentication, so we’ll set up SSH to work this way. To do this, make sure you’re working on a client you plan to connect to the server with, not the server itself. First, you want to make sure you don’t already have any SSH keys:

ls ~/.ssh/

If you see “id_rsa” and “id_rsa.pub” among the filenames listed, you already have SSH keys and can skip this next step. Otherwise, generate a new key pair:

ssh-keygen -t rsa -b 4096 -C "youremail@domain.com"

Now you’ll copy the SSH key to your server:

ssh-copy-id USERNAME@SERVER

For a home server, you will likely be using an IP address for your server instead of a name. If you don’t know your server name, use the server’s IP address instead of SERVER above.

Now we’ll edit your SSH settings to secure them more. Log into your server from the client on which you created the keys. This will enable you to log in again after this step. Run the following, replacing nano with the editor of your choice.

sudo nano /etc/ssh/sshd_config

Edit the file so that it contains the following settings. These will be located in various places in the file. Make sure there are no duplicates, as only the first instance of a setting will be followed.

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
PermitRootLogin no
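
Because only the first instance of a setting is followed, a leftover "yes" higher up in the file silently overrides the "no" you add below it. The following check is an added example, not part of the original article: it reports the first value and the number of occurrences of each of the four settings in a file. The function names and the sample file are constructed for illustration, and it reads only the global section (it does not follow Include files or Match blocks).

```shell
# Added example (not from the original article): audit the four settings above
# in an sshd_config-style file, honouring "first instance wins".

# Constructed sample: PasswordAuthentication is set twice, "yes" comes first.
sample_config() {
    cat <<'EOF'
# constructed sample, not a real server's file
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM no
PasswordAuthentication no
EOF
}

# setting_state FILE KEYWORD: print "<first value> <times set>" for KEYWORD.
setting_state() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }       # skip comments and blank lines
        tolower($1) == "match" { exit }      # stop at the first Match block
        tolower($1) == tolower(key) { if (!n++) first = tolower($2) }
        END { if (!n) first = "unset"; print first, n + 0 }' "$1"
}

# audit_sshd_config FILE: one line per setting; returns 1 on any FAIL or WARN.
audit_sshd_config() {
    rc=0
    for key in ChallengeResponseAuthentication PasswordAuthentication UsePAM PermitRootLogin; do
        state=$(setting_state "$1" "$key"); val=${state% *}; n=${state#* }
        if [ "$val" != "no" ]; then
            echo "FAIL $key effective=$val"; rc=1
        elif [ "$n" -gt 1 ]; then
            echo "WARN $key set $n times, only the first is used"; rc=1
        else
            echo "OK   $key no"
        fi
    done
    return "$rc"
}

tmp=$(mktemp) && sample_config > "$tmp"
audit_sshd_config "$tmp" || true
rm -f "$tmp"
```

On the server itself, point audit_sshd_config at /etc/ssh/sshd_config. In addition, sudo sshd -t checks the file for syntax errors and sudo sshd -T prints the configuration the daemon will actually use, which is worth reviewing before you restart.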

Now you need to restart the SSH server for the changes to take effect.

On Ubuntu, run:

sudo systemctl restart ssh

Configure a Firewall

Depending on the services you’re running and how much your server connects to the Internet, you may want to run a firewall. There are a few options for this, but the tried and true method on Linux is iptables.

Setting up iptables is beyond the scope of this article, but don’t worry. We have a complete guide to configuring iptables on your machine.

Another, easier way to set up a firewall is to use ufw. You can install it with the command:

sudo apt install ufw

By default, it will block all ports. To allow web and SSH access, run the following ufw commands to open up ports 80, 443, and 22:

sudo ufw allow 80
sudo ufw allow 443
sudo ufw allow 22

And lastly, enable the ufw service:

sudo ufw enable

Stay Up to Date

Servers can be easy to forget about if they just work, but this can be dangerous. Make sure to keep your software up to date. You can use unattended upgrades, but these can be unpredictable. The safest way is to schedule a regular weekly or monthly server maintenance appointment to make sure everything is up to snuff.

Where to Go from Here

Now you have a good start on keeping your server protected from outside threats. What if you need to access your server when you’re away from home, though? Every door you open could potentially be used by an attacker, and every open port increases your vulnerability.

One of the easiest ways to access your home network from outside is to use a VPN, which is outside the scope of this article, but don’t worry, we have you covered. Take a look at our list of the best secure VPN services available for an idea of what your options are.


Kris Wouk

Kris Wouk is a writer, musician, and whatever it’s called when someone makes videos for the web.
