Category: Server Security

  • 🔒 How to Secure Your Linux Server with Basic Firewall and SSH Hardening

    Securing your Linux server is critical to protect your data, applications, and infrastructure from unauthorized access and attacks. Two foundational steps to improve your server security are configuring a firewall and hardening SSH (Secure Shell) access.

    In this guide, we’ll walk you through easy, effective measures to secure your Linux server — ideal for beginners and those managing VPS or dedicated servers.


    1. Set Up a Basic Firewall Using UFW

    UFW (Uncomplicated Firewall) is a user-friendly firewall tool commonly available on Ubuntu and Debian-based systems.

    Step 1: Check Whether UFW Is Installed

    • sudo ufw status

    If it’s not installed, install it:

    • sudo apt install ufw -y

    Step 2: Allow SSH Connections

    Before enabling the firewall, allow SSH to avoid locking yourself out:

    • sudo ufw allow ssh

    Alternatively, if you use a custom SSH port (e.g., 2222):

    • sudo ufw allow 2222/tcp

    Step 3: Allow HTTP and HTTPS (For Web Servers)

    • sudo ufw allow http
    • sudo ufw allow https

    Step 4: Enable UFW

    • sudo ufw enable

    Step 5: Verify Firewall Status

    • sudo ufw status verbose

    2. Harden SSH Access

    SSH is your gateway to the server, so securing it is vital.

    Step 1: Change Default SSH Port (Optional but Recommended)

    Edit SSH config file:

    • sudo nano /etc/ssh/sshd_config

    Find the line:

    • #Port 22

    Uncomment and change 22 to another port number (e.g., 2222):

    • Port 2222

    Save and exit (Ctrl+O, Enter, Ctrl+X).

    Restart SSH service:

    • sudo systemctl restart sshd

    Remember to update your firewall rule if you changed the port:

    • sudo ufw allow 2222/tcp

    Step 2: Disable Root Login via SSH

    In the same SSH config file (/etc/ssh/sshd_config), find:

    • PermitRootLogin yes

    Change it to:

    • PermitRootLogin no

    Save and restart SSH service again.


    Step 3: Use SSH Key Authentication

    SSH keys are more secure than passwords.

    Generate an SSH key pair on your local machine:

    • ssh-keygen -t rsa -b 4096

    Copy the public key to your server:

    • ssh-copy-id -p 2222 username@your_server_ip

    Replace 2222 with your SSH port if changed.


    Step 4: Disable Password Authentication

    Once SSH keys work, disable password login for SSH.

    Edit /etc/ssh/sshd_config:

    • PasswordAuthentication no

    Save and restart SSH:

    • sudo systemctl restart sshd
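    The sshd_config edits from Steps 1 to 4 above, as an added example (not from the original guide): a POSIX shell script that applies them idempotently and syntax-checks the file with sshd -t before the restart, which is the check that keeps a typo from locking you out. The apply_live function assumes Debian/Ubuntu paths (/usr/sbin/sshd, ufw) and root; the demo at the end touches only a constructed temporary file, never the live config.

```shell
# Added example (not part of the original guide): apply the sshd_config
# settings from Steps 1-4 idempotently and validate the file before restarting
# sshd, so a typo cannot lock you out. apply_live assumes Debian/Ubuntu paths.
set -eu

# set_sshd_option FILE KEY VALUE: rewrite an existing "Key ..." or "#Key ..."
# line to "Key Value", or append one, so repeated runs never add duplicates.
set_sshd_option() {
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$2[[:space:]]" "$1"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$2[[:space:]].*|$2 $3|" "$1"
    else
        printf '%s %s\n' "$2" "$3" >> "$1"
    fi
}

# get_sshd_option FILE KEY: print the first effective (uncommented) value
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd FILE PORT: the settings the guide changes, in one place
harden_sshd() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PasswordAuthentication no
}

# apply_live PORT (run as root): open the new port in UFW first, edit the live
# config, syntax-check it with sshd -t, and only then restart. Keep the current
# session open and confirm a fresh key login works before closing it.
apply_live() {
    ufw allow "$1"/tcp
    harden_sshd /etc/ssh/sshd_config "$1"
    /usr/sbin/sshd -t          # non-zero exit aborts (set -e) before the restart
    systemctl restart sshd
}

# Demo on a constructed copy resembling a stock sshd_config, not the live file.
demo_file=$(mktemp)
printf '%s\n' '#Port 22' 'PermitRootLogin yes' '#PasswordAuthentication yes' > "$demo_file"
harden_sshd "$demo_file" 2222
```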

    3. Additional Security Tips

    Keep your system updated:

    • sudo apt update && sudo apt upgrade -y

    Install Fail2Ban to block suspicious IPs:

    • sudo apt install fail2ban -y

    Regularly review SSH login attempts:

    • sudo tail -f /var/log/auth.log

    Final Thoughts

    Basic firewall setup and SSH hardening are vital first steps to secure your Linux server. These measures help prevent unauthorized access and reduce attack surfaces — keeping your data and apps safe.

    For a more streamlined, automated experience, consider VavenCloud’s managed VPS services, where security best practices come pre-configured with continuous monitoring and support.

  • Setup Wireguard VPN on Ubuntu

    WireGuard is a communication protocol and free and open-source software that implements encrypted virtual private networks, and was designed with the goals of ease of use, high speed performance, and low attack surface.

    Server Side Setup:

    • Step 1 – Installing WireGuard
    $ sudo apt update
    $ sudo apt install wireguard -y
    • Step 2 – Generating a key pair and configuring the WireGuard server
    $ sudo -i
    $ cd /etc/wireguard/
    $ umask 077; wg genkey | tee privatekey | wg pubkey > publickey
    $ ls -l privatekey publickey
    $ cat privatekey
    $ cat publickey
    $ sudo vim /etc/wireguard/wg0.conf
    • Server wg0.conf file code
    # local settings for WireGuard Server
    [Interface]
    PrivateKey = ABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBFA=
    # server wg0 tunnel address; must differ from every peer's AllowedIPs
    Address = 10.0.0.1/32
    ListenPort = 51820
    
    # IP forwarding
    PreUp = sysctl -w net.ipv4.ip_forward=1
    # IP masquerading (every rule added in PreUp is deleted again in PostDown)
    PreUp = iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x30
    PreUp = iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
    PostDown = iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-mark 0x30
    PostDown = iptables -t nat -D POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
    
    # firewall local host from wg peers
    PreUp = iptables -A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    PreUp = iptables -A INPUT -i wg0 -j REJECT
    PostDown = iptables -D INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    PostDown = iptables -D INPUT -i wg0 -j REJECT
    # firewall wg peers from other hosts
    PreUp = iptables -A FORWARD -o wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    PreUp = iptables -A FORWARD -o wg0 -j REJECT
    PostDown = iptables -D FORWARD -o wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    PostDown = iptables -D FORWARD -o wg0 -j REJECT
    
    # remote settings for Justin's Workstation
    [Peer]
    PublicKey = ABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBFA=
    # must match the Address in the client's wg0.conf
    AllowedIPs = 10.0.0.2/32
    • Note
      1. Replace the PrivateKey value with the private key you generated on the server, and the PublicKey value with the public key that will be generated during the client-side setup.
      2. Make sure the Address value uses the address range of your VPC.
      3. Change the AllowedIPs value to the address assigned to the client.
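    An added example, not part of the original guide or of the WireGuard project: a small shell lint for a wg0.conf that catches the two things easiest to get wrong in the server file above, an Address that is also a peer's AllowedIPs, and a PreUp iptables rule with no matching PostDown delete (which leaves stale rules behind after wg-quick takes the interface down). The sample config at the end is constructed with placeholder keys and deliberately contains both mistakes.

```shell
# Added example, not part of the original guide: a lint for wg0.conf that flags
# two mistakes the server configuration above invites: the interface Address
# colliding with a peer's AllowedIPs, and an iptables rule added in PreUp/PostUp
# with no matching delete in PostDown/PreDown (stale rules after wg-quick down).
set -eu

# conf_value FILE KEY: print every value of KEY, comments and padding removed
conf_value() {
    sed -n -e 's/#.*//' -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//'
}

# Succeeds when no peer AllowedIPs entry equals the interface Address.
check_address_collision() {
    addr=$(conf_value "$1" Address)
    for ip in $(conf_value "$1" AllowedIPs | tr ',' ' '); do
        [ "$ip" = "$addr" ] && return 1
    done
    return 0
}

# Succeeds when every "iptables -A ..." in PreUp/PostUp reappears with -D in
# PostDown/PreDown (plain text comparison, order-insensitive).
check_rule_symmetry() {
    ups=$( { conf_value "$1" PreUp; conf_value "$1" PostUp; } | grep iptables | sed 's/ -A / -D /' | sort)
    downs=$( { conf_value "$1" PostDown; conf_value "$1" PreDown; } | grep iptables | sort)
    [ "$ups" = "$downs" ]
}

lint_wg_conf() {
    check_address_collision "$1" || { echo "Address is also a peer's AllowedIPs"; return 1; }
    check_rule_symmetry "$1" || { echo "PreUp/PostDown iptables rules do not match"; return 1; }
}

# Constructed sample with placeholder keys: Address and peer AllowedIPs are
# both 10.0.0.1/32, and the INPUT REJECT rule has no PostDown counterpart.
bad_conf=$(mktemp)
cat > "$bad_conf" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_SERVER_PRIVATE_KEY=
Address = 10.0.0.1/32
PreUp = iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
PreUp = iptables -A INPUT -i wg0 -j REJECT
[Peer]
PublicKey = PLACEHOLDER_CLIENT_PUBLIC_KEY=
AllowedIPs = 10.0.0.1/32
EOF
lint_wg_conf "$bad_conf" || echo "lint failed as expected"
```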

    • Step 3 – Start, stop and check the status of the WireGuard server
    $ sudo systemctl start wg-quick@wg0
    $ sudo systemctl stop wg-quick@wg0
    $ sudo systemctl status wg-quick@wg0
    • Verify the server connection
    $ sudo wg
    $ ifconfig wg0
    • Step 4 – Open custom UDP port 51820 in the VPN server's AWS security group

    Client Side Setup:

    • Step 1 – Installing WireGuard
    $ sudo apt update
    $ sudo apt install wireguard -y
    • Step 2 – Generating a key pair and configuring the WireGuard client
    $ sudo -i
    $ cd /etc/wireguard/
    $ umask 077; wg genkey | tee privatekey | wg pubkey > publickey
    $ ls -l privatekey publickey
    $ cat privatekey
    $ cat publickey
    $ sudo vim /etc/wireguard/wg0.conf
    • Client wg0.conf file code
    # local settings for Workstation
    [Interface]
    PrivateKey = cNNHgtsXZXG0cJ7lL5mfEBL3fDaZM6hKNePQu0jCTkU= # private key of the client
    Address = 10.0.0.2/32  # client wg0 ip address
    
    # remote settings for WireGuard Server
    [Peer]
    # server public key
    PublicKey = FDpMPkKH9ldTeipFZB08bizAnbSgWP/lmmgXQMTRil4=
    Endpoint = 3.18.54.161:51820 # serverip:port
    AllowedIPs = 10.10.0.0/16 # server VPC ip range
    • Step 3 – Start, stop and check the status of the WireGuard client
    $ sudo systemctl start wg-quick@wg0
    $ sudo systemctl stop wg-quick@wg0
    $ sudo systemctl status wg-quick@wg0
    • Verify the connection to the server
    $ sudo wg
    $ ifconfig wg0