This article describes several steps you can take to help secure a semi-managed server.
A semi-managed server provides you with total flexibility. Because you have root access to the server, you can install whatever you want, configure it however you want, and run it however you want.
With this freedom comes additional administration tasks, however, and one of the most important of these is security. If you do not take steps to secure your server, you leave it open to attack by malicious actors. A minor attack could be just an annoyance, while a major attack could result in the loss of your entire server configuration and data.
Therefore, it is very important that you try to secure your server as much as possible. The following recommendations can help you do this.
Weak passwords can undermine the most carefully configured server. Good security practices start with using strong passwords. For information about how to choose strong passwords, please see this article.
The root account is all-powerful, so one of the first things you should do on a new semi-managed server is create a normal user account and disable root SSH access. For information about how to do this, please see this article.
Security vulnerabilities are constantly being discovered and patched. (One well-publicized example is the “Heartbleed” OpenSSL vulnerability that was disclosed in April 2014.) Maintaining an up-to-date server with the latest patches and fixes is crucial to maintaining a more secure server.
For information about how to install updates on a semi-managed server, please see this article.
A firewall enables you to control incoming and outgoing network packets. For example, you can specify rules that block all incoming packets on port 25, or all outgoing packets to a certain port or host.
The fail2ban program helps secure your server against unauthorized access attempts by monitoring log files for suspicious activity. After a predefined number of failed access attempts from an IP address, fail2ban automatically blocks it.
For information about how to set up fail2ban on your server, please see this article.