How to Set Up a Secure Linux Web Server from Scratch
Introduction
Setting up a Linux web server is essential for hosting websites and applications. However, security is critical to protect against attacks. This step-by-step guide will teach you how to install, configure, and secure a Linux web server using open-source tools.
Step 1: Choose the Right Linux Distribution
Start by selecting a stable Linux distribution for your server. Common choices include:
- Ubuntu Server (user-friendly and widely supported)
- CentOS Stream (enterprise-grade stability)
- Debian (excellent for long-term support)
Step 2: Update Your System
Once your server is up, update all packages:
sudo apt update && sudo apt upgrade -y
Regular updates fix vulnerabilities and keep your server secure.
Step 3: Set Up a New User and Disable Root Login
Running as root is dangerous. Create a new user with sudo privileges:
adduser adminuser
usermod -aG sudo adminuser
Edit the SSH configuration to disable root login:
sudo nano /etc/ssh/sshd_config
# Change:
PermitRootLogin no
Step 4: Configure a Firewall
Use UFW (Uncomplicated Firewall) to control access:
sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
Step 5: Install a Web Server
For most use cases, choose Apache or Nginx:
sudo apt install apache2 -y
# or
sudo apt install nginx -y
Step 6: Enable SSL for HTTPS
Use Let's Encrypt for free SSL certificates:
sudo apt install certbot python3-certbot-apache -y
sudo certbot --apache -d yourdomain.com
For Nginx:
sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d yourdomain.com
Step 7: Harden SSH
- Change the default SSH port from 22 to a custom port.
- Use key-based authentication instead of passwords.
sudo nano /etc/ssh/sshd_config
# Example:
Port 2222
PasswordAuthentication no
Step 8: Set Up Intrusion Detection
Install Fail2Ban to protect against brute-force attacks:
sudo apt install fail2ban -y
Step 9: Monitor Server Logs
Use tools like logwatch or GoAccess to monitor suspicious activity:
sudo apt install logwatch -y
Step 10: Regular Backups
Set up automated backups using rsync or a cloud-based service:
rsync -avz /var/www/ /backup/server/
Conclusion
By following these steps, you have a secure, fully functional Linux web server. Always monitor for vulnerabilities, update regularly, and implement best practices for long-term stability.