How to Set Up a Secure Linux Web Server from Scratch

Irfan Alam August 8, 2025 153 views

Introduction

Setting up a Linux web server is essential for hosting websites and applications. However, security is critical to protect against attacks. This step-by-step guide will teach you how to install, configure, and secure a Linux web server using open-source tools.

Step 1: Choose the Right Linux Distribution

Start by selecting a stable Linux distribution for your server. Common choices include:

  • Ubuntu Server (user-friendly and widely supported)
  • CentOS Stream (enterprise-grade stability)
  • Debian (excellent for long-term support)

Step 2: Update Your System

Once your server is up, update all packages:

sudo apt update && sudo apt upgrade -y

Regular updates fix vulnerabilities and keep your server secure.

Step 3: Set Up a New User and Disable Root Login

Running as root is dangerous. Create a new user with sudo privileges:

adduser adminuser
usermod -aG sudo adminuser

Edit the SSH configuration to disable root login:

sudo nano /etc/ssh/sshd_config
# Change:
PermitRootLogin no

Step 4: Configure a Firewall

Use UFW (Uncomplicated Firewall) to control access:

sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

Step 5: Install a Web Server

For most use cases, choose Apache or Nginx:

sudo apt install apache2 -y
# or
sudo apt install nginx -y

Step 6: Enable SSL for HTTPS

Use Let's Encrypt for free SSL certificates:

sudo apt install certbot python3-certbot-apache -y
sudo certbot --apache -d yourdomain.com

For Nginx:

sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d yourdomain.com

Step 7: Harden SSH

  • Change the default SSH port from 22 to a custom port.
  • Use key-based authentication instead of passwords.
sudo nano /etc/ssh/sshd_config
# Example:
Port 2222
PasswordAuthentication no

Step 8: Set Up Intrusion Detection

Install Fail2Ban to protect against brute-force attacks:

sudo apt install fail2ban -y

Step 9: Monitor Server Logs

Use tools like logwatch or GoAccess to monitor suspicious activity:

sudo apt install logwatch -y

Step 10: Regular Backups

Set up automated backups using rsync or a cloud-based service:

rsync -avz /var/www/ /backup/server/

Conclusion

By following these steps, you have a secure, fully functional Linux web server. Always monitor for vulnerabilities, update regularly, and implement best practices for long-term stability.