
Basic Precautions to Implement to Increase Your Server Security

The security steps you take before opening your servers to the internet form the basis of your long-term protection against attacks.
In this guide, you'll find truly actionable, self-explanatory security steps for beginners and experts alike.

🧠 What Will You Learn in This Guide?

  • Secure login with SSH key
  • Completely disabling root login
  • Firewall configuration + reducing the attack surface
  • Private network isolation with VPC
  • Creating secure tunnels with VPN
  • Analyzing running services with ss
  • Automatic security updates
  • Understanding internal PKI logic

🛡️ 1. Secure Access with SSH Keys

SSH keys allow you to log in to your server with a cryptographic key instead of a password.
This makes brute-force password attacks almost 100% ineffective.

✔ Why is it important?
  • Passwords can be guessed, keys cannot.
  • You can turn off password entry completely.
  • Keys are hundreds of bits long (very difficult to break).
  • An attacker cannot try passwords → your server is quieter and more secure.

🔧 1.1 Generating SSH Key

ssh-keygen -t rsa -b 4096

Description: This command creates a 4096-bit RSA key pair. id_rsa is the private key, id_rsa.pub is the public key.

🔧 1.2 Adding the Public Key to the Server


ssh-copy-id kullanici@sunucu-ip

Description: Adds your public key to the remote server's ~/.ssh/authorized_keys file, so you can log in without entering a password. Replace kullanici with your username and sunucu-ip with your server's IP address.

🔧 1.3 Disabling Root User's SSH Login


sudo nano /etc/ssh/sshd_config

Find the PermitRootLogin line and change it to:


PermitRootLogin no

Then restart the SSH service:


sudo systemctl restart sshd

Description: Disabling root login makes it very difficult to take over the server, because an attacker cannot log in as root directly.
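A check for the edit above, as an added example that is not part of the original guide: it reads an sshd_config file and reports whether PermitRootLogin and PasswordAuthentication (the setting named in the FAQ) are really set to no. The function names and the sample config are constructed for illustration; the fallback values are the OpenSSH defaults.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): check an sshd_config file for
# PermitRootLogin no and PasswordAuthentication no.
# sshd keeps the FIRST value it reads for a keyword, keywords are case-insensitive,
# and lines after a "Match" line apply only conditionally, so a plain grep can mislead.
# Assumption: whitespace-separated "Keyword value" lines; Include files are not followed.

# effective_sshd_value FILE KEYWORD DEFAULT -> prints the global value, or DEFAULT if unset
effective_sshd_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
        NF == 0 || $1 ~ /^#/ { next }             # blank lines and comments
        { key = tolower($1) }
        key == "match" { exit }                    # conditional blocks are not global
        key == want { print tolower($2); found = 1; exit }   # first occurrence wins
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE -> exit status 0 only if root login and password login are both off
audit_sshd() {
    audit_rc=0
    root_val=$(effective_sshd_value "$1" PermitRootLogin prohibit-password)
    pass_val=$(effective_sshd_value "$1" PasswordAuthentication yes)
    [ "$root_val" = "no" ] || { echo "FAIL PermitRootLogin=$root_val (want no)"; audit_rc=1; }
    [ "$pass_val" = "no" ] || { echo "FAIL PasswordAuthentication=$pass_val (want no)"; audit_rc=1; }
    if [ "$audit_rc" -eq 0 ]; then echo "OK root and password logins are disabled"; fi
    return "$audit_rc"
}

# Constructed sample config, not taken from a real host.
sample_sshd_config() {
    cat <<'EOF'
Port 22
permitrootlogin no
PermitRootLogin yes
# The next line is commented out, so the default (yes) still applies:
#PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
EOF
}

tmp_cfg=$(mktemp)
sample_sshd_config > "$tmp_cfg"
audit_sshd "$tmp_cfg" || true    # prints: FAIL PasswordAuthentication=yes (want no)
rm -f "$tmp_cfg"
```

On a live server, sudo sshd -t validates the file before you restart the service, and sudo sshd -T prints the effective configuration, including any Include files this sketch does not follow.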


🔥 2. Firewall Configuration

A firewall is the main security layer that regulates traffic to and from your server.

✔ Why is it important?

  • It closes all unnecessary ports.
  • It leaves open only the ports you allow.
  • It reduces the attack surface.

🔧 2.1 Basic Port Opening with UFW


sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

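Description: These commands open the SSH, HTTP and HTTPS ports and then enable the firewall. Other ports are automatically blocked, because UFW's default policy denies all other incoming connections.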


🏢 3. Network Isolation (VPC)

VPC creates a private network and completely separates traffic between servers from the internet.

✔ Advantages

  • Traffic does not go to the internet → the risk of eavesdropping decreases to zero
  • Services such as databases, cache and backend operate off the internet.
  • Only the ingress gateways you specify are exposed to the internet.

Result: Your servers behave as if they were in a private VLAN, even if they are physically located in different locations.


🔐 4. Creating a Secure Tunnel with VPN

If you can't use a VPC, or you want additional isolation, set up a VPN.

WireGuard and OpenVPN are the best options.

✔ Why is VPN Secure?

  • All traffic is end-to-end encrypted
  • Servers communicate via private tunnel
  • Only web traffic is opened to the public internet
  • Other services, including SSH, can remain in a completely private tunnel


🔍 5. Service Auditing

You have to know every service running on your server, because every running service = potential attack surface.

🔧 5.1 Viewing Open Ports


sudo ss -plunt

Description: This command lists all listening TCP/UDP sockets on the server, with their ports and the processes that own them.

✔ What will you look for?

  • 0.0.0.0:PORT → open to all IPv4 interfaces
  • [::]:PORT → open to all IPv6 interfaces
  • users:(("program")) → owner of the service

Suggestion: If you see a service you do not need, stop and disable it.


🔄 6. Automatic Updates (Unattended Upgrades)

Outdated package = largest attack surface.

🔧 6.1 Activating Automatic Security Update


sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

Description: This system automatically applies security patches daily, providing “zero touch security”.


🔑 7. PKI (Certificate Infrastructure) & SSL/TLS

PKI is used for:

  • Servers verifying each other
  • Secure encryption of traffic
  • Blocking MITM attacks

For small projects: VPN is sufficient.

In large projects: Internal CA management becomes inevitable.


❓ Frequently Asked Questions (FAQ)

1. How do I use SSH completely passwordless?

You can turn off the password completely by setting PasswordAuthentication no.

2. Which ports should remain open on my server?

Minimum:

  • 22 (SSH)
  • 80 (HTTP)
  • 443 (HTTPS)

Do not open the others unless necessary.

3. Is VPC or VPN better?

  • VPC → Infrastructure-based, automatic and high-performance
  • VPN → Software-based, flexible solution

Ideal: Using both together.

4. How often should I perform a service inspection?

  • When you install a new service
  • Regularly every 2–3 months

5. Is Fail2ban necessary?

It's not mandatory if you're using an SSH key, but it's very useful.


🎯 Result

The security measures in this guide are the basic steps that must be taken before opening your servers to the internet. When configured correctly:

  • Attack surface becomes smaller
  • Brute-force attacks are ineffective
  • Services are taken under control
  • Traffic is isolated
  • The server is always up to date and secure

You can immediately create a Virtual Instance on the GenixNode platform and start following these steps.