Tips on protecting your server | Heart Internet Blog – Focusing on all aspects of the web

When you purchase a VPS or Dedicated Server, you need to protect it. Bots trawl the Internet looking for any possible vulnerability, and an open VPS or Dedicated Server is a potential goldmine.

But, thankfully, locking down your server is fairly easy – whether it’s on Linux or Windows. Just follow these few tips, and you’ll have a server that’s well on its way to being safe.

Change the login port

For Linux machines, the default SSH port is 22. And since it is a default, it’s vulnerable to brute force attacks. But you can easily switch over your port, making it much more difficult for others to log in.

You can change it to any number you want, but you should check that it isn’t a port used by another program. You can see the full list of TCP and UDP ports on Wikipedia.

To switch your port:

  1. SSH into your server with your root login
  2. Open /etc/ssh/sshd_config in the text editor of your choice
  3. Find the line # Port 22
  4. Remove the # next to Port 22
  5. Replace 22 with another number
  6. Save and exit the config file
  7. Restart the SSH service by entering /etc/init.d/ssh restart
  8. Log in again using the new port

On Windows, you can change the RDP port, making it more difficult for other people to Remote Desktop into your computer.

To switch your port:

  1. Remote Desktop into your server
  2. Click the Windows logo and R to open the Run dialog
  3. Enter in cmd
  4. Enter in regedit
  5. Look for HKEY_LOCAL_MACHINESystemCurrentControlSetControlTerminalServerWinStationsRDP-TcpPortNumber
  6. Double-click or right-click on the PortNumber registry subkey
  7. Select the decimal base
  8. Enter in the port number of your choice
  9. Click OK

You will need to make certain that your new port is authorised within your Windows firewall before you restart your server.

  1. Go to the command prompt
  2. Enter in netsh advfirewall firewall add rule name="Open new RDP Port" dir=in action=allow protocol=TCP localport=[New Port]

Once it has been added, you can exit the registry editor and restart your server. Make certain that you add the new port to your RDP client when you log in.

Create a new root or administrative login

When you first set up your server, you’ll have either your root login (if you’re on Linux) or an Administrator login (if you’re on Windows). These have all the power, but because they’re also the default, they’re low-hanging fruit for hackers.

But you can give another user all the power.

To set up your new user and disable your root user in Linux:

  1. SSH into your server with your root login
  2. Enter useradd [username] wheel (creating a new user account)
  3. Enter Passwd [username] (using the same user)
  4. Enter in the new password
  5. Open /etc/sudoers in the text editor of your choice
  6. Find the line # %wheel ALL=(ALL) ALL
  7. Remove the # next to %wheel
  8. Save and exit
  9. Open /etc/ssh/sshd_config in the text editor of your choice
  10. At the bottom, add AllowUsers [username]
  11. Save and exit the config file
  12. Log out and log back in using your new user account
  13. Open /etc/ssh/sshd_config in the text editor of your choice again
  14. Find the line # PermitRootLogin yes
  15. Remove the # next to PermitRootLogin
  16. Change yes to no
  17. Save and exit the config file
  18. Restart the SSH service by entering /etc/init.d/ssh restart
  19. Log in again using your new user account

To set up your new user and disable your Administrator user in Windows:

  1. Log into your server with your Administrator login
  2. Click Start
  3. Click Computer Management
  4. Click Local Users and Computers
  5. Click the Users folder
  6. Right Click and select New User
  7. Enter the new User’s name and password
  8. Untick User must change password at next logon
  9. Click Create
  10. Disable the current administrator account by double clicking on the Administrator user and ticking Account is disabled
  11. Click the Groups folder
  12. Right Click Administrators and Select Add To Group
  13. Add the new user you have just created
  14. Log out and log back in using your new user account

Block suspicious IP addresses

Once you’ve changed the port and root account, you can protect your server even more by setting up protection against unauthorised access.

On Linux systems, fail2ban is a good piece of security software that can help you.

To set up fail2ban:

  1. Log into your server
  2. Use apt-get or yum to install fail2ban
  3. Create local version of the fail2ban configuration file by entering cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  4. Open /etc/fail2ban/jail.local in the text editor of your choice
  5. Define how long you want suspicious IP addresses to be blocked under bantime. The value is specified in seconds, so, for example, a 10 minute ban would be 600
  6. Define how many incorrect login attempts can happen before the IP address is blocked under maxretry
  7. Under SSH, find the port = ssh field and switch it to the new port number you specified above
  8. Restart fail2ban by entering /etc/init.d/fail2ban restart

You can then review the log of blocked IP addresses by going to var/log/fail2ban

On your Windows server, you can add the IIS module Dynamic IP Restrictions, which helps protect your server against DDOS attacks as well as brute force attacks. With Dynamic IP Restrictions, you can define how many requests can be made from an IP address, both in a set amount of time and at the same time.

You can install Dynamic IP Restrictions by downloading it from Microsoft’s IIS download page, or use the Web Platform Installer on your server.

To configure Dynamic IP Restrictions:

  1. Log into your server
  2. Open your IIS Manager
  3. Select the server node if you want to configure server-wide settings, or select a site node to configure site-specific settings
  4. Click Dynamic IP Restrictions
  5. You can deny IP addresses by the maximum number of concurrent requests and also by the number of requests over a period of time
  6. You can also add allowed IP addresses by clicking Show Allowed Addresses under the Actions column

With these three simple processes, you can make sure your server is protected. What other tips do you have for protecting your server?


Please remember that all comments are moderated and any links you paste in your comment will remain as plain text. If your comment looks like spam it will be deleted. We're looking forward to answering your questions and hearing your comments and opinions!

Got a question? Explore our Support Database. Start a live chat*.
Or log in to raise a ticket for support.
*Please note: you will need to accept cookies to see and use our live chat service