Are you a junior developer eager to lock down your cloud server's security but don't know where to begin? Dive into our beginner-friendly guide, and I will walk you through 5 simple steps to fortify your server against potential threats. Let's get your cloud server protected!
Two of my examples will include specific functionality from Hetzner, although an equivalent feature set is available at other providers such as DigitalOcean or AWS as well!
If you do not have a Hetzner Account yet, feel free to sign up with my referral link to get 20€ credits for free.
Let's get started!
The first thing you should always do when creating a new cloud server is to create a firewall. A firewall controls incoming and outgoing network traffic to and from your server. For example, a firewall could be configured so that your server has no access to the internet, or so that only a specific IP address can reach your server.
The actual configuration of the firewall depends on the applications that you are running on your server. If you are running a simple website you usually have these requirements:
- Everyone can reach the website through HTTP or HTTPS
- The Server has full access to the internet
The first requirement is about "incoming" (or inbound) traffic. In other words, any IP address (IPv4 or IPv6) can reach your server at the ports 80 (http) and 443 (https).
In the Hetzner Dashboard it would look something like this:
Note: You would probably also want to allow SSH connections from only your IP. For this, figure out your IP address and then add an incoming rule for only this IP to TCP/22!
Our second requirement, that the server can access anything, is usually the default. In Hetzner you would not need to change anything:
Fail2ban is like a security guard for your server. It watches for anyone trying to break into your system by guessing passwords over and over. When it sees too many wrong guesses from a particular place, it locks them out for a while to keep your computer safe from hackers. But of course, there is no free lunch. If you need to guess your own password, you might just lock yourself out!
Anyway, you can install fail2ban very easily like this:
sudo apt-get install fail2ban
Now you could optimize the setup further, but this is already enough to make most automated attempts give up pretty fast!
I know, I know. No one likes to think about or, especially, pay for backups. And if we are honest, sometimes you can live dangerously and ignore them, for example if you only want to run a temporary dev server.
While there are many ways to do backups, the easiest one is usually just using the snapshot backups of your cloud provider. Most providers take 20% of your server price to make daily backups. If you destroy your server, simply restore it from the previous day and you should be good to go again! 🥳
Again, this is a specific feature from Hetzner with similar ones available from Hosts such as DigitalOcean!
Another firewall! 🔥
UFW, which stands for Uncomplicated Firewall, is a simple tool that helps you control and manage the firewall on your computer. The same as the first firewall, it lets you decide which traffic is allowed to reach your server. The difference is that it is not part of your cloud provider's infrastructure but instead is running on your server. If you forget to enable your cloud provider's firewall (or if they do not have one), UFW will still keep your unwanted traffic out. This might sound redundant, but Defense in depth is a very important concept and can save you from human errors. Anyway, let's see how you can use it:
First, install it.
sudo apt install ufw
We are now going to build up our firewall step by step, first denying all incoming traffic and allowing all outgoing traffic. This basically means that we can contact everyone, but no one can contact us.
sudo ufw default deny incoming
sudo ufw default allow outgoing
If we stop now, we wouldn't be able to connect to our server anymore! This is why we now allow SSH connections, as well as http and https for our webserver. If you don't host a webserver, don't execute the last two lines :)
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
And finally, we enable the firewall and double-check that we did everything correctly!
sudo ufw enable
sudo ufw status
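As an added example (not code from the original post), here is one script that covers both the fail2ban step and the UFW step above: it exempts the admin address from fail2ban so you cannot lock yourself out, and it only exposes SSH to that address with rate limiting (`ufw limit`) instead of allowing it from anywhere. The admin address, the file name `harden.sh` and the bantime/findtime/maxretry values are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example, not from the original post: one script for the fail2ban and
# UFW steps above. ADMIN_IP (the address you administer from) is an assumption.
set -eu

# Print a fail2ban override; jail.local takes precedence over the packaged jail.conf.
render_jail_local() {
    admin_ip="$1"
    cat <<EOF
[DEFAULT]
# Never ban loopback or the admin address, so you cannot lock yourself out.
ignoreip = 127.0.0.1/8 ::1 ${admin_ip}
# Ban for 1 hour after 5 failed logins within 10 minutes.
bantime  = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
EOF
}

# Sanity check before writing to /etc: the admin address must be exempt and
# the sshd jail enabled. Returns 0 on success.
jail_local_is_sane() {
    cfg=$(render_jail_local "$1")
    echo "$cfg" | grep -q "^ignoreip = .* $1\$" &&
        echo "$cfg" | grep -q '^enabled = true$'
}

# The UFW policy from the post, but SSH is only reachable from the admin
# address and rate-limited (ufw limit blocks a source after 6 tries in 30s).
apply_ufw_rules() {
    ufw default deny incoming
    ufw default allow outgoing
    ufw limit from "$1" to any port 22 proto tcp
    ufw allow http
    ufw allow https
    ufw --force enable
    ufw status verbose
}
# Only touch the system when asked: sudo sh harden.sh --apply 203.0.113.5
if [ "${1:-}" = "--apply" ]; then
    admin="${2:?usage: --apply ADMIN_IP}"
    jail_local_is_sane "$admin"
    render_jail_local "$admin" > /etc/fail2ban/jail.local
    fail2ban-client -t            # validate the config before restarting
    systemctl restart fail2ban
    apply_ufw_rules "$admin"
fi
```

Run it without `--apply` first to see that the rendered jail.local looks right; the UFW rules and the fail2ban restart only happen with `--apply` and root privileges.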
When creating your server you usually have 2 choices: you can either log in with a password or with an SSH key. While passwords might be the obvious choice, they are also the least secure one! Passwords can be brute-forced, whereas SSH keys use asymmetric (public-key) cryptography and (realistically) can't be brute-forced. Of course, you still need to keep your private keys safe, but that is usually a lot easier to do than with passwords! How you can use SSH keys to log in to your server depends on your cloud provider; here is a tutorial for Hetzner, DigitalOcean, and AWS.
And if you do not want or understand all those security tactics, consider using a PaaS provider such as Sliplane! Sliplane gives you the full PaaS experience while letting you use your own Hetzner Server. The First Server is Free :)
For the comments: What is on your security checklist that you never forget? I'd love to know!