There are plenty of reasons to set up a home server. You might use it as a media server, a file server, or even a local backup server. Basically, any files of yours that don’t need to be online are good candidates for a home server. Setting up a Linux-powered home server is relatively easy, especially these days. That said, keeping that server secure is another story altogether. Security can be as tricky as it is important.
Only Install What You Absolutely Need
One of the easiest ways to keep your home server secure is to keep security in mind from the very beginning. This starts with installation. Are you unsure if you need an application or service? Don’t install it. You can always install it later.
If you’ve installed Linux a few times, this is even easier. Instead of sticking with the defaults, use the modes that give you the most control over installation. Sometimes these are named “expert mode” or something similar.
Carefully keeping track of install options can save you time disabling services for security reasons later.
Before you move on to any other steps, you need to configure sudo. Why? Because once we’re done here, you’ll log into your server via SSH, and you won’t be able to log in as the root account. To make any further changes to your system, you’ll need to use sudo.
First, check to see if you’re already able to use sudo. From your user account, run the following with your username instead of USERNAME:
sudo -lU USERNAME
If you see a message displayed stating that your username can run “(ALL) ALL,” or something similar, you’re ready to move on.
Now, as the root account on your server, run the following to edit the “/etc/sudoers” file. If you prefer another editor, use it instead of nano.
Edit the file to include the following, with your username instead of USERNAME:
USERNAME ALL=(ALL) ALL
You may already have SSH enabled on your home server. You likely do, in fact, as this is typically the way you interact with a server.
First, make sure OpenSSH is installed. If you use another distribution, your command will vary, but the package name should be fairly consistent. On Ubuntu, run the following:
sudo apt install openssh-server
Using key-based authentication is much more secure than password authentication, so we’ll set up SSH to work this way. To do this, make sure you’re working on a client you plan to connect to the server with, not the server itself. First, you want to make sure you don’t already have any SSH keys:
If you see “id_rsa” and “id_rsa.pub” among the filenames listed, you already have SSH keys. Skip this next step.
ssh-keygen -t rsa -b 4096 -C "firstname.lastname@example.org"
Now you’ll copy the SSH key to your server:
For a home server, you will likely be using an IP address for your server instead of a name. If you don’t know your server name, use your IP address instead of SERVER above.
Now we’ll edit your SSH settings to secure them more. Log into your server from the client on which you created the keys. This will enable you to log in again after this step. Run the following, replacing nano with the editor of your choice.
sudo nano /etc/ssh/sshd_config
Edit the file with the following settings. These will be located in various places in the file. Make sure there are no duplicates, as only the first instance of a setting will be followed.
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
PermitRootLogin no
Now you need to restart the SSH server with one of the following commands.
On Ubuntu, run:
sudo systemctl restart ssh
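The first-instance rule above is easy to trip over when the file already sets one of these keywords further up. The script below is an added example, not part of the original article: it reads sshd_config text, reports which value wins for each of the four settings, and flags duplicates. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: audit sshd_config text for
# the four settings above. sshd keeps the FIRST value it reads for a keyword
# (keywords are case-insensitive), so a later duplicate is silently ignored.

# audit_sshd_config [FILE]   (reads stdin when no file is given)
# Returns 0 only if all four settings are effectively "no", none is
# duplicated, and no Include line pulls in files this audit did not read.
audit_sshd_config() {
    awk '
    BEGIN {
        n = split("challengeresponseauthentication passwordauthentication usepam permitrootlogin", want, " ")
        for (i = 1; i <= n; i++) wanted[want[i]] = 1
        bad = 0
    }
    NF == 0 || $1 ~ /^#/ { next }            # blank lines and comments
    { key = tolower($1); val = tolower($2) }
    # Newer OpenSSH names this option KbdInteractiveAuthentication.
    key == "kbdinteractiveauthentication" { key = "challengeresponseauthentication" }
    key == "match" { exit }                  # audit the global section only
    key == "include" { printf "WARN line %d: also audit %s\n", NR, $2; bad = 1; next }
    !(key in wanted) { next }
    !(key in first) { first[key] = val; line[key] = NR; next }
    { printf "DUPLICATE %s line %d ignored (line %d wins)\n", key, NR, line[key]; bad = 1 }
    END {
        for (i = 1; i <= n; i++) {
            k = want[i]
            if (!(k in first)) { printf "MISSING %s\n", k; bad = 1 }
            else if (first[k] != "no") { printf "WRONG %s=%s line %d\n", k, first[k], line[k]; bad = 1 }
            else printf "OK %s=no line %d\n", k, line[k]
        }
        exit bad
    }' "$@"
}

# Constructed sample (not a real server): PasswordAuthentication is set twice.
sample_config() {
    cat <<'EOF'
# constructed sample
PermitRootLogin no
PasswordAuthentication yes
UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF
}

sample_config | audit_sshd_config || echo "audit failed: fix the findings above"
```

On the server itself, `sudo sshd -t` validates the file before you restart the service, and `sudo sshd -T` prints the effective settings with included files merged in. Keep your current SSH session open until a second key-based login succeeds.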
Configure a Firewall
Depending on the services you’re running and how much your server connects to the Internet, you may want to run a firewall. There are a few options for this, but the tried and true method on Linux is iptables.
Setting up iptables is beyond the scope of this article, but don’t worry. We have a complete guide to configuring iptables on your machine.
Another easier way to set up a firewall is to use ufw. You can install it with the command:
sudo apt install ufw
By default, it will block all ports. To allow web and SSH access, run the following ufw commands to open up ports 80, 443, and 22:
sudo ufw allow 80
sudo ufw allow 443
sudo ufw allow 22
And lastly, enable the ufw service:
sudo ufw enable
Stay Up to Date
Servers can be easy to forget about if they just work, but this can be dangerous. Make sure to keep your software up to date. You can use unattended upgrades, but these can be unpredictable. The safest way is to schedule a regular weekly or monthly server maintenance appointment to make sure everything is up to snuff.
Where to Go from Here
Now you have a good start to keep your server protected from outside threats. What if you need to access your server from outside your home, though? Every door you open could potentially be used by an attacker, and every open port increases your vulnerability.
One of the easiest ways to access your home network from outside is to use a VPN. That is outside the scope of this article, but don’t worry, we have you covered. Take a look at our list of the best secure VPN services available for an idea of what your options are.