Securing Public Servers
A server reachable from the internet starts receiving automated attacks within minutes of getting a public IP address. These attacks are not targeted: they come from scanners probing every address for any exposed weakness, such as default credentials, unpatched services or misconfigured databases. Because they are opportunistic, a server that presents no easy target is usually passed over in favour of an easier one. This guide covers the additional steps an internet-facing server needs beyond basic Ubuntu hardening.
The public server threat model
Automated attacks hitting every public server:
SSH brute force: thousands of attempts per hour from botnets
Web scanner: looking for /wp-admin, /phpmyadmin, .env, config.php
Port scanner: mapping all open ports looking for exploitable services
CVE scanner: checking exposed service versions against vulnerability DBs
Targeted attacks (less common, higher sophistication):
Custom exploits against your specific software versions
Social engineering to get credentials
Supply chain attacks
Defense priority: automated attacks >> targeted attacks
(Most successful compromises use automated tools on trivially exploitable targets)
Immediate actions on a new public server
# First 15 minutes after getting a new public server:
# 1. Update and patch immediately (before doing anything else)
sudo apt update && sudo apt upgrade -y
# 2. Create your admin user and add SSH key
sudo adduser irfan
sudo usermod -aG sudo irfan
sudo mkdir -p /home/irfan/.ssh
# Copy your public key to /home/irfan/.ssh/authorized_keys
sudo chmod 700 /home/irfan/.ssh
sudo chmod 600 /home/irfan/.ssh/authorized_keys
sudo chown -R irfan:irfan /home/irfan/.ssh
# 3. Configure SSH: disable passwords, disable root
sudo nano /etc/ssh/sshd_config
# PasswordAuthentication no
# PermitRootLogin no
# Before reloading, open a second terminal and confirm that key-based login as irfan works; keep this session open until it does
sudo sshd -t && sudo systemctl reload ssh
# 4. Firewall: default deny, allow only what you need
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable
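As an added check (not part of the original article), the function below audits the effective sshd settings from `sshd -T` output. Ubuntu's sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf" and sshd keeps the first value it reads, so a drop-in there can silently override the edits made above; the sample output is constructed, and the three keys checked are an assumed minimum.

```shell
# Reads `sshd -T` output on stdin (lowercase "key value" lines, i.e. the
# effective config after all Include files) and prints each key that still
# permits password or root login. Exit status 1 if anything fails.
audit_sshd() {
    awk '
        BEGIN { bad = 0 }
        $1 == "passwordauthentication" && $2 != "no"  { bad++; print "FAIL " $1 " = " $2 " (want no)" }
        $1 == "permitrootlogin"        && $2 != "no"  { bad++; print "FAIL " $1 " = " $2 " (want no)" }
        $1 == "pubkeyauthentication"   && $2 != "yes" { bad++; print "FAIL " $1 " = " $2 " (want yes)" }
        END { exit (bad > 0) }
    '
}

# Constructed sample (assumed scenario): sshd_config was edited, but a drop-in in
# /etc/ssh/sshd_config.d/ still sets PasswordAuthentication yes and PermitRootLogin
# is left at its default, so the effective config is still weak.
SAMPLE_SSHD_T='port 22
addressfamily any
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

# Constructed sample of the same host after the drop-in has been corrected.
HARDENED_SSHD_T='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'

# Number of failing keys for a capture passed as a string (0 means hardened).
count_sshd_failures() {
    printf '%s\n' "$1" | audit_sshd | wc -l | tr -d ' '
}

# Live usage: sudo sshd -T | audit_sshd && echo "sshd hardened"
```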
Protecting web services
# 1. Hide web server version information
# nginx: in /etc/nginx/nginx.conf:
# server_tokens off;
# Apache: in /etc/apache2/conf-enabled/security.conf:
# ServerTokens Prod
# ServerSignature Off
# 2. Block common scan patterns with rate limiting
# nginx: limit_req_zone belongs in the http block; limit_req goes in the server (or location) block:
# limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;
# limit_req zone=req_limit burst=20 nodelay;
# 3. Block requests for sensitive files
# nginx: the trailing (/|$) anchors the pattern so ".log" does not also match e.g. ".login.css",
# while still covering both "/.env" and "/.git/config":
# location ~* "\.(env|sql|bak|log|git)(/|$)" { deny all; }
# 4. Use HTTPS everywhere
sudo apt install -y certbot python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com
Intrusion detection
# Install and configure fail2ban with aggressive settings for public servers
sudo apt install -y fail2ban
# /etc/fail2ban/jail.local for a public-facing server:
# [DEFAULT]
# bantime = 24h
# findtime = 10m
# maxretry = 3
# ignoreip = YOUR_MANAGEMENT_IP
# [sshd]
# enabled = true
# maxretry = 2
# [nginx-http-auth]
# enabled = true
# [nginx-botsearch]
# enabled = true
# filter = nginx-botsearch
# Monitor what's being attacked (extract the address after "from" rather than a fixed awk column, which shifts on "invalid user" lines):
sudo journalctl -u ssh --since "today" | grep 'Failed password' | sed -n 's/.* from \([0-9a-fA-F.:]*\) port .*/\1/p' | sort | uniq -c | sort -rn | head -10
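The same count as a reusable function, added here as an example rather than taken from the original article; it reads auth lines on stdin and handles both the "Failed password for root from ..." and the "Failed password for invalid user X from ..." forms, whose field positions differ. The log lines are constructed samples using documentation IP ranges.

```shell
# Count failed SSH logins per source address from journal/auth-log lines on stdin.
# Output: "count address" lines, most active source first.
top_attackers() {
    grep 'Failed password' \
    | sed -n 's/.* from \([0-9a-fA-F.:]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Constructed sample lines (not real log data); note the successful key login
# from the management address is ignored, and the "invalid user" lines still
# attribute correctly to their source.
SAMPLE_AUTH_LOG='Mar 10 03:14:01 web sshd[1201]: Failed password for root from 203.0.113.5 port 50122 ssh2
Mar 10 03:14:03 web sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 50130 ssh2
Mar 10 03:14:05 web sshd[1205]: Failed password for invalid user oracle from 198.51.100.7 port 41002 ssh2
Mar 10 03:14:07 web sshd[1207]: Accepted publickey for irfan from 192.0.2.10 port 52000 ssh2
Mar 10 03:14:09 web sshd[1209]: Failed password for root from 203.0.113.5 port 50140 ssh2'

# Most active source in the sample, as "count address".
sample_top_attacker() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | top_attackers | head -n 1
}

# Live usage: sudo journalctl -u ssh --since today | top_attackers | head -10
```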
Incident response readiness
# Prepare before an incident, not during:
# 1. Enable persistent logging (survives reboot, which matters for forensics); journald only switches to the persistent directory after a restart
sudo mkdir -p /var/log/journal
sudo systemctl restart systemd-journald
# 2. Know how to take snapshots (cloud providers):
# AWS: Create AMI from instance
# GCP: Create disk snapshot
# 3. Document what's normal (run as root, e.g. after `sudo -i`, so the redirections into /root work):
ss -tlnp > /root/baseline-ports.txt # Normal listening ports
ps aux > /root/baseline-processes.txt # Normal running processes
crontab -l > /root/baseline-cron.txt # Normal cron jobs (root's crontab)
for f in /root/baseline-*.txt; do date >> "$f"; done # Record baseline date (a glob after >> is an ambiguous redirect, so loop)
# 4. Know how to isolate a compromised server
# Cloud: modify security group to block all traffic except your IP
# On-prem: sudo ufw default deny incoming && sudo ufw allow from MGMT_IP
#   (earlier allow rules such as ssh/80/443 still apply; list them with `sudo ufw status numbered` and delete them)
# Or with raw iptables (insert the management rule before changing the policy, or you lock yourself out):
sudo iptables -I INPUT 1 -s YOUR_MGMT_IP -j ACCEPT
sudo iptables -I INPUT 2 -i lo -j ACCEPT # Keep loopback so local services can still talk to each other
sudo iptables -P INPUT DROP # Block everything else immediately
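To make the baseline from step 3 actionable, here is an added example (not from the original article) that compares a saved `ss -tlnp` capture with a current one and reports listeners that have appeared since. The captures below are constructed; the function names and temp-file handling are mine.

```shell
# Reduce an `ss -tlnp` capture to its sorted LISTEN addresses, dropping the
# header, the pid/process column and the date line the baseline step appends.
listening_sockets() {
    awk '$1 == "LISTEN" { print $4 }' "$1" | sort -u
}

# Print "address:port" entries present in the current capture (file 2) but
# absent from the baseline capture (file 1).
new_listeners() {
    base=$(mktemp) && cur=$(mktemp) || return 1
    listening_sockets "$1" > "$base"
    listening_sockets "$2" > "$cur"
    comm -13 "$base" "$cur"   # -13: keep only lines unique to the current capture
    rm -f "$base" "$cur"
}

# Constructed sample captures (not real output): since the baseline, a Redis
# instance has started listening on all interfaces, the kind of exposed
# database the scanners from the threat model look for.
BASELINE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=901,fd=6))
Mon Mar 10 02:00:00 UTC 2025'
CURRENT_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=901,fd=6))
LISTEN 0      511    0.0.0.0:6379       0.0.0.0:*         users:(("redis-server",pid=2210,fd=6))'

# Write two capture strings to temp files and diff them (demo helper).
diff_captures() {
    b=$(mktemp) && c=$(mktemp) || return 1
    printf '%s\n' "$1" > "$b"
    printf '%s\n' "$2" > "$c"
    new_listeners "$b" "$c"
    rm -f "$b" "$c"
}
```

Live usage: `sudo ss -tlnp > /tmp/ports-now.txt && sudo new_listeners /root/baseline-ports.txt /tmp/ports-now.txt`; any output is a listener that was not there when the baseline was recorded.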
Conclusion
The internet-facing server baseline: patch immediately, SSH keys only + no root login, UFW default deny, and fail2ban for all internet-exposed services. For web servers: hide version banners, add rate limiting, block requests for sensitive files, and use HTTPS. Document your baseline ports and processes before something goes wrong — you need to know what "normal" looks like to detect "abnormal." Most internet server compromises happen within hours of deployment if basic hardening is not applied.
FAQ
Is Securing Public Servers important for Ubuntu administrators?
Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.
Should I practice this on a live server?
Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.
What should I do after reading this article?
Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.
Need help with Ubuntu administration?
Work directly with Muhammad Irfan Aslam for Ubuntu Server, Linux, cloud, Docker, DevOps, CI/CD, or infrastructure troubleshooting support.