How to Secure A Web Server

In this article, I show you all the steps needed to secure a web server and improve your security. I recommend doing all of these things on every installation. Also, just because you secure your server doesn’t mean you can neglect it. I highly recommend monitoring it and adjusting security as needed. Monitoring is required for proper security in my opinion.

Secure A Web Server Steps

Install UFW
sudo apt-get update
sudo apt-get install ufw
sudo ufw limit 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

sudo ufw enable

sudo ufw status

Do Global blocks
sudo ufw default deny incoming
sudo ufw default allow outgoing


Change SSH to Key

Remote Machine: ssh-keygen -t rsa

Transfer to Server

Method 1:

Transfer pub ssh key to server
scp ~/.ssh/
cat ~/ >> ~/.ssh/authorized_keys

Method 2:

Copy the key and place it in the authorized_keys file in one command
ssh-copy-id -i ~/.ssh/

Secure a Web Server Disabling Password Auth through SSH

Change the following lines in /etc/ssh/sshd_config
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
PermitRootLogin no
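
The check below is an added example, not part of the original article: a shell function that audits an sshd_config file for the four settings above, accounting for the fact that sshd keeps the first value it reads for a keyword. The function names, the sample file and the Match address are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). sshd keeps the FIRST value it
# reads for a keyword, matches keywords case-insensitively, ignores '#'
# comments, and applies lines after a "Match" line only conditionally.

# effective_value FILE KEYWORD: print the global value sshd would use, if any.
effective_value() {
    awk -v key="$2" '
        $1 ~ /^#/ { next }                       # comment line
        tolower($1) == "match" { exit }          # end of the global section
        tolower($1) == tolower(key) { print tolower($2); exit }  # first wins
    ' "$1"
}

# audit_sshd_config FILE: report each setting; return the number of failures.
audit_sshd_config() {
    failures=0
    for key in ChallengeResponseAuthentication PasswordAuthentication \
               UsePAM PermitRootLogin; do
        val=$(effective_value "$1" "$key")
        if [ "$val" = "no" ]; then
            echo "ok    $key no"
        else
            echo "FAIL  $key ${val:-unset}"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed sample: the second PasswordAuthentication line never takes
# effect because an earlier line already set the keyword; UsePAM is missing.
sample_config() {
    cat <<'EOF'
# PermitRootLogin yes
PermitRootLogin no
passwordauthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF
}

# With no argument, audit the constructed sample instead of a real file.
target=${1:-$(mktemp)}; [ $# -gt 0 ] || sample_config > "$target"
audit_sshd_config "$target" || echo "$? setting(s) need attention"
[ $# -gt 0 ] || rm -f "$target"
```

On a live server, sudo sshd -T prints the effective configuration, including any files pulled in by Include, and is the authoritative check.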

Edit /etc/sysctl.conf

Enable security features

Prevent IP Spoof /etc/host.conf

Change the file to mirror the lines below:
order bind,hosts
nospoof on

Install Fail2Ban

sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Check Listening Ports

netstat -tunlp

You will now have completed the basics of a secure web server!

Leave any Questions and Comments below and I will get back to you. I regularly publish on YouTube and so if you’d like to see more videos and articles click the subscribe button in the top right. If you need immediate assistance, check out our discord channel at Chris Titus Tech Discord.


  1. Camilo

    Path /etc/sshd_config >> please change to /etc/ssh/sshd_config

  2. Frisaq

    Does this apply to Google cloud f1-micro instance from the wordpress tutorial?

  3. kit

    Your glibc must be kinda old. nsswitch.conf is supposedly the modern way to replace the “order” command in host.conf (I think the “hosts:” line should have “dns” before “files”, but idk…), and the man page for nospoof claims it has never actually been implemented.
