When you deploy a bare-metal dedicated server with COLO BIRD, you are given absolute control and full root access. While your server is ready for high-performance workloads the moment it is provisioned, it is your responsibility as the system administrator to implement strict server hardening measures.
An unsecured server is a prime target for automated botnets and vulnerabilities. This guide provides the essential first steps for securing a Linux dedicated server (with examples based on Ubuntu and Debian distributions).
Developers frequently release patches for newly discovered software vulnerabilities. Running an outdated operating system is the easiest way to compromise your dedicated server security.
Run these commands in your terminal to pull and install the latest security patches:
sudo apt update
sudo apt upgrade
Make it a strict habit to run these update commands regularly to ensure your bare-metal infrastructure remains bulletproof.
By default, the SSH service listens on port 22. Malicious bots constantly scan port 22 on public IPs to launch automated brute-force attacks against dedicated hosting environments. Changing this to a custom port immediately drops the amount of background noise and failed login attempts hitting your server.
Open your SSH configuration file using a text editor like Nano:
sudo nano /etc/ssh/sshd_config
Locate the line that says #Port 22.
Remove the # and change 22 to a random,
unused port between 49152 and 65535 (e.g., Port 49152).
Restart the SSH service to apply the security changes:
sudo systemctl restart sshd
Note for Ubuntu 23.04 and later: SSH configuration is now managed via
systemd sockets. You will need to edit /lib/systemd/system/ssh.socket instead, change the
ListenStream=22 line to your new port, and run sudo systemctl daemon-reload followed by sudo systemctl restart ssh.service.
A robust firewall is the backbone of dedicated server security. Most Linux distributions come with iptables or ufw pre-installed, but they are often disabled by default. You can verify your current active rules by typing:
sudo iptables -L
Ensure you configure your internal firewall to drop all incoming traffic by default. Only allow connections to essential ports, such as your new custom SSH port, HTTP/HTTPS for web servers, and any specific application or gaming ports your bare-metal server requires.
Fail2ban is an essential intrusion prevention tool for any Linux dedicated server. It actively monitors your server logs and automatically bans the IP addresses of attackers attempting to brute-force your system credentials.
Install the Fail2ban software package:
sudo apt install fail2ban
Create a local configuration file so your custom security settings aren't overwritten during system updates:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit your new configuration file:
sudo nano /etc/fail2ban/jail.local
Scroll down to the [sshd] section and
add enabled = true. (Crucial: If you changed your
SSH port in Step 2, make sure to update the port =
line to match your new custom port).
Restart the service to activate the protection:
sudo service fail2ban restart
True enterprise security requires defense in depth. Beyond your internal OS configuration, you should take full advantage of COLO BIRD's physical and network-level infrastructure:
Hardware DDoS Protection: All COLO BIRD dedicated servers sit behind our robust network-level DDoS mitigation. We automatically scrub malicious volumetric traffic before it ever hits your physical network interface (NIC), ensuring maximum uptime.
Off-Site Server Backups: Securing your data means preparing for the worst-case scenario. Utilize COLO BIRD Backup Storage solutions to automatically replicate your critical databases and files off-site using secure protocols (FTP, NFS, CIFS).