What are best practices to secure my Linux server that's running on Lightsail?


I'm a system administrator for Amazon Lightsail instances that run Linux. I want to know server security best practices that I can use to help protect my data.


The following are basic Linux server security best practices. This isn't a complete list. As a local system administrator, you must configure many complex settings based on your requirements and use case.

Encrypt data communication to and from your Linux server

Use SCP, SSH, rsync, or SFTP for file transfers. Don't use FTP and Telnet because they aren't secure. To maintain a secure (HTTPS) connection, install and configure an SSL/TLS certificate on your server.

Reduce software to minimize vulnerability in Linux, and regularly perform security audits

To avoid vulnerabilities from software or packages, don't install unnecessary software. If possible, identify and remove all unwanted packages.

Keep the Linux kernel and software up to date

Security patches are an important part of Linux server maintenance. Linux provides all the necessary tools to keep your system updated. You can easily upgrade between versions. Review and apply all security updates as soon as they're released, and make sure that you update to the latest available kernel. To apply all security updates, use the package manager for your Linux distribution, such as yum, apt-get, or dpkg.

Use Linux security extensions

Linux comes with security features that you can use to guard against misconfigured or compromised programs. If possible, use SELinux and other Linux security extensions to enforce limitations on network and other programs.

Turn off the root login

Don't log in as the root user. When you need root-level access, it's a best practice to use sudo to run the commands. Sudo improves the security of the system because you don't have to share the root credentials with other users and administrators. For more information, see Disallowing root access on the Red Hat website.

Use ss or netstat to find listening network ports, and close or restrict all other ports

Use ss or netstat to find the ports that are listening on the system's network interfaces. Any open ports that you don't expect might be evidence of an intrusion. For more information, see Linux networking: socket stats via ss and Linux networking: 13 uses for netstat on the Red Hat website.
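The following added example (not part of the original AWS article) shows one way to turn the ss check into a repeatable audit: it reads `ss -H -tuln` output and reports every listener that is reachable from the network and isn't on an allowlist. The function name `unexpected_listeners`, the allowlist, and the sample ss output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not AWS code. unexpected_listeners is a hypothetical helper.
# stdin: output of `ss -H -tuln`   $1: space-separated allowlist of proto/port
unexpected_listeners() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      proto = $1; laddr = $5                 # column 5 is Local Address:Port
      p = match(laddr, /:[0-9]+$/)           # the port follows the last colon
      if (p == 0) next
      port = substr(laddr, p + 1)
      addr = substr(laddr, 1, p - 1)
      sub(/%.*$/, "", addr)                  # drop %interface, e.g. 127.0.0.53%lo
      # Loopback-only listeners are not reachable from the network; skip them.
      if (addr ~ /^127\./ || addr == "[::1]") next
      key = proto "/" port
      # Report each unexpected proto/port once, with the first address seen.
      if (!(key in ok) && !seen[key]++) print key " " addr
    }'
}

# Constructed sample of `ss -H -tuln` output so the example runs offline.
SAMPLE_SS='udp   UNCONN 0      0      127.0.0.53%lo:53     0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80     0.0.0.0:*
tcp   LISTEN 0      151          0.0.0.0:3306   0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:6379   0.0.0.0:*
tcp   LISTEN 0      128             [::]:22        [::]:*
tcp   LISTEN 0      100                *:8080         *:*'

# Assumed allowlist: the same ports that are opened in the Lightsail firewall.
ALLOWED="tcp/22 tcp/80 tcp/443"

printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$ALLOWED"
# On a live server: ss -H -tuln | unexpected_listeners "$ALLOWED"
```

Each reported line is a listener to close, bind to loopback, or block at the firewall. Running the check on a schedule and alerting on new entries makes a newly opened port visible soon after it appears.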

Configure the Lightsail firewall and OS-level firewalls on Linux servers for additional security

Use the Lightsail firewall to filter traffic and allow only necessary traffic to your server. The operating system-level firewall is a user space application program that allows you to configure the firewalls that the Linux kernel provides. Depending on your Linux distribution, you can use iptables, ufw, firewalld, and so on. For more information on iptables and firewalld, see Setting and Controlling IP sets using iptables and Using firewalls on the Red Hat website. For more information on ufw, see Security - Firewall on the Ubuntu website.

Use auditd to audit your system

Use auditd to audit your system. Auditd writes audit records to the disk. It also monitors system activities, such as system logins, authentications, account modifications, and SELinux denials. These records help you identify malicious activity or unauthorized access. For more information, see Configure Linux system auditing with auditd on the Red Hat website. 

Install an IDS

Use fail2ban or DenyHosts as an intrusion detection system (IDS). Fail2ban and DenyHosts scan the log files for too many failed login attempts, and block the IP address that shows signs of malicious activity.

Create backups regularly

For more information, see Snapshots in Amazon Lightsail.

Avoid granting read, write, and execute permissions (777) on files and directories to users, groups, and others

You can use chmod to restrict access to files and directories, such as the web-root directory or document root. For more information, see Linux permissions: An introduction to chmod on the Red Hat website. To provide access to only authorized users, edit the permissions. For more information, see How to manage Linux permissions for users, groups, and others on the Red Hat website. 

Related information

Security in Amazon Lightsail

Compliance validation for Amazon Lightsail

Infrastructure security in Lightsail

Best practices for securing Windows Server-based Lightsail instances

AWS OFFICIAL. Updated 4 months ago.