How to properly secure a server

Let's get started with why you should secure your server.

Without properly securing your server, you are prone to suffer from:

  • Your server and services being hijacked and used for zombie activities.
  • Risk of losing user data.
  • A hacker redirecting your website to another website.
  • Malware or trojans being added to your server.

Changing default TCP communication port

No matter who it is, I always suggest changing the default communication port. On Linux, move SSH off port 22; on Windows, move Remote Desktop off port 3389.

First, check which port is currently in use:

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "PortNumber"

To change the default, you only need three lines of code; set the variable $portvalue to the desired port. You can choose any port from 1024 to 65535.

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value $portvalue

New-NetFirewallRule -DisplayName 'RDPPORTLatest-TCP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort $portvalue

New-NetFirewallRule -DisplayName 'RDPPORTLatest-UDP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol UDP -LocalPort $portvalue

On Linux, it's very easy: locate the /etc/ssh/sshd_config file, edit the Port field to your desired port, and save the file.
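
The Linux edit described above can be scripted. This is an added example, not code from the original post: `set_sshd_port` is a hypothetical helper name, and its range check uses the 1024 to 65535 range given earlier. It replaces an active or commented-out Port line, drops any other global Port lines so the old port does not stay open, and keeps the new line ahead of any Match block.

```bash
#!/usr/bin/env bash
# Added example; set_sshd_port is a hypothetical helper name, not an OpenSSH tool.
# Usage: set_sshd_port /etc/ssh/sshd_config 50022   (50022 is a constructed value)

set_sshd_port() {
    local file="$1" port="$2" tmp
    # Digits only, no leading zero, at most five digits.
    case "$port" in
        ''|0*|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 2 ;;
    esac
    # Range the article recommends: 1024 to 65535.
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "port must be between 1024 and 65535" >&2; return 2
    fi
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    cp -p "$file" "$file.bak" || return 1   # rollback copy
    tmp="$(mktemp)" || return 1
    awk -v port="$port" '
        # Port is not valid inside a Match block, so it must precede the first one.
        tolower($0) ~ /^[ \t]*match[ \t]/ {
            if (!done) { print "Port " port; done = 1 }
            in_match = 1
        }
        # Active or commented-out Port line (the stock file ships "#Port 22").
        !in_match && tolower($0) ~ /^[ \t]*#?[ \t]*port[ \t]+[0-9]+[ \t]*$/ {
            if (!done) { print "Port " port; done = 1 }
            next    # drop every other global Port line: sshd listens on all of them
        }
        { print }
        END { if (!done) print "Port " port }
    ' "$file.bak" > "$tmp" || { rm -f "$tmp"; return 1; }
    # cat into the original keeps its owner and permissions.
    cat "$tmp" > "$file" && rm -f "$tmp"
}
```

Validate the result with `sshd -t` and restart the SSH service for the new port to take effect. Keep the current session open until a login on the new port succeeds.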

Configure your firewall

Configuring your firewall to allow only the ports and services you need is fundamental. Plan in advance what each server does so that you can implement it properly within your infrastructure.

If the services you need within your infrastructure are the traditional web server, mail server and backup storage, best practice is to open only ports 80 and 443 for the web server, and only port 25 and maybe 465, 587, 995 and 2525 for the mail server. The backup storage should probably be placed somewhere in the backend if it uses FTP, as the connection is not encrypted over the public internet.

Will be updating
