How to secure your server from abuse and prevent IP blacklisting
When you deploy a server, you are responsible for keeping it secure.
Unsecured servers are a major target for abuse, which can cause your IP address to be blacklisted by security organizations like Spamhaus, affecting your services and our network.
This guide provides general best practices to protect your server from common types of abuse:
Spam sending
Open proxy or open relay misuse
Malware infections (botnets, crypto miners)
DDoS launching
Unauthorized access or hijacking
Regularly update the operating system and all installed software.
Install security patches as soon as they are released.
Automate updates where possible to reduce human error.
Example for Linux;
Example for Windows Server:
Enable Windows Update and schedule automatic updates.
Use strong, unique passwords or better yet, SSH key authentication.
Change the default SSH port (22) to a custom port.
For Windows, change RDP settings and enforce strong policies.
Restrict SSH or RDP access to specific trusted IP addresses (if possible).
Disable root login over SSH.
Example to edit SSH config:
Enable and configure a firewall to block all unnecessary ports.
Only open ports that are required for your applications.
Default policy: Block all inbound traffic except what is needed.
Example (Linux ufw):
Leaving ports like 3306 (MySQL) or Redis exposed to the world.
Forgetting to firewall unused services.
If you deploy applications (like VPNs, proxies, websites, mail servers), you must:
Require authentication (login/password, keys, or certificates).
Restrict access to trusted users or IPs.
Monitor who is connecting to your services.
Never leave services open to the public unless absolutely necessary.
Examples:
For a VPN or Proxy: Always use login credentials and encryption.
For a Mail Server: Configure it properly to prevent becoming an open relay.
For Web Apps: Use secure configurations, and limit admin access.
If you are not running an email server, block outbound port 25 (SMTP) to prevent spam abuse.
Monitor outbound traffic to detect abnormal activity (e.g., spam bursts, DDoS traffic).
Use authenticated email services for sending legitimate email (e.g., SendGrid, Mailgun).
Example (block SMTP traffic):
Fail2Ban: Monitors and bans malicious login attempts.
Antivirus (especially for Windows): Protect against malware infections.
Rootkit Scanners (Linux): Detect hidden malware.
Enable intrusion detection systems (IDS) if possible (e.g., OSSEC).
Regularly check system logs (/var/log/auth.log, Event Viewer).
Set up alerts for unusual CPU, RAM, and network spikes.
Use tools like htop, iftop, or netstat to monitor live traffic.
Consider setting up automated server health monitoring.
If you notice suspicious activity (unexpected logins, unknown processes, bandwidth spikes), investigate immediately.
Rebuild the server if itβs compromised.
Contact support if your server was flagged or if you receive an abuse complaint.
Pro tip: Having regular backups will save you if you need to rebuild your server.
You are responsible for maintaining the security of your server.
Failure to secure your server can lead to service disruptions, blacklisting, and potential service suspension.
Prevention is easier and cheaper than cleanup after a compromise.
Unsecured servers are a major target for abuse, which can cause your IP address to be blacklisted by security organizations like Spamhaus, affecting your services and our network.
This guide provides general best practices to protect your server from common types of abuse:
Spam sending
Open proxy or open relay misuse
Malware infections (botnets, crypto miners)
DDoS launching
Unauthorized access or hijacking
π 1. Keep Your Server Updated
Regularly update the operating system and all installed software.
Install security patches as soon as they are released.
Automate updates where possible to reduce human error.
Example for Linux;
sudo apt update && sudo apt upgrade -yExample for Windows Server:
Enable Windows Update and schedule automatic updates.
π 2. Secure Remote Access
Use strong, unique passwords or better yet, SSH key authentication.
Change the default SSH port (22) to a custom port.
For Windows, change RDP settings and enforce strong policies.
Restrict SSH or RDP access to specific trusted IP addresses (if possible).
Disable root login over SSH.
Example to edit SSH config:
sudo nano /etc/ssh/sshd_config
PermitRootLogin no
Port 2289π‘οΈ 3. Set Up a Firewall
Enable and configure a firewall to block all unnecessary ports.
Only open ports that are required for your applications.
Default policy: Block all inbound traffic except what is needed.
Example (Linux ufw):
sudo ufw default deny incoming
sudo ufw allow ssh
sudo ufw allow 80/tcp # If hosting a website
sudo ufw enableCommon mistakes to avoid:
Leaving ports like 3306 (MySQL) or Redis exposed to the world.
Forgetting to firewall unused services.
π΅οΈ 4. Protect Any Services You Run
If you deploy applications (like VPNs, proxies, websites, mail servers), you must:
Require authentication (login/password, keys, or certificates).
Restrict access to trusted users or IPs.
Monitor who is connecting to your services.
Never leave services open to the public unless absolutely necessary.
Examples:
For a VPN or Proxy: Always use login credentials and encryption.
For a Mail Server: Configure it properly to prevent becoming an open relay.
For Web Apps: Use secure configurations, and limit admin access.
π‘οΈ 5. Control Outbound Traffic
If you are not running an email server, block outbound port 25 (SMTP) to prevent spam abuse.
Monitor outbound traffic to detect abnormal activity (e.g., spam bursts, DDoS traffic).
Use authenticated email services for sending legitimate email (e.g., SendGrid, Mailgun).
Example (block SMTP traffic):
sudo ufw deny out 25π§Ή 6. Install Basic Security Tools
Fail2Ban: Monitors and bans malicious login attempts.
Antivirus (especially for Windows): Protect against malware infections.
Rootkit Scanners (Linux): Detect hidden malware.
Enable intrusion detection systems (IDS) if possible (e.g., OSSEC).
π 7. Monitor Your Server
Regularly check system logs (/var/log/auth.log, Event Viewer).
Set up alerts for unusual CPU, RAM, and network spikes.
Use tools like htop, iftop, or netstat to monitor live traffic.
Consider setting up automated server health monitoring.
π₯ 8. Respond Quickly to Any Issues
If you notice suspicious activity (unexpected logins, unknown processes, bandwidth spikes), investigate immediately.
Rebuild the server if itβs compromised.
Contact support if your server was flagged or if you receive an abuse complaint.
Pro tip: Having regular backups will save you if you need to rebuild your server.
π« Common Causes of IP Blacklisting
| Cause | How to Prevent |
|---|---|
| Spam emails | Block port 25 if not needed, use authenticated SMTP |
| Open proxy or VPN misused | Require authentication, restrict access |
| Malware infection | Keep system updated, install antivirus, monitor server |
| Hacked applications | Keep software (CMS, VPN, proxy apps) updated |
| DDoS or botnet control servers | Firewall unnecessary ports, monitor outbound traffic |
π’ Important Note:
You are responsible for maintaining the security of your server.
Failure to secure your server can lead to service disruptions, blacklisting, and potential service suspension.
Prevention is easier and cheaper than cleanup after a compromise.
Updated on: 04/28/2025
Thank you!