10 Useful tips to secure Linux server (improve security of Linux server)

A secure Linux Server is essential to protect our data from hackers. But securing a server doesn’t require to be complicated. Here we have collected 7 Useful tips to improve the security of Linux server

How to secure linux server from hackers

The first rule is to keep your server lean and mean. Install only those packages that you really need. If there are unwanted packages; purge. The fewer the packages the less chance of unpatched code.

Turn on SELinux

Security-Enhanced Linux (SELinux) is an access control security mechanism provided in the kernel. It can easily enforce a security policy of your choosing, which is a must for a rock-solid Linux server.

SELinux provides 3 basic modes of operation :

  1. Enforcing: This is the default mode that enables and enforces the SELinux security policy on the machine.
  2. Permissive: In this mode, SELinux will not enforce the security policy on the system, only warn and log actions.
  3. Disabled: SELinux is turned off.

It can be managed from ‘/etc/selinux/config’ file, where you can enable or disable it.

CentOS and RedHat Enterprise Linux both ship with the SELinux security system. It is pre-configured for good security, so no further instructions are needed.

To set it up on the Ubuntu server use: sudo apt install selinux

Debian: sudo apt-get install selinux-basics selinux-policy-default auditd

Secure Console Access

You must protect Linux server’s console access by disabling the booting from external devices such as DVDs / CDs / USB pen after BIOS setup. Also, Set BIOS and grub boot loader password to protect these settings.

Restrict using Old passwords

We can restrict users to use the same old passwords. The old password file is located at /etc/security/password. This can be done by using PAM module.

Open ‘/etc/pam.d/system-auth‘ file under RHEL / CentOS / Fedora.

# vi /etc/pam.d/system-auth

Open ‘/etc/pam.d/common-password‘ file under Ubuntu/Debian/Linux.

# vi /etc/pam.d/common-password

Add the following line to ‘auth’ section.

auth sufficient pam_unix.so likeauth nullok

Add the below line to ‘password’ section to disallow a user from re-using last 3 passwords.

password sufficient pam_unix.so nullok use_authtok md5 shadow remember=3

Last 3 passwords are remembered by server. If you tried to use any of last 3 old passwords, you will get an error like.

Password has been already used. Choose another

Check Listening Ports

Use ‘netstat’ command to view open ports and corresponding services.

netstat -tunlp

Disable the unwanted services from the system using ‘chkconfig’ command and close the ports that are not needed.

chkconfig serviceName off

Disable Root Login

By shutting access off to Root account, you’ll be able to ensure that bad actors cannot get full access to the system files, install problematic software (like malware), etc. It’s not advisable to ssh into your server as superuser(root). We should disable ssh as root user on the server, but before doing so, let’s create a user with sudo powers so that you can ssh into the server and perform administrative tasks. Once you are logged into the server, you can always switch user to root, if needed.

Create a new user :

useradd user1

Create password for the user added :

passwd user1

Provide sudo permissions to the newly added user :

echo 'user1 ALL=(ALL) ALL' >> /etc/sudoers

SSH to the server with the new user and ensure that the login works.

We are now going to disable root login, which means no one can ssh or log into the server as root user. To do so, open the sshd configuration file:

nano /etc/ssh/sshd_conf

Next, uncomment the line that says

PermitRootLogin no

Then save and close this file and restart the service

service sshd restart

Important: Don’t log out of the server yet. First test whether you can successfully ssh into the server using the previously created user. Open another instance of the terminal and ssh into the server with user you previously created. If everything works fine, you can safely log out of the server as root.

Change the Port

We can change the default SSH Port to add a layer of opacity to keep your server safe .

Open the /etc/ssh/sshd_config file

replace default Port 22 with a different port number say 1110

save & exit from the file

service sshd restart

Now to login define the port No.

ssh username@IP -p 1110

Disable Ctrl+Alt+Delete in Inittab

Hitting Ctrl+Alt+Delete will take your server to reboot process. So this is always advisable to disable this as someone can mistakenly reboot the system.

The ctrl+Alt+Del action is defined in /etc/init/control-alt-delete.conf .Comment the below line

#start on control-alt-delete

Password-less Login

We can easily login to our server through SSH without any password by generating the ssh-keys. Just be careful that you can log into your server only from that machine on which you generated the ssh keys

Generating SSH-keys :

ssh-keygen – t rsa

Generating SSH-keys

Copy your public SSH key, then add the same in the server

cat ~/.ssh/id_rsa.pub

To add ssh keys in the server

Suppose we have user-user1 to provide ssh-key access to the server

cd /home/user1
ls -ll

Create a .ssh directory and inside it create a file named authorized_keys and add the users public ssh key in the same

mkdir .ssh
cd /home/admin/.ssh
vim authorized_keys

Add the public SSH key and then change the owner of the file

chown user1 authorized_keys

Disable ssh login

Edit /etc/ssh/sshd_config

Passwordauthentication no
PermitRootLogin no

Now, only the authorized user can login to the server with the command

ssh user-name@serverIP -p(port Number)

Turn off IPv6 to boost Linux server security

IPv6 is better than IPv4, but you probably aren’t getting much out of it because neither is anyone else. Hackers get something from it, because they use it to send malicious traffic, so shutting down IPv6 will close the door in their faces. Go to edit /etc/sysconfig/ network and change the settings to read NETWORKING_ IPV6=no and IPV6INIT=no. Simple as that.

Use SFTP, not FTP

File transfer protocol (FTP) isn’t safe anymore, even if you encrypt your connection. FTP and FTPS won’t keep you safe from packet sniffing, which is where your network traffic gets logged by someone else. Only the credentials are encrypted, which isn’t much use to anyone.

SFTP is “FTP over SSH” (also called “secure FTP”), and it encrypts all the data, credentials and files included.

Always install updates

This seems like an obvious point, but you’d be surprised to learn how many Linux server operators forgo updates on their system. The choice is understandable, as every update has the potential to screw up running applications, but by choosing to avoid system updates, you miss out on security patches that fix exploits and bugs that hackers use to breach Linux systems.

It’s true that updating on a production Linux server is a lot more annoying it will ever be on the Desktop. The simple fact is that you can’t just stop everything to install patches. To get around this, consider setting up a planned update schedule.

To be clear there’s no set science on update schedules. They can vary depending on your use case, but, it’s best to install patches weekly, or bi-weekly for maximum security.

Fail2Ban for SSH login

Fail2ban works by dynamically altering the firewall rules to ban addresses that have unsuccessfully attempted to log in a certain number of times.

Install Fail2ban :

sudo apt-get update
apt-get install fail2ban

Create a new file jail.local and copy the contents of jail.config to the same and make the changes in jail.local file only

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit /etc/fail2ban/jail.local file

Make the desired changes:

[sshd]
enabled = true
port = ssh ( provide the port number if the default port is changed )
protocol = tcp
filter = sshd
logpath = /var/log/secure
maxretry = 3 ( max no. of tries after which the host should be banned)
findtime = 600 (This parameter sets the window that fail2ban will
 pay attention to when looking for repeated failed authentication attempts
in seconds)
bantime = 600 (time duration for which the host is banned -in seconds)

Then restart the fail2ban services

service fail2ban restart

IP can be blocked permanently by setting bantime = -1.

Note: FAIL2BAN will block the Global IP .

Security used to be an inconvenience sometimes, but now it’s a necessity all the time — Martina Navratilova

 

Source medium
You might also like