Harden your Linux server in seven simple steps.

This introductory article covers the basics of Linux server security. Although it focuses on Debian/Ubuntu, everything here applies to other Linux distributions as well. I also encourage you to study this material further and expand on it where applicable.

1. Update your server

The first thing to do to secure your server is to update your local repository and upgrade your operating system and installed applications by applying the latest fixes.

On Ubuntu and Debian:

$ sudo apt update && sudo apt upgrade -y

On Fedora, CentOS, or RHEL:

$ sudo dnf upgrade

2. Create a new privileged user

Next, create a new user account. Never log in as root. Instead, create your own account, give it sudo privileges, and use it to log in to your server.

First create a new user:

$ adduser <username>

Grant sudo privileges to the new user account by appending (-a) the sudo group to the user's supplementary groups (-G):

$ usermod -a -G sudo <username>

3. Upload your SSH key

You should log in to the new server using your SSH key. You can upload the pre-generated SSH key to your new server using the ssh-copy-id command:

$ ssh-copy-id <username>@ip_address

You can now log in to the new server without entering a password.

4. Secure SSH

Next, make the following three changes:

  • Disable SSH password authentication
  • Restrict remote root login
  • Restrict the service to IPv4 or IPv6

Open /etc/ssh/sshd_config in the text editor of your choice and find the following lines:

PasswordAuthentication yes
PermitRootLogin yes

Change them to this:

PasswordAuthentication no
PermitRootLogin no

Next, restrict the SSH service to IPv4 or IPv6 by modifying the AddressFamily option. To restrict it to IPv4 only (which should be fine for most people), set the option as follows:

AddressFamily inet

Restart the SSH service to apply your changes. Note that it is a good idea to have two active connections to the server open before restarting the SSH service. If the restart fails, you can use the extra connection to fix the problem instead of being locked out.

On Ubuntu:

$ sudo service sshd restart

On Fedora, CentOS, or any other system using systemd:

$ sudo systemctl restart sshd
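
The edits in this step are easy to get wrong by hand (a commented-out duplicate left in place, a typo that stops sshd from starting). The following script, added here as an illustration and not part of the original article, applies the three settings to a given sshd_config file idempotently and validates the file with sshd -t before the service is restarted. The function names and the backup path are my own choices.

```shell
#!/bin/sh
# Added example (not from the original article): apply the three sshd_config
# settings from step 4 to FILE, then validate before restarting.
set -eu

# set_opt FILE KEY VALUE: rewrite every existing KEY line, commented or not,
# as "KEY VALUE"; append the line if the key is absent. Note that lines inside
# Match blocks are rewritten too, so check `sshd -T` if you use per-user
# exceptions.
set_opt() {
  file=$1; key=$2; value=$3
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
    sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# harden_sshd_config FILE: back the file up, then apply the three settings.
harden_sshd_config() {
  cfg=$1
  cp "$cfg" "${cfg}.bak"      # keep a copy to restore if something breaks
  set_opt "$cfg" PasswordAuthentication no
  set_opt "$cfg" PermitRootLogin no
  set_opt "$cfg" AddressFamily inet
}

# get_opt FILE KEY: print the first uncommented value of KEY (sshd itself uses
# the first value it sees for each keyword).
get_opt() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# apply_and_restart: validate the live config with sshd -t and only then
# restart. Run this from a session you keep open, as the article advises.
# On Ubuntu/Debian 22.04+ also check /etc/ssh/sshd_config.d/*.conf, which is
# included first and therefore wins; `sshd -T` prints the effective values.
apply_and_restart() {
  harden_sshd_config /etc/ssh/sshd_config
  sshd -t && systemctl restart sshd
}
```

Run `sudo sh -c '. ./harden.sh; apply_and_restart'` on the server itself; the file-editing functions can be tried safely on a copy of sshd_config first.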

5. Enable the firewall

Now you need to install a firewall, enable it, and configure it to allow only the network traffic you specify to pass through. Uncomplicated Firewall (UFW) is an easy-to-use interface to iptables that greatly simplifies firewall configuration.

You can install UFW as follows:

$ sudo apt install ufw

By default, UFW rejects all incoming connections and allows all outgoing connections. This means that any application on the server can reach the Internet, but nothing outside the server can open a connection to it.

First, make sure you can log in by enabling access to SSH, HTTP, and HTTPS:

$ sudo ufw allow ssh
$ sudo ufw allow http
$ sudo ufw allow https

Then enable UFW:

$ sudo ufw enable

You can see which services are allowed and denied with:

$ sudo ufw status

If you want to disable UFW, you can do so by typing:

$ sudo ufw disable

You can also use firewall-cmd (on RHEL/CentOS), which some distributions install and integrate by default.

6. Install Fail2ban

Fail2ban is an application that scans server logs for repeated or automated attacks. If it finds any, it updates the firewall to block the attacker's IP address, either permanently or for a specified period of time.

You can install Fail2ban by typing the following command:

$ sudo apt install fail2ban -y

Then copy the bundled configuration file to a local copy that Fail2ban reads in preference to the original:

$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Restart Fail2ban:

$ sudo service fail2ban restart

That's it. The software continuously checks the log files for attacks. Over time, it will build up quite a list of banned IP addresses. You can view this list by querying the current status of the SSH jail:

$ sudo fail2ban-client status ssh

7. Remove useless network services

Almost all Linux server operating systems have some network-oriented services enabled. You may want to keep most of them, but some you may want to remove. You can use the ss command to view all active network services:

$ sudo ss -atpu

The output of ss depends on your operating system. Here is an example that shows the SSH (sshd) and Nginx (nginx) services listening on the network and ready to accept connections:

tcp LISTEN 0 128 *:http *:* users:(("nginx",pid=22563,fd=7))
tcp LISTEN 0 128 *:ssh *:* users:(("sshd",pid=685,fd=3))

How you remove unused services varies depending on your operating system and the package manager you use.

To remove unused services on Debian/Ubuntu:

$ sudo apt purge <service_name>

To delete unused services on Red Hat/CentOS:

$ sudo yum remove <service_name>

Run ss -atpu again to verify that the unused services are no longer installed and running.
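
Reading the ss output by eye is fine for two services, but a real server lists many more. The script below, added here as an illustration and not part of the original article, reduces `ss -atpu` output to one line per listening socket and prints only the ones whose port is not on an expected list (here the same three services step 5 opened in the firewall). The sample output is constructed; its first two lines are the ones shown above.

```shell
#!/bin/sh
# Added example (not from the original article): audit `ss -atpu` output
# for listening sockets that are not on an expected list.
set -eu

# listeners: read `ss -atpu` output on stdin and print "netid port process"
# for every socket waiting for traffic (TCP LISTEN, UDP UNCONN). The process
# name is taken from the users:(("name",pid=...)) column when present.
listeners() {
  awk '
    $2 == "LISTEN" || $2 == "UNCONN" {
      n = split($5, a, ":"); port = a[n]        # text after the last ":"
      proc = "?"
      if (match($0, /users:\(\("[^"]+"/))         # users:(("sshd",...
        proc = substr($0, RSTART + 9, RLENGTH - 10)
      print $1, port, proc
    }'
}

# unexpected_listeners "ssh http https": print listeners whose port (name or
# number, as ss prints it) is not in the space-separated allow list.
unexpected_listeners() {
  listeners | awk -v allowed=" $1 " 'index(allowed, " " $2 " ") == 0'
}

# Constructed sample in the column layout ss uses; the ESTAB line is a
# client connection, not a listener, and must be ignored.
SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
tcp   LISTEN 0      128    *:http               *:*            users:(("nginx",pid=22563,fd=7))
tcp   LISTEN 0      128    *:ssh                *:*            users:(("sshd",pid=685,fd=3))
udp   UNCONN 0      0      127.0.0.53%lo:domain 0.0.0.0:*      users:(("systemd-resolve",pid=412,fd=12))
tcp   ESTAB  0      0      10.0.0.5:ssh         10.0.0.9:51234 users:(("sshd",pid=9021,fd=4))'

# audit_sample: run the audit over the constructed sample; prints
# "udp domain systemd-resolve", the one listener not on the list.
audit_sample() {
  printf '%s\n' "$SAMPLE" | unexpected_listeners "ssh http https"
}

# On a live host: sudo ss -atpu | unexpected_listeners "ssh http https"
```

Anything the audit prints is a candidate for step 7's removal, or for a firewall rule if the service is needed but should only listen locally.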

Conclusion

This tutorial describes the minimum steps required to harden a Linux server. You should add further security layers depending on how the server is used. These layers can include things like individual application configurations, intrusion detection software (IDS), and stronger access control (for example, two-factor authentication).


Via: opensource.com/article/19/…

By Patrick H. Mullins (lujun9972)

This article was originally translated by LCTT and published on Linux China.