This blog represents the bare minimum needed to harden a Linux server.
Enabling an additional security layer is necessary depending on how a server is used. These layers can include things like individual application configurations, intrusion detection software, and enabling access controls, e.g., two-factor authentication.
These 7 steps securing Linux server will help you to secure the Linux server and we do assist our clients with several Linux queries under the server management plan.
- Update your server
The first step of securing the server is by updating the local repositories and upgrading the operating system and then install the application by applying the latest patches.
On Ubuntu and Debian:
$ sudo apt update && sudo apt upgrade -y
On Fedora, CentOS, or RHEL:
$ sudo dnf upgrade
- Create a new privileged user account
Later, you need to create a new user account. You shouldn’t log the server as a root. Instead, create your account (“<user>“), give it sudo rights, and use it to log into a server.
Start by creating a new user:
$ adduser <username>
Give your new user account sudo rights by appending (-a) the sudo group (-G) to the user’s group membership:
$ usermod -a -G sudo <username>
- Upload your SSH key
To login into the new server, you need an SSH key. By using the ssh-copy-id command you can upload a pre-generated SSH key to the new server.
$ ssh-copy-id <username>@ip_address
Now you can log into your new server without having to type in a password.
- Secure SSH
Making three changes:
- Disable SSH password authentication
- Restrict root from logging in remotely
- Restrict access to IPv4 or IPv6
Open /etc/ssh/sshd_config using your text editor of choice and ensure lines:
look like this:
Later, you can modify the address-family option by restricting the SSH service to either IPv4 or IPv6.Use the only IPV4 to change(which should be fine for most folks) make a change:
Now, Restart the SSH service to make changes enable.
Note: it’s better to have two active connection to the server before restarting the SSH server, by having an extra connection that would allow fixing anything when something goes wrong.
$ sudo service sshd restart
On Fedora or CentOS or anything using Systemd:
$ sudo systemctl restart sshd
- Enable a firewall
Install the firewall, enable it, and configure only you allow network traffic that designates. Uncomplicated Firewall (UFW) is an easy-to-use interface to iptables that greatly simplifies the process of configuring a firewall.
You can install UFW with:
$ sudo apt install ufw
By default, the UFW will allow the outgoing connection but rejects all incoming connection on the server that reaches through the internet
Anything that tries to connect through the server is denied.
Ensure you log in by enabling access to SSH, HTTP, and HTTPS:
$ sudo ufw allow ssh
$ sudo ufw allow http
$ sudo ufw allow https
Then enable UFW:
$ sudo ufw enable
You can see what services are allowed and denied with:
$ sudo ufw status
If you ever want to disable UFW, you can do so by typing:
$ sudo ufw disable
Use firewall-cmd, which is already installed and integrated into some distributions.
- Install Fail2ban
Fail2ban vulnerabilities that will examine server logs looking for repeated or automated attacks. If any are found, the firewall alert will block the attacker’s IP address either permanently or for a specified amount of time.
You can install Fail2ban by typing:
$ sudo apt install fail2ban -y
copy configuration file:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$ sudo service fail2ban restart
That’s all there is to it.
The software will ensure examining all the log files looking for attacks.
Later, the app will build up a list of a banned IP address. You can view the list with the help of the SSH service current status.
$ sudo fail2ban-client status ssh
- Remove unused network-facing services
Most of the Linux based operating system that comes with a few network-facing services enabled, you can remove whatever you wish to. by running network services command
$ sudo ss -atpu
Depending upon the operating system
The output from ss will differ depending on your operating system. This is an example of what you might see. It shows that the SSH (sshd) and Ngnix (nginx) services are listening and ready for connection:
tcp LISTEN 0 128 *:http *:* users:(("nginx",pid=22563,fd=7))
tcp LISTEN 0 128 *:ssh *:* users:(("sshd",pid=685,fd=3))
How you go about removing an unused service (“<service_name>“) will vary on the operating system and the package manager uses.
To remove an unused service on Debian/Ubuntu:
$ sudo apt purge <service_name>
To remove an unused service on Red Hat/CentOS:
$ sudo yum remove <service_name>
Run ss -atup again to verify that the unused services are no longer installed and running.
In short, introduce you to basic Linux server security. While it focuses on Debian/Ubuntu, you can apply everything presented here to other Linux distributions.