A common opinion about Linux is that it is one of the most secure-by-default tools you can use.
Linux comes with several built-in security modes; these can be customized as needed and can lead to a more secure system.
Linux is a bit trickier to manage, but at the same time it offers a lot in terms of configuration opportunities. Let’s see the top security tips to improve your Linux Server security.
The most common-sense approach to hardening a Linux server's security is to start with the BIOS. Set it up to disable booting from CD/DVD or any other external devices.
Afterward, enable a BIOS password, and add an extra layer of security with a GRUB password. In this way, you will limit physical access to the system.
It is essential to create distinct partitions, as it will boost data security in case of loss.
In this way, you can group data, and in case of an accident, only a part of your info on a partition will be damaged, rather than losing all your data.
Keep in mind that you have to create separate partitions, and that third-party apps should go on their own file system under the /opt directory.
Use the netstat command to check all open ports and linked programs. ss -ntp can be used for this as well.
Use the chkconfig command to disable all unwanted network tools from your system.
SSH represents one of the most secure protocols based on encryption tech for server communication.
- Avoid logging in directly as root. Instead, use sudo to run commands.
- Switch the default SSH port (22) to something else.
- Disable root login
- Enable two factor authentication (2FA)
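As an added example (not from the original article), the shell function below audits an sshd_config file against the SSH tips above. The sample file is constructed, and treating a comma-joined AuthenticationMethods list as the 2FA signal is an assumption about how 2FA is deployed.

```shell
#!/bin/sh
# Audit the global section of an sshd_config against the SSH tips above.
# sshd semantics: keywords are case-insensitive; the first value seen for a
# keyword wins, except Port, which may repeat (sshd listens on every one);
# lines after "Match" are conditional, so parsing stops there.
# Not handled: Include directives and drop-in directories.
audit_sshd_config() {
    awk '
        function verdict(ok) { return ok ? "PASS" : "FAIL" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            line = tolower($0); gsub(/"/, "", line)
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            n = split(line, f, /[ \t=]+/); key = f[1]
            if (key == "match") exit             # END still runs after exit
            rest = f[2]; for (i = 3; i <= n; i++) rest = rest " " f[i]
            if (key == "port") { ports = ports (ports == "" ? "" : " ") rest }
            else if (!(key in val)) val[key] = rest
        }
        END {
            # Defaults that current OpenSSH applies when a keyword is absent.
            root = ("permitrootlogin" in val) ? val["permitrootlogin"] : "prohibit-password"
            if (ports == "") ports = "22"
            auth = ("authenticationmethods" in val) ? val["authenticationmethods"] : "any"
            print verdict(root == "no"), "PermitRootLogin", root
            print verdict((" " ports " ") !~ / 22 /), "Port", ports
            # Assumption: 2FA means every allowed method list chains two or
            # more methods with commas; a list without a comma is single-factor.
            m = split(auth, lists, " "); two = 1
            for (i = 1; i <= m; i++) if (lists[i] !~ /,/) two = 0
            print verdict(two), "AuthenticationMethods", auth
        }
    ' "$1"
}

# Constructed sample input, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
Port 22
PermitRootLogin no
PermitRootLogin yes
Match User backup
    AuthenticationMethods publickey,keyboard-interactive
EOF
audit_sshd_config "$sample"
rm -f "$sample"
```

On a live host, the output of sshd -T (the effective configuration, with Include files resolved) is a better input than the raw file.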
A simple and yet important security tip is to update your system. Having the latest updates gets you access to security fixes.
sudo apt-get update
sudo apt-get upgrade
If you use Fedora, you can use this command:
sudo dnf upgrade
Security Enhanced Linux represents an access control security tool offered in the kernel.
Enabling SELinux can add an extra layer of security to your system. You can choose between three main modes: Enforcing, Permissive and Disabled.
SELinux ships with RHEL and Fedora.
It is NOT available on Ubuntu and other Linux distributions, because it’s part of the kernel too.
If you don’t need IPv6 for your system, it is always best to keep it disabled at all times.
One of the top Linux Server Hardening Security tips is to restrict users from reusing old passwords.
Edit the /etc/pam.d/system-auth file under RHEL / CentOS / Fedora.
Edit the /etc/pam.d/common-password file under Ubuntu/Debian/Linux Mint.
Add the following line to the auth section:
auth sufficient pam_unix.so likeauth nullok
Use the password section to disallow a user from reusing the last 5 passwords.
Linux allows you to lock out users after multiple login failures. You can use the faillog command to create login limits.
Using either of those commands will allow you to verify reports about unusual events in syslog.
Besides these 10 tips about hardening a Linux system, you can always opt for:
- protecting files or directories via file permission rules
- securing your Apache/PHP/Nginx server
- using an Intrusion Detection System
- disabling USB devices