bsdnerds.org

Linux Server Hardening

A common opinion about Linux is the fact that it represents one of the most secure by default tool you can use.

Linux comes with several in-built security modes, these can be customized as needed, and can lead to a more secure system.

Linux is a bit trickier to manage, but at the same time if offers a lot in terms of configuration opportunities. Let’s see the top security tips to improve your Linux Server security.

Physical system security

The most common-sense approach for hardening a Linux Servers security is to use the BIOS. Set it up to disable booting from CD/DVD or any other external devices.

Afterward, enable BIOS password, and add an extra layer of security with a GRUB password. In this way, you will limit physical access to the system.

Use Disk Partitions

It is essential to create distinct partitions, as it will boost data security in case of loss.

In this way, you can group data, and in case of an accident, only a part of your info on a partition will be damaged, rather than losing all your data.

Keep in mind that you have to create separate partitions that require third party app in order to correctly separate file systems under the /opt command.

Don’t forget about listening network ports

Use the command netstat and check all open ports and linked programs.

The command ss -ntp can be used for this as well.

Type the chkconfig command to disable all unwanted network tools from your system.

use netstat or ss

Always use SSH

SSH represents one of the most secure protocols based on encryption tech for server communication.

  • Avoid logging in directly as root. Instead, use sudo to undergo commands.
  • Switch the default SSH port (22) to something else.
  • Disable root login
  • Enable two factor authentication (2FA)

Update your system

A simple and yet important security tip is to update your system. Having the latest updates gets you access to security fixes.

Under Ubuntu or Debian, you can use these commands:

sudo apt-get update
sudo apt-get upgrade

If you use Fedora, you can use this command:

sudo dnf upgrade

Linux update system

Use SELinux

Security Enhanced Linux represents an access control security tool offered in the kernel.

Enabling SELinux can add an extra layer of security to your system. You can select between three main modes of this Enforcing, Permissive and Disable.

SELinux ships with RHEL and Fedora.

It is NOT available on Ubuntu and other Linux distributions, because it’s part of the kernel too.

SELinux

Turn off IPv6

If you don’t need IPv6 for your system, it is always best to keep it disabled at all times.

Prevent users from using old passwords

One of the top Linux Server Hardening Security tips is to restrict users from using out of date passwords.

Open /etc/pam.d/system-auth file under RHEL / CentOS / Fedora.

Open /etc/pam.d/common-password file under Ubuntu/Debian/Linux Mint.

Add the following line:

auth section: auth        sufficient    pam_unix.so likeauth nullok

Use the password section to disallow a user from re-suing last 5 passwords.

Stop Linux password re-use on Ubuntu,Debian,Fedora,Redhat,CentOS

Lock user accounts if they fail to login in

Linux allows you to lock out users after multiple login failures. You can use the faillog command to create login limits.

Use Logwatch or Logchechk to analyse suspicious log messages

Using either of those commands will allow you to verify reports about unusual events in syslog.

Besides these 10 tips about hardening a Linux system,

  • you can always opt for protecting files or directories via file permission rules
  • securing Apache/PHP/Nginx server
  • using an Intrusion Detection System
  • disabling USB devices