- How to Secure Linux Server? Ways to Do Linux Hardening
- What is a Linux Server?
- Importance of Linux Security
- 8 ways to Improve Linux Server Security
- 1. Using complex and unpredictable passwords
- 2. Disable login with root user
- 3. Restrict user logins to secure VPS
- 4. Disable protocol 1
- 5. Use non-standard ports for SSH
- 6. Filter SSH connections with a firewall
- 7. Use the Security Keys for identification
- 8. Keep servers up to date
- Conclusion
- 7 steps to securing your Linux server
- 1. Update your server
- 2. Create a new privileged user account
- 3. Upload your SSH key
- 4. Secure SSH
- 5. Enable a firewall
- 6. Install Fail2ban
- 7. Remove unused network-facing services
How to Secure Linux Server? Ways to Do Linux Hardening
Do you know how to secure Linux Server? What is Linux Hardening? and Tips for Linux Server Security? Get all the details inside this blog post.
List of content you will read in this article:
The use of Linux in the cyber-space has grown enormously; with it, the number of possible security threats is now more than ever. Security has become an essential factor for any business in the information technology world. That is why you too need to upgrade your security around your Linux server. Inside this article, you will get various ways to secure Linux servers listed here.
Before diving to know more about these Linux hardening security tips, You should know what a Linux server is.
What is a Linux Server?
A Linux server is a powerful computer system used to host and manage services or applications in a network. It is typically configured with various services, such as web servers, database servers, file servers, and application servers, and it is used to support the needs of users or clients within an organization or across the internet. Linux servers are popular due to their stability, security, and flexibility, and they are often used in enterprise environments, hosting providers, and cloud computing platforms.
A Linux server is running on various distributions such as Debian, Ubuntu, CentOS, RHEL, etc.
Importance of Linux Security
When setting up any web server, keep its security in mind. The most preferred hosting server is a Linux server over a Windows Server for its improved security.
However, it is only as secure as the configuration you put on it. Many will opt for various layers, such as reacting in real time to different threats.:
1. WAF (i.e., Web Application Firewalls)
2. IDS (i.e., Intrusion Detection System)
3. Mod Security
If you are storing sensitive information on a virtual private server, it can all be stolen because of simple security oversight. Without proper security measures, malware could find its way onto the server, which is when the trouble starts.
Your server can also be used as a spam-sending relay and possibly be blocked from certain DNS providers, making your website invisible to anyone.
If your Linux server security is lacking, hackers can take control of your server and perform either malicious or outright illegal activities. Depending on what they do, you, as the owner of the server, might even be held responsible for it.
In the worst-case scenario, you might completely lose access to the server; however, in most such situations, your web hosting provider will delete the compromised server plan and provide you with a new one.
All these cyber security threats scratch the surface of what can happen if someone hacks into your server or certain malware is installed on it. Do not forget, however, that these are just that – threats.
If proper security measures are taken, they will only stay as threats and will never become a problem. Here are some measures you can have a look at:
8 ways to Improve Linux Server Security
You should read these best tips for Linux hardening and improving Linux security.
1. Using complex and unpredictable passwords
The utmost important step in securing a Linux server is to choose a strong password.
The first attempt by hackers will be to use Brute Force attacks to infiltrate your system. Having a complex and unpredictable password makes it nearly impossible for them to gain access to your server.
Here are a few tips for choosing a sophisticated password:
- Use at least 12 characters
- Use upper and lower case letters
- Put numbers between letters
- Use non-numeric and non-letter characters
Use the following commands to change the Linux password:
To change the root password:
2. Disable login with root user
Being a root user will give you all the power to make any kind of changes on your Linux Terminal. Disabling login with the root user means that the person logging in can no longer use the root privileges. This is a great safety measure to follow because in order to access root privileges, the user will have to provide the password again.
To disable logging in with the root user, follow these steps:
Step 1: Open the file “etc/ssh/sshd_config/” with an editor:
Step 2: Look for the following statement in this file and change the word yes to no.
Step 3: Restart the SSH service after making changes and save the file.
3. Restrict user logins to secure VPS
You might have a lot of usernames on your server, but you only need a few of the accounts to be logged in.
Let’s assume you have 10 users on Linux, but only two people (Sophia and Emma) should be allowed to connect remotely to the server.
To restrict Linux users, open the sshd_config file with an editor.
Restart the SSH service after making changes and save the file.
4. Disable protocol 1
The SSH service works with 2 protocols, namely Protocol 1 and 2. Protocol 1 has lesser security than the other, so it’s better to use protocol 2 in your communications.
To disable protocol 1, open the sshd_config file with an editor.
Find the following statement and change it to «protocol 2».
Restart the SSH service after making changes and save the file.
5. Use non-standard ports for SSH
The default SSH service port is 22, so hackers will check this port before anything else. In some cases, administrators can change the default SSH port from 22 to 2222, but you should know that hackers will surely scan port 22, and if they get no result, their second choice will be port 2222. It’s better to use ports with many digits that are not reserved for other services. The best choice is between 10,000 and 65,000, most of which are free.
6. Filter SSH connections with a firewall
If you only connect remotely to the server and use a particular IP, you can use the following command to isolate your connection to the SSH service.
iptables –A INPUT –p tcp –s 5.56.233.9 –dport 22 –j –ACCEPT
By entering the above command, you can only connect to the server from a system with an IP address of 5.56.233.9.
If you want to access the server from all locations, enter the below commands:
iptables -A INPUT -p tcp —dport 22 -m state —state NEW -m recent —set —name ssh –rsource
iptables -A INPUT -p tcp —dport 22 -m state —state NEW -m recent ! —rcheck —seconds 60 —hitcount 4 —name ssh —rsource -j ACCEPT
You open access to port 22 for all IPs in the first command.
In the second command firewall automatically blocks the IPs that send multiple requests in less than 60 seconds.
Note: To properly execute the second command, you must add the default DROP policies.
7. Use the Security Keys for identification
Using Security Keys has two main advantages.
- You can access your terminal without entering a password.
- You can disable password logging completely so that no password is required to connect to the server.
This feature protects against certain possible attacks, such as brute force attacks.
8. Keep servers up to date
Linux Server updates are one of the critical factors that you should always keep in mind. Updating a server regularly will keep security and fix performance issues. The developers often include security improvements and patches for recently discovered vulnerabilities in newly released versions. If your server is not up to date, hackers might exploit said vulnerabilities to gain access to your Linux VPS.
Conclusion
We have discussed a Linux server and the importance of having an exemplary security configuration on it. Along with this, we explained various Linux hardening Security tips that will improve your Linux server performance and keep you safe from hackers. We hope this article has been helpful to you, and if you have any questions, You can comment via the comment box.
People are also reading:
7 steps to securing your Linux server
This primer will introduce you to basic Linux server security. While it focuses on Debian/Ubuntu, you can apply everything presented here to other Linux distributions. I also encourage you to research this material and extend it where applicable.
1. Update your server
The first thing you should do to secure your server is to update the local repositories and upgrade the operating system and installed applications by applying the latest patches.
$ sudo apt update && sudo apt upgrade -y2. Create a new privileged user account
Next, create a new user account. You should never log into your server as root. Instead, create your own account (» «), give it sudo rights, and use it to log into your server.
Start out by creating a new user:
Give your new user account sudo rights by appending (-a) the sudo group (-G) to the user’s group membership:
3. Upload your SSH key
You’ll want to use an SSH key to log into your new server. You can upload your pre-generated SSH key to your new server using the ssh-copy-id command:
Now you can log into your new server without having to type in a password.
4. Secure SSH
Next, make these three changes:
- Disable SSH password authentication
- Restrict root from logging in remotely
- Restrict access to IPv4 or IPv6
Open /etc/ssh/sshd_config using your text editor of choice and ensure these lines:
PasswordAuthentication yes PermitRootLogin yesPasswordAuthentication no PermitRootLogin noNext, restrict the SSH service to either IPv4 or IPv6 by modifying the AddressFamily option. To change it to use only IPv4 (which should be fine for most folks) make this change:
Restart the SSH service to enable your changes. Note that it’s a good idea to have two active connections to your server before restarting the SSH server. Having that extra connection allows you to fix anything should the restart go wrong.
$ sudo service sshd restartOn Fedora or CentOS or anything using Systemd:
$ sudo systemctl restart sshd5. Enable a firewall
Now you need to install a firewall, enable it, and configure it only to allow network traffic that you designate. Uncomplicated Firewall (UFW) is an easy-to-use interface to iptables that greatly simplifies the process of configuring a firewall.
By default, UFW denies all incoming connections and allows all outgoing connections. This means any application on your server can reach the internet, but anything trying to reach your server cannot connect.
First, make sure you can log in by enabling access to SSH, HTTP, and HTTPS:
$ sudo ufw allow ssh $ sudo ufw allow http $ sudo ufw allow httpsYou can see what services are allowed and denied with:
If you ever want to disable UFW, you can do so by typing:
You can also use firewall-cmd, which is already installed and integrated into some distributions.
6. Install Fail2ban
Fail2ban is an application that examines server logs looking for repeated or automated attacks. If any are found, it will alter the firewall to block the attacker’s IP address either permanently or for a specified amount of time.
You can install Fail2ban by typing:
$ sudo apt install fail2ban -yThen copy the included configuration file:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local$ sudo service fail2ban restartThat’s all there is to it. The software will continuously examine the log files looking for attacks. After a while, the app will build up quite a list of banned IP addresses. You can view this list by requesting the current status of the SSH service with:
$ sudo fail2ban-client status ssh7. Remove unused network-facing services
Almost all Linux server operating systems come with a few network-facing services enabled. You’ll want to keep most of them. However, there are a few that you might want to remove. You can see all running network services by using the ss command:
The output from ss will differ depending on your operating system. This is an example of what you might see. It shows that the SSH (sshd) and Ngnix (nginx) services are listening and ready for connection:
tcp LISTEN 0 128 *:http *:* users:(("nginx",pid=22563,fd=7)) tcp LISTEN 0 128 *:ssh *:* users:(("sshd",pid=685,fd=3))How you go about removing an unused service (» «) will differ depending on your operating system and the package manager it uses.
To remove an unused service on Debian/Ubuntu:
To remove an unused service on Red Hat/CentOS: