Top 15 Tips to Secure Linux Server
A Linux-based operating system is an obvious choice when we talk about the performance and security of servers. Linux distributions including CentOS, RHEL, and Fedora have a feature of SELinux by default. This article covers the Top 15 Tips to Secure Linux Server and helps system administrators to enhance security.
(1) Disable SSH password login. Instead, use SSH keys.
This is a basic step to enhance security. It is recommended to disable SSH password login and use SSH keys. This will allow administrators to copy public keys to servers and access servers without passwords. This helps in restricting to access servers from other desktops.
(2) Change the default port on services.
This is a perfect example of security by obscurity. This option may add another layer of defense and bad actors may take some more time to identify correct configured open ports.
(3) Never enable direct root login.
Disable root login and use low-privilege accounts. But you need a root user to begin services all the time. In Ubuntu, you can check root access by using the below command:
(4) Set a strong password and don't reuse it.
This is usual practice and always recommended to set a strong password and also enable policy to not reuse it. It is also recommended to use a Password Manager.
In Ubuntu, pam_pwquality.so module needs to be configured for the strength of the password. You can install the pam_pwquality module by using the below command:
apt install libpam-pwquality
Edit /etc/security/pwquality.conf to enhance strength of password.
(5) Configured Two-Factor Authentication (2FA)
This step will add one more layer of security and come under defense in depth. It is recommended to use two-factor authentication and encrypted channels for all administrative account access. Encrypted channels ensure the security of passwords while communicating in transit.
(6) Disable IPv6
This simply means if you are not using IPv6, disable it. This will decrease the attack surface. In Ubuntu, edit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX.
(7) Server Updates
Check package manager repositories are configured correctly to receive the latest patches and updates. In addition, also ensures the verify the integrity of updates comes from the correct source. On Ubuntu Linux, you can check the update configuration by using the below command:
On Ubuntu Linux, use the below command to verify integrity by using GPG keys configurations:
(8) Ensure Banners are configured correctly
Warning banners can be configured by using /etc/motd, /etc/issue, and /etc/issue.net files. /etc/motd is used to display the banner after login, /etc/issue is used to display the banner prior to local login, and /etc/issue.net is used to display the banner prior to remote login.
(9) Take Backup Regularly
This is the most crucial step in case of any failure. Ensure proper policy for regular backup should be available and implemented it by the system administrator.
(10) Check logs are configured correctly and logs should be reviewed regularly
Configure the storage requirements for audit logs, login and logout events, deletion of the log after size, unsuccessful unauthorized file access, session initiation information, etc. according to requirements stated in the policy.
(11) Enable Firewall and configure it correctly
Ensure firewall policy must be available and implement firewall rules for all open ports as per firewall policy. You can use either iptables or ufw for blocking ports and services.
(12) Install Antivirus software
Antivirus is another layer of defense that helps in the protection of servers from malicious programs. Antivirus should be selected based on security, efficiency, and usability attributes.
(13) Disable USB
USB is one of the sources of inputs to the server and may be the source of malware. Restricting USB access on the system enhances the security of the server. In Ubuntu, you can edit or create a file in the /etc/modprobe.d/usb_storage.conf
install usb-storage /bin/true rmmod usb-storage
(14) Use SELinux
Enable Security-Enhanced Linux (SELinux) mechanism on the server to enhance access control security mechanism. It has three modes - Enforcing (default), Permissive and Disabled mode. You can check the status by using the below command:
You can further configure the policy by using the below command:
sudo nano /etc/selinux/config
(15) Disable Unused filesystems
Ensure the below filesystem is disabled:
This article covers most of the security tips to secure Linux servers. Still, a security audit is required to validate the configuration of the server.
Subscribe us to receive more such articles updates in your email.
If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!
Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.