Top 15 Tips to Secure Linux Server

A Linux-based operating system is an obvious choice when we talk about the performance and security of servers. Linux distributions including CentOS, RHEL, and Fedora have a feature of SELinux by default. This article covers the Top 15 Tips to Secure Linux Server and helps system administrators to enhance security.

(1) Disable SSH password login. Instead, use SSH keys.

This is a basic step to enhance security. It is recommended to disable SSH password login and use SSH keys. This will allow administrators to copy public keys at servers and access servers without passwords. This helps in restricting to access servers from other desktops.

(2) Change default port on services.

This is a perfect example of security by obscurity. This option may add another layer of defense and bad actors may take some more time to identify correct configured open ports.

(3) Never enable direct root login.

Disable root login and use low privilege accounts. But you need a root user to begin services all the time. In Ubuntu, you can check root access by using the below command:

cat /etc/securetty

(4) Set a strong password and don't reuse it.

This is usual practice and always recommended to set a strong password and also enable policy to not reuse it. It is also recommended to use a Password Manager.

In Ubuntu, pam_pwquality.so module needs to be configured for the strength of the password. You can install the pam_pwquality module by using the below command:

apt install libpam-pwquality

Edit /etc/security/pwquality.conf to enhance strength of password.

(5) Configured Two-Factor Authentication (2FA)

This step will add one more layer of security and come under defense in depth. It is recommended to use two-factor authentication and encrypted channels for all administrative account access. Encrypted channels ensure the security of passwords while communication in transit.

(6) Disable IPv6

This simply means if you are not using IPv6, disable it. This will decrease the attack surface. In Ubuntu, edit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX.

GRUB_CMDLINE_LINUX="ipv6.disable=1"

(7) Server Updates

Check package manager repositories configured correctly to receive the latest patches and updates. In addition, also ensures the verify the integrity of updates come from the correct source. On Ubuntu Linux, you can check update configuration by using the below command:

apt-cache policy

On Ubuntu Linux, use the below command to verify integrity by using GPG keys configurations:

apt-key list

(8) Ensure Banners are configured correctly

Warning banners can be configured by using /etc/motd, /etc/issue, and /etc/issue.net files. /etc/motd is used to display banner after login, /etc/issue is used to display banner prior to local login and /etc/issue.net is used to display banner prior to remote login.

(9) Take Backup Regularly

This is the most crucial step in case of any failure. Ensure proper policy for regular backup should be available and implement it by the system administrator.

(10) Check logs are configured correctly and logs should be review regularly

Configure the storage requirements for audit logs, login and logout events, deletion of the log after size, unsuccessful unauthorized file access, session initiation information, etc. according to requirements stated in the policy.

(11) Enable Firewall and configure it correctly

Ensure firewall policy must be available and implement firewall rules for all open ports as per firewall policy. You can use either iptables or ufw for blocking ports and services.

(12) Install Antivirus software

Antivirus is another layer of defense that helps in the protection of servers from malicious programs. Antivirus should be selected based on security, efficiency, and usability attributes.

(13) Disable USB

USB is one of the sources of inputs to the server and may be the source of malware. Restricting USB access on the system enhances the security of the server. In Ubuntu, you can edit or create a file in the /etc/modprobe.d/usb_storage.conf

install usb-storage /bin/true
rmmod usb-storage

(14) Use SELinux

Enable Security-Enhanced Linux (SELinux) mechanism on the server to enhance access control security mechanism. It has three modes - Enforcing (default), Permissive and Disabled mode. You can check the status by using the below command:

sestatus

You can further configure the policy by using the below command:

sudo nano /etc/selinux/config

(15) Disable Unused filesystems

Ensure the below filesystem to be disabled:

  • FAT
  • udf
  • squashfs
  • hfs
  • hfsplus
  • jffs2
  • cramfs
  • freevxfs

Conclusion

This article covers most of the security tips to secure Linux servers. Still, a security audit is required to validate the configuration of the server.

Subscribe us to receive more such articles updates in your email.

If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!

Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.

You may also like...

Leave a Reply

Your email address will not be published.