Open in app

Sign in

Write

Sign in

10 steps to secure Linux Server for Production Environment

Megha Pandey
Viithiisys
Published in
6 min readOct 5, 2017

Securing Linux Server is essential to protect our data from the hackers. But securing a server doesn’t require to be complicated .We should adopt a method that will protect our server from the most frequent attacks along with efficient administration .

However, don’t take things for granted. Even the most hardened servers can be hijacked by exploiting any vulnerable component running on that server.

1. Install what you need

The first rule is to keep your server lean and mean. Install only those packages that you really need. If there are unwanted packages; purge. The fewer the packages the less chance of unpatched code.

2. Turn on SELinux

Security-Enhanced Linux (SELinux) is an access control security mechanism provided in the kernel.

SELinux provides 3 basic modes of operation :

  • Enforcing: This is default mode which enable and enforce the SELinux security policy on the machine.
  • Permissive: In this mode, SELinux will not enforce the security policy on the system, only warn and log actions.
  • Disabled: SELinux is turned off.

It can be managed from ‘/etc/selinux/config’ file, where you can enable or disable it.

3. Secure Console Access

You must protect Linux servers console access by disabling the booting from external devices such as DVDs / CDs / USB pen after BIOS setup. Also ,Set BIOS and grub boot loader password to protect these settings.

4. Restrict using Old passwords

We can restrict users to use same old passwords. The old password file is located at /etc/security/opasswd. This can be done by using PAM module.

Open ‘/etc/pam.d/system-auth‘ file under RHEL / CentOS / Fedora.

# vi /etc/pam.d/system-auth

Open ‘/etc/pam.d/common-password‘ file under Ubuntu/Debian/Linux.

# vi /etc/pam.d/common-password

Add the following line to ‘auth’ section.

auth        sufficient    pam_unix.so likeauth nullok

Add the below line to ‘password’ section to disallow a user from re-using last 3 passwords.

password   sufficient    pam_unix.so nullok use_authtok md5 shadow remember=3

Last 3 passwords are remember by server. If you tried to use any of last 3 old passwords, you will get an error like.

5. Check Listening Ports

Use ‘netstat’ command to view open ports and and corresponding services .

netstat -tunlp

Disable the unwanted services from the system using ‘chkconfig’ command and close the ports that are not needed.

chkconfig serviceName off

6. Disable Root login

It’s not advisable to ssh into your server as superuser(root). We should disable ssh as root user on the server, but before doing so, let’s create a user with sudo powers so that you can ssh into the server and perform administrative tasks. Once you are logged into the server, you can always switch user to root, if needed.

Create a new user :

useradd user1

Create password for the user added :

passwd user1

Provide sudo permissions to the newly added user :

echo 'user1 ALL=(ALL) ALL' >> /etc/sudoers

SSH to the server with the new user and ensure that the login works.

We are now going to disable root login, which means no one can ssh or log into the server as root user. To do so, open the sshd configuration file:

nano /etc/ssh/sshd_conf

Next, uncomment the line that says

PermitRootLogin no

Then save and close this file and restart the service

service sshd restart

Important: Don’t log out of the server yet. First test whether you can successfully ssh into the server using the previously created user. Open another instance of the terminal and ssh into the server with user you previously created. If everything works fine, you can safely log out of the server as root.

7. Change the Port

We can change the default SSH Port to add a layer of opacity to keep your server safe .

Open the /etc/ssh/sshd_config file

replace default Port 22 with different port number say 1110

save & exit from the file

service sshd restart

Now to login define the port No.

ssh username@IP -p 1110

8. Disable Ctrl+Alt+Delete in Inittab

Hitting Ctrl+Alt+Delete will take your server to rebooting process. So this is always advisable to disable this as someone can mistakenly reboot the system.

The ctrl+Alt+Del action is defined in /etc/init/control-alt-delete.conf .Comment the below line

9. Password-less Login

We can easily login to our server through SSH without any password by generating the ssh-keys. Just be careful that you can log into your server only from that machine on which you generated the ssh keys

Generating SSH-keys :

ssh-keygen - t rsa

Copy your public SSH key , then add the same in the server

cat ~/.ssh/id_rsa.pub

To add ssh keys in the server

Suppose we have user-user1 to provide ssh-key access to the server

cd /home/user1
ls -ll

Create a .ssh directory and inside it create a file named authorized_keys and add the users public ssh key in the same

mkdir .ssh
cd /home/admin/.ssh
vim authorized_keys

Add the public SSH key and then change the owner of the file

chown user1 authorized_keys

Disable ssh login

Edit /etc/ssh/sshd_config

Passwordauthentication no
PermitRootLogin no

Now, only the authorized user can login to the server with the command

ssh user-name@serverIP -p(port Number)

10. Fail2Ban for SSH login

Fail2ban works by dynamically altering the firewall rules to ban addresses that have unsuccessfully attempted to log in a certain number of times.

Install Fail2ban :

sudo apt-get update
apt-get install fail2ban

Create a new file jail.local and copy the contents of jail.config to the same and make the changes in jail.local file only

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit /etc/fail2ban/jail.local file

Make the desired changes:

[sshd]
enabled  = true
port     = ssh ( provide the port number if the default port is changed )
protocol = tcp
filter   = sshd
logpath  = /var/log/secure
maxretry = 3 ( max no. of tries after which the host should be banned)
findtime = 600 (This parameter sets the window that fail2ban will pay attention to when looking for repeated failed authentication attempts in seconds)
bantime  = 600 (time duration for which the host is banned -in seconds)

Then restart the fail2ban services

service fail2ban restart

IP can be blocked permanently by setting bantime = -1.

Note: FAIL2BAN will block the Global IP .

Security used to be an inconvenience sometimes, but now it’s a necessity all the time — Martina Navratilova

Thanks for reading . If you found this article helpful, some claps would mean a lot!

Stay tuned :)

Deployment
Linux
Servers
Security

--

--

Megha Pandey
Viithiisys

Written by Megha Pandey

24 Followers
Writer for

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams