10 Steps to Secure a Linux Server for a Production Environment
Securing a Linux server is essential to protect our data from attackers, but it does not have to be complicated. We should adopt a method that protects the server from the most frequent attacks while keeping administration efficient.
However, don't take things for granted. Even a hardened server can be compromised through any vulnerable component running on it, so patching and monitoring remain necessary on top of the steps below.
1. Install what you need
The first rule is to keep your server lean: install only the packages you really need, and purge any that are not wanted. Fewer packages mean less unpatched code and a smaller attack surface.
2. Turn on SELinux
Security-Enhanced Linux (SELinux) is a mandatory access control mechanism implemented in the kernel: it confines each process to the files, ports and capabilities the loaded policy allows, even when the process runs as root.
SELinux has 3 modes of operation:
- Enforcing: the default on RHEL / CentOS / Fedora; the policy is loaded, and violations are denied and logged.
- Permissive: the policy is loaded but not enforced; violations are only logged (useful while debugging a policy).
- Disabled: SELinux is turned off.
The persistent mode is set with the SELINUX= line in '/etc/selinux/config' and takes effect at the next boot; 'getenforce' shows the current mode, and 'setenforce 1' / 'setenforce 0' switches between enforcing and permissive on the running system.
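The commands above, as an added example that is not part of the original article: a helper that reports the runtime mode and a helper that sets the persistent mode in a config file given as a parameter, so it can be exercised on a throwaway copy rather than on the live /etc/selinux/config. The sample config at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): check the live SELinux mode
# and set the persistent mode in an /etc/selinux/config-style file.

# Print the runtime mode (Enforcing / Permissive / Disabled). Needs the
# SELinux userspace tools (libselinux-utils / policycoreutils) installed.
selinux_runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo "unknown (getenforce not installed)"
    fi
}

# Usage: set_selinux_mode <config-file> <enforcing|permissive|disabled>
# Rewrites the active SELINUX= line (commented lines are left alone) or
# appends one if the file has none, then echoes the value now in the file.
# The change applies at the next boot; use setenforce for the running kernel.
set_selinux_mode() {
    cfg=$1; mode=$2
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $mode" >&2; return 1 ;;
    esac
    if grep -q '^SELINUX=' "$cfg"; then
        sed -i "s/^SELINUX=.*/SELINUX=$mode/" "$cfg"
    else
        printf 'SELINUX=%s\n' "$mode" >> "$cfg"
    fi
    sed -n 's/^SELINUX=//p' "$cfg"
}

# Demo on a constructed copy of the config (never the live file).
selinux_runtime_mode
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
SELINUX=disabled
SELINUXTYPE=targeted
EOF
set_selinux_mode "$demo_cfg" enforcing
rm -f "$demo_cfg"
```

When you move a system from disabled to enforcing, the filesystem has no labels yet; create /.autorelabel before rebooting so the first boot relabels it, and consider a boot in permissive first so that denials show up in the audit log instead of breaking services.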
3. Secure Console Access
You must protect console access to the server. In the BIOS/UEFI setup, disable booting from external devices such as DVDs / CDs / USB drives, and set a BIOS/UEFI password and a GRUB boot-loader password so that nobody with physical access can change the boot order or edit the kernel command line (for instance to boot with init=/bin/sh and reset the root password). These controls only raise the bar: someone who can remove the disk still reads it unless it is encrypted.
4. Restrict using Old passwords
We can prevent users from reusing their recent passwords. The old password hashes are kept in /etc/security/opasswd, and the check is done by a PAM module.
Open '/etc/pam.d/system-auth' under RHEL / CentOS / Fedora:
# vi /etc/pam.d/system-auth
Open '/etc/pam.d/common-password' under Ubuntu/Debian:
# vi /etc/pam.d/common-password
Make sure the 'auth' section contains the pam_unix line (it normally already does). Do not add 'nullok' to it on a production server: that option lets an account with an empty password log in.
auth sufficient pam_unix.so likeauth
Add the line below to the 'password' section to disallow reusing the last 3 passwords. Use 'sha512' for the hash; 'md5' is obsolete and should not be used for new hashes.
password sufficient pam_unix.so use_authtok sha512 shadow remember=3
The server then remembers the last 3 password hashes, and an attempt to reuse any of them is rejected with an error. On current distributions the 'remember=' option of pam_unix is being replaced by the dedicated pam_pwhistory module, which reads and writes the same /etc/security/opasswd file.
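As an added example that is not from the article, this is the equivalent 'password' stack written with pam_pwhistory, as shipped on current RHEL / Fedora systems; it assumes the file is /etc/pam.d/system-auth, that pam_pwquality is installed, and that you want the last 5 passwords remembered (adjust the paths and module names for Debian/Ubuntu).

```text
# /etc/pam.d/system-auth, 'password' stack (added example, not from the article)
# 1. quality check first; try_first_pass reuses the password the user typed once
password    requisite     pam_pwquality.so try_first_pass retry=3
# 2. history check: reject any of the last 5 hashes stored in /etc/security/opasswd
password    required      pam_pwhistory.so use_authtok remember=5
# 3. write the new SHA-512 hash to /etc/shadow; no 'nullok', no 'md5'
password    sufficient    pam_unix.so sha512 shadow use_authtok
password    required      pam_deny.so
```

Keep a root shell open while editing PAM files and test with 'passwd' as an unprivileged user in a second session: a typo in this stack can make every password change, and sometimes every login, fail.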
5. Check Listening Ports
Use 'netstat' to list the listening TCP and UDP ports together with the process that owns each socket (on current distributions netstat is often not installed; 'ss -tunlp' from iproute2 prints the same information):
netstat -tunlp
Disable every service you do not need and close its port. On sysvinit/Upstart systems use 'chkconfig' (on systemd systems the equivalent is 'systemctl disable --now serviceName'):
chkconfig serviceName off
A service that must keep running but is only used locally should listen on 127.0.0.1 rather than 0.0.0.0, and whatever remains exposed should be filtered by the host firewall.
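A filter for the listing above, as an added example that is not part of the original article: it reads 'ss -tunlp' output on stdin and prints only the sockets reachable from outside the host, i.e. everything not bound to a loopback address, together with the owning process. The sample output is constructed for the demo; the hostnames, PIDs and ports in it are made up.

```shell
#!/bin/sh
# Added example (not from the original article): reduce `ss -tunlp` output
# to the sockets that are actually exposed to the network.

# Usage: ss -tunlp | exposed_listeners
# Prints "proto local-address:port process" for each listening socket that is
# not bound to loopback (127.0.0.0/8 or [::1]); process is "-" when ss could
# not show it (run ss as root to see all owners).
exposed_listeners() {
    awk '
    $1 == "Netid" { next }                          # skip the header line
    {
        addr = $5
        host = addr; sub(/:[^:]*$/, "", host)       # strip the port
        sub(/%.*/, "", host)                        # strip a scope id such as %lo
        if (host ~ /^127\./ || host == "[::1]") next
        proc = "-"
        if (match($0, /users:\(\("[^"]*"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print $1, addr, proc
    }'
}

# Constructed sample of `ss -tunlp` output for the demo (not a real host).
SAMPLE_SS_OUTPUT=$(cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*  users:(("systemd-resolve",pid=512,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*  users:(("sshd",pid=890,fd=3))
tcp   LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*  users:(("mysqld",pid=1200,fd=21))
tcp   LISTEN 0      511    *:80               *:*        users:(("nginx",pid=1300,fd=6),("nginx",pid=1301,fd=6))
tcp   LISTEN 0      128    [::]:22            [::]:*     users:(("sshd",pid=890,fd=4))
EOF
)

# Demo: the resolver stub and MySQL are loopback-only and are filtered out;
# sshd (v4 and v6) and nginx remain.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_listeners
```

Every line this prints is either a service you intend to expose (and have a firewall rule and a patching plan for) or a candidate for 'chkconfig ... off' / 'systemctl disable --now', or for rebinding to 127.0.0.1.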
6. Disable Root login
It is not advisable to SSH into your server as the superuser (root): every administrator would share one account and one password, and there is no record of who did what. We should disable SSH login as root, but before doing so, create a user with sudo rights so that you can still log in and perform administrative tasks. Once logged in, you can switch to root with sudo when needed.
Create a new user:
useradd user1
Set a password for the new user:
passwd user1
Give the new user sudo rights. Never append to /etc/sudoers directly: a syntax error in that file disables sudo for everyone, including you. Put the rule in its own file and let visudo check it:
echo 'user1 ALL=(ALL) ALL' > /etc/sudoers.d/user1
chmod 440 /etc/sudoers.d/user1
visudo -cf /etc/sudoers.d/user1
SSH to the server as the new user and make sure the login works.
We are now going to disable root login, which means nobody can SSH into the server as root. Open the sshd configuration file:
nano /etc/ssh/sshd_config
Find the PermitRootLogin line. In the stock file it is commented out (for example '#PermitRootLogin yes' or '#PermitRootLogin prohibit-password'); remove the '#' and set it to
PermitRootLogin no
Save and close the file, check the configuration for syntax errors, then restart the service (on Debian/Ubuntu the service is called 'ssh' rather than 'sshd'):
sshd -t
service sshd restart
Important: don't log out of the server yet. First test whether you can successfully SSH into the server with the user you created: open another terminal and log in with that user. If everything works, you can safely log out of the root session.
7. Change the Port
We can move SSH off the default port 22. This is obscurity rather than a security control: a port scan finds the new port in seconds, so it only cuts the noise from automated scanners that try port 22, and it must be combined with key-only login and Fail2ban. Before restarting sshd, make sure the new port is open in the host firewall and, with SELinux enforcing (step 2), that sshd is allowed to bind it ('semanage port -a -t ssh_port_t -p tcp 1110'); otherwise sshd fails to start and you are locked out.
Open the /etc/ssh/sshd_config file
Replace the line '#Port 22' with a different port number, say 1110:
Port 1110
Save and exit the file, then check the configuration and restart:
sshd -t
service sshd restart
To log in, give the port number:
ssh username@IP -p 1110
8. Disable Ctrl+Alt+Delete in Inittab
Pressing Ctrl+Alt+Del on the console reboots the server immediately, so it is advisable to disable it: anyone at the console, or anyone who presses it by mistake, could otherwise reboot a production system.
On Upstart-based systems (RHEL / CentOS 6) the action is defined in /etc/init/control-alt-delete.conf; comment out the line there that runs the shutdown. On classic sysvinit systems it is the 'ca::ctrlaltdel:' line in /etc/inittab, and on systemd systems you mask the ctrl-alt-del.target unit with systemctl instead.
9. Password-less Login
We can log in to the server over SSH without a password by using an SSH key pair: the private key stays on your workstation and the public key goes on the server. You can then log in only from a machine that holds the private key, so protect it with a passphrase and never copy it to the server.
Generate the key pair (ed25519 is the better choice with a current OpenSSH; rsa with 4096 bits works everywhere):
ssh-keygen -t rsa -b 4096
Print your public key so that you can copy it to the server:
cat ~/.ssh/id_rsa.pub
Add the public key on the server. Suppose user1 is the account that should accept key logins. sshd refuses keys when the directory or the file is writable by anyone else, so set permissions and ownership explicitly:
mkdir -p /home/user1/.ssh
vim /home/user1/.ssh/authorized_keys
Paste the public key as a single line, then fix permissions and ownership:
chmod 700 /home/user1/.ssh
chmod 600 /home/user1/.ssh/authorized_keys
chown -R user1:user1 /home/user1/.ssh
(From the client, 'ssh-copy-id user1@serverIP' does all of the above in one step.)
Disable password login. Do this only after a key-based login has succeeded in a second session, otherwise you lock yourself out. Edit /etc/ssh/sshd_config:
PasswordAuthentication no
PermitRootLogin no
Where PAM keyboard-interactive authentication is enabled, also set 'ChallengeResponseAuthentication no' ('KbdInteractiveAuthentication no' on OpenSSH 8.7 and later), or passwords are still accepted through that path. Run sshd -t and restart sshd. Now only users whose public key is in authorized_keys can log in:
ssh user1@serverIP -p 1110
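Steps 6, 7 and 9 all edit /etc/ssh/sshd_config and step 9 also sets up authorized_keys, so here is one added example covering all three; it is not part of the original article. The first helper rewrites a single directive in an sshd_config-style file (both the active and the commented stock form), the second installs a public key with the permissions sshd demands. Paths are parameters so the demo runs on a throwaway config and a scratch directory; the key line in the demo is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the original article): helpers for steps 6, 7, 9.
# Caveat: set_sshd_option rewrites every line carrying the directive, including
# any inside a "Match" block; review the file afterwards if you use Match.

# Usage: set_sshd_option <sshd_config> <Directive> <value>
# sshd keywords are case-insensitive and the stock file ships many of them
# commented out (e.g. "#PermitRootLogin prohibit-password"), so both forms are
# matched; sshd honours the first occurrence, so all of them are rewritten.
# Appends the directive if the file has none, then echoes the effective line.
set_sshd_option() {
    cfg=$1; key=$2; val=$3
    if grep -Eiq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$cfg"; then
        sed -E -i "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$/$key $val/I" "$cfg"
    else
        printf '%s %s\n' "$key" "$val" >> "$cfg"
    fi
    grep -Eim1 "^$key " "$cfg"
}

# Usage: install_authorized_key <home-dir> <owner> '<public key line>'
# Creates ~/.ssh (0700) and authorized_keys (0600), appends the key only if it
# is not already present, chowns to the owner when running as root and the
# account exists, and prints the number of keys now in the file.
install_authorized_key() {
    home=$1; owner=$2; pub=$3
    mkdir -p -m 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    grep -qxF -- "$pub" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$pub" >> "$home/.ssh/authorized_keys"
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown -R "$owner:$owner" "$home/.ssh"
    fi
    grep -c '' "$home/.ssh/authorized_keys"
}

# Demo on a constructed config and a scratch home directory (nothing live).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF
set_sshd_option "$demo_cfg" PermitRootLogin no          # step 6
set_sshd_option "$demo_cfg" Port 1110                   # step 7
set_sshd_option "$demo_cfg" PasswordAuthentication no   # step 9
set_sshd_option "$demo_cfg" PubkeyAuthentication yes    # appended: not in the sample
demo_home=$(mktemp -d)
# On the server pass the real account, e.g. user1; here the current user is used.
install_authorized_key "$demo_home" "$(id -un)" \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyForDemoOnly user1@laptop'
rm -rf "$demo_cfg" "$demo_home"

# On the live server: apply the same calls to /etc/ssh/sshd_config, then
#   sshd -t && service sshd restart
# and keep the current session open until a second login has succeeded.
```

Running sshd -t before the restart is the difference between a harmless typo and a locked-out server: it parses the file and reports the first bad line without touching the running daemon.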
10. Fail2Ban for SSH login
Fail2ban works by dynamically altering the firewall rules to ban addresses that have unsuccessfully attempted to log in a certain number of times.
Install Fail2ban (the commands below are for Debian/Ubuntu; on RHEL / CentOS the package comes from the EPEL repository):
sudo apt-get update
sudo apt-get install fail2ban
Do not edit jail.conf, which is overwritten on package upgrades; your settings belong in jail.local, where every value overrides the same value in jail.conf. Copying the whole file works, although a jail.local that holds only the settings you change is easier to maintain:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit /etc/fail2ban/jail.local and make the desired changes in the [sshd] section:
[sshd]
enabled = true
# use the port number from step 7 if you changed it, e.g. port = 1110
port = ssh
protocol = tcp
filter = sshd
# RHEL / CentOS path; Debian/Ubuntu log to /var/log/auth.log. If the jail
# uses backend = systemd, the journal is read and logpath is ignored.
logpath = /var/log/secure
# number of failed attempts after which the host is banned
maxretry = 3
# window, in seconds, within which those failures must occur
findtime = 600
# how long the ban lasts, in seconds
bantime = 600
Then restart the fail2ban service:
service fail2ban restart
An IP can be banned permanently by setting bantime = -1.
Note: Fail2ban bans the source address it sees in the log, which is the public (NAT) address of the client. If several people share one public address (an office network or a VPN exit), three failed attempts by any of them ban all of them, and that address may be your own. Add your management addresses to 'ignoreip' in the [DEFAULT] section so that you cannot ban yourself.
Security used to be an inconvenience sometimes, but now it’s a necessity all the time — Martina Navratilova
Thanks for reading. If you found this article helpful, some claps would mean a lot!
Stay tuned :)