Linux is considered a secure operating system and is therefore the primary choice for server installations. This is true to an extent, but the security of a server is always at risk. Securing your Linux server is important to protect your data, intellectual property and time from attackers. This article explains how to secure your Linux server.
1. BIOS Protection
Protect the BIOS of the host with a password so that an end user cannot change or override the security settings in the BIOS; it is important to keep this area protected from changes. Next, disable booting from external media devices (USB/CD/DVD). If you omit this setting, anyone can boot the machine from a USB stick containing a bootable OS and access the data on your disks.
2. Hard disk encryption (confidentiality)
Most of the Linux distributions will allow you to encrypt your disks before installation. Disk encryption is important in case of theft because the person who stole your computer won’t be able to read your data if they connect the hard disk to their machine.
3. Disk protection
It is important to use separate partitions to obtain higher data security if a disaster happens. By creating different partitions, data can be separated and grouped; when an unexpected accident occurs, only the data on that partition is damaged, while the data on the other partitions survives. Make sure you have the following separate partitions, and make sure that third-party applications are installed on a separate file system under /opt.
/ /boot /usr /var /home /tmp /opt
4. Keep your system updated at all times.
The Linux operating system is constantly receiving updates and security patches. Applying security patches is an important part of maintaining a Linux server. Linux provides all the necessary tools to keep your system updated and allows easy upgrades between versions. Use the distribution's package manager (yum on RPM-based systems, apt-get on Debian-based systems) to apply the updates on the server.
# yum update
OR
# apt-get update && apt-get upgrade
5. Minimize Software to Minimize Vulnerability in Linux
Avoid installing unnecessary software, because every installed package is a potential source of vulnerabilities. Use the package manager (yum, or apt-get and/or dpkg) to review the full set of software packages installed on the system, and delete all unwanted packages.
# yum list installed
# yum list packageName
# yum remove packageName
OR
# dpkg --list
# dpkg --status packageName
# apt-get remove packageName
6. Lock down Cron jobs
Cron has its own built-in feature that allows you to specify who may, and who may not, run jobs. This is controlled by two files, /etc/cron.allow and /etc/cron.deny. To stop a user from using cron, add the user name to cron.deny; to allow a user to run cron jobs, add the user name to cron.allow. If you want to disable cron for all users, add the ‘ALL‘ line to the cron.deny file.
# echo ALL >>/etc/cron.deny
7. Disable USB storage detection
It is often necessary to restrict users from using USB sticks on systems in order to protect data from being stolen. Create the file ‘/etc/modprobe.d/no-usb‘ and add the line below; USB storage devices will then no longer be detected.
install usb-storage /bin/true
8. Turn on SELinux
Security-Enhanced Linux (SELinux) is a mandatory access control security mechanism provided in the kernel. You can view the current SELinux mode from the command line using the ‘system-config-selinux‘, ‘getenforce‘ or ‘sestatus‘ commands.
# sestatus
If it is disabled, enable SELinux using the following command.
# setenforce enforcing
9. Restrict Users to Use Old Passwords
This is very useful if you want to stop users from re-using their old passwords. The old password file is located at /etc/security/opasswd, and the restriction is enforced by a PAM module. Open the ‘/etc/pam.d/system-auth‘ file:
# vi /etc/pam.d/system-auth
Add the following line to ‘auth‘ section.
auth sufficient pam_unix.so likeauth nullok
Add the following line to the ‘password‘ section to stop a user from re-using any of his or her last 5 passwords.
password sufficient pam_unix.so nullok use_authtok md5 shadow remember=5
Only the last 5 passwords are remembered by the server. If you try to use any of the last 5 old passwords, you will get an error like:
Password has been already used. Choose another
10. Disable Ctrl+Alt+Delete in Inittab
In most Linux distributions, pressing ‘CTRL-ALT-DELETE’ reboots the system. It is not a good idea to have this option enabled, at least on production servers, in case someone presses it by mistake. The key sequence is defined in the ‘/etc/inittab‘ file; if you look closely in that file you will see a line similar to the one below. By default the line is not commented out, and this key sequence will shut the system down, so we have to comment it out.
# Trap CTRL-ALT-DELETE
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
11. Keep /boot as read-only
The Linux kernel and its related files live in the /boot directory, which is mounted read-write by default. Changing it to read-only reduces the risk of unauthorized modification of critical boot files. To do this, open the “/etc/fstab” file.
# vi /etc/fstab
Add the following line at the bottom, save and close it.
LABEL=/boot /boot ext2 defaults,ro 1 2
Please note that you need to reset the change to read-write if you need to upgrade the kernel in future.
12. Use Secure Shell(SSH)
The Telnet and rlogin protocols send everything in plain text, not in an encrypted form, which is a security weakness. SSH is a secure protocol that uses encryption for all communication with the server. It is also recommended to change the default SSH port number 22 to some other higher-numbered port.
13. Keep SSH (Secure Shell) secure
The most common way into a Linux server is SSH, and it is also the most attacked part of a server. Anyone gaining root-level access to the server through SSH can make any change to the server and upload or download content from it. There are ways to prevent such actions on the server. The SSH server configuration file is /etc/ssh/sshd_config.
Change the SSH port number from 22 : The standard port for SSH connections is 22. To change the port number, edit the sshd_config file and change the line Port 22 to the new port number.
Use public-key login : Avoid using password based logins to the server if possible. You can generate a key using the command ssh-keygen
# ssh-keygen -t key_type -b bits -f file_to_save_key -C "comment"
Example :
# ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_login -C "Login for clients"
Once the key is generated you can copy the public key to the remote host using ssh-copy-id:
# ssh-copy-id -i /path/to/public-key-file user@host
Once the key is set up, edit sshd_config and set PasswordAuthentication to no:
PasswordAuthentication no
Now add the following to the sshd_config file:
AuthenticationMethods publickey
PubkeyAuthentication yes
Disable root login to the server : Create a new user with sudo permission on the server. Once the user is set up properly, disable root access to the server by editing sshd_config and setting PermitRootLogin:
PermitRootLogin no
Sudo also allows for a logging of the commands run using sudo.
Disable empty passwords : Run the following command
# awk -F: '($2 == "") {print}' /etc/shadow
If any accounts are listed, block them at once and investigate, then remove the account or set a proper password. In the sshd_config file set PermitEmptyPasswords to no:
PermitEmptyPasswords no
Limit access to SSH using hosts.allow : In /etc/hosts.allow, add the service sshd and the IP addresses that you want to allow to access the SSH service on the server.
Example :
sshd : 10.0.0.10 192.168.1.2
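The sshd_config settings listed in this section can be audited before restarting the service. The script below is an added example written for this article, not code from the original post or from OpenSSH; the two sample configuration files it reads are constructed in temporary files, and the only assumption it makes about sshd is the documented one that the first uncommented occurrence of a keyword wins and that lines after a Match block are conditional.

```shell
#!/bin/sh
# Added example, not part of the original article: audit an sshd_config
# against the settings section 13 recommends. Both sample configs below are
# constructed here; they are not real server files.

# sshd applies the FIRST uncommented occurrence of a keyword, and anything
# after a "Match" line is conditional, so we stop at the first match or at
# the first Match block. Keywords are case-insensitive.
sshd_value() {   # sshd_value FILE KEYWORD -> prints the effective value
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"              { exit }
        tolower($1) == key                  { print $2; exit }
    ' "$1"
}

# sshd_check FILE KEYWORD WANTED -> prints OK/FAIL, returns 1 on FAIL.
# A keyword that is not set explicitly is reported as FAIL: we do not want
# to depend on the compiled-in default of whichever OpenSSH is installed.
sshd_check() {
    v=$(sshd_value "$1" "$2" | tr 'A-Z' 'a-z')
    if [ -z "$v" ]; then
        echo "FAIL $2 is not set explicitly (want $3)"; return 1
    elif [ "$v" != "$3" ]; then
        echo "FAIL $2 is '$v' (want $3)"; return 1
    fi
    echo "OK   $2 $v"
}

# sshd_audit FILE -> runs every check; the return value is the number of
# failed checks (0 means the file passes all of them).
sshd_audit() {
    fails=0
    sshd_check "$1" PasswordAuthentication no  || fails=$((fails + 1))
    sshd_check "$1" PermitRootLogin        no  || fails=$((fails + 1))
    sshd_check "$1" PermitEmptyPasswords   no  || fails=$((fails + 1))
    sshd_check "$1" PubkeyAuthentication   yes || fails=$((fails + 1))
    # The article recommends moving off port 22; any explicit other port passes.
    p=$(sshd_value "$1" Port)
    if [ -z "$p" ] || [ "$p" = "22" ]; then
        echo "FAIL Port is '${p:-22}' (want a port other than 22)"; fails=$((fails + 1))
    else
        echo "OK   Port $p"
    fi
    return $fails
}

# Constructed sample: a stock-looking config that fails most checks.
SAMPLE_WEAK=$(mktemp)
cat > "$SAMPLE_WEAK" <<'EOF'
#Port 22
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
EOF

# Constructed sample: the same file after applying section 13. The Match
# block at the end only applies to one user and must not affect the audit.
SAMPLE_HARDENED=$(mktemp)
cat > "$SAMPLE_HARDENED" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
AuthenticationMethods publickey
Match User backup
    PasswordAuthentication yes
EOF

echo "== weak ==";     sshd_audit "$SAMPLE_WEAK"     || echo "$? check(s) failed"
echo "== hardened =="; sshd_audit "$SAMPLE_HARDENED" && echo "all checks passed"
```

Point `sshd_audit` at /etc/ssh/sshd_config on a real host to get the same report; run `sshd -t` as well before restarting, because a syntax error in the file will stop the daemon from starting and lock you out.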
14. Linux User Accounts and Strong Password Policy
Use the useradd / usermod commands to create and maintain user accounts, together with a good password policy. Install libpam-cracklib on the server to set up such rules (it is installed on CentOS by default).
# yum install libpam-cracklib
OR
# apt-get install libpam-cracklib
Once installed, edit the configuration file /etc/pam.d/system-auth and add the line:
password required /lib/security/pam_cracklib.so retry=X minlen=X difok=X
retry : Prompt the user at most X times before returning with an error. This value should be set to at most 3.
minlen : Minimum length required for an account password.
difok : How many characters in the new password must differ from the old one.
The following can also be added to the line:
dcredit=X : Digit characters
ucredit=X : Upper-case characters
lcredit=X : Lower-case characters
ocredit=X : Other characters
Where X is a natural number.
Setting a password age for each account on the server is also important, so that passwords are changed at reasonable intervals. This can be done with the chage command, by editing the /etc/shadow file, or by editing the /etc/login.defs file.
Example (username is a placeholder for the account to change):
chage -M 60 username
Editing the fields in /etc/shadow file (Method not recommended)
{userName}:{password}:{lastpasswdchanged}:{Minimum_days}:{Maximum_days}:{Warn}:{Inactive}:{Expire}:
Editing the fields in /etc/login.defs file
PASS_MAX_DAYS X
PASS_MIN_DAYS X
PASS_WARN_AGE X
where X is a natural number.
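The shadow layout above makes both of this article's password checks scriptable: the empty-password check from section 13 and the maximum-age field from this section. The script below is an added example, not from the original article; the shadow file it reads is constructed in a temporary file and its hash strings are placeholders, not real password hashes.

```shell
#!/bin/sh
# Added example, not from the original article: audit a shadow file for the
# two problems sections 13 and 14 describe: accounts with an empty password
# field, and passwords whose maximum age (field 5) is unset or above a limit.
# The sample file is constructed; the hash strings are placeholders.

SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$PLACEHOLDER$HASH:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$6$PLACEHOLDER$HASH:19700:1:60:7:::
bob::19700:0:99999:7:::
carol:!$6$PLACEHOLDER$HASH:19700:0:99999:7:::
EOF

# empty_password_accounts FILE -> user names whose password field is empty
# (the article's awk check from section 13, wrapped in a function)
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# stale_max_age_accounts FILE MAXDAYS -> users whose field 5 (maximum days
# between password changes) is missing or greater than MAXDAYS. Locked
# accounts ("*" or a leading "!") cannot log in with a password and are
# skipped; empty-password accounts are skipped here because they are
# reported separately.
stale_max_age_accounts() {
    awk -F: -v max="$2" '
        $2 == "" || $2 == "*" || $2 ~ /^!/ { next }
        $5 == "" || $5 + 0 > max           { print $1 }
    ' "$1"
}

# shadow_audit FILE MAXDAYS -> prints findings, returns the number of findings
shadow_audit() {
    n=0
    for u in $(empty_password_accounts "$1"); do
        echo "FAIL $u has an empty password: lock it and investigate"
        n=$((n + 1))
    done
    for u in $(stale_max_age_accounts "$1" "$2"); do
        echo "FAIL $u has no maximum password age below $2 days (fix: chage -M $2 $u)"
        n=$((n + 1))
    done
    [ "$n" -eq 0 ] && echo "OK   no findings"
    return $n
}

shadow_audit "$SAMPLE_SHADOW" 60 || echo "$? finding(s)"
```

On the constructed file the audit reports bob (empty password) and root (maximum age 99999); alice already has a 60-day maximum, and daemon and carol are locked and therefore skipped rather than reported.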
15. Disable Unwanted Services
You can disable unwanted system functions on the server. You can see all the services and their states using these commands:
# systemctl list-unit-files --type=service
# systemctl list-dependencies
The listing shows which services are enabled and which are disabled. You can then disable any service you no longer want or need with:
# systemctl disable service
16. Installing a Firewall in the Server
A firewall is used to filter traffic to and from the server. You can install an iptables-based firewall on the server and control which IP addresses may connect to it. Also close the ports you do not want anyone connecting to, such as port 22 once SSH has been moved to a different port. Use the firewall to block users based on their IP address and to stop unwanted services from using the network.
17. Setup separate disk partition for /var /usr /home and /tmp and securing tmp
Separating operating system files from files that users can access is good practice. Keeping the operating system file systems separate and limiting user access to them makes for a better and safer server. Also adding nosuid, nodev and noexec to the /tmp partition in the /etc/fstab file protects against someone breaching the server through the /tmp partition.
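The mount options recommended here and in section 11 (/boot read-only) can be verified from /etc/fstab before rebooting. The script below is an added example written for this article, not from the original post; the fstab content it parses is constructed in a temporary file, and the `fstab_check` function and its OK/FAIL/WARN output are this example's own design.

```shell
#!/bin/sh
# Added example, not from the original article: check an fstab for the mount
# options sections 11 and 17 recommend (/boot read-only; /tmp with nosuid,
# nodev and noexec). The fstab content below is constructed for the demo.

SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# constructed sample /etc/fstab
LABEL=root  /      ext4  defaults                 1 1
LABEL=/boot /boot  ext2  defaults,ro              1 2
LABEL=tmp   /tmp   ext4  defaults,nosuid,nodev    1 2
LABEL=home  /home  ext4  defaults,nodev           1 2
EOF

# mount_options FILE MOUNTPOINT -> prints the option string (field 4) of the
# entry for that mount point; prints nothing if there is no such entry
mount_options() {
    awk -v mp="$2" '/^[[:space:]]*#/ || NF < 4 { next } $2 == mp { print $4; exit }' "$1"
}

# has_option OPTIONSTRING OPTION -> true if the comma-separated list contains
# OPTION as a whole word (so "nodev" does not match "nodevices")
has_option() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# fstab_check FILE MOUNTPOINT OPTION... -> prints one line per option and
# returns the number of missing options (0 = compliant). A mount point with
# no entry at all is missing every option: the article's point is that these
# directories should be separate partitions in the first place.
fstab_check() {
    f=$1; mp=$2; shift 2
    opts=$(mount_options "$f" "$mp")
    [ -n "$opts" ] || echo "WARN $mp has no entry in $f (not a separate partition?)"
    missing=0
    for o in "$@"; do
        if has_option "$opts" "$o"; then
            echo "OK   $mp has $o"
        else
            echo "FAIL $mp is missing $o"; missing=$((missing + 1))
        fi
    done
    return $missing
}

echo "== /boot =="; fstab_check "$SAMPLE_FSTAB" /boot ro                  || echo "$? missing"
echo "== /tmp  =="; fstab_check "$SAMPLE_FSTAB" /tmp  nosuid nodev noexec || echo "$? missing"
echo "== /var  =="; fstab_check "$SAMPLE_FSTAB" /var  nodev               || echo "$? missing"
```

fstab only shows what will be mounted at the next boot; compare the output with `findmnt -o TARGET,OPTIONS /tmp` to confirm the options are in effect on the running system.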
18. Installing an Intrusion Detection System
Install and use fail2ban and the Advanced Intrusion Detection Environment (AIDE) on the server, and configure them through their respective configuration files to protect against password brute forcing, DDoS attacks, port scans and so on. Both can be installed using yum or apt-get:
# yum install fail2ban
# yum install aide
OR
# apt-get install fail2ban
# apt-get install aide
The default configuration file for fail2ban is /etc/fail2ban/jail.conf, and the default configuration files for AIDE are located at /etc/aide/aide.conf and /etc/aide/aide.conf.d. You will need to generate an initial database for AIDE using the command:
# aideinit
19. Linux Kernel /etc/sysctl.conf Hardening
Add or uncomment the following lines in /etc/sysctl.conf to harden the kernel:
kernel.exec-shield=1
kernel.randomize_va_space=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
net.ipv4.conf.all.log_martians = 1
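Editing sysctl.conf only takes effect after `sysctl -p` or a reboot, so it is worth comparing the desired list against what the kernel is actually running. The script below is an added example, not from the original article: the desired list is the one above in sysctl.conf syntax, the "current" snapshot is constructed for the demonstration (on a real host it would come from `sysctl -a 2>/dev/null > file`), and the `normalise` and `sysctl_compare` functions are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: compare the sysctl settings
# from section 19 against a snapshot of the running values. The snapshot
# below is constructed; on a real host create it with:
#     sysctl -a 2>/dev/null > current.txt

DESIRED=$(mktemp)
cat > "$DESIRED" <<'EOF'
# desired values (the article's section 19 list), sysctl.conf syntax
kernel.exec-shield=1
kernel.randomize_va_space=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
net.ipv4.conf.all.log_martians = 1
EOF

# constructed snapshot in "sysctl -a" output format
CURRENT=$(mktemp)
cat > "$CURRENT" <<'EOF'
kernel.randomize_va_space = 2
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.log_martians = 0
EOF

# normalise FILE -> one "key value" pair per line. Accepts both "k=v" and
# "k = v", strips comments and blank lines, so sysctl.conf and "sysctl -a"
# output become directly comparable.
normalise() {
    sed -e 's/#.*//' -e 's/[[:space:]]*=[[:space:]]*/ /' \
        -e 's/^[[:space:]]*//' -e '/^$/d' "$1"
}

# sysctl_compare DESIRED CURRENT -> prints OK/MISMATCH/MISSING per desired
# key; the return value is the number of keys not at the desired value.
# MISSING means the key does not exist in the snapshot at all (for example a
# kernel built without that feature), which needs a human decision.
sysctl_compare() {
    want=$(mktemp); have=$(mktemp)
    normalise "$1" > "$want"; normalise "$2" > "$have"
    awk '
        FILENAME == ARGV[1] { cur[$1] = $2; next }
        !($1 in cur)        { print "MISSING  " $1 " (want " $2 ")"; bad++; next }
        cur[$1] != $2       { print "MISMATCH " $1 " is " cur[$1] " (want " $2 ")"; bad++; next }
                            { print "OK       " $1 " = " $2 }
        END { exit bad + 0 }
    ' "$have" "$want"
    rc=$?
    rm -f "$want" "$have"
    return $rc
}

sysctl_compare "$DESIRED" "$CURRENT" || echo "$? setting(s) differ"
```

The comparison is deliberately literal: kernel.randomize_va_space = 2 is stronger than the 1 in the list, but it is still reported as a MISMATCH, so review each line rather than blindly forcing the listed value.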
20. Limiting Cron jobs in the server
Cron jobs are a great way to automate regular tasks on the server, but a user running an unwanted or dangerous script through cron can cause problems for the server. Limit the users that can access the cron service with the files cron.allow and cron.deny. If cron.allow exists, the users or services listed in it can use cron without issue and everyone else is prohibited from using it. If only cron.deny exists, the users or services listed in it are denied the cron service and everyone else can use it. The files are /etc/cron.allow and /etc/cron.deny, as used in section 6.
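The precedence described here and in section 6 (cron.allow wins when present; otherwise cron.deny is consulted) is easy to get wrong when both files exist, so the decision is worth scripting. The script below is an added example, not from the original article: the two files are constructed in a temporary directory, the `cron_allowed` function is this example's own, and two details of real cron implementations are assumed rather than taken from the page: behaviour when neither file exists (assumed "allowed" here) and any special handling of root (not modelled).

```shell
#!/bin/sh
# Added example, not from the original article: decide whether a user may use
# cron under the allow/deny precedence described in sections 6 and 20. The
# two files are constructed in a temporary directory; the function takes the
# directory as a parameter so it can be pointed at /etc on a real host.
# Assumptions (check cron(8) for your distribution): with neither file
# present the user is treated as allowed, and root gets no special treatment.

CRON_DIR=$(mktemp -d)
printf 'alice\nbackup\n' > "$CRON_DIR/cron.allow"
printf 'bob\n'           > "$CRON_DIR/cron.deny"

# user_in_file FILE USER -> true if USER appears on a line by itself
user_in_file() {
    [ -f "$1" ] && grep -qx "$2" "$1"
}

# cron_allowed DIR USER -> prints the decision and the reason;
# return value 0 = allowed, 1 = denied
cron_allowed() {
    dir=$1; user=$2
    if [ -f "$dir/cron.allow" ]; then
        # cron.allow exists: only listed users may use cron, cron.deny is ignored
        if user_in_file "$dir/cron.allow" "$user"; then
            echo "allow: $user is listed in cron.allow"; return 0
        fi
        echo "deny: cron.allow exists and $user is not listed in it"; return 1
    elif [ -f "$dir/cron.deny" ]; then
        # only cron.deny exists: listed users are refused, everyone else allowed
        if user_in_file "$dir/cron.deny" "$user"; then
            echo "deny: $user is listed in cron.deny"; return 1
        fi
        echo "allow: cron.deny exists and $user is not listed in it"; return 0
    fi
    echo "allow: neither cron.allow nor cron.deny exists (assumed default)"; return 0
}

echo "== both files present (allow list wins) =="
for u in alice bob carol; do cron_allowed "$CRON_DIR" "$u" || true; done

# Remove cron.allow to show deny-only mode: now only bob is refused.
rm "$CRON_DIR/cron.allow"
echo "== only cron.deny present =="
for u in alice bob carol; do cron_allowed "$CRON_DIR" "$u" || true; done
```

Note that with both files present bob is denied even though he is not in cron.allow's "competitor" file at all: cron.deny is simply never read once cron.allow exists, which is why the article's advice to use one file or the other is sound.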
21. Install Antivirus and Rootkit checker in the Server
Install and use an antivirus and a rootkit detector on the server. ClamAV is a free, open-source antivirus for Linux. To install ClamAV on a server run the following commands:
# yum install epel-release
# yum clean all
# yum install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
Once ClamAV is installed to configure it :
Edit the file /etc/clamd.d/scan.conf and comment out the line starting with Example. Then uncomment the line LocalSocket /var/run/clamd.scan/clamd.sock in the same file.
Edit the file /etc/freshclam.conf and comment out the line starting with Example. Then run the command:
# freshclam
Finally, start the clamd service and enable it at boot using systemctl:
# systemctl start clamd@scan
# systemctl enable clamd@scan
You can use Rkhunter and Chkrootkit for monitoring the server for rootkits. Both can be installed using yum or apt-get:
# yum install chkrootkit
# yum install rkhunter
OR
# apt-get install chkrootkit
# apt-get install rkhunter
22. Create Regular Backup
Backups of the server's accounts, settings and databases are important. With regular backups, the data on the server will not be lost entirely if the server fails. Backups should be stored at a remote location, so that an issue on the server does not affect the backups already taken from it.
23. Disable compilers
Disabling the compilers for non-root users is a must; it prevents users from building binaries on the server. An example is given below:
# chmod 700 /usr/bin/gcc
You may need to disable all the compilers installed on the server.
24. Secure php.ini files
You may need to disable some functions in php.ini so that users cannot run malicious scripts. Open the php.ini file and modify the following line:
disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open
25. Shell fork Bomb Protection
Fork bombs start a cascade of small processes on a server that duplicate themselves until the server's resources are depleted. To configure fork bomb protection, add the following lines to /etc/bashrc:
ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
LIMITUSER=$USER
if [ -e "/usr/bin/whoami" ]; then
    LIMITUSER=$(/usr/bin/whoami)
fi
# Limit the user only if we are not root and are a regular user (UID greater
# than or equal to UID_MIN).
if [ "$LIMITUSER" != "root" ] && ! id -Gn | grep -qsP '(^| )wheel( |$)' && [ "$(id -u)" -ge "$( (grep -s '^UID_MIN' /etc/login.defs || echo 'x 500') | awk '{print $2}')" ]
then
    ulimit -n 100 -u 35 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
else
    ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
fi
#cPanel Added Limit Protections -- END
We hope you now understand some basic security settings that you can apply to your server. They will help you to secure your DevOps server easily.
You still recommend an RSA SSH key?
Seriously?
I would just like to correct the following:
/boot partition:
/dev/sda1 /boot ext4 defaults,ro,noatime,nosuid,noexec,nodev 1 2
Sysctl.
Currently:
kernel.randomize_va_space=2
Shell Fork Bomb Protection:
vi /etc/security/limits.conf
* hard nproc 300