Linux/Unix powers almost everything on the internet. Nearly all the websites that you visit on the internet are hosted on a server that is running Linux.
These servers host critical and confidential data, including very popular apps and websites. In this Linux server hardening guide, you will learn the 8 best ways to secure your Linux server and protect it from hackers. Security should always be simple and straightforward. Hackers are always looking for vulnerabilities they can exploit to get access to your server, and security is not a one-time setting: you must constantly monitor your server for suspicious activity. Being hacked has many downsides, and the damage it can do to your company is enormous. Below we share best practices and Linux system hardening techniques for securing production servers. Let's get started!
What Is Linux Server Hardening and Why Is It Important?
Linux server security is a professional skill in high demand, and one of the most searched-for Linux topics, because most critical infrastructure, apps and websites run on this operating system. Many system administrators take security for granted: the fact that nothing has happened to you in the past does not mean it never will. Linux server security/hardening consists of configurations and settings that are proven best practices and recommendations for improving the security of a server running Linux. By hardening a Linux box you reduce the attack surface available to a hacker, and the fewer functions a server performs, the fewer applications there are to exploit. Vulnerabilities can surface at any time; some are over a decade old, and it is only a matter of time until a security researcher finds them. If you care about security, hardening is essential: it keeps your server protected from threats like hackers, your customers' data stays secure, you avoid downtime, services run 24/7 and you keep your clients' trust.
How To Easily Secure Linux Server (8 Best Linux Server Security/Hardening Tips) - 2021 Edition
Below is a step-by-step guide to Linux system hardening techniques. After following these steps, we can assure you that your server will be at least 70% more secure than it previously was. Always take a backup before making any changes. The steps below can also be used as a checklist to confirm you have done everything on your end.
Physical Server Security - Protecting the Console
There are 101 ways a hacker can hack your Linux box, but there are 1001 ways you can secure it against their attacks. To secure the Linux console, disable booting from specific external devices, namely:
- Flash drives or USBs.
- DVD and CDs.
Disable booting from those devices in the BIOS/UEFI settings. As an additional security measure, set a password on the GRUB bootloader and on the BIOS itself, so that these settings cannot be changed even by someone with physical access to your critical systems.
Enable SELinux (Security-Enhanced Linux)
SELinux is a mandatory access control mechanism built into the Linux kernel. It runs in one of three modes:
- Permissive - the security policy is not enforced, but every action that would have been denied is logged, so you can see what enforcing mode would block.
- Enforcing - SELinux is active and the loaded security policy is enforced.
- Disabled - This will turn SELinux off, please don't.
The mode is set in the SELinux configuration file below (the SELINUX= line; a change there takes effect after a reboot, and getenforce shows the current mode):
/etc/selinux/config
Close Unused Ports - Netstat
The netstat command shows the active connections to your server, including every open port and the service listening on it. It is best practice to shut down services your server does not use, so that their ports are closed. Run netstat -tunlp to list listening TCP and UDP ports together with the owning process (on newer systems where netstat is not installed, ss -tunlp gives the same information). Closing an unwanted port means stopping and disabling the service behind it: on SysV init systems use chkconfig Nameofservice off, on systemd-based distributions use systemctl disable --now Nameofservice.
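As an added example (not part of the original guide), the following shell script turns the netstat -tunlp check into a repeatable audit: it parses the listening sockets and reports any port that is exposed beyond loopback and is not on an allow-list of ports the server is supposed to offer. The netstat output is a constructed sample, and the allow-list "22 80" is an assumption for the example.

```shell
#!/bin/sh
# Added example, not from the original article: compare the listening sockets
# reported by 'netstat -tunlp' with an allow-list of ports the server is meant
# to expose, and report anything else that is reachable from the network.

# Constructed sample of 'netstat -tunlp' output so the check runs offline.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1044/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      610/rpcbind
tcp6       0      0 :::80                   :::*                    LISTEN      1201/nginx
udp        0      0 0.0.0.0:68              0.0.0.0:*                           553/dhclient'

# Print "proto address port program" for every socket line in netstat -tunlp
# format ($1). The bind address is kept so loopback-only services can be told
# apart from ones exposed on all interfaces. (Program names need root.)
listening_sockets() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            prog = $NF; sub(/^[0-9]+\//, "", prog)   # strip the "PID/" prefix
            print $1, addr, port, prog
        }'
}

# Report sockets whose port is not in the space-separated allow-list ($2) and
# that are not bound to loopback; output is "proto port program", one per line.
unexpected_listeners() {
    listening_sockets "$1" | while read -r proto addr port prog; do
        case " $2 " in *" $port "*) continue ;; esac
        case "$addr" in 127.0.0.1|::1) continue ;; esac
        printf '%s %s %s\n' "$proto" "$port" "$prog"
    done
}

# Run against the sample with only SSH and HTTP expected; on a real server use
# unexpected_listeners "$(netstat -tunlp)" "22 80" instead.
unexpected_listeners "$SAMPLE_NETSTAT" "22 80"
```

On the sample this flags rpcbind on 111/tcp and dhclient on 68/udp, while the MySQL socket bound to 127.0.0.1 is left alone because it is not reachable from the network.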
Secure SSH Connection
SSH (Secure Shell) is the most secure way to connect to your server. However, hackers know which port it operates on by default: port 22. Changing the SSH port number gives you an edge: it cuts down the automated scans and brute-force attempts aimed at port 22, although a targeted port scan will still find the new port, so it is no substitute for disabling root login and using key-based authentication. Follow the steps below to change the default SSH port number in Linux:
- Open /etc/ssh/sshd_config in an editor.
- Change the Port directive from the default 22 to the port number you want, for example 2211 (pick one no other service on the server uses).
- Save the file and exit the editor.
- To apply the change, run 'service sshd restart' (or 'systemctl restart sshd') in the CLI. If SELinux is enforcing, first allow the new port with 'semanage port -a -t ssh_port_t -p tcp 2211', and open it in your firewall, otherwise you will lock yourself out.
Reminder: when you log in again, pass the new port number to ssh. With the port from the example above, that is: ssh example@IP -p 2211.
Root Login - Turn it off
Many professionals advise, and it is proven good practice, that you should never SSH in as the superuser/root account. Disable root access via SSH and log in as an ordinary user instead, escalating with sudo when needed. To disable root login on your Linux server for enhanced security, follow the steps below:
- Open the SSH configuration file: nano /etc/ssh/sshd_config.
- Find the PermitRootLogin line, uncomment it and set it to: PermitRootLogin no.
- Save the file and restart the sshd service.
Test this before logging out. Do not close the existing terminal; open a new one, confirm that you can still connect as your normal user and that root is refused, and only then exit.
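The two sshd_config changes above are easy to get wrong because sshd honours the first uncommented occurrence of a keyword and ignores later ones. The following added example (not from the original guide) reproduces that rule to read the effective Port and PermitRootLogin values and give a pass/fail verdict; the configuration file is a constructed sample, and the script assumes the plain "Keyword value" form with no Include or Match blocks.

```shell
#!/bin/sh
# Added example, not from the original article: read the effective Port and
# PermitRootLogin settings from an sshd_config file. sshd uses the FIRST
# uncommented occurrence of a keyword, so a forgotten earlier line silently
# wins over one added at the bottom; this check applies the same rule.

# Constructed sample: the stock commented-out defaults plus the two changes
# this guide makes. Written to a temp file so the check runs offline.
SAMPLE_SSHD_CONFIG="$(mktemp)"
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# Defaults shipped commented out; sshd ignores these lines.
#Port 22
#PermitRootLogin prohibit-password
Port 2211
PermitRootLogin no
PasswordAuthentication yes
EOF

# Print the effective value of keyword $2 in file $1 (case-insensitive, first
# active match wins, as sshd does), or "unset" if the file never sets it.
# Assumes "Keyword value" lines; Include and Match blocks are not followed.
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# Print one line per weakness found, then a final PASS or FAIL verdict for
# the two goals of this guide: non-default port and root login disabled.
sshd_check() {
    port=$(sshd_effective "$1" Port)
    root=$(sshd_effective "$1" PermitRootLogin)
    verdict=PASS
    if [ "$port" = "unset" ] || [ "$port" = "22" ]; then
        echo "weak: SSH still listens on the default port 22"; verdict=FAIL
    fi
    if [ "$root" != "no" ]; then
        echo "weak: PermitRootLogin is '$root', expected 'no'"; verdict=FAIL
    fi
    echo "$verdict"
}

# On a real server run: sshd_check /etc/ssh/sshd_config
sshd_check "$SAMPLE_SSHD_CONFIG"
```

Before restarting the daemon, sshd -t validates the file's syntax and sshd -T prints the full effective configuration, which is the authoritative answer when Include or Match directives are in play.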
No Old Passwords - Don't Reuse Them
As a rule of thumb, never reuse old passwords. You can easily prevent users from reusing their previous passwords on the same machine: Linux keeps the hashes of old passwords in /etc/security/opasswd, and the check is enforced by the PAM module, so the setting lives in the PAM configuration. Follow the steps below to restrict the use of old passwords. For RHEL (Red Hat Enterprise Linux), CentOS and Fedora:
- Go to '/etc/pam.d/system-auth'
For Debian and Ubuntu:
- Go to '/etc/pam.d/common-password'.
After opening the PAM file for your distribution, do the following:
- In the 'auth' section, make sure the following line is present: 'auth sufficient pam_unix.so likeauth nullok'. Note that nullok lets accounts with an empty password log in; drop it unless you really need it.
- To stop a user from reusing any of their last N passwords, add the following line to the 'password' section: 'password sufficient pam_unix.so nullok use_authtok md5 shadow remember=3'. The remember=3 option keeps the last three hashes in /etc/security/opasswd; on current systems use sha512 instead of md5, which pam_unix also accepts, since MD5 password hashes are weak.
- Once this feature is active, a user who tries to set any of their last three passwords again gets an error.
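As an added example (not from the original guide), this shell script audits a PAM stack file for the two things the section above touches: whether password history is enforced (the remember=N option, on pam_unix.so or on the newer pam_pwhistory.so module) and whether nullok is present. The PAM file is a constructed sample built from the lines given in this guide; the script also handles Debian's bracketed control fields such as [success=1 default=ignore].

```shell
#!/bin/sh
# Added example, not from the original article: inspect a PAM stack file
# (system-auth or common-password) and report the password-history depth and
# any nullok options. Assumes one module per line, as in those files.

# Constructed sample PAM file built from the lines given in this guide.
SAMPLE_PAM="$(mktemp)"
cat > "$SAMPLE_PAM" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        required      pam_deny.so
password    requisite     pam_pwquality.so retry=3
password    sufficient    pam_unix.so nullok use_authtok md5 shadow remember=3
password    required      pam_deny.so
EOF

# Print N from remember=N on a 'password' line of pam_unix.so or
# pam_pwhistory.so, or 0 when no password history is enforced.
pam_remember_count() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 == "password" {
            # the module is the first field ending in .so; the control field
            # may span several fields when bracketed, e.g. [success=1 default=ignore]
            for (m = 2; m <= NF && $m !~ /\.so$/; m++) ;
            if ($m ~ /^pam_(unix|pwhistory)\.so$/)
                for (i = m + 1; i <= NF; i++)
                    if ($i ~ /^remember=[0-9]+$/) { split($i, kv, "="); n = kv[2] }
        }
        END { print (n == "" ? 0 : n) }' "$1"
}

# Print the stack section (auth, password, ...) of every pam_unix.so line
# that carries nullok, one per line; empty output means none.
pam_nullok_sections() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            for (m = 2; m <= NF && $m !~ /\.so$/; m++) ;
            if ($m == "pam_unix.so")
                for (i = m + 1; i <= NF; i++) if ($i == "nullok") { print $1; break }
        }' "$1"
}

# Human-readable summary; on a real server pass /etc/pam.d/system-auth or
# /etc/pam.d/common-password instead of the sample.
pam_history_report() {
    n=$(pam_remember_count "$1")
    if [ "$n" -gt 0 ]; then echo "history: last $n passwords rejected"; else echo "history: not enforced"; fi
    for s in $(pam_nullok_sections "$1"); do echo "warning: nullok in $s section"; done
}

pam_history_report "$SAMPLE_PAM"
```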
Fewer Packages = Fewer Chances of Getting Hacked
Install only the packages you need, and do NOT install packages you might not use on your Linux box. Any package can carry vulnerabilities that compromise your system, so you do not want many unnecessary services installed at once. Find the unused or unwanted packages on your Linux server and remove them: this reduces the attack surface for a hacker, because the fewer services you have installed, the fewer chances there are of being vulnerable to an attack. Follow the steps below to disable services you don't need:
- Use the 'chkconfig' command to see which services are enabled at 'runlevel 3' (the normal multi-user runlevel on SysV init systems).
- Run the following command to list those services: /sbin/chkconfig --list | grep '3:on'.
- The command to disable a service is: 'chkconfig Nameofservice off'. On systemd-based distributions the equivalents are 'systemctl list-unit-files --state=enabled' and 'systemctl disable --now Nameofservice'.
You can also list every installed package with the package manager ('rpm -qa' on YUM-based systems, 'dpkg -l' on APT-based systems) and remove what you don't need. To remove packages with YUM:
- yum -y remove name-of-package
To remove packages using apt-get:
- sudo apt-get remove name-of-package
Always keep Your Server Updated
Make sure you always install the latest version of any software you are running, including Linux kernel updates. New kernel and package vulnerabilities appear every day and need patching; security fixes are critical for your infrastructure and keep your system healthy. To update a YUM-based Linux server, run the following commands in the command line:
- yum check-update
- yum update
On Debian and Ubuntu the equivalent is: sudo apt-get update && sudo apt-get upgrade
Bonus Linux security tips:
- Always monitor your server for any unwanted activities.
- Check your log files for any suspicious file changes or permission changes.
- Check your firewall for any warnings or notifications.
- Keep all your packages updated.
- Lock down cron jobs to authorized users only (/etc/cron.allow).
- Turn off any protocols you are not using, such as IPv6 if nothing on the server needs it.
- Enable the Linux firewall (iptables, nftables or firewalld) and allow only the ports you need.
- Back up regularly in case of any disaster.
Please note: there are many different distributions/flavors of Linux, including Ubuntu, CentOS, RHEL, Mint, Arch, openSUSE and Debian. The tutorial above should work on all of them, with only slight differences at the CLI.
Conclusion - Never Ignore Security on Your Server
Security is vital to any part of our digital lives and work. You must keep everything updated, secure and encrypted. You should never ignore security especially on a production server or live environment. Hackers are always looking for vulnerable Linux servers on the web. I hope you have enjoyed reading the above Linux hardening guide and learned how to secure your Linux server in 2021 by following best practices and standards. You can use this as a script if you combine all the commands together.