Sunday 7 April 2013

How to secure your Linux server (part 1)

There are many people and companies that don't believe in security. I wish 'security' was just a myth, but I am afraid there are many people out there with the intent to cause disruption and take advantage of it. I have heard and read in the news, many times, stories about data being stolen, compromised servers being used to attack other systems, back doors, trojans, keyloggers, crackers, hackers, bored teenagers, industrial espionage, even sabotage by countries.

There are many unscrupulous people in the world, and with the ease of the Internet, anyone from anywhere can connect to any system around the globe and cause havoc.

I wish I could spend my time just improving the system, making it more reliable, more user friendly and more robust, but we have to keep an eye on the bad guys.

At least if you can't stop them, make it harder, so they have to spend more time trying to get into your system.

I am going to show you a few things I do to harden your Linux servers and give you some breathing space.

Tips

1.  Only install the software you need on your Linux server.

2.  Disable unnecessary processes and services.

3.  Change the SSH default port from 22 to something like 2297.

4.  Configure iptables and only allow IN the services you MUST.
    a.  If you only need Apache, just allow in port 80.

5.  Make use of TCP Wrappers:
    a.  /etc/hosts.allow
    b.  /etc/hosts.deny

6.  Disable the Apache signature.

7.  Do not allow root login via SSH.

8.  Create a user with an unusual name to be your admin.

9.  Create a list of allowed users and set it in /etc/ssh/sshd_config.

10. Set up sudo and always use it.

11. Don't log in directly as root to manage the server.

12. Create a banner in /etc/issue:
    a.  Add a security disclaimer.
    b.  Make sure you specify that the server is not public.

13. Install and configure Tripwire, an IDS (Intrusion Detection System).

14. Configure /tmp as a loopback-mounted file.

15. Mount /tmp with the following options in /etc/fstab:
    a.  tmpdir /tmp ext4 loop,noexec,nosuid,rw 0 0

16. Send logs to a remote syslog server.

17. Keep your Linux server patched and up to date.

18. Use different passwords for root and for your admin user.

19. Use different passwords for different servers and services.

20. Change your password regularly (every 3 months).

21. Limit SSH login attempts to:
    a.  MaxAuthTries 5

22. Install and configure Fail2Ban to automatically block hosts with too many password failures.

23. Set a GRUB boot password.
    Note: be careful if you reboot your server remotely, because the boot password has to be typed at the console.

24. Always create separate file systems or partitions.

25. Mount your application file system with the following options in /etc/fstab:
    a.  nosuid,nodev,noexec 1 2

26. Disable SUID and SGID for binaries.

27. Install a log analyser.

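Tips 3, 7, 9 and 21 all end up in the same file, /etc/ssh/sshd_config. The following POSIX shell script is an added example, not code from the original post: it writes those four settings into an sshd_config file and audits the result. The port 2297 is the value the post suggests; the admin login name "ops_rdo", the environment-variable overrides and the `--apply` flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): apply tips 3, 7, 9 and 21 to an
# sshd_config file and audit the result. Port 2297 follows the post; the admin
# login name "ops_rdo" and the config path are assumptions of this example.
#
# Use on a server, as root:   sh harden_sshd.sh --apply
# Keep your current session open until a fresh login on the new port works,
# then restart sshd.
set -u

SSH_PORT="${SSH_PORT:-2297}"          # tip 3: non-default SSH port
ADMIN_USER="${ADMIN_USER:-ops_rdo}"   # tips 8/9: unusual admin name (assumed)
MAX_AUTH="${MAX_AUTH:-5}"             # tip 21: MaxAuthTries
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# set_sshd_option FILE KEY VALUE
# sshd honours the first occurrence of a keyword, so the new setting is written
# at the top of the file (which also keeps it out of any trailing Match block)
# and every older copy of the keyword, active or commented out, is removed.
set_sshd_option() {
    sshd_file="$1"; sshd_key="$2"; sshd_value="$3"
    sshd_tmp="$sshd_file.tmp.$$"
    awk -v key="$sshd_key" -v value="$sshd_value" '
        BEGIN { print key " " value }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)          # strip indent and a leading "#"
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(key)) next    # drop the old copy (keywords are case-insensitive)
            print
        }' "$sshd_file" > "$sshd_tmp" && mv "$sshd_tmp" "$sshd_file"
}

harden_sshd_config() {
    set_sshd_option "$1" Port "$SSH_PORT"           # tip 3
    set_sshd_option "$1" PermitRootLogin no         # tip 7
    set_sshd_option "$1" AllowUsers "$ADMIN_USER"   # tip 9
    set_sshd_option "$1" MaxAuthTries "$MAX_AUTH"   # tip 21
}

# get_sshd_option FILE KEY: value of the first active (uncommented) setting.
get_sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_sshd_value FILE KEY EXPECTED: report a mismatch and return 1.
check_sshd_value() {
    actual=$(get_sshd_option "$1" "$2")
    [ "$actual" = "$3" ] && return 0
    echo "$2: expected '$3', found '${actual:-<unset>}'"
    return 1
}

# audit_sshd_config FILE: return 0 only if all four settings are in place.
audit_sshd_config() {
    audit_rc=0
    check_sshd_value "$1" Port "$SSH_PORT"          || audit_rc=1
    check_sshd_value "$1" PermitRootLogin no        || audit_rc=1
    check_sshd_value "$1" AllowUsers "$ADMIN_USER"  || audit_rc=1
    check_sshd_value "$1" MaxAuthTries "$MAX_AUTH"  || audit_rc=1
    return $audit_rc
}

if [ "${1:-}" = "--apply" ]; then
    # sshd -t validates the file before you restart the daemon.
    harden_sshd_config "$SSHD_CONFIG" && sshd -t && audit_sshd_config "$SSHD_CONFIG"
fi
```

Writing the directive at the top matters more than it looks: sshd takes the first value it sees for a keyword, and anything appended to the end of a file that contains a `Match` block would silently become part of that block instead of a global setting. After `--apply`, remember to allow the new port through the firewall (tip 4) before you restart sshd.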
 
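Tip 4 ("only allow IN the services you MUST") is easiest to get right when the whole ruleset lives in one file that iptables-restore loads atomically. The script below is an added example, not from the original post: it prints a default-deny inbound filter that opens only the TCP ports you name (80 for Apache and the post's SSH port 2297 in the usage line). The output path /etc/iptables/rules.v4 is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal inbound firewall for
# tip 4, printed in the format read by iptables-restore. The ports are
# arguments; the file path below is an assumption. Apply it from a console
# session, or with a scheduled rollback, because a wrong rule locks you out
# of a remote server.
#
#   sh firewall.sh 80 2297 > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4

# build_iptables_rules PORT...: print a filter table that drops inbound traffic
# by default and accepts only loopback, replies to our own connections, rate-
# limited ICMP echo, and new TCP connections to the listed ports.
build_iptables_rules() {
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "build_iptables_rules: bad port '$port'" >&2; return 1 ;;
        esac
    done
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else is logged (rate-limited, so a scan cannot fill the disk)
    # and then hits the INPUT DROP policy.
    printf '%s\n' \
        '-A INPUT -m limit --limit 10/min -j LOG --log-prefix "iptables-drop: " --log-level 4' \
        'COMMIT'
}

# rules_allow_port RULES PORT: return 0 if the ruleset text accepts new TCP
# connections to PORT, 1 otherwise.
rules_allow_port() {
    printf '%s\n' "$1" | grep -q -- "--dport $2 -m conntrack --ctstate NEW -j ACCEPT"
}

# When run as a script, print the ruleset for the ports given on the command line.
if [ "$#" -gt 0 ]; then
    build_iptables_rules "$@"
fi
```

The ESTABLISHED,RELATED rule is what lets the server's own outbound connections (package updates, remote syslog from tip 16) receive replies while every unsolicited inbound packet is dropped; the LOG rule gives tip 27's log analyser something to work with.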
If you follow these tips, your server will become much harder to crack.
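Tip 26 needs a caveat before anyone runs it: passwd, su, sudo and similar binaries cannot work without their setuid bit, so the practical version is to know exactly which files carry the bit and to be told when a new one appears. The functions below are an added example, not the author's code; the baseline path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example for tip 26 (not the author's code): inventory setuid/setgid
# files, record a reviewed baseline, and report anything that is not in it.
# The baseline path in the usage comment is an assumption.

# find_setid_files DIR: regular files under DIR (same filesystem only) with the
# setuid (4000) or setgid (2000) bit, sorted in the C locale so comm can compare.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | LC_ALL=C sort
}

# save_setid_baseline DIR FILE: store the reviewed list as the known-good set.
save_setid_baseline() {
    find_setid_files "$1" > "$2"
}

# new_setid_files DIR FILE: print set-id files that are not in the baseline and
# return 1 if there are any; return 0 when the system matches the baseline.
new_setid_files() {
    unexpected=$(find_setid_files "$1" | LC_ALL=C comm -13 "$2" -)
    [ -n "$unexpected" ] || return 0
    printf '%s\n' "$unexpected"
    return 1
}

# Typical use on a server (paths are assumptions):
#   find_setid_files /                                   # review this list first
#   save_setid_baseline / /var/lib/setid.baseline
#   new_setid_files / /var/lib/setid.baseline            # run from cron; non-zero means "investigate"
# A binary that turns out not to need the bit is fixed with: chmod u-s,g-s FILE
```

Running the check from cron and mailing the non-empty output to root is the cheap version of what Tripwire (tip 13) does for the whole filesystem, and it pairs with tip 25: partitions mounted nosuid cannot grow a setuid file in the first place.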

There are many more things you can do to improve your security: keep your eyes open, be alert, and always check your logs. Make sure you rotate your logs and save them to a remote location.

In the next post I will show you how to set these things up and which files you need to modify.

I hope this will be useful to you.

 
By Renato de Oliveira
