Linux servers are widely used in various domains such as web hosting, cloud computing, database management, and more. They are known for their stability, performance, and security. However, no system is immune to cyberattacks, and Linux servers are no exception. Hackers are constantly looking for vulnerabilities and exploits to compromise Linux servers and gain access to sensitive data or resources.
That’s why Linux server hardening is a crucial process that every system administrator should perform regularly. Linux server hardening is the process of applying security measures and best practices to reduce the attack surface and improve the security posture of your Linux servers. By hardening your Linux servers, you can protect them from unauthorized access, malware infection, data breach, denial-of-service attacks, and other threats.
In this article, we will share some of the most effective Linux server hardening tips and best practices that you can follow to secure your Linux servers. We will also introduce some of the tools that you can use to audit and harden your Linux servers. Let’s get started!
Patch the operating system and third party applications
One of the most basic but essential steps in Linux server hardening is to keep your operating system and third party applications up to date with the latest security patches and updates. Patches are released by developers to fix bugs, vulnerabilities, and performance issues that may affect your system. If you don’t apply patches regularly, you may expose your system to known exploits that hackers can use to compromise your server.
To update your operating system, you can use the package manager of your Linux distribution, such as apt for Debian-based systems or yum for Red Hat-based systems. For example, to update all packages on a Debian-based system, you can run the following command:
sudo apt update && sudo apt upgrade
To update third party applications, you can use their respective update mechanisms or repositories. You should also remove any unnecessary or unused packages or applications from your system, as they may pose security risks or consume resources unnecessarily. To remove a package on a Debian-based system, you can run the following command:
sudo apt remove package_name
Disable remote root access and restrict root privileges
The root user is the superuser on a Linux system that has full access and control over everything on the system. While this can be useful for administrative tasks, it can also be dangerous if misused or compromised by hackers. If someone gains remote access to your server as root, they can do anything they want on your system, such as deleting files, installing malware, changing configurations, or stealing data.
That’s why you should disable remote root access on your server and use a regular user account with sudo privileges instead. Sudo allows you to execute commands as root without logging in as root. This way, you can limit the exposure of root privileges and enforce accountability for actions performed on the system.
To disable remote root access on your server, you need to edit the SSH
configuration file located at /etc/ssh/sshd_config
. Find the line that says
PermitRootLogin and change it to no:
PermitRootLogin no
Then save the file and restart the SSH service:
sudo systemctl restart sshd
To create a regular user account with sudo privileges on your server, you can use the useradd and usermod commands. For example, to create a user named alice and add her to the sudo group, you can run the following commands:
sudo useradd -m alice
sudo usermod -aG sudo alice
Then set a strong password for the user:
sudo passwd alice
Now you can log in to your server as alice and use sudo to execute commands as root. For example, to update the system, you can run the following command:
sudo apt update && sudo apt upgrade
You should also restrict root privileges for other users and applications on
your system. For example, you can use the chmod
and chown
commands to
change the permissions and ownership of files and directories. You can also
use the umask
command to set the default permissions for newly created files
and directories.
3. Enable and configure firewall and encrypt network transmissions
A firewall is a software or hardware device that filters incoming and outgoing network traffic based on a set of rules. A firewall can help you block unwanted or malicious connections to your server and allow only the ones that you need. For example, you can allow SSH connections on port 22, but block FTP connections on port 21.
There are different types of firewalls available for Linux servers, such as
iptables
, nftables
, ufw
, firewalld
, and more. You can choose the one
that suits your needs and preferences. If you not familiar with Linux, ufw
would be a good choice. ufw
is a simple and easy-to-use firewall that wraps
around iptables. To install ufw on a Debian-based system, you can run the
following command:
sudo apt install ufw
To enable ufw
on your system, you can run the following command:
sudo ufw enable
To allow SSH connections on port 22, you can run the following command:
sudo ufw allow 22/tcp
To deny FTP connections on port 21, you can run the following command:
sudo ufw deny 21/tcp
To check the status of ufw
and the rules that are applied, you can run the
following command:
sudo ufw status
You should also encrypt your network transmissions to prevent attackers from intercepting or modifying your data in transit. Encryption ensures that only the intended recipient can read or access your data. For example, you can use SSL/TLS certificates to secure your web server and HTTPS connections. You can also use VPN or SSH tunneling to encrypt your remote access to your server.
4. Secure SSH and enable SELinux
SSH (Secure Shell) is a protocol that allows you to securely connect to your server remotely over an encrypted channel. SSH is one of the most common ways to access and manage Linux servers. However, SSH can also be a target for hackers who try to brute force or guess your login credentials or exploit vulnerabilities in the SSH service.
That’s why you should secure your SSH configuration and follow some best practices to harden your SSH access. Some of these best practices are:
- Use strong passwords or passphrase for your user accounts and change them regularly.
- Use public key authentication instead of password authentication for SSH login. Public key authentication uses a pair of keys (private and public) to authenticate users. The private key is kept by the user and the public key is stored on the server. The user proves their identity by using the private key to decrypt a message encrypted by the public key.
- Change the default SSH port from 22 to a different port. This can help you avoid automated scans and attacks that target port 22.
- Limit the number of login attempts or use
fail2ban
to block repeated failed login attempts from an IP address. - Disable X11 forwarding, TCP forwarding, and agent forwarding if you don’t need them. These features allow you to forward graphical or network connections from your server to your local machine or vice versa.
- Use SSH keys with passphrase protection or use ssh-agent to store your keys securely.
- Use SSH hardening tools such as ssh-audit or ssh_scan to check your SSH configuration for vulnerabilities or misconfigurations.
To secure your SSH configuration, you need to edit the /etc/ssh/sshd_config
file and make the following changes:
-
To disable password authentication and enable public key authentication, find the lines that say PasswordAuthentication and PubkeyAuthentication and change them to no and yes respectively:
PasswordAuthentication no PubkeyAuthentication yes
-
To change the default SSH port from 22 to a different port (for example, 2222), find the line that says Port and change it to your desired port number:
Port 2222
-
To limit the number of login attempts, find the line that says
MaxAuthTries
and change it to a low number (for example, 3):MaxAuthTries 3
-
To disable X11 forwarding, TCP forwarding,Continuing the article:
and agent forwarding, find the lines that say X11Forwarding, AllowTcpForwarding, and AllowAgentForwarding and change them to no:
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
Then save the file and restart the SSH service:
sudo systemctl restart sshd
To generate SSH keys for your user account, you can use the ssh-keygen command. For example, to generate a 4096-bit RSA key pair for alice, you can run the following command:
ssh-keygen -t rsa -b 4096 -C "[email protected]"
Then follow the prompts to choose a file name and a passphrase for your keys.
The default file name is ~/.ssh/id_rsa
for the private key and
~/.ssh/id_rsa.pub
for the public key. The passphrase is optional but
recommended for extra security.
To copy your public key to the server, you can use the ssh-copy-id command. For example, to copy Alice’s public key to the server with IP address 192.168.0.1 on port 2222, you can run the following command:
ssh-copy-id -p 2222 [email protected]
Then enter your password when prompted. This will append your public key to
the ~/.ssh/authorized_keys
file on the server.
To log in to the server using your SSH key, you can use the ssh command with
the -i
option to specify your private key file. For example, to log in as
Alice to the server with IP address 192.168.0.1 on port 2222 using her private
key file ~/.ssh/id_rsa
, you can run the following command:
ssh -i ~/.ssh/id_rsa -p 2222 [email protected]
Then enter your passphrase when prompted. You should be able to log in without entering your password.
Another important step in Linux server hardening is to enable SELinux (Security-Enhanced Linux) on your system. SELinux is a security module that enforces mandatory access control (MAC) policies on Linux processes and objects. SELinux can prevent unauthorized or malicious actions by restricting what processes can do and what resources they can access.
SELinux has three modes of operation: enforcing, permissive, and disabled. In enforcing mode, SELinux enforces the policies and denies any actions that violate them. In permissive mode, SELinux only logs the violations but does not deny them. In disabled mode, SELinux is turned off and does not enforce or log anything.
To check the status and mode of SELinux on your system, you can use the sestatus command:
sestatus
To enable SELinux on your system, you need to edit the /etc/selinux/config
file and change the value of SELINUX
to enforcing
:
SELINUX=enforcing
Then save the file and reboot your system for the changes to take effect.
To manage SELinux policies and settings, you can use tools such as semanage
,
seinfo
, sesearch
, audit2allow
, restorecon
, and more. You can also use
graphical tools such as system-config-selinux or sealert.
5. Set Network Parameters and Manage Password Policies
Another aspect of Linux server hardening is to configure some network parameters that can improve the security and performance of your system. For example, you can disable IPv6 if you don’t use it, enable SYN cookies to prevent SYN flood attacks, enable reverse path filtering to prevent IP spoofing attacks, and more.
To configure network parameters on your system, you need to edit the
/etc/sysctl.conf
file and add or modify some lines according to your needs.
For example, to disable IPv6 on all interfaces, add or modify the following
line:
net.ipv6.conf.all.disable_ipv6 = 1
To enable SYN cookies on all interfaces, add or modify the following line:
net.ipv4.tcp_syncookies = 1
To enable reverse path filtering on all interfaces, add or modify the following line:
net.ipv4.conf.all.rp_filter = 1
Then save the file and apply the changes with the sysctl command:
sudo sysctl -p
You should also manage password policies on your system to ensure that users choose strong and secure passwords for their accounts. Password policies can enforce rules such as minimum length, complexity, expiration date, history, and more.
To manage password policies on your system, you need to edit the
/etc/login.defs
file and the /etc/pam.d/*
files. For example, to set the
minimum password length to 8 characters, edit the /etc/login.defs
file and
modify the following line:
PASS_MIN_LEN 8
To set the password expiration date to 90 days, edit the /etc/login.defs
file and modify the following line:
PASS_MAX_DAYS 90
To enforce password complexity rules, edit the /etc/pam.d/common-password
file and add or modify the following line:
password requisite pam_cracklib.so retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
This line uses the pam_cracklib
module to check the password strength and
requires at least one uppercase letter, one lowercase letter, one digit, and
one special character.
To prevent users from reusing their previous passwords, edit the
/etc/pam.d/common-password
file and add or modify the following line:
password sufficient pam_unix.so remember=5 use_authtok md5 shadow
This line uses the pam_unix
module to store the password hashes in the
/etc/shadow
file and remembers the last 5 passwords used by each user.
Linux Server Hardening Tools
In addition to following the Linux server hardening tips and best practices mentioned above, you can also use some tools that can help you audit and harden your Linux servers. These tools can scan your system for vulnerabilities, misconfigurations, compliance issues, and more. They can also provide you with recommendations and reports on how to improve your system security. Some of these tools are:
- Lynis: A security auditing tool that performs an in-depth scan of your system and provides suggestions for hardening and compliance.
- OpenSCAP: A security compliance tool that checks your system against various security standards and benchmarks such as CIS, PCI-DSS, STIG, and more.
- Nmap: A network scanning tool that can discover hosts, services, ports, vulnerabilities, and more on your network.
- Rkhunter: A rootkit detection tool that can scan your system for hidden processes, files, ports, and more that may indicate a rootkit infection.
Conclusion
Linux server hardening is a vital process that can enhance the security and performance of your Linux servers. By following the Linux server hardening tips and best practices discussed in this article, you can protect your Linux servers from various threats and attacks. You can also use some of the tools mentioned in this article to audit and harden your Linux servers.