A secure Linux Server is essential to protect our data from hackers. But securing a server doesn’t require to be complicated. Here we have collected 7 Useful tips to improve the security of Linux server
- 1 How to secure linux server from hackers
- 1.1 Turn on SELinux
- 1.2 Secure Console Access
- 1.3 Restrict using Old passwords
- 1.4 Disable Root Login
- 1.5 Change the Port
- 1.6 Disable Ctrl+Alt+Delete in Inittab
- 1.7 Password-less Login
- 1.8 Turn off IPv6 to boost Linux server security
- 1.9 Use SFTP, not FTP
- 1.10 Always install updates
- 1.11 Fail2Ban for SSH login
How to secure linux server from hackers
The first rule is to keep your server lean and mean. Install only those packages that you really need. If there are unwanted packages; purge. The fewer the packages the less chance of unpatched code.
Turn on SELinux
Security-Enhanced Linux (SELinux) is an access control security mechanism provided in the kernel. It can easily enforce a security policy of your choosing, which is a must for a rock-solid Linux server.
SELinux provides 3 basic modes of operation :
- Enforcing: This is the default mode that enables and enforces the SELinux security policy on the machine.
- Permissive: In this mode, SELinux will not enforce the security policy on the system, only warn and log actions.
- Disabled: SELinux is turned off.
It can be managed from ‘/etc/selinux/config’ file, where you can enable or disable it.
CentOS and RedHat Enterprise Linux both ship with the SELinux security system. It is pre-configured for good security, so no further instructions are needed.
To set it up on the Ubuntu server use: sudo apt install selinux
Debian: sudo apt-get install selinux-basics selinux-policy-default auditd
Secure Console Access
You must protect Linux server’s console access by disabling the booting from external devices such as DVDs / CDs / USB pen after BIOS setup. Also, Set BIOS and grub boot loader password to protect these settings.
Restrict using Old passwords
We can restrict users to use the same old passwords. The old password file is located at /etc/security/password. This can be done by using PAM module.
Open ‘/etc/pam.d/system-auth‘ file under RHEL / CentOS / Fedora.
# vi /etc/pam.d/system-auth
Open ‘/etc/pam.d/common-password‘ file under Ubuntu/Debian/Linux.
# vi /etc/pam.d/common-password
Add the following line to ‘auth’ section.
auth sufficient pam_unix.so likeauth nullok
Add the below line to ‘password’ section to disallow a user from re-using last 3 passwords.
password sufficient pam_unix.so nullok use_authtok md5 shadow remember=3
Last 3 passwords are remembered by server. If you tried to use any of last 3 old passwords, you will get an error like.
Password has been already used. Choose another
Check Listening Ports
Use ‘netstat’ command to view open ports and corresponding services.
Disable the unwanted services from the system using ‘chkconfig’ command and close the ports that are not needed.
chkconfig serviceName off
Disable Root Login
By shutting access off to Root account, you’ll be able to ensure that bad actors cannot get full access to the system files, install problematic software (like malware), etc. It’s not advisable to ssh into your server as superuser(root). We should disable ssh as root user on the server, but before doing so, let’s create a user with sudo powers so that you can ssh into the server and perform administrative tasks. Once you are logged into the server, you can always switch user to root, if needed.
Create a new user :
Create password for the user added :
Provide sudo permissions to the newly added user :
echo 'user1 ALL=(ALL) ALL' >> /etc/sudoers
SSH to the server with the new user and ensure that the login works.
We are now going to disable root login, which means no one can ssh or log into the server as root user. To do so, open the sshd configuration file:
Next, uncomment the line that says
Then save and close this file and restart the service
service sshd restart
Important: Don’t log out of the server yet. First test whether you can successfully ssh into the server using the previously created user. Open another instance of the terminal and ssh into the server with user you previously created. If everything works fine, you can safely log out of the server as root.
Change the Port
We can change the default SSH Port to add a layer of opacity to keep your server safe .
Open the /etc/ssh/sshd_config file
replace default Port 22 with a different port number say 1110
save & exit from the file
service sshd restart
Now to login define the port No.
ssh username@IP -p 1110
Disable Ctrl+Alt+Delete in Inittab
Hitting Ctrl+Alt+Delete will take your server to reboot process. So this is always advisable to disable this as someone can mistakenly reboot the system.
The ctrl+Alt+Del action is defined in /etc/init/control-alt-delete.conf .Comment the below line
#start on control-alt-delete
We can easily login to our server through SSH without any password by generating the ssh-keys. Just be careful that you can log into your server only from that machine on which you generated the ssh keys
Generating SSH-keys :
ssh-keygen – t rsa
Copy your public SSH key, then add the same in the server
To add ssh keys in the server
Suppose we have user-user1 to provide ssh-key access to the server
cd /home/user1 ls -ll
Create a .ssh directory and inside it create a file named authorized_keys and add the users public ssh key in the same
mkdir .ssh cd /home/admin/.ssh vim authorized_keys
Add the public SSH key and then change the owner of the file
chown user1 authorized_keys
Disable ssh login
Passwordauthentication no PermitRootLogin no
Now, only the authorized user can login to the server with the command
ssh user-name@serverIP -p(port Number)
Turn off IPv6 to boost Linux server security
IPv6 is better than IPv4, but you probably aren’t getting much out of it because neither is anyone else. Hackers get something from it, because they use it to send malicious traffic, so shutting down IPv6 will close the door in their faces. Go to edit /etc/sysconfig/ network and change the settings to read NETWORKING_ IPV6=no and IPV6INIT=no. Simple as that.
Use SFTP, not FTP
File transfer protocol (FTP) isn’t safe anymore, even if you encrypt your connection. FTP and FTPS won’t keep you safe from packet sniffing, which is where your network traffic gets logged by someone else. Only the credentials are encrypted, which isn’t much use to anyone.
SFTP is “FTP over SSH” (also called “secure FTP”), and it encrypts all the data, credentials and files included.
Always install updates
This seems like an obvious point, but you’d be surprised to learn how many Linux server operators forgo updates on their system. The choice is understandable, as every update has the potential to screw up running applications, but by choosing to avoid system updates, you miss out on security patches that fix exploits and bugs that hackers use to breach Linux systems.
It’s true that updating on a production Linux server is a lot more annoying it will ever be on the Desktop. The simple fact is that you can’t just stop everything to install patches. To get around this, consider setting up a planned update schedule.
To be clear there’s no set science on update schedules. They can vary depending on your use case, but, it’s best to install patches weekly, or bi-weekly for maximum security.
Fail2Ban for SSH login
Fail2ban works by dynamically altering the firewall rules to ban addresses that have unsuccessfully attempted to log in a certain number of times.
Install Fail2ban :
sudo apt-get update apt-get install fail2ban
Create a new file jail.local and copy the contents of jail.config to the same and make the changes in jail.local file only
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit /etc/fail2ban/jail.local file
Make the desired changes:
[sshd] enabled = true port = ssh ( provide the port number if the default port is changed ) protocol = tcp filter = sshd logpath = /var/log/secure maxretry = 3 ( max no. of tries after which the host should be banned) findtime = 600 (This parameter sets the window that fail2ban will pay attention to when looking for repeated failed authentication attempts in seconds) bantime = 600 (time duration for which the host is banned -in seconds)
Then restart the fail2ban services
service fail2ban restart
IP can be blocked permanently by setting bantime = -1.
Note: FAIL2BAN will block the Global IP .
Security used to be an inconvenience sometimes, but now it’s a necessity all the time — Martina Navratilova