9 Powerful steps to secure a Linux server in production.
Securing a Linux server is important to guard our data from attackers. But securing a server doesn't have to be complicated. We should adopt an approach that protects the server from the most frequent attacks while keeping administration efficient.
Let me tell you, don't take things for granted. Even the most hardened server can be hijacked by exploiting a single vulnerable component running on it.
1. Install only required software or packages.
First of all, keep your server lean and mean: install only the packages you actually need. If there are unwanted packages, purge them immediately. Fewer packages mean less chance of unpatched code.
2. Restrict using old passwords
Restrict users from reusing their old passwords. The old password history is stored in /etc/security/opasswd. This can be done using a PAM module.
Open the '/etc/pam.d/system-auth' file under RHEL / CentOS / Fedora.
# vi /etc/pam.d/system-auth
Open the '/etc/pam.d/common-password' file under Ubuntu/Debian.
# vi /etc/pam.d/common-password
Add the following line to the 'auth' section.
auth sufficient pam_unix.so likeauth nullok
Add the line below to the 'password' section to disallow a user from re-using their last 3 passwords.
password sufficient pam_unix.so nullok use_authtok md5 shadow remember=3
The last 3 passwords are remembered by the server. If you try to reuse any of the last 3 old passwords, you will get an error like:
Password has been already used. Choose another
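The two PAM lines above are easy to get subtly wrong, and they carry two options worth checking on every host: 'nullok' tells pam_unix to accept an empty password, and 'md5' selects MD5 password hashing where current distributions use sha512. Here is an added example, my own shell snippet rather than anything from the original article, that audits a PAM stack file for the history depth and for nullok. The sample files it reads are constructed to mirror the lines above; the file paths and the minimum depth of 3 are assumptions.

```shell
#!/bin/sh
# Added example: audit a PAM password stack for password history (remember=N)
# and for the nullok option. Not part of the original article.

# Print the remember=N value from the first pam_unix.so line in the
# 'password' stack (0 when no history is configured).
pam_history_depth() {
    grep -E '^[[:space:]]*password[[:space:]]+.*pam_unix\.so' "$1" |
        sed -n 's/.*remember=\([0-9][0-9]*\).*/\1/p' |
        { read -r n || n=0; printf '%s\n' "${n:-0}"; }
}

# Succeed (exit 0) if any active auth/password line lets pam_unix accept an
# empty password (nullok, or the older nullok_secure).
pam_has_nullok() {
    grep -E '^[[:space:]]*(auth|password)[[:space:]]+.*pam_unix\.so.*[[:space:]]nullok(_secure)?([[:space:]]|$)' \
        "$1" >/dev/null
}

# Report on FILE against a minimum history depth MIN; return the number
# of failed checks so a caller can act on it.
check_pam_policy() {  # FILE MIN
    file=$1; min=$2; bad=0
    depth=$(pam_history_depth "$file")
    if [ "$depth" -ge "$min" ]; then
        echo "OK   $file: remembers last $depth passwords"
    else
        echo "FAIL $file: remember=$depth is below the required $min"
        bad=$((bad + 1))
    fi
    if pam_has_nullok "$file"; then
        echo "FAIL $file: nullok present, empty passwords are accepted"
        bad=$((bad + 1))
    else
        echo "OK   $file: no nullok"
    fi
    return "$bad"
}

# Constructed sample files (stand-ins for /etc/pam.d/system-auth).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/system-auth" <<'EOF'
# constructed: the two lines the article adds, verbatim
auth     sufficient pam_unix.so likeauth nullok
password sufficient pam_unix.so nullok use_authtok md5 shadow remember=3
EOF
cat > "$SAMPLE_DIR/system-auth.hardened" <<'EOF'
# constructed: same intent without nullok, with sha512 hashing and deeper history
auth     sufficient pam_unix.so likeauth
password sufficient pam_unix.so use_authtok sha512 shadow remember=5
EOF

# Live usage: check_pam_policy /etc/pam.d/system-auth 3
check_pam_policy "$SAMPLE_DIR/system-auth" 3 || true
check_pam_policy "$SAMPLE_DIR/system-auth.hardened" 3 || true
```

The first sample fails the nullok check even though its history depth is fine, which is the point: the line from the article enforces history but still lets an account with an empty password through. The pam_pwhistory module can provide the same history check on systems where pam_unix no longer offers remember=.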
3. SELinux should always be enabled
SELinux stands for Security-Enhanced Linux; it is an access control security mechanism provided in the kernel, so it should always be on in your server.
SELinux provides 3 operation modes:
Enforcing: This is the default mode, which enables and enforces the SELinux security policy on the machine.
Permissive: In this mode, SELinux won't enforce the security policy on the system; it only warns and logs actions.
Disabled: SELinux is turned off.
It can be managed from the '/etc/selinux/config' file, where you can enable or disable it.
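Because 'setenforce 0' changes the running mode without touching /etc/selinux/config, a host can be configured as enforcing yet be running permissive until the next reboot, or the reverse. The added shell example below (mine, not from the original article) reads the persistent mode from a config file and compares it with the runtime mode reported by getenforce; the sample config files are constructed.

```shell
#!/bin/sh
# Added example: compare the configured SELinux mode with the running one.
# Not part of the original article.

# Print the mode set in a SELinux config file (SELINUX=...), lower-cased,
# ignoring comments; 'unset' if the line is missing.
selinux_config_mode() {  # CONFIG_FILE
    m=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${m:-unset}" | tr 'A-Z' 'a-z'
}

# Print the live mode from getenforce when available ('unknown' otherwise,
# e.g. on a machine without the SELinux tools).
selinux_runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr 'A-Z' 'a-z'
    else
        echo unknown
    fi
}

# Return 0 when the persistent mode is enforcing and the runtime mode
# agrees; otherwise print what drifted and return 1.
selinux_check() {  # CONFIG_FILE RUNTIME_MODE
    cfg=$(selinux_config_mode "$1"); run=$2; rc=0
    if [ "$cfg" != enforcing ]; then
        echo "FAIL persistent mode is '$cfg', expected enforcing"; rc=1
    fi
    if [ "$run" != "$cfg" ]; then
        echo "FAIL runtime mode '$run' differs from configured '$cfg' (setenforce or a boot parameter changed it)"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK   SELinux enforcing, config and runtime agree"
    fi
    return "$rc"
}

# Constructed samples standing in for /etc/selinux/config.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/config.enforcing" <<'EOF'
# constructed: a typical /etc/selinux/config
# SELINUX= can take one of these values:
#     enforcing - SELinux security policy is enforced.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
cat > "$SAMPLE_DIR/config.disabled" <<'EOF'
# constructed: SELinux switched off persistently
SELINUX=disabled
SELINUXTYPE=targeted
EOF

# Live usage: selinux_check /etc/selinux/config "$(selinux_runtime_mode)"
selinux_check "$SAMPLE_DIR/config.enforcing" enforcing || true
selinux_check "$SAMPLE_DIR/config.enforcing" permissive || true
selinux_check "$SAMPLE_DIR/config.disabled" disabled || true
```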
4. Secure all console access
We must protect the Linux server's console access by disabling booting from external devices.
Disable booting from DVDs / CDs / USB pen drives in the BIOS setup. You must also set BIOS and GRUB boot loader passwords to protect access to the server at boot.
5. Root login should be disabled
It's always good to disable root user SSH access. Before doing this we have to create a custom sudo user, which will have the same power as the root user. You can use this sudo user for SSH login, and once logged in you can switch to the root user and perform your tasks.
Steps to create a sudo user:
Now, create a password for this sudo user using the command below.
Now give the user sudo permission using the command below.
echo 'user1 ALL=(ALL) ALL' >> /etc/sudoers
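The one-line echo into /etc/sudoers above works, but a typo in that file locks every sudo user out and nothing syntax-checks it. Here is an added example, my own script rather than anything from the original article, that performs the same procedure (create the user, set the password, grant sudo) through a drop-in file under /etc/sudoers.d that is validated with visudo before it can take effect. The user name user1 is the article's; the demo directory is a temporary stand-in for /etc/sudoers.d.

```shell
#!/bin/sh
# Added example: grant sudo through a validated drop-in file instead of
# appending to /etc/sudoers. Not part of the original article.

# Write the sudoers rule for USER into DIR/USER with the permissions sudo
# expects (0440) and, when running as root, validate it with visudo before
# it can take effect. Return 1 (and remove the file) if validation fails.
write_sudoers_dropin() {  # USER DIR
    user=$1; dir=$2; f="$dir/$user"
    printf '%s ALL=(ALL) ALL\n' "$user" > "$f"
    chmod 0440 "$f"              # sudo ignores files that are writable or world-readable
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        chown root:root "$f"
        if ! visudo -cf "$f" >/dev/null; then
            echo "sudoers syntax error in $f, removing it" >&2
            rm -f "$f"
            return 1
        fi
    else
        echo "note: not root, skipped visudo validation of $f" >&2
    fi
    return 0
}

# Full procedure; needs root.
create_sudo_user() {  # USER
    useradd -m -s /bin/bash "$1"            # home directory and login shell
    passwd "$1"                              # interactive: set the password now
    write_sudoers_dropin "$1" /etc/sudoers.d
}

# Demonstration against a temporary directory standing in for /etc/sudoers.d.
DEMO_DIR=$(mktemp -d)
write_sudoers_dropin user1 "$DEMO_DIR"
cat "$DEMO_DIR/user1"

# Only runs the real thing as root and when a user name is given, e.g.
#   CREATE_USER=user1 sh this-script.sh
if [ "$(id -u)" -eq 0 ] && [ -n "$CREATE_USER" ]; then
    create_sudo_user "$CREATE_USER"
fi
```

Test the new account with 'sudo -l' from a second session before you go on to disable root SSH access, so that a mistake in the rule is caught while root can still fix it.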
Open another SSH connection and log in to the server as the sudo user. If that login succeeds, disable root SSH access so that no one can log in over SSH as root. Open the sshd configuration file (/etc/ssh/sshd_config).
Now find the PermitRootLogin line in the file, uncomment it (remove the # from the start of the line) and set it to no, as shown below:
PermitRootLogin no
Now save and close the file and restart the sshd service using the command below (the first form is for SysV init systems, the second for systemd).
service sshd restart
systemctl restart sshd
6. Change the default port for SSH
By changing the default SSH port we add an extra layer of security to the Linux server. Open the file below to do this.
Go to /etc/ssh, open the sshd_config file, find 'Port 22' and replace 22 with your own custom port number.
For example, I am using 2220 here.
Then restart the sshd service again using the command below.
service sshd restart
systemctl restart sshd
Now test logging in with the newly defined port as shown below. You should be able to log in to SSH.
ssh username@IP -p 2220
7. Check which ports are currently open on the server
To check the currently open ports, use the 'netstat' command.
Now you can disable unwanted services using the 'chkconfig' command and close the ports that are not needed.
chkconfig serviceName off
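Reading the raw listener table by eye does not scale, and the question that matters is which sockets are bound to a network-facing address rather than to loopback. The added example below (mine, not from the original article) parses the output of 'ss -tlnp', the iproute2 successor to netstat, and prints every listener that is reachable from the network and not on an allow-list. The sample output is constructed; the allow-list of 2220, 80 and 443 follows the ports this article opens.

```shell
#!/bin/sh
# Added example: find network-reachable listening sockets that are not on an
# allow-list, from 'ss -tlnp' output. Not part of the original article.

# Read ss-style output from FILE and print "port process" for every
# listener bound to a non-loopback address whose port is not in ALLOWED
# (a space-separated list). Loopback-only services are not exposed and
# are skipped.
exposed_listeners() {  # FILE ALLOWED
    awk -v allowed=" $2 " '
        NR == 1 { next }                               # column header
        {
            n = split($4, a, ":"); port = a[n]         # text after the last ":"
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") next
            if (index(allowed, " " port " ") > 0) next
            proc = "?"
            if (match($6, /\("[^"]+"/))                # users:(("sshd",pid=...))
                proc = substr($6, RSTART + 2, RLENGTH - 3)
            print port, proc
        }' "$1"
}

# Constructed sample of 'ss -tlnp' output (run ss as root to see process names).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:2220         0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1045,fd=21))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1302,fd=6))
LISTEN  0       128     [::]:111             [::]:*             users:(("rpcbind",pid=590,fd=4))
EOF

# What should be reachable on this host: the custom SSH port and the web ports.
ALLOWED="2220 80 443"

# Live usage:  ss -tlnp > /tmp/listen.txt; exposed_listeners /tmp/listen.txt "$ALLOWED"
# Each printed line is a service to stop and disable (systemctl disable --now NAME,
# or chkconfig NAME off on SysV systems) or a port to close in the firewall.
# Add -u to ss to cover UDP listeners as well.
exposed_listeners "$SAMPLE" "$ALLOWED"
```

On the sample this prints only '111 rpcbind': MySQL is bound to loopback and is skipped, and sshd and nginx are on the allow-list.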
8. Passwordless login by generating an SSH key
By generating an SSH key on your host machine you can log in to your server easily, but this passwordless login will only be possible from the machine on which you generated the key.
So, use the command below on your host machine to generate the SSH key:
ssh-keygen -t rsa
You will get output like the following.
Now copy your public SSH key and add it on your server. To add this public key on the server, follow the steps below.
Let's say I want to add this public key for the devops user, which already exists on the server; use the commands below.
Now create a hidden directory and, inside it, a file named authorized_keys, then add the public key to that file. Use the step-by-step commands below.
mkdir -p /home/devops/.ssh
cd /home/devops/.ssh
vim authorized_keys
chmod 700 /home/devops/.ssh
chmod 600 /home/devops/.ssh/authorized_keys
Now change the ownership of the directory and file using the command below (sshd rejects the key if the directory or file is writable by anyone else).
chown -R devops:devops /home/devops/.ssh
Now disable password-based SSH login by making the change below in the /etc/ssh/sshd_config file.
Find "PasswordAuthentication yes" and change it to "PasswordAuthentication no".
Now only the authorized user can log in to the server, without a password, using the command below.
ssh user-name@serverIP -p <port-number>
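Steps 5, 6 and 8 all edit /etc/ssh/sshd_config, and a common slip is to uncomment one line while an earlier uncommented line with the same keyword still exists; sshd uses the first value it finds for each keyword, so the edit silently has no effect. The added example below (mine, not from the original article) resolves each keyword the way sshd does and audits the three settings from these steps. The sample files are constructed, and 2220 is the article's example port.

```shell
#!/bin/sh
# Added example: check that sshd_config actually carries the settings from
# steps 5, 6 and 8 (no root login, custom port, no password login).
# Not part of the original article.

# Print the effective value of KEY in FILE, or DEFAULT when it is not set.
# sshd takes the FIRST uncommented occurrence of a keyword. Keywords are
# case-insensitive. Match blocks are out of scope here and stop the scan;
# the "Key=value" spelling is not handled.
sshd_get() {  # FILE KEY DEFAULT
    v=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"       { exit }
        tolower($1) == key           { print $2; exit }
    ' "$1")
    printf '%s\n' "${v:-$3}"
}

# Report each expectation; return the number of failures.
audit_sshd() {  # FILE
    f=$1; bad=0
    v=$(sshd_get "$f" PermitRootLogin prohibit-password)   # OpenSSH 7.0+ default
    if [ "$v" = no ]; then echo "OK   PermitRootLogin $v"
    else echo "FAIL PermitRootLogin is '$v', expected no"; bad=$((bad + 1)); fi

    v=$(sshd_get "$f" PasswordAuthentication yes)
    if [ "$v" = no ]; then echo "OK   PasswordAuthentication $v"
    else echo "FAIL PasswordAuthentication is '$v', expected no"; bad=$((bad + 1)); fi

    v=$(sshd_get "$f" Port 22)
    if [ "$v" != 22 ]; then echo "OK   Port $v"
    else echo "FAIL Port is still 22"; bad=$((bad + 1)); fi
    return "$bad"
}

# Constructed samples standing in for /etc/ssh/sshd_config.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config.hardened" <<'EOF'
# constructed: after following steps 5, 6 and 8
Port 2220
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
EOF
cat > "$SAMPLE_DIR/sshd_config.trap" <<'EOF'
# constructed: the new lines were appended, but the earlier lines win
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
EOF

# Live usage: audit_sshd /etc/ssh/sshd_config, then 'sshd -t' to
# syntax-check the file before restarting the service.
audit_sshd "$SAMPLE_DIR/sshd_config.hardened" || true
audit_sshd "$SAMPLE_DIR/sshd_config.trap" || true
```

Run 'sshd -t' after editing to catch syntax errors before the restart, and keep your existing session open until a second login on the new port with the key succeeds. On a host with SELinux enforcing (step 3), the new port must also be labelled with 'semanage port -a -t ssh_port_t -p tcp 2220', otherwise sshd is denied permission to bind it, and the port must be allowed in the firewall (step 9). A non-default port mainly cuts down automated scan noise; disabling root and password logins is what carries the weight.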
9. Configure firewalld.
If you don't have firewalld installed on the server, use the steps and commands below.
By default the firewalld package is installed in RHEL/CentOS 7 and Fedora 21. If not, you can install it using the command below on RHEL/CentOS 7 and Fedora distributions.
sudo yum install firewalld -y
firewalld is a regular systemd service that can be managed via the systemctl command.
$ sudo systemctl start firewalld    # start the service for now
$ sudo systemctl enable firewalld   # enable the service to auto-start at boot time
$ sudo systemctl status firewalld   # view service status
You can also check whether the daemon is running or not, using below command.
sudo firewall-cmd --state
You can also reload firewalld. This reloads the firewall rules while keeping state information; the current permanent configuration becomes the new runtime configuration.
$ sudo firewall-cmd --reload
How to block and open ports in firewalld:
The example below adds ports 80 and 443 to allow inbound web traffic via the HTTP and HTTPS protocols, respectively.
$ sudo firewall-cmd --zone=public --permanent --add-port=80/tcp --add-port=443/tcp
Then reload firewalld and check the enabled features in the public zone using the commands below; you should see the ports you just added.
$ sudo firewall-cmd --reload
$ sudo firewall-cmd --info-zone=public
To block or close ports in the firewall, simply use the command below.
$ sudo firewall-cmd --zone=public --permanent --remove-port=80/tcp --remove-port=443/tcp
You can use a service name instead of a port or port/protocol combination.
$ sudo firewall-cmd --zone=public --permanent --add-service=http
$ sudo firewall-cmd --reload
Use the commands below to remove a service.
$ sudo firewall-cmd --zone=public --permanent --remove-service=http
$ sudo firewall-cmd --reload
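Two things bite in practice with the commands above. First, --permanent changes do nothing until --reload, so a zone can look right on disk and wrong at runtime. Second, the 'ssh' service that the public zone allows by default covers port 22 only; after step 6 moved SSH to 2220, the reload will cut your session unless 2220/tcp was added first. The added example below (mine, not from the original article) reads the output of 'firewall-cmd --info-zone=public' and reports both directions of drift: entries that are open but not expected, and expected entries that are missing. The sample output is constructed; the expected set follows the ports this article opens.

```shell
#!/bin/sh
# Added example: compare the firewalld public zone with the set of services
# and ports that should be open, from 'firewall-cmd --info-zone=public'
# output. Not part of the original article.

# Print every entry on the 'services:' and 'ports:' lines of FILE that is
# not in EXPECTED (a space-separated list of service names and port/proto).
zone_unexpected() {  # FILE EXPECTED
    awk -v expected=" $2 " '
        /^[[:space:]]*(services|ports):/ {
            for (i = 2; i <= NF; i++)
                if (index(expected, " " $i " ") == 0) print $i
        }' "$1"
}

# Print every entry of EXPECTED that the zone does not open (traffic blocked).
zone_missing() {  # FILE EXPECTED
    for want in $2; do
        grep -Eq "^[[:space:]]*(services|ports):.*[[:space:]]$want([[:space:]]|\$)" "$1" || echo "$want"
    done
}

# Constructed sample of 'firewall-cmd --info-zone=public' after step 9 was
# followed on a host whose SSH now listens on 2220 (step 6).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 80/tcp 443/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF

# The 'ssh' service only covers port 22; the real SSH port must be listed
# explicitly, otherwise the reload locks you out.
EXPECTED="2220/tcp 80/tcp 443/tcp"

# Live usage: firewall-cmd --info-zone=public > /tmp/zone.txt
#   zone_unexpected /tmp/zone.txt "$EXPECTED"  -> --permanent --remove-service / --remove-port
#   zone_missing    /tmp/zone.txt "$EXPECTED"  -> --permanent --add-port=2220/tcp, then --reload
echo "unexpected:"; zone_unexpected "$SAMPLE" "$EXPECTED"
echo "missing:";    zone_missing "$SAMPLE" "$EXPECTED"
```

On the sample, cockpit, dhcpv6-client and ssh are reported as unexpected and 2220/tcp as missing, which is exactly the lock-out scenario: fix the missing entry and reload before removing the stale ssh service.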