How to secure Linux server

9 powerful steps to secure a Linux server in production.

Securing a Linux server is important to guard our data from attackers. But securing a server does not need to be complicated. We should adopt an approach that protects the server from the most frequent attacks while keeping administration efficient.

Do not take things for granted: even the most hardened server can be hijacked by exploiting a single vulnerable component running on it.

1. Install only required software or packages.

First of all, keep your server lean and mean: install only the packages you actually need, and purge unwanted packages immediately. Fewer packages means less chance of unpatched code.

2. Restrict reuse of old passwords

Restrict users from reusing their old passwords. The old password history is stored in /etc/security/opasswd. This is done with a PAM module.

Open the /etc/pam.d/system-auth file on RHEL / CentOS / Fedora.

# vi /etc/pam.d/system-auth

Open the /etc/pam.d/common-password file on Ubuntu / Debian.

# vi /etc/pam.d/common-password

Add the following line to the 'auth' section.

auth sufficient pam_unix.so likeauth nullok

Add the line below to the 'password' section to disallow a user from reusing the last 3 passwords.

password sufficient pam_unix.so nullok use_authtok md5 shadow remember=3

The last 3 passwords are remembered by the server. If you try to reuse any of the last 3 old passwords, you will get an error like:

Password has been already used. Choose another

3. SELinux should always be enabled

SELinux stands for Security-Enhanced Linux; it is an access control security mechanism provided in the kernel, so it should always be on in your server.

SELinux provides 3 operation modes:

Enforcing: This is the default mode, which enables and enforces the SELinux security policy on the machine.
Permissive: In this mode SELinux does not enforce the security policy on the system; it only warns and logs actions.
Disabled: SELinux is turned off.

It can be managed from the /etc/selinux/config file, where you can enable or disable it.

4. Secure all console access

We must protect console access to Linux servers by disabling booting from external devices.
Disable DVD / CD / USB pen drive boot in the BIOS setup. You must also set BIOS and GRUB boot loader passwords to protect the server's login.

5. Root login should be disabled

It is always good to disable root user SSH access. Before doing this we have to create a custom sudo user, which will have the same power as the root user. You can use this sudo user for SSH login and, once logged in, switch to the root user and perform your task.

Steps to create sudo user:

useradd devops

Now create a password for this sudo user using the command below.

passwd devops

Now grant sudo permission to the user using the command below (the user name must match the one created above).

echo 'devops ALL=(ALL) ALL' >> /etc/sudoers

Open another SSH connection and access the server using the sudo user. If you succeed in logging in, we can disable root SSH access so that nobody can log in over SSH as root. Open the configuration file below.

/etc/ssh/sshd_config

Now find the "PermitRootLogin" line in the file, uncomment it (remove the # from the start of the line) and make sure it reads as shown below:

PermitRootLogin no

Now save and close the file and restart the sshd service using the command below:

service sshd restart

OR

systemctl restart sshd

6. Change the default SSH port

Changing the default SSH port adds an extra layer of security to our Linux server. To do this, go to /etc/ssh, open the sshd_config file, find "Port 22" and replace 22 with your custom port. I am using 2220 here.

Then restart the sshd service again using the command below:

service sshd restart

OR

systemctl restart sshd

Now test logging in with the newly defined port as shown below. You should be able to log in over SSH.

ssh username@IP -p 2220

7. Check which ports are currently open on the server

To check the currently open ports, use the 'netstat' command as shown below:

netstat -tunlp

Now you can disable unwanted services on the system using the 'chkconfig' command and close the ports that are not needed.

chkconfig serviceName off
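The listing from netstat -tunlp is only useful once you decide which listeners are acceptable. The script below is an added example (not the article's own code) that parses a constructed netstat -tunlp sample, reports every listener bound to all interfaces (0.0.0.0 or ::), and then filters out an allowlist of expected ports, leaving the ones to shut down or firewall. Point it at saved output from a real server by changing the file path.

```shell
#!/bin/sh
# Added example, not from the article: turn netstat -tunlp output into an
# exposure report. A listener bound to 0.0.0.0 or :: is reachable from every
# interface, so those are the ports to either allowlist or shut down.

# Print "proto port program" for every listener bound to all interfaces.
exposed_listeners() {  # $1 = file holding netstat -tunlp output
    awk '
        $1 !~ /^(tcp|udp)/ { next }           # skip the two header lines
        $4 ~ /^(0\.0\.0\.0|::):/ {            # Local Address column, any interface
            port = $4; sub(/.*:/, "", port)   # strip the address, keep the port
            print $1, port, $NF               # $NF = PID/Program (udp has no State)
        }' "$1"
}

# Print only the exposed listeners whose port is NOT in the allowlist.
unexpected_listeners() {  # $1 = netstat output file, $2 = allowlist, e.g. "22 80 443"
    exposed_listeners "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok)'
}

# Constructed sample, in the layout netstat -tunlp prints (PIDs are made up).
NETSTAT_SAMPLE=$(mktemp)
cat > "$NETSTAT_SAMPLE" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1103/master
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      601/rpcbind
tcp6       0      0 :::80                   :::*                    LISTEN      1421/httpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           702/dhclient
EOF

echo "Exposed listeners:";        exposed_listeners "$NETSTAT_SAMPLE"
echo "Not in allowlist (22 80):"; unexpected_listeners "$NETSTAT_SAMPLE" "22 80"
```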

8. Passwordless login by generating an SSH key

By generating an SSH key on your host machine you can log in to your server easily, but this passwordless login will be possible only from the machine on which you generated the key.

So, use the command below on your host machine to generate the SSH key:

ssh-keygen -t rsa

You will get output as shown below.

Now copy your public SSH key and add it on your server. To add this public key on the server, follow the steps below.

Let's say I want to add this public key for the devops user which was already created on the server; use the commands below.

cd /home/devops

 

Now create a hidden directory here, and inside it create a file named authorized_keys and add the public key to that file. Use the step-by-step commands below.

mkdir .ssh
cd /home/devops/.ssh
vim authorized_keys

Now change the ownership of this file using the command below:

chown devops authorized_keys

 

Now we need to disable SSH password login by making the change below in the /etc/ssh/sshd_config file.

Find "PasswordAuthentication yes" and change it to "PasswordAuthentication no":

PasswordAuthentication no

Now only the authorized user can log in to the server, without a password, using the command below:

ssh user-name@serverIP -p <port number>
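Steps 2, 5, 6 and 8 all edit configuration files by hand, and a stray comment character or a duplicate line silently undoes the change. The script below is an added example (not the article's own code) that audits the result read-only: it extracts the effective sshd settings the way sshd resolves them (first uncommented occurrence wins, keywords are case-insensitive) and the remember= value from the PAM password line. The sample files it runs on are constructed; point it at the real /etc/ssh/sshd_config and /etc/pam.d/common-password (or system-auth) on a server.

```shell
#!/bin/sh
# Added example, not the article's own code: a read-only audit of the sshd and
# PAM settings that steps 2, 5, 6 and 8 edit by hand. Paths are parameters, so
# it runs on the constructed samples below or on the real system files.

# sshd uses the FIRST uncommented occurrence of a keyword, matched
# case-insensitively ("Passwordauthentication no" is accepted). Lines after
# "Match" are conditional overrides needing separate review, so stop there.
sshd_effective() {  # $1 = sshd_config path, $2 = keyword
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# N from remember=N on the pam_unix.so "password" line (empty if absent).
pam_remember() {  # $1 = PAM file path
    awk '$1 == "password" && /pam_unix\.so/ {
        for (i = 3; i <= NF; i++)
            if ($i ~ /^remember=/) { sub("remember=", "", $i); print $i; exit }
    }' "$1"
}

# Prints one line per finding; returns 1 if there was any, 0 if clean.
audit_hardening() {  # $1 = sshd_config, $2 = PAM password file
    rc=0
    [ "$(sshd_effective "$1" PermitRootLogin)" = no ] \
        || { echo "FINDING: PermitRootLogin is not 'no'"; rc=1; }
    [ "$(sshd_effective "$1" PasswordAuthentication)" = no ] \
        || { echo "FINDING: PasswordAuthentication is not 'no'"; rc=1; }
    port=$(sshd_effective "$1" Port)
    [ -n "$port" ] && [ "$port" != 22 ] \
        || echo "NOTE: sshd is on the default port 22"
    hist=$(pam_remember "$2")
    [ -n "$hist" ] && [ "$hist" -ge 3 ] \
        || { echo "FINDING: password history (remember=) is below 3"; rc=1; }
    return $rc
}

# Constructed hardened samples (sha512 here where the article's line has md5).
SAMPLE_SSHD=$(mktemp); SAMPLE_PAM=$(mktemp)
cat > "$SAMPLE_SSHD" <<'EOF'
#PermitRootLogin yes
Port 2220
PermitRootLogin no
Passwordauthentication no
EOF
echo 'password sufficient pam_unix.so nullok use_authtok sha512 shadow remember=3' > "$SAMPLE_PAM"
audit_hardening "$SAMPLE_SSHD" "$SAMPLE_PAM" && echo "OK: no findings"
```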

9. Configure firewalld.

If firewalld is not installed on the server, use the steps and commands below.

By default the firewalld package is installed on RHEL/CentOS 7 and Fedora 21. If not, you can install it using the command below on RHEL/CentOS 7 and Fedora distributions.

sudo yum install firewalld -y

Manage firewalld:

firewalld is a regular systemd service that can be managed via the systemctl command.

$ sudo systemctl start firewalld	#start the service for the mean time
$ sudo systemctl enable firewalld	#enable the service to auto-start at boot time
$ sudo systemctl status firewalld	#view service status

You can also check whether the daemon is running using the command below.

sudo firewall-cmd --state

You can reload firewalld. This reloads the firewall rules while keeping state information; the current permanent configuration becomes the new runtime configuration.

$ sudo firewall-cmd --reload

How to block and open ports in firewalld:

The example below adds ports 80 and 443 to allow inbound web traffic via the HTTP and HTTPS protocols, respectively.

$ sudo firewall-cmd --zone=public --permanent --add-port=80/tcp --add-port=443/tcp

Then reload firewalld and check the enabled features in the public zone using the commands below; you should see the ports you just added.

$ sudo firewall-cmd --reload
$ sudo firewall-cmd --info-zone public

To block or close ports in the firewall, simply use the command below.

$ sudo firewall-cmd --zone=public --permanent --remove-port=80/tcp --remove-port=443/tcp

You can use the service name instead of a port or port/protocol combination.

For example:

$ sudo firewall-cmd --zone=public --permanent --add-service=http
$ sudo firewall-cmd --reload

Use the commands below to remove a service again.

$ sudo firewall-cmd --zone=public --permanent --remove-service=http
$ sudo firewall-cmd --reload

If you find this article helpful, please like, share and subscribe to https://devopsarticle.com


Suresh Dike

I am Suresh, working on Cloud, DevOps, Linux, Firewalls, Docker and Kubernetes. Believes in sharing the knowledge.