How to Secure Your Linux Server in 5 Easy Steps
If you check your log files, you’ll quickly notice a constant stream of failed login attempts. There’s a seemingly never-ending horde of botnets and hackers trying to penetrate your server. With the 5 easy steps outlined in this guide, you’ll be able to secure your Linux server and prevent the majority of these low-level attacks.
Step 1: Update packages
Vulnerabilities are found frequently and subsequent patches are typically released soon after. So it’s important to keep the kernel up to date and run the latest versions of the packages that you have installed on your server.
apt-get update && apt-get upgrade
Step 2: Disable root logins
By allowing SSH root logins, all a hacker needs to do is successfully brute-force the root password, and they'll then have access to your entire server.
Before disabling root logins, make sure that you’ve created a normal user account first with access to run su and sudo.
adduser eric
usermod -aG sudo eric
To disable root logins, you’ll need to change the value of PermitRootLogin to no inside of your SSHD config file located at /etc/ssh/sshd_config.
sed -i -r 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
service ssh restart
Step 3: Disable password authenticated logins
SSH allows the use of public/private key pairs for authentication. By enabling this feature and disabling password-based logins, you'll prevent the accounts on your server from having their passwords cracked via brute force.
Before disabling password authenticated logins, make sure you have at least one account with a public key uploaded for it to ~/.ssh/authorized_keys.
su eric
mkdir ~/.ssh
nano ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh
If you're running Windows, you can follow our guide on how to generate an SSH key pair with PuTTYgen.
In order to disable password logins, change the value of PasswordAuthentication to no in your SSHD config file located at /etc/ssh/sshd_config.
sed -i -r 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
service ssh restart
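sshd honours the first active occurrence of a directive and ignores anything inside a Match block for the global setting, so an edit made in Step 2 or Step 3 can be silently overridden by an earlier line or left unset if only a commented-out line existed. The following audit script is an added example, not part of the original guide; it reads the effective global value of a directive from an sshd_config-style file and flags mismatches before you restart the service (the sample file it checks is constructed inline).

```shell
#!/bin/sh
# Added example: report the effective global value of sshd_config directives.
# Assumes the "Keyword value" form of sshd_config (not "Keyword=value").

# effective_value FILE DIRECTIVE -> prints the first active value, or nothing if unset
effective_value() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, "") }             # drop leading whitespace
        /^#/ || NF == 0 { next }           # whole-line comments and blanks
        /^[Mm]atch[ \t]/ { inmatch = 1 }   # everything after Match is conditional
        !inmatch && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_directive FILE DIRECTIVE EXPECTED -> exit 0 when the effective value matches
check_directive() {
    val=$(effective_value "$1" "$2")
    if [ "$val" = "$3" ]; then
        echo "OK   $2 = $val"
        return 0
    fi
    echo "FAIL $2 = '${val:-<unset, compiled-in default applies>}' (expected $3)"
    return 1
}

# Constructed sample: PermitRootLogin is still commented out, so the compiled-in
# default applies; PasswordAuthentication is set globally and re-enabled only
# for one user inside a Match block, which must not affect the global check.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Port 22
#PermitRootLogin yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF

check_directive "$SAMPLE" PermitRootLogin no || true   # reports FAIL (unset)
check_directive "$SAMPLE" PasswordAuthentication no    # reports OK
rm -f "$SAMPLE"
```

Run it against the real file with the two check_directive calls pointed at /etc/ssh/sshd_config, and only restart sshd once both report OK.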
Step 4: Implement a firewall
Iptables is a powerful firewall utility that comes pre-installed on most Linux distributions. It allows you to restrict access based on the rules that you specify. For this guide, we'll only allow access to the ports that we're using the server for - SSH and an HTTP web server - and block all other incoming traffic.
For a detailed explanation of how iptables works, I suggest you read my guide on how to secure your server with Iptables firewall.
If you're unsure which port a service is running on, you can use the netstat command to view all of the ports that your server is currently listening on.
netstat -tulnp
Here’s a basic set of Iptables rules which will block all ports besides 22 (SSH) and 80 (HTTP).
iptables -F
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
apt-get update
apt-get install iptables-persistent
iptables-save > /etc/iptables/rules.v4
Step 5: Add intrusion detection
Fail2ban will monitor your log files for failed login attempts. After a specified number of failed attempts, it will add a rule to Iptables banning the attacker's IP address for a specified amount of time.
Install Fail2ban if you don't already have it installed:
apt-get install fail2ban
Fail2ban will override the settings located in the .conf files with the settings from the matching .local files. So let’s go ahead and copy the jail.conf file over to jail.local.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Under the SSH configuration, modify the settings accordingly.
nano /etc/fail2ban/jail.local
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 600
Congratulations! You've disabled root logins, disabled password-based logins, enabled key-based logins, implemented a firewall and are running an intrusion detection system. This should keep the majority of script kiddies out of your server.
Besides the steps outlined in this guide, what else do you do to personally secure your server? Let us know in the comments below.