Guides on system administration, 3D printing and other technology related projects.

How to Secure Your Linux Server in 5 Easy Steps

How to Secure Your Linux Server in 5 Easy Steps

If you check your log files, you’ll quickly notice a constant stream of failed login attempts. There’s a seemingly never-ending horde of botnets and hackers trying to penetrate your server. With the 5 easy steps outlined in this guide, you’ll be able to secure your Linux server and prevent the majority of these low-level attacks.


Step 1: Update packages

Vulnerabilities are found frequently and subsequent patches are typically released soon after. So it’s important to keep the kernel up to date and run the latest versions of the packages that you have installed on your server.

apt-get update && apt-get upgrade

Step 2: Disable root logins

By allowing SSH root logins, all a hacker needs to do is successfully bruteforce the root password and they’ll then gain access to your entire server.

Before disabling root logins, make sure that you’ve created a normal user account first with access to run su and sudo.

adduser eric
usermod -aG eric

To disable root logins, you’ll need to change the value of PermitRootLogin to no inside of your SSHD config file located at /etc/ssh/sshd_config.

sed -i -r 's/^PermitRootLogin .*/PermitRootLogin no/g' /etc/ssh/sshd_config
service ssh restart

Step 3: Disable password authenicated logins

SSH allows the usage of public/private keys for authentication. By enabling this feature, and disabling password based logins, you’ll prevent the accounts on your server from being able to have their passwords cracked via bruteforce.

Before disabling password authenticated logins, make sure you have at least one account with a public key uploaded for it to ~/.ssh/authorized_keys.

su eric
mkdir ~/.ssh
nano ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh

If you’re running Windows, you can follow our guide on how to generate a SSH key pair with PuTTYgen.

In order to disable password logins, change the value of PasswordAuthentication to no in your SSHD config file located at /etc/ssh/sshd_config.

sed -i -r 's/^PasswordAuthentication .*/PasswordAuthentication no/g' /etc/ssh/sshd_config
service ssh restart

Step 4: Implement a firewall

Iptables is a powerful firewall utility that comes pre-installed on the majority of all Linux distros. It allows you to restrict access based on the rules that you specify. For this guide, we’ll only allow access to the ports that we’re using the server for - SSH and a HTTP web server - and block all other traffic to it.

For a detailed explanation of how iptables works, I suggest you read my guide on how to secure your server with Iptables firewall.

If you’re unsure of a specific port that you’re running a service on, you can use the netstat command to view all of the ports that your server is currently listening on.

netstat -tulnp

Here’s a basic set of Iptables rules which will block all ports besides 22 (SSH) and 80 (HTTP).

iptables -F
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
apt-get update
apt-get install iptables-persistent
iptables-save > /etc/iptables/rules.v4

Step 5: Add intrusion detection

Fail2ban will monitor your log files for failed login attempts. After a specified amount of failed attempts, it will place a rule in Iptables banning the attacker’s IP address for a specified amount of time.

Install Fail2ban if you don’t already have it installed

apt-get install fail2ban

Fail2ban will override the settings located in the .conf files with the settings from the matching .local files. So let’s go ahead and copy the jail.conf file over to jail.local.

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Under the SSH configuration, modify the settings accordingly.

nano /etc/fail2ban/jail.local
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3
bantime = 600

Congratulations! You’ve disabled root logins, disabled password based logins, enabled key based logins, implemented a firewall and are running an intrustion detection system. This should keep the majority of script kiddies out of your server.

Besides the steps outlined in this guide, what else do you do to personally secure your server? Let us know in the comments below.

© Eric Mathison 2017-2020.