How to Secure Your Linux Server in 5 Easy Steps

How to Secure Your Linux Server in 5 Easy Steps

comments

If you check your log files, you'll quickly notice a constant stream of failed login attempts. There's a seemingly never-ending horde of botnets and hackers trying to penetrate your server. With the 5 easy steps outlined in this guide, you'll be able to secure your Linux server and prevent the majority of these low-level attacks.

failed-login-attempts

Step 1: Update packages

Vulnerabilities are found frequently and subsequent patches are typically released soon after. So it's important to keep the kernel up to date and run the latest versions of the packages that you have installed on your server.

sudo apt-get update && sudo apt-get upgrade

Step 2: Disable root logins

By allowing SSH root logins, all a hacker needs to do is successfully bruteforce the root password and they'll then gain access to your entire server.

Before disabling root logins, make sure that you've created a normal user account first with access to run su and sudo.

adduser eric
usermod -aG sudo eric

To disable root logins, you'll need to change the value of PermitRootLogin to no inside of your SSHD config file located at /etc/ssh/sshd_config.

sudo sed -i -r 's/^PermitRootLogin .*/PermitRootLogin no/g' /etc/ssh/sshd_config
sudo service ssh restart

Step 3: Disable password authenicated logins

SSH allows the usage of public/private keys for authentication. By enabling this feature, and disabling password based logins, you'll prevent the accounts on your server from being able to have their passwords cracked via bruteforce.

Before disabling password authenticated logins, make sure you have at least one account with a public key uploaded for it to ~/.ssh/authorized_keys.

su eric
mkdir ~/.ssh
nano ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh

If you're running Windows, you can follow our guide on how to generate a SSH key pair with PuTTYgen.

In order to disable password logins, change the value of PasswordAuthentication to no in your SSHD config file located at /etc/ssh/sshd_config.

sudo sed -i -r 's/^PasswordAuthentication .*/PasswordAuthentication no/g' /etc/ssh/sshd_config
sudo service ssh restart

Step 4: Implement a firewall

Iptables is a powerful firewall utility that comes pre-installed on the majority of all Linux distros. It allows you to restrict access based on the rules that you specify. For this guide, we'll only allow access to the ports that we're using the server for - SSH and a HTTP web server - and block all other traffic to it.

For a detailed explanation of how iptables works, I suggest you read my guide on how to secure your server with Iptables firewall.

If you're unsure of a specific port that you're running a service on, you can use the netstat command to view all of the ports that your server is currently listening on.

netstat -tulnp

Here's a basic set of Iptables rules which will block all ports besides 22 (SSH) and 80 (HTTP).

sudo iptables -F
sudo iptables -A INPUT -i lo -p all -j ACCEPT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
sudo apt-get update
sudo apt-get install iptables-persistent
sudo iptables-save > /etc/iptables/rules.v4

Step 5: Add intrusion detection

Fail2ban will monitor your log files for failed login attempts. After a specified amount of failed attempts, it will place a rule in Iptables banning the attacker's IP address for a specified amount of time.

Install Fail2ban if you don't already have it installed

sudo apt-get install fail2ban

Fail2ban will override the settings located in the .conf files with the settings from the matching .local files. So let's go ahead and copy the jail.conf file over to jail.local.

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Under the SSH configuration, modify the settings accordingly.

sudo nano /etc/fail2ban/jail.local
[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3
bantime = 600

Congratulations! You've disabled root logins, disabled password based logins, enabled key based logins, implemented a firewall and are running an intrustion detection system. This should keep the majority of script kiddies out of your server.

Besides the steps outlined in this guide, what else do you do to personally secure your server? Let us know in the comments below.