If you check your log files, you'll quickly notice a constant stream of failed login attempts. There's a seemingly never-ending horde of botnets and hackers trying to penetrate your server. With the 5 easy steps outlined in this guide, you'll be able to secure your Linux server and prevent the majority of these low-level attacks.
Step 1: Update packages
Vulnerabilities are found frequently, and patches usually follow soon after, so keep the kernel and every installed package current. Note that a plain upgrade never installs new packages, so a kernel update that ships under a new package name is skipped; run dist-upgrade (or apt full-upgrade) when you want those as well, and reboot afterwards for a new kernel to take effect.
sudo apt-get update && sudo apt-get upgrade
Step 2: Disable root logins
By allowing SSH root logins, all a hacker needs to do is successfully bruteforce the root password and they'll then gain access to your entire server.
Before disabling root logins, make sure that you've created a normal user account first with access to run su and sudo.
adduser eric
usermod -aG sudo eric
To disable root logins, set PermitRootLogin to no in your SSHD config file at /etc/ssh/sshd_config. On Debian and Ubuntu the shipped file has this directive commented out (#PermitRootLogin prohibit-password), so a sed anchored on the bare keyword matches nothing and leaves the default in place; the command below accepts the commented form too. Check the result with grep before restarting.
sudo sed -i -r 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
grep -n '^PermitRootLogin' /etc/ssh/sshd_config
sudo service ssh restart
Step 3: Disable password authenticated logins
SSH allows the usage of public/private keys for authentication. By enabling this feature, and disabling password based logins, you'll prevent the accounts on your server from being able to have their passwords cracked via bruteforce.
Before disabling password authenticated logins, make sure at least one account has its public key in ~/.ssh/authorized_keys. Paste the public key (the .pub file, never the private key) into the file, and keep the permissions strict, since sshd refuses keys from a directory or file that is group- or world-writable.
su - eric
mkdir -p ~/.ssh
chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
If you're running Windows, you can follow our guide on how to generate a SSH key pair with PuTTYgen.
To disable password logins, set PasswordAuthentication to no in /etc/ssh/sshd_config. As with PermitRootLogin, the stock Debian/Ubuntu file carries this directive commented out, so the sed below matches the commented form as well. On recent Ubuntu releases also check /etc/ssh/sshd_config.d/: that directory is included at the top of sshd_config, sshd uses the first occurrence of a directive it sees, so a drop-in there overrides what you set in the main file. Keep your current session open and confirm from a second terminal that key login still works before you close it.
sudo sed -i -r 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sshd -t
sudo service ssh restart
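Steps 2 and 3 both come down to editing a directive that, on Debian and Ubuntu, is usually present only as a commented-out default. Below is an added example, not code from the original post, that does this edit idempotently: it rewrites an active or commented line, or appends the directive if it is absent, and reads back the value sshd will actually use. It assumes GNU sed (for -i -E), as on Debian/Ubuntu, and ignores directives inside Match blocks, which sshd scopes separately; the config it demonstrates on is a constructed temporary file, not the live /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the original post: an idempotent sshd_config editor.
# A sed anchored on "^PermitRootLogin" silently misses the Debian/Ubuntu default
# "#PermitRootLogin prohibit-password"; this handles both forms and appends the
# directive when it is missing entirely. Assumes GNU sed (-i -E).

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
    file=$1
    key=$2
    value=$3
    if grep -Eq "^[#[:space:]]*${key}([[:space:]]|$)" "$file"; then
        # Rewrite every active or commented occurrence to the desired value.
        sed -i -E "s/^[#[:space:]]*${key}([[:space:]].*)?$/${key} ${value}/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY -> the value sshd will use: the first active,
# uncommented occurrence wins, and keywords are case-insensitive.
get_sshd_option() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Demo on a constructed copy of a default-looking config, never on the live file.
demo=$(mktemp)
printf '%s\n' '# constructed sample, not a real sshd_config' \
    '#PermitRootLogin prohibit-password' \
    '#PasswordAuthentication yes' \
    'Port 22' > "$demo"
set_sshd_option "$demo" PermitRootLogin no
set_sshd_option "$demo" PasswordAuthentication no
set_sshd_option "$demo" PubkeyAuthentication yes
cat "$demo"
rm -f "$demo"
```

Against the real file, run it as root on /etc/ssh/sshd_config, then `sshd -t` to validate the syntax and `sshd -T | grep -iE 'permitrootlogin|passwordauthentication'` to see the effective values after includes and Match blocks are resolved, before restarting the service.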
Step 4: Implement a firewall
Iptables is a powerful firewall utility that comes pre-installed on most Linux distros. It allows you to restrict access based on the rules that you specify. For this guide, we'll only allow access to the ports that we're using the server for, SSH and an HTTP web server, and block all other inbound traffic.
For a detailed explanation of how iptables works, I suggest you read my guide on how to secure your server with Iptables firewall.
If you're unsure which port a service is running on, use sudo netstat -tlnp (or sudo ss -tlnp on newer systems, where netstat is often no longer installed) to list every port your server is currently listening on, along with the process behind it.
Here's a basic set of Iptables rules which accepts loopback and established connections, accepts new connections to 22 (SSH) and 80 (HTTP), and drops everything else inbound. The ACCEPT rules are added before the INPUT policy is switched to DROP so your own SSH session is not cut off part way through.
sudo iptables -F
sudo iptables -A INPUT -i lo -p all -j ACCEPT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
sudo apt-get update
sudo apt-get install iptables-persistent
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
The last line runs the redirect under sudo as well: with a bare sudo iptables-save > /etc/iptables/rules.v4 the shell opens the file as your own user and fails with permission denied. These rules are IPv4 only; if the server has a public IPv6 address, repeat them with ip6tables and save the result to /etc/iptables/rules.v6, otherwise IPv6 traffic is left wide open.
Step 5: Add intrusion detection
Fail2ban will monitor your log files for failed login attempts. After a specified amount of failed attempts, it will place a rule in Iptables banning the attacker's IP address for a specified amount of time.
Install Fail2ban if you don't already have it installed.
sudo apt-get install fail2ban
Fail2ban overrides the settings in the .conf files with the settings from the matching .local files, and package upgrades may overwrite jail.conf but never touch jail.local. So copy jail.conf over to jail.local and make your changes there.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Under the SSH jail, modify the settings accordingly. In Fail2ban 0.9 and later the stock jail is named [sshd] rather than [ssh]; use whichever name your jail.conf already has. After restarting Fail2ban, confirm the jail is live with sudo fail2ban-client status sshd (or status ssh).
sudo nano /etc/fail2ban/jail.local
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 600
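To see what the jail above will act on before you enable it, here is an added example, not code from the original post or from Fail2ban itself, that reduces the core of the sshd filter to awk: it counts "Failed password" lines per source address and prints every address at or above maxretry. It ignores findtime (the time window Fail2ban also applies), so it over-counts slow attackers relative to a real jail. The auth.log excerpt it runs on is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or from Fail2ban: preview which
# addresses a maxretry threshold would ban, using only awk over auth.log.
# Unlike Fail2ban it has no findtime window, so counts accumulate forever.

# ban_candidates LOGFILE MAXRETRY -> "ip count" for every ip at or above MAXRETRY
ban_candidates() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' "$1" | sort
}

# Constructed auth.log excerpt (not real traffic): one address fails three
# times, another fails once and then logs in with a key.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Mar  3 10:01:02 srv sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 srv sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:09 srv sshd[1236]: Failed password for eric from 203.0.113.7 port 51250 ssh2
Mar  3 10:02:00 srv sshd[1240]: Failed password for eric from 198.51.100.4 port 40000 ssh2
Mar  3 10:02:30 srv sshd[1241]: Accepted publickey for eric from 198.51.100.4 port 40002 ssh2
EOF
ban_candidates "$sample" 3
rm -f "$sample"
```

Run ban_candidates /var/log/auth.log 3 as root on a live server to see the addresses the jail would have banned. The "invalid user" line is matched deliberately: attackers guessing non-existent usernames produce exactly that form, and the real sshd filter counts it too.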
Congratulations! You've disabled root logins, disabled password based logins, enabled key based logins, implemented a firewall and are running an intrusion detection system. This should keep the majority of script kiddies out of your server.
Besides the steps outlined in this guide, what else do you do to personally secure your server? Let us know in the comments below.