Hardening is a catch-all term for the configuration, access-control, network and server-environment changes (including changes to the applications running on it) that are made to improve a server's security and, with it, the overall security of an organization's IT infrastructure.
The first thing to do on a new server is refresh the package index and upgrade the operating system and installed applications so that the latest security patches are applied.
Do this as soon as you have root (or sudo) access, and before you expose any service to the network.
On Ubuntu and Debian:
$ sudo apt update && sudo apt upgrade -y
On Fedora, CentOS, or RHEL:
$ sudo dnf upgrade
2. Create a new privileged user account
Day-to-day administration should not be done as root: a typo or a hijacked session then has unlimited reach, and a shared root login leaves no record of who did what. Instead, create a regular account for yourself ("<username>"), give it sudo rights so it can escalate only when a task needs it, and use that account for all logins.
Start by creating the user (on Debian/Ubuntu adduser also prompts for a password; on Fedora/RHEL it is an alias for useradd, so set the password afterwards with passwd):
$ sudo adduser <username>
Then give the account sudo rights by appending (-a) the sudo group to its supplementary groups (-G). On Fedora, CentOS and RHEL the administrative group is wheel rather than sudo:
$ sudo usermod -a -G sudo <username>
3. Set up SSH keys (password-less login)
SSH keys let you authenticate with a key pair instead of a password, which removes the password-guessing attack surface entirely once password logins are turned off in the next step. Generate a key pair on your workstation if you do not have one yet, then copy the public key to the new account with ssh-copy-id. Run it from your workstation, and do it now, while password authentication is still enabled, because ssh-copy-id needs to log in with your password to install the key:
$ ssh-copy-id <username>@ip_address
Open a second terminal and confirm that you can log in as <username> without being asked for a password before you continue. Only the public key is stored on the server; the private key never leaves your machine.
4. Secure SSH
Next, make these three changes:
- Disable SSH password authentication
- Restrict root from logging in remotely
- Restrict access to IPv4 or IPv6
Open /etc/ssh/sshd_config in your text editor. On many distributions these directives are present only as commented-out defaults (#PasswordAuthentication yes), so uncomment and edit them rather than adding duplicates: sshd honours the first occurrence of a directive and ignores later ones. Make sure the lines
PasswordAuthentication yes
PermitRootLogin yes
look like this:
PasswordAuthentication no
PermitRootLogin no
Next, restrict sshd to a single address family with the AddressFamily option. If you only reach the server over IPv4, which is the common case, use:
AddressFamily inet
Check the file with sshd -t (it prints nothing when the configuration is valid), then restart the SSH service to apply the changes. Keep your current session open and test a fresh login from another terminal first: if the new login fails, you can still repair the file from the old session. On Ubuntu 22.04 and later also look in /etc/ssh/sshd_config.d/, which is included at the top of sshd_config and therefore takes precedence; cloud images often ship a drop-in there that sets PasswordAuthentication yes.
On Ubuntu and Debian (the unit is named ssh):
$ sudo systemctl restart ssh
On Fedora, CentOS, RHEL or anything else using systemd:
$ sudo systemctl restart sshd
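Steps 3 and 4 are usually done by hand, but stock sshd_config files differ between distributions: on Ubuntu the directives ship commented out, and newer releases pull in /etc/ssh/sshd_config.d/*.conf through an Include at the top of the file, where a drop-in can re-enable password logins and win because the first occurrence of a directive takes effect. The script below is an added example, not code from the original article: it sets each directive idempotently whether the existing line is commented out, active or missing, aligns any drop-in that mentions PasswordAuthentication, and on --apply validates with sshd -t before restarting, so a typo cannot leave you with a daemon that refuses to start. The function names, the backup file name and the constructed sample configuration are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): idempotent sshd_config hardening.
# Usage:  ./harden-sshd.sh --apply          (run as root on the server)
#         . ./harden-sshd.sh && harden_sshd_config /path/to/a/copy   (dry run)
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites every top-level "KEY ..." line, including a commented-out default
# such as "#KEY yes", to "KEY VALUE"; appends the directive if none exists.
# Matching is case-sensitive on purpose (portable sed); stock files use the
# canonical spelling from sshd_config(5).
set_sshd_option() {
  file=$1 key=$2 value=$3
  if grep -Eq "^[[:space:]]*#?${key}([[:space:]]|\$)" "$file"; then
    tmp=$(mktemp)
    sed -E "s|^[[:space:]]*#?${key}([[:space:]].*)?\$|${key} ${value}|" "$file" > "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"      # keep the file's inode and mode
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# sshd_value FILE KEY
# First active (uncommented) value of KEY in FILE, mirroring sshd's
# first-match-wins rule for one file. `sshd -T` shows the fully merged view.
sshd_value() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd_config FILE
# The article's three changes plus an explicit PubkeyAuthentication yes.
harden_sshd_config() {
  cfg=$1
  set_sshd_option "$cfg" PubkeyAuthentication yes
  set_sshd_option "$cfg" PasswordAuthentication no
  set_sshd_option "$cfg" PermitRootLogin no
  set_sshd_option "$cfg" AddressFamily inet
}

if [ "${1:-}" = "--apply" ]; then
  cfg=/etc/ssh/sshd_config
  cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"    # rollback copy
  harden_sshd_config "$cfg"
  # Drop-ins are included before the main file and therefore override it.
  for f in /etc/ssh/sshd_config.d/*.conf; do
    if [ -f "$f" ] && grep -Eq '^[[:space:]]*PasswordAuthentication' "$f"; then
      set_sshd_option "$f" PasswordAuthentication no
    fi
  done
  sshd -t                                           # fail closed on a bad config
  systemctl restart ssh 2>/dev/null || systemctl restart sshd
  sshd -T | grep -Ei '^(passwordauthentication|permitrootlogin|addressfamily) '
fi
```

Run it once with --apply in a session you keep open, then confirm a new login still works before closing that session; the final sshd -T line shows the values sshd is actually using after all includes are merged.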
5. Check and configure the firewall
Now install a firewall, enable it, and configure it to allow only the traffic you designate. Uncomplicated Firewall (UFW) is the Debian/Ubuntu front end to the Linux kernel's packet filter (Netfilter, driven through iptables or, on current releases, nftables) and greatly simplifies writing rules; Fedora, CentOS and RHEL ship firewalld for the same purpose.
You can install UFW with:
$ sudo apt install ufw
Before enabling it, add a rule that allows SSH. UFW's default incoming policy is deny, so enabling it on a remote server without that rule drops your own session. Then enable UFW:
$ sudo ufw enable
You can see what services are allowed and denied with:
$ sudo ufw status
If you ever want to disable UFW, you can do so by typing:
$ sudo ufw disable
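The order of the UFW commands matters more than the commands themselves: defaults first, the SSH rule before anything else, enable last. The script below is an added example, not code from the original article. Its ufw_plan function emits that sequence for a given SSH port and any extra services, uses ufw's limit action for SSH so that a source making six or more connections in 30 seconds is dropped, refuses to produce a plan for an invalid port, and only runs the commands when given --apply; plan_is_safe checks any plan, including a hand-written one, for the lockout ordering. Function names and the service list are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): lockout-safe UFW bootstrap.
# Usage:  ./ufw-bootstrap.sh --plan 22 80/tcp 443/tcp    print the commands
#         ./ufw-bootstrap.sh --apply 22 80/tcp 443/tcp   run them as root
set -eu

# ufw_plan SSH_PORT [RULE...]
# Prints one ufw command per line in an order that can never lock you out:
# policy defaults, the SSH rule, any extra rules, and `enable` last.
# RULE is anything `ufw allow` accepts, e.g. 80/tcp or 443/tcp.
ufw_plan() {
  ssh_port=${1:-}
  if [ $# -gt 0 ]; then shift; fi
  case $ssh_port in
    ''|*[!0-9]*) echo "ufw_plan: SSH port must be numeric, got '$ssh_port'" >&2; return 1 ;;
  esac
  if [ "$ssh_port" -lt 1 ] || [ "$ssh_port" -gt 65535 ]; then
    echo "ufw_plan: SSH port out of range: $ssh_port" >&2; return 1
  fi
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  # `limit` allows the port but drops a source that opens 6+ connections
  # in 30 s, which blunts password guessing before fail2ban is even installed.
  echo "ufw limit ${ssh_port}/tcp"
  for rule in "$@"; do
    echo "ufw allow $rule"
  done
  echo "ufw --force enable"                 # --force skips the interactive prompt
}

# plan_is_safe PLANFILE
# Succeeds only if an SSH-style tcp allow/limit rule precedes `enable`
# and `enable` is the last command in the plan.
plan_is_safe() {
  awk '
    /^ufw (allow|limit) [0-9]+\/tcp/ && !ssh { ssh = NR }
    /^ufw (--force )?enable$/ { en = NR }
    END { exit !(ssh && en && ssh < en && en == NR) }
  ' "$1"
}

if [ "${1:-}" = "--apply" ]; then
  shift
  plan=$(mktemp)
  ufw_plan "$@" > "$plan"
  plan_is_safe "$plan" || { echo "refusing to apply an unsafe plan" >&2; exit 1; }
  while IFS= read -r cmd; do echo "+ $cmd"; $cmd; done < "$plan"
  rm -f "$plan"
  ufw status verbose
elif [ "${1:-}" = "--plan" ]; then
  shift
  ufw_plan "$@"
fi
```

If you changed the SSH port in sshd_config, pass that port as the first argument; the plan's limit rule must match the port sshd is actually listening on, which you can confirm with sshd -T | grep -i '^port'.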
6. Install Fail2ban for SSH logins
Fail2ban (DenyHosts is a similar tool) watches log files such as /var/log/auth.log for repeated failed logins and bans the source address behind them.
When an address exceeds the configured number of failures (maxretry) inside the configured time window (findtime), Fail2ban adds a firewall rule that blocks it for bantime, or permanently if bantime is set to -1.
You can install Fail2ban by typing:
$ sudo apt install fail2ban -y
Fail2ban reads jail.conf and then jail.local, with the latter overriding the former. The upstream advice is to keep a short jail.local holding only your changes (at minimum an [sshd] section with enabled = true, which Debian and Ubuntu already provide in /etc/fail2ban/jail.d/defaults-debian.conf) rather than a full copy, because a copy pins old defaults across package upgrades. If you prefer to start from the full file, copy it and then edit the [sshd] jail in the copy:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Restart Fail2ban, then confirm the jail is running and see current bans with fail2ban-client status sshd:
$ sudo service fail2ban restart
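To see what Fail2ban is doing when it bans an address, the added example below, which is not from the original article and not Fail2ban's own code, reimplements the core of its sshd jail as an awk filter over constructed auth.log lines: it counts "Failed password" events per source IP and reports an address once it reaches maxretry failures inside any sliding findtime window. The defaults it uses, 5 retries in 600 seconds, are Fail2ban's shipped defaults; the sample addresses are from documentation ranges, and the log lines are assumed to fall on one day, which is why the window logic works on time of day alone.

```shell
#!/bin/sh
# Added example (not from the original article): the counting logic behind a
# Fail2ban sshd jail, as a standalone filter over syslog-format auth.log lines.
set -eu

# sample_auth_log
# Constructed lines in the format sshd writes via rsyslog (no year, one day).
# 203.0.113.5 and 198.51.100.7 are documentation-only addresses.
sample_auth_log() {
  cat <<'EOF'
Mar 10 12:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 12:00:03 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 12:00:07 web1 sshd[2104]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 10 12:00:09 web1 sshd[2106]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar 10 12:00:12 web1 sshd[2108]: Failed password for deploy from 198.51.100.7 port 40030 ssh2
Mar 10 12:00:15 web1 sshd[2110]: Failed password for invalid user admin from 203.0.113.5 port 51250 ssh2
Mar 10 12:00:20 web1 sshd[2112]: Failed password for invalid user test from 203.0.113.5 port 51260 ssh2
Mar 10 12:00:25 web1 sshd[2114]: Failed password for invalid user test from 203.0.113.5 port 51266 ssh2
Mar 10 12:30:00 web1 sshd[2200]: Failed password for deploy from 198.51.100.7 port 40100 ssh2
Mar 10 12:40:00 web1 sshd[2210]: Failed password for deploy from 198.51.100.7 port 40110 ssh2
Mar 10 12:50:00 web1 sshd[2220]: Failed password for deploy from 198.51.100.7 port 40120 ssh2
Mar 10 13:00:00 web1 sshd[2230]: Failed password for deploy from 198.51.100.7 port 40130 ssh2
EOF
}

# ban_candidates LOGFILE [MAXRETRY] [FINDTIME_SECONDS]
# Prints each source IP at the moment it reaches MAXRETRY failed password
# logins within a sliding FINDTIME window (Fail2ban defaults: 5 in 600 s),
# once per IP. Only "Failed password" is matched here; Fail2ban's sshd filter
# also covers "Invalid user", "Connection closed by authenticating user", etc.
ban_candidates() {
  awk -v maxretry="${2:-5}" -v findtime="${3:-600}" '
    /sshd\[[0-9]+\]: Failed password for / {
      split($3, hms, ":")                          # field 3 is HH:MM:SS
      now = hms[1] * 3600 + hms[2] * 60 + hms[3]
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip == "" || ip in banned) next
      n[ip]++; t[ip, n[ip]] = now                  # record this failure
      # slide the window: drop failures older than findtime
      while (n[ip] - head[ip] > 0 && t[ip, head[ip] + 1] < now - findtime) head[ip]++
      if (n[ip] - head[ip] >= maxretry) { print ip; banned[ip] = 1 }
    }
  ' "$1"
}

# Against a live system:  ban_candidates /var/log/auth.log 5 600
```

In the sample, 203.0.113.5 makes five failures in twenty seconds and is reported once, even though a sixth failure follows; 198.51.100.7 also fails five times, but spread over an hour, so with the default ten-minute findtime it is never reported. Widening findtime to 3600 catches it, which is the trade-off the findtime setting controls.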
7. Remove unused network-facing services
Almost every Linux server install comes with a few network-facing services enabled. Keep only the ones the server actually needs: every listening daemon is attack surface that also has to be patched and monitored. List the sockets and the processes behind them with the ss command:
$ sudo ss -atpu
To remove an unused service on Debian/Ubuntu:
$ sudo apt purge <service_name>
To remove an unused service on Red Hat/CentOS (use dnf on current releases, yum on older ones):
$ sudo yum remove <service_name>
8. Check listening ports
Use netstat (or, on current systems where it is no longer installed, ss with the same flags) to list listening ports and the services behind them:
netstat -tunlp
Disable the services you do not need and close their ports. chkconfig is the SysV init tool; on systemd-based distributions disable and stop the unit instead. Removing the package, as in step 7, is better than disabling the service, since nothing can re-enable what is not installed.
chkconfig serviceName off
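Steps 7 and 8 both come down to one question: which sockets accept connections from the network, as opposed to loopback only. The added example below, not from the original article, answers it from the output of ss -tulnp. A constructed capture is embedded so the check runs offline, and the awk filter reports only listeners bound to a wildcard address (0.0.0.0, [::] or *), collapsing the IPv4 and IPv6 entries of one daemon into a single line. The process column is only filled in for your own sockets unless ss runs as root, so the filter prints ? where it is missing. Function names and the sample capture are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): list services exposed to
# the network from `ss -tulnp` output.
set -eu

# sample_ss_output
# Constructed `sudo ss -tulnp` capture: sshd and redis on all interfaces,
# mysqld and cupsd on loopback, systemd-resolved on its stub address, and one
# socket whose owner was not visible (no Process column).
sample_ss_output() {
  cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53  0.0.0.0:*    users:(("systemd-resolve",pid=612,fd=12))
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*    users:(("dhclient",pid=640,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0      4096   127.0.0.1:3306    0.0.0.0:*    users:(("mysqld",pid=1200,fd=21))
tcp   LISTEN 0      511    0.0.0.0:6379      0.0.0.0:*    users:(("redis-server",pid=1300,fd=6))
tcp   LISTEN 0      511    *:8080            *:*
tcp   LISTEN 0      128    [::]:22           [::]:*       users:(("sshd",pid=901,fd=4))
tcp   LISTEN 0      128    [::1]:631         [::]:*       users:(("cupsd",pid=700,fd=7))
EOF
}

# exposed_listeners FILE
# Prints "proto port process" for every socket bound to a wildcard address,
# one line per distinct service. Loopback and link-scoped listeners are skipped.
exposed_listeners() {
  awk 'NR > 1 {
      p = index_last_colon($5)                    # port follows the last colon
      addr = substr($5, 1, p - 1); port = substr($5, p + 1)
      if (addr != "0.0.0.0" && addr != "[::]" && addr != "*") next
      proc = "?"                                  # empty unless ss ran as root
      if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
      print $1, port, proc
    }
    function index_last_colon(s,   i) {
      i = length(s)
      while (i > 0 && substr(s, i, 1) != ":") i--
      return i
    }
  ' "$1" | LC_ALL=C sort -u
}

if [ "${1:-}" = "--live" ]; then
  cap=$(mktemp)
  ss -tulnp > "$cap"          # run the script with sudo to see every owner
  exposed_listeners "$cap"
  rm -f "$cap"
fi
```

Every line this prints is something reachable from outside the host and therefore either needed (and covered by a firewall rule from step 5) or a candidate for removal in step 7; a database or cache showing up here with a wildcard bind is a common finding worth re-binding to 127.0.0.1.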
9. Restrict reuse of old passwords
You can prevent users from cycling back to a previous password. pam_unix keeps the hashes of old passwords in /etc/security/opasswd (create the file, root-owned with mode 0600, if it does not exist) and enforces the rule through its remember option; the dedicated pam_pwhistory module offers the same with more options.
Open /etc/pam.d/system-auth on RHEL / CentOS / Fedora. On releases managed by authselect, make the change through authselect rather than by hand, or it will be overwritten the next time a profile is applied:
# vi /etc/pam.d/system-auth
Open /etc/pam.d/common-password on Ubuntu/Debian. This file is managed by pam-auth-update, which can rewrite it, so re-check after running that tool:
# vi /etc/pam.d/common-password
The 'auth' section needs no change for password history. Do make sure its pam_unix.so line does not carry the nullok option, which accepts empty passwords and is the opposite of hardening; the line should look like this:
auth sufficient pam_unix.so likeauth
In the 'password' section, add remember=3 to the existing pam_unix.so line to stop a user reusing any of the last three passwords. Keep the hash algorithm at sha512 (md5 has been deprecated for password hashing for years) and do not add nullok here either:
password sufficient pam_unix.so use_authtok sha512 shadow remember=3
10. Disable Ctrl+Alt+Delete
On a server with a console attached, Ctrl+Alt+Delete triggers a reboot, so anyone with physical or KVM access, or a fumbled keystroke, can take the machine down. It is always advisable to disable it.
On Upstart-based systems the action is defined in /etc/init/control-alt-delete.conf; on systemd-based distributions, which is most of them today, the equivalent is to mask the ctrl-alt-del.target unit so that the key combination does nothing.