How to Secure Linux Server

Securing a Linux server is essential to protect your data, intellectual property, and time from crackers (hackers). The system administrator is responsible for the security of the Linux box. Securing a server doesn’t need to be complicated. We should adopt a method that protects the server from the most frequent attacks while keeping administration efficient.

Linux Server Hardening Security Tips

Hardening is a catch-all term for the changes made in configuration, access control, network settings and server environment, including applications, in order to improve the server security and overall security of an organization’s IT infrastructure.



1. Update your server

The first thing you should do to secure your server is to update the local repositories and upgrade the operating system and installed applications by applying the latest patches.

As soon as you can access the server as root, make sure it is up to date.

On Ubuntu and Debian:

$ sudo apt update && sudo apt upgrade -y

On Fedora, CentOS, or RHEL:

$ sudo dnf upgrade

2. Create a new privileged user account

To decrease the possibility of unauthorized access, create a primary user with limited permissions to accomplish specific tasks. You should never log into your server as root. Instead, create your own account ("<user>"), give it sudo rights, and use it to log into your server.

Start out by creating a new user:

$ adduser <username>

Give your new user account sudo rights by appending (-a) the sudo group (-G) to the user's group membership: 

$ usermod -a -G sudo <username>

3. Set Up SSH Keys (Password-less Login)

SSH keys allow you to connect to the server securely with a stored key pair. This is an extra step in securing the server against unauthorized access. You can upload your pre-generated SSH key to your new server using the ssh-copy-id command:

$ ssh-copy-id <username>@ip_address

Now you can log into your new server without having to type in a password.

4. Secure SSH

Next, make these three changes:

  • Disable SSH password authentication
  • Restrict root from logging in remotely
  • Restrict access to IPv4 or IPv6

Open /etc/ssh/sshd_config using your text editor of choice and ensure these lines:

PasswordAuthentication yes
PermitRootLogin yes

look like this:

PasswordAuthentication no
PermitRootLogin no

Next, restrict the SSH service to either IPv4 or IPv6 by modifying the AddressFamily option. To change it to use only IPv4 (which should be fine for most folks) make this change:

AddressFamily inet

Restart the SSH service to enable your changes.

On Ubuntu:

$ sudo service ssh restart

On Fedora, CentOS, or anything using systemd:

$ sudo systemctl restart sshd
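
The following check is an added example, not part of the original article: it audits an sshd_config-style file for the three settings above, taking into account that sshd uses the first value it reads for a keyword and that lines under a Match block are conditional. The function names and the sample file are constructed for illustration.

```shell
# Print the first global value of keyword $2 in the sshd_config-style file $1.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and lines after "Match" are conditional, so stop there.
# Falls back to the OpenSSH default ($3) when the keyword is not set.
sshd_global_value() {
  awk -v key="$2" -v fallback="$3" '
    { sub(/#.*/, "") }
    NF < 2 { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
    END { if (!found) print fallback }
  ' "$1"
}

# Check the three settings from step 4. Exit status = number of failures.
# Each heredoc row is: keyword, wanted value, OpenSSH default.
audit_sshd_config() {
  fails=0
  while read -r key want default; do
    got=$(sshd_global_value "$1" "$key" "$default")
    if [ "$got" = "$want" ]; then
      echo "OK    $key $got"
    else
      echo "FAIL  $key is '$got', want '$want'"
      fails=$((fails + 1))
    fi
  done <<'EOF'
PasswordAuthentication no yes
PermitRootLogin no prohibit-password
AddressFamily inet any
EOF
  return "$fails"
}

# Constructed sample file: the second PasswordAuthentication line has no
# effect (first value wins) and PermitRootLogin is only set under Match,
# so its global value is still the default.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config for illustration
passwordauthentication yes
PasswordAuthentication no
AddressFamily inet
Match Address 10.0.0.0/8
    PermitRootLogin no
EOF
audit_sshd_config "$sample" || echo "$? setting(s) need attention"
```

This file-level check does not follow Include directives; on a live host, `sudo sshd -T` prints the effective configuration. Run `sudo sshd -t` to validate the file before restarting, and keep your current session open until a new key-based login succeeds.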

5. Check and Configure the Firewall

Now you need to install a firewall, enable it, and configure it to allow only the network traffic that you designate. If you administer the server over SSH, make sure SSH is allowed through the firewall before you enable it, or you will lock yourself out. Uncomplicated Firewall (UFW) is an easy-to-use interface to iptables that greatly simplifies the process of configuring a firewall. Iptables is a user-space program that allows you to configure the firewall (Netfilter) provided by the Linux kernel.

You can install UFW with: 

$ sudo apt install ufw

Enable UFW:

$ sudo ufw enable

You can see what services are allowed and denied with:

$ sudo ufw status

If you ever want to disable UFW, you can do so by typing:

$ sudo ufw disable

6. Install Fail2Ban for SSH login

Fail2ban (or DenyHosts) scans log files for too many failed login attempts and blocks the IP addresses that show malicious signs.

If any are found, it will alter the firewall to block the attacker's IP address either permanently or for a specified amount of time. 

You can install Fail2ban by typing:

$ sudo apt install fail2ban -y

Then copy the included configuration file:

$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

And restart Fail2ban:

$ sudo service fail2ban restart

7. Remove unused network-facing services

Almost all Linux server operating systems come with a few network-facing services enabled. You'll want to keep most of them. However, there are a few that you might want to remove. You can see all running network services by using the ss command:

$ sudo ss -atpu

To remove an unused service on Debian/Ubuntu:

$ sudo apt purge <service_name>

To remove an unused service on Red Hat/CentOS:

$ sudo yum remove <service_name>

8. Check Listening Ports

Use the ‘netstat’ command to view open ports and the corresponding services.

$ sudo netstat -tunlp

Disable unwanted services using the ‘chkconfig’ command and close the ports that are not needed.

$ sudo chkconfig serviceName off
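
To make the review in steps 7 and 8 repeatable, the added example below (not part of the original article) filters `ss -tulnp` output down to listeners that are reachable from other hosts and whose port is not on a list you expect to be open. The function name, the allowlist of port 22, and the sample output are assumptions constructed for illustration.

```shell
# List listeners reachable from other hosts whose port is not allowlisted.
# stdin: output of `ss -tulnp`; $1: space-separated ports expected to be open.
exposed_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "Netid" { next }                 # header row
    {
      addr = $5; port = $5
      sub(/:[^:]*$/, "", addr)             # strip ":port" to get the bind address
      sub(/^.*:/, "", port)                # keep the text after the last colon
      if (addr ~ /^127\./ || addr == "[::1]") next   # loopback-only listener
      if (!(port in ok)) print port, $1, addr, $7
    }'
}

# Constructed sample of `ss -tulnp` output (not captured from a real host).
sample_ss='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=733,fd=7))
tcp   LISTEN 0      64     0.0.0.0:111        0.0.0.0:*         users:(("rpcbind",pid=590,fd=4))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=801,fd=4))
tcp   LISTEN 0      5      *:8080             *:*               users:(("python3",pid=2210,fd=3))'

# Only SSH (22) is expected on this constructed host.
printf '%s\n' "$sample_ss" | exposed_listeners "22"
```

On a real server, pipe the live output instead: `sudo ss -tulnp | exposed_listeners "22"`. Every line it prints is a service to remove, bind to loopback, or deliberately allow through the firewall.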

9. Restrict Reuse of Old Passwords

We can prevent users from reusing their old passwords. Old passwords are stored in /etc/security/opasswd. This is done with a PAM module.

Open the ‘/etc/pam.d/system-auth’ file under RHEL / CentOS / Fedora.

# vi /etc/pam.d/system-auth

Open the ‘/etc/pam.d/common-password’ file under Ubuntu / Debian Linux.

# vi /etc/pam.d/common-password

Add the following line to the ‘auth’ section.

auth     sufficient    pam_unix.so likeauth nullok

Add the line below to the ‘password’ section to prevent a user from reusing their last 3 passwords.

password   sufficient    pam_unix.so nullok use_authtok sha512 shadow remember=3

10. Disable Ctrl+Alt+Delete in Inittab

Pressing Ctrl+Alt+Delete reboots the server, so it is advisable to disable it in case someone triggers a reboot by mistake.

The Ctrl+Alt+Del action is defined in /etc/init/control-alt-delete.conf
