25 Linux Server Security and Hardening Tips: How can Secure Linux Server | Iserver Admin
24/7 Customer Support
25Sep 2019

0

87

0

25 Linux Server Security and Hardening Tips: How can Secure Linux Server

Let us Read for you.
Subscribe

 25 Linux Server Security and Hardening Tips: How can Secure Linux Server

Everybody says that Linux is secure by default and agreed to some extent (It’s debatable topics). However, Linux has an in-built security model in place by default. Need to tune it up and customize as per your need which may help to make a more secure system. 25 Linux Server Security and Hardening Tips is harder to manage but offers more flexibility and configuration options.

 

Everybody says that Linux is secure by default and agreed to some extent (It’s debatable topics). However, Linux has an in-built security model in place by default. Need to tune it up and customize as per your need which may help to make a more secure system. Linux Server Security and Hardening is harder to manage but offers more flexibility and configuration options.
25 Linux Server Security and Hardening Tips: How can Secure Linux Server

Securing a system during production from the hands of hackers and cracked could be a difficult task for a computer user.

This is our 1st article associated with “How to Secure Linux box” or “Hardening a Linux Box“.
In this post, We’ll justify 25 helpful tips & tricks to secure your Linux server management and system.
Hope, below tips & tricks, can assist you some extend to secure your system.

 

1. Physical System Security

Configure the BIOS to disable booting from CD/DVDExternal DevicesFloppy Drive in BIOS. Next, enable BIOS password & also protect GRUB with a password and physical access of your system.

 

2. Disk Partitions

The main reason why partition is necessary is that it helps to obtain high security in case of any disasters. By creating partitions data are separated into different groups and sections and during a disaster data of only that particular group is destroyed, the rest remains intact and unharmed. We need to make sure that third-party applications are installed in separate files systems under /opt

   /
   /boot
   /usr
   /var
   /home
   /tmp
   /opt

3. Minimize Packages to Minimize Vulnerability

It is recommended so that we avoid installing packages that are not important and we avoid vulnerabilities in packages. This may minimize the risk it posses to other services. By using the command ‘chkconfig’ command we can find the services which are running on runlevel3 and disable the unwanted services to reduce the vulnerability.

 

  1.      1. # /sbin/chkconfig –list |grep ‘3:on’
  2. Once you’ve found out any unwanted service is running, disable them using the following command.

    2. # chkconfig serviceName off
 
RPM package manager such as “yum” or “apt-get” tools to list all installed packages on a system

    3.# yum -y remove package-name

    4.# sudo apt-get remove package-name

4. Check Listening Network Ports

By using ‘netstat’ networking command we can view all open ports and associated programs and by using ‘chkconfig’ we can close all the unwanted network services.

 

    # netstat -tulpn

5. Use Secure Shell(SSH)

Using plain text and not encrypted ones is a breach of security. SSH is a secure protocol that uses encryption technology during communication with server. Never login directly as root unless necessary. Use “sudo” to execute commands. sudo is specified in /etc/sudoers file also can be edited with the “visudo” utility which opens in VI editor.

 

It’s also recommended to change the default SSH 22 port number with some other higher and lower level port number. Open the main SSH configuration file and some parameters to restrict users to access.

 

    # vi /etc/ssh/sshd_config
 

Disable root Login

PermitRootLogin no
 

Only allow Specific Users

AllowUsers username

Use SSH Protocol 2 Version

Protocol 2
 

6. Keep System updated

Always keep the system updated with latest releases patches, security fixes, and kernel when it’s available

 

   # yum updates
  # yum check-update

7. Lockdown Cronjobs

Cron has its own facility, which specify who may and who may not want to run jobs, this is controlled with the help of files named /etc/cron.allow and /etc/cron.deny. we can lock a user from using cron by simply adding the user name in cron.deny and allow a user to use Cron by adding a cron. allow file. We can also deny all users from using cron by simply adding ‘all’to cron. deny file.

 

   # echo ALL >>/etc/cron.deny

8. Disable USB stick to Detect

we want to restrict users from using a USB stick in systems to protect and secure data from stealing. Create a file ‘/etc/modprobe.d/no-usb‘ and adding below line will not detect USB storage.

install usb-storage /bin/true

9. Turn on SELinux

Security-Enhanced Linux (SELinux) is an access control security mechanism which is provided by Kernel, disabling SELinux means making the system vulnerable to security. We need to think very carefully before removing SELinux and especially when our system is attached to the internet and can be accessed by the public.SELinux has given us 3 modes of operations.

1. Enforcing– This is the default mode that enables and enforces the SELinux security policy on the machines.

2.Permissive– In this mode, SELinux will not enforce a security system without permission, but will only warn about it and log actions. This mode is very useful if you want to SELinux related issues.

3.Disabled– In this mode, SELinux is turned off.

We can also view the present status of SELinux by using the command ‘system-config-selinux’, ‘getenforce’, ‘sestatus’.

   # sestatus

If it is disabled, enable SELinux using the following command.

   # setenforce enforcing

 

It also can be managed from ‘/etc/selinux/config‘ file, where you can enable or disable it.

 

10. Remove KDE/GNOME Desktops

There is no need to run X Window desktops like KDE or GNOME on your dedicated LAMP server. You can remove or disable them to increase the security of server and performance. To disable simple open the file ‘/etc/inittab‘ and set runlevel to 3. If you wish to remove it completely from the system use the below command.

 

   # yum groupremove "X Window System"

 

11. Turn Off IPv6

If you’re using IPv6 protocol, then it will be wise if you disable it because most of the applications and policies don’t require IPv6 protocol and also it is not required in the server. Go to the network configuration file and add followings lines to disable it.

 

   # vi /etc/sysconfig/network

NETWORKING_IPV6=no
IPV6INIT=no

 

12. Restrict Users to Use Old Passwords

This is useful if you want to stop the users from using the same password again and again. The old password file is located in the /etc/security/password and can be achieved by using PAM module.

 

Open ‘/etc/pam.d/system-auth‘ file under RHEL / CentOS / Fedora.

   
    # vi /etc/pam.d/system-auth


13. How to Check Password Expiration of User

In Linux, user’s passwords are stored in ‘/etc/shadow‘ files in an encrypted format. To check the password expiration of users, you need to use ‘chage‘ command. It displays information on password expiration details along with the last password change date. These details are used by the system to decide when a user must change his/her password.

To view any existing user’s aging information such as expiry date and time, use the following command.

 

Parameters

  1. -M Set the maximum number of days
  2. -m Set minimum number of days
  3. -W Set the number of days of warning

14. Lock and Unlock Account Manually

The lock and unlock features are very useful, instead of removing an account from the system, you can lock it for a week or a month.

 

   # passwd -l accountName

The locked user is still available for root user only.

# su - accountName
This account is currently not available.

 This will remove (!) string with encrypted password.

   # passwd -u accountName

15. Enforcing Stronger Passwords

A number of users use soft or weak passwords and their password might be hacked with a dictionary-based or brute-force attacks. The ‘pam_cracklib‘ module is available in PAM (Pluggable Authentication Modules) module stack which will force a user to set strong passwords.

 

    # vi /etc/pam.d/system-auth

/lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1

16. Enable Iptables (Firewall)

It’s highly recommended to enable Linux firewalls to secure and safe unauthorized access to your servers. Apply rules in all users to filters incoming, outgoing and forwarding packets. We can specify and unhappily the source and destination location to allow and deny in specific udp/tcp port number.

25 Linux Server Security and Hardening Tips

17. Disable Ctrl+Alt+Delete in Inittab

In Linux distributions, pressing the button Ctrl+Alt+Delete to take the system to reboot process, it is not a good option to have this system enabled, especially in the production server where one mistake can reboot the whole system. This is defined in the file ‘/etc/inittab’ and by looking closely at the file we can see a file similar to that. The line is not commented out by default we have to comment it out. This key signal will shut down the system.

 

18. Checking Accounts for Empty Passwords

Any account having AN empty word suggests that its opened for unauthorized access to anyone on the net and it’s a section of security among a Linux server.
So, you want to check that all accounts have sturdy passwords and nobody has any approved access.
Empty word accounts ar security risks that are often simply hackable.
To check if there have been any accounts with empty words, use the subsequent command.

 
    # cat /etc/shadow | awk -F: '($2==""){print $1}'

19. Display SSH Banner Before Login

It’s always an idea to have a legal banner of security banners with some security warnings show before SSH authentication.

 

20. Monitor User Activities

In the case of lots of users, it is important to collect the information of each user activity and analyze them later in case of any performance or security issues. But the question remains about how we can collect and monitor the user activities, we can do that with the help of two tools namely “psacct” and “acct”. this system runs in the background and tracks each user’s activity and resources consumed by services such as Apache, MySQL, SSH, FTP and etc.


21. Review Logs Regularly

   /var/log/message – Where whole system logs or current activity logs are available.
/var/log/auth.log – Authentication logs.
/var/log/kern.log – Kernel logs.
/var/log/cron.log – Crond logs (cron job).
/var/log/maillog – Mail server logs.
/var/log/boot.log – System boot log.
/var/log/mysqld.log – MySQL database server log file.
/var/log/secure – Authentication log.
/var/log/utmp or /var/log/wtmp : Login records file.
/var/log/yum.log: Yum log files.

 

22. Important file Backup

It is necessary to take important files backup.

 

23. NIC Bonding

The two types of NIC bonding that needs to be mentioned in the bonding interface are-

   

  1.      mode=0 – Round Robin
  2.     mode=1 – Active and Backup

To avoid single point failure we use NIC Bonding. we bond two or more Network Ethernet Cards both’s and one single virtual Interface where we can assign IP address to talk with other servers. Our network will be available in case of one NIC Card is slow, down or unavailable due to any reason.

 

24. Keep /boot as read-only

Linux kernel and servers it’s related files are in /boot directory which is by default as read-write. To do this, open “/etc/fstab” file.

  
   # vi /etc/fstab

 

LABEL=/boot     /boot     ext2     defaults,ro     1 2

 

you need to reset the change to read-write and upgrade in-kernel Linux.

25. Ignore ICMP or Broadcast Request

 “/etc/sysctl.conf” file to ignore ping or broadcast request.

 

Ignore ICMP request: net.ipv4.icmp_echo_ignore_all = 1 Ignore Broadcast request: net.ipv4.icmp_echo_ignore_broadcasts = 1

Load new setting and running following command

#sysctl -p

If you have missed any other important Linux security or hardening tip in the above list, or you’ve any other tip that needs to be included in the list. Please drop your comments in our comment box. Iserveradmin.com is always interested in comments, suggestions, discussion for improvement.

 

Comments (0)