Linux Server Hardening (Part-1)
Linux hardening is the process of securing a Linux system by implementing a set of best practices and techniques to minimize vulnerabilities and reduce the risk of unauthorized access, data loss, and other security threats.
The process of Linux hardening includes several steps such as:
- Initial system configuration: This includes tasks such as disabling unnecessary services, installing security patches, configuring firewalls, and setting up user accounts and passwords.
- System updates: Regular updates are necessary to fix security vulnerabilities and other bugs that could compromise system security. Updates should be installed as soon as they become available.
- Network security: This involves configuring firewalls, securing network protocols, and using encryption to protect data in transit.
- User management: This includes enforcing strong password policies, limiting access to system resources based on user roles, and disabling unused user accounts.
- File system security: This involves setting file permissions, encrypting sensitive data, and monitoring file access to prevent unauthorized modifications.
- Monitoring and logging: This involves setting up tools to monitor system activity and generate logs that can be used to detect and respond to security incidents.
Overall, Linux hardening is an ongoing process that requires regular attention and updates to ensure the continued security of the system.
Initial system configuration
1. Disable unnecessary services: Many Linux systems come with a variety of services enabled by default. However, not all of these services are needed for the system to function properly. It is recommended to disable all unnecessary services to reduce the attack surface of the system.
sudo systemctl list-unit-files --type=service --state=enabled
This will list all the enabled services on your system. You can disable a service you do not need with the following command:
sudo systemctl disable <service-name>
2. Install security patches: Regularly check for available security updates and apply them as soon as possible. Keeping the system up to date with the latest security patches can prevent attackers from exploiting known vulnerabilities.
- Ubuntu/Debian:
sudo apt update && sudo apt list --upgradable
- CentOS/RHEL:
sudo yum check-update
- Fedora:
sudo dnf check-update
These commands will check for available updates and list the packages that can be updated.
Once you have identified the packages that need to be updated, you can use the following command to install the updates:
- Ubuntu/Debian:
sudo apt upgrade
- CentOS/RHEL/Fedora:
sudo yum update
It is recommended to install security updates as soon as possible to ensure that your system is protected against known vulnerabilities.
To automate the process of checking for and installing updates, you can set up a cron job to run the package manager commands at regular intervals. However, it is important to monitor the updates to ensure that they do not cause any issues with your system.
3. Configure firewalls: Configure firewalls to block unwanted traffic and only allow necessary services to communicate with the system.
Several firewall tools can be used to control ingress and egress network traffic. We will be using firewalld.
sudo apt install firewalld && systemctl status firewalld
# IF NOT STARTED THEN:
sudo systemctl start firewalld
List all the available services in firewalld
sudo firewall-cmd --get-services
Enable the services that you want to allow in firewalld
sudo firewall-cmd --add-service=<service-name> --permanent
Reload the firewalld for changes to take effect.
sudo firewall-cmd --reload
A few more useful commands:
# TO ALLOW SPECIFIC IP TO ACCESS SPECIFIC SERVICE (RUNTIME ONLY UNLESS --permanent IS ADDED)
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="the_service" accept'
# OPEN SPECIFIC PORT WITH FIREWALLD
sudo firewall-cmd --add-port=80/tcp --permanent
# ALLOWING SPECIFIC IP TO ACCESS THE SERVER
sudo firewall-cmd --add-source=<IP-address/network> --permanent
# TO CHECK THE EXISTING SERVICES ON FIREWALLD
sudo firewall-cmd --list-all
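The commands above mix runtime changes (no --permanent) with permanent ones that only become active after --reload, so the two configurations can drift apart. This added example, which is not part of the original article, compares saved firewall-cmd --list-all output from both; the function name fw_drift and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Real input would come from:
#   sudo firewall-cmd --list-all             > runtime.txt
#   sudo firewall-cmd --permanent --list-all > permanent.txt
# Only the default zone is listed; add --zone=<zone> for other zones.

fw_drift() {   # usage: fw_drift <runtime-file> <permanent-file>
  awk '
    function mark(k) { if (src == 1) rt[k] = 1; else pm[k] = 1; all[k] = 1 }
    FNR == 1 { src++ }                     # 1 = runtime file, 2 = permanent file
    $1 == "services:" || $1 == "ports:" { for (i = 2; i <= NF; i++) mark($1 " " $i) }
    $1 == "rule" { sub(/^[ \t]+/, ""); mark("rich-rule: " $0) }
    END {
      for (k in all) {
        if (!(k in pm)) print "RUNTIME-ONLY (lost on reload): " k
        if (!(k in rt)) print "PERMANENT-ONLY (needs --reload): " k
      }
    }' "$1" "$2" | sort
}

# Constructed sample output for a host where http and a rich rule were added
# without --permanent, and 80/tcp was added with --permanent but not reloaded.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/runtime.txt" <<'EOF'
public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client http ssh
  ports:
  rich rules:
    rule family="ipv4" source address="192.168.1.100" service name="ssh" accept
EOF
cat > "$tmp/permanent.txt" <<'EOF'
public
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports: 80/tcp
  rich rules:
EOF

fw_drift "$tmp/runtime.txt" "$tmp/permanent.txt"
```

An empty result means the running firewall matches what will be loaded after the next reload or reboot.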
4. Set up user accounts and passwords: Ensure that user accounts and passwords are set up securely with strong passwords that are changed regularly.
Setting up user accounts and passwords securely is an important aspect of Linux hardening. User accounts and passwords should be configured to ensure that unauthorized users cannot access the system and that user passwords are not easily guessed or cracked. Here are some best practices for setting up user accounts and passwords:
- Use strong passwords: Strong passwords are long and complex, including a mix of uppercase and lowercase letters, numbers, and symbols. Passwords should be at least 12 characters long and not include easily guessable information such as birthdays, names, or common words.
- Enforce password policies: Set up password policies to enforce password complexity and require users to change their passwords regularly. For example, you can use the passwd command to set password policies such as minimum password length, password expiration, and password history.
- Use multi-factor authentication: Multi-factor authentication adds an additional layer of security to user accounts by requiring users to provide additional authentication factors beyond a password. This can include biometric authentication, security tokens, or one-time codes.
- Limit user privileges: Limit user privileges to only what is necessary for the user to perform their job duties. This can help reduce the risk of unauthorized access to sensitive data or system resources.
- Disable unnecessary accounts: Disable any user accounts that are no longer needed or that have not been used in a long time. This can help prevent unauthorized access by attackers who may use these accounts to gain entry to the system.
- Regularly review user accounts: Regularly review user accounts to ensure that they are still necessary and that user privileges are appropriate. This can help identify and remove any unnecessary accounts or privileges that may pose a security risk.
By following these best practices, you can help ensure that user accounts and passwords are set up securely, reducing the risk of unauthorized access to your Linux system.
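One way to carry out the account review described above, as an added example that is not part of the original article: it reads passwd- and shadow-format files and flags extra UID 0 accounts, login accounts with an empty password, and login accounts whose password never expires. The function name review_accounts and the 90-day limit are assumptions, and the sample entries (including the hash placeholders) are constructed.

```shell
#!/bin/sh
# Added example, not from the original article.
# Live use (as root): review_accounts /etc/passwd /etc/shadow
# MAX_DAYS (default 90) is an assumed policy value, not one the article sets.

review_accounts() {   # usage: review_accounts <passwd-file> <shadow-file>
  awk -F: -v max_days="${MAX_DAYS:-90}" '
    FNR == 1 { file++ }                          # 1 = passwd, 2 = shadow
    file == 1 {
      if ($3 == 0 && $1 != "root") print "EXTRA-UID0 " $1
      if ($7 !~ /(nologin|false)$/) login[$1] = 1   # account has a login shell
      next
    }
    !($1 in login) || $2 ~ /^[!*]/ { next }      # no login shell, or password locked
    $2 == "" { print "EMPTY-PASSWORD " $1; next }
    $5 == "" || $5 + 0 > max_days { print "NO-EXPIRY " $1 " (max days: " $5 ")" }
  ' "$1" "$2"
}

# Constructed sample data; the hash fields are placeholders, not real hashes.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
svc-backup:x:0:1002::/home/svc-backup:/bin/sh
EOF
cat > "$tmp/shadow" <<'EOF'
root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$y$j9T$CONSTRUCTED:19400:0:90:7:::
bob:$y$j9T$CONSTRUCTED:19400:0:99999:7:::
svc-backup::19400:0:99999:7:::
EOF

review_accounts "$tmp/passwd" "$tmp/shadow"
```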
5. Disable root login: The root user account is the most powerful account on the system and is often targeted by attackers. Disable direct root login and use a less privileged user account for routine tasks.
Disabling direct root login is a good security practice to minimize the risk of unauthorized access to your system. Here are the steps to disable direct root login:
- Log in to your system as root or with a user account with sudo privileges.
- Open the SSH configuration file /etc/ssh/sshd_config using a text editor like nano or vim.
- Find the line that says PermitRootLogin yes and change it to PermitRootLogin no.
- Save the file and exit the editor.
- Restart the SSH service to apply the changes by running the command sudo systemctl restart sshd.
After disabling direct root login, you should use a less privileged user account for routine tasks. When you need to perform administrative tasks, use the sudo command to temporarily elevate your privileges. This will allow you to execute commands with root privileges without logging in directly as the root user.
By following these steps, you can improve the security of your system and reduce the risk of unauthorized access.
6. Configure SSH access: Secure Shell (SSH) is a protocol used for remote access to the system. Configure SSH to use secure authentication methods and only allow authorized users to access the system.
Configuring SSH to use secure authentication methods and limiting access to authorized users is an important step to ensure the security of your system. Here are the steps to configure SSH access:
1. Install the OpenSSH server if it is not already installed on your system. You can do this by running the command sudo apt-get install openssh-server on Debian-based systems or sudo yum install openssh-server on Red Hat-based systems.
2. Open the SSH configuration file /etc/ssh/sshd_config using a text editor like nano or vim.
3. Set the following options to improve SSH security:
   - Disable SSH protocol version 1 by setting Protocol 2.
   - Disable root login by setting PermitRootLogin no.
   - Enable key-based authentication by setting PubkeyAuthentication yes.
   - Disable password-based authentication by setting PasswordAuthentication no.
   - Set AllowUsers or AllowGroups to specify which users or groups are allowed to access the system via SSH.
4. Save the file and exit the editor.
5. If you changed the SSH port number in the configuration file, you need to allow incoming traffic on the new port. You can do this by adding a new rule to the firewall using the command sudo ufw allow <port>/tcp.
6. Restart the SSH service to apply the changes by running the command sudo systemctl restart sshd.
After completing these steps, SSH access to your system will be more secure. Users will need to use a public key to authenticate, and only authorized users will be able to access the system via SSH.
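To confirm the settings from the two SSH sections above actually took effect, this added example (not part of the original article) checks the effective configuration printed by sshd -T rather than the file, because sshd keeps the first value it reads for a keyword and an included drop-in file can set it before the main file does. The function name audit_sshd and the sample output are constructed; the keyboard-interactive warning goes beyond the article's list.

```shell
#!/bin/sh
# Added example, not from the original article.
# Live use:  sudo sshd -T | audit_sshd
# Before restarting, sudo sshd -t checks the file for syntax errors, which
# avoids locking yourself out with a broken configuration.

audit_sshd() {   # reads `sshd -T` output (lower-case keywords) on stdin
  awk '
    function need(k, want) {
      if (v[k] != want) { printf "FAIL %s is \"%s\", want \"%s\"\n", k, v[k], want; bad = 1 }
    }
    { v[tolower($1)] = tolower($2) }
    END {
      need("permitrootlogin", "no")
      need("pubkeyauthentication", "yes")
      need("passwordauthentication", "no")
      if (!("allowusers" in v) && !("allowgroups" in v)) {
        print "FAIL neither allowusers nor allowgroups is set"; bad = 1
      }
      # Beyond the article list: keyboard-interactive (PAM) can still ask for a password.
      if (v["kbdinteractiveauthentication"] == "yes" || v["challengeresponseauthentication"] == "yes")
        print "WARN keyboard-interactive authentication is enabled"
      exit bad + 0
    }'
}

# Constructed sample of `sshd -T` output, trimmed to the relevant keywords.
sample_effective_config() {
  cat <<'EOF'
port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
EOF
}

sample_effective_config | audit_sshd || echo "sshd configuration needs attention"
```

The function exits non-zero when any FAIL line is printed, so it can gate a deployment step or a scheduled check.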
By following these initial system configuration best practices, you can reduce the attack surface of your Linux system and increase its overall security.
System updates
Regular system updates are an important part of the Linux hardening process. Updating the system with the latest security patches and bug fixes helps to fix vulnerabilities and bugs that can be exploited by attackers to compromise system security.
Here are some best practices for system updates:
- Set up automatic updates: Set up your system to automatically check for and install updates as soon as they become available. This can be done through the package manager of your Linux distribution.
- Check for updates regularly: Even if you have automatic updates enabled, it is still a good idea to manually check for updates regularly to ensure that you are running the latest software versions.
- Prioritize security updates: When checking for updates, prioritize security updates over other updates. Security updates should be installed as soon as possible to fix vulnerabilities that can be exploited by attackers.
- Test updates before installation: Before installing updates on production systems, it is a good practice to test the updates on a non-production system to ensure that they do not cause any compatibility or performance issues.
- Maintain backups: Always maintain backups of your system, so that in case an update causes issues, you can easily revert to a previous state.
By following these best practices for system updates, you can help ensure that your Linux system stays up-to-date with the latest security patches and bug fixes, reducing the risk of security breaches and other issues.
Make Automatic Updates:
On Ubuntu and Debian, you can use the unattended-upgrades package to set up automatic updates. First, install the package using the following command:
sudo apt-get install unattended-upgrades
Next, edit the configuration file at /etc/apt/apt.conf.d/50unattended-upgrades to enable automatic updates. Uncomment the following line to enable automatic updates for security updates:
"${distro_id}:${distro_codename}-security";
You can also configure the unattended-upgrades package to automatically install all available updates by uncommenting the following line in the same configuration file:
"${distro_id}:${distro_codename}-updates";
That wraps up this article, which covered the initial configuration needed to harden your Linux server. We will cover the remaining points listed above in our next article next week.
Thanks for reading ❤