How To Make Your Linux Server More Secure


I run a couple of Linux servers: one at home as a file server and three live servers for my site, my mail, and my cloud storage, respectively. Although I don't worry about the home server because it doesn't talk to the external world, the other three servers need to be maintained all the time. Those who are new to Linux and want to run their own servers must keep a few points in mind, which are the focus of this article.
Install What You Need

If you are planning to run a server, you might think "I have 40GB of SSD storage from Linode so I can install whatever service I want." That's true: your server, your software. However, don't take things for granted. Even the most hardened servers can be hijacked by exploiting any unpatched or vulnerable component running on that server.
So, the first rule is to keep your server lean and mean. Install only those packages that you really need. If there are unwanted packages, purge them. The fewer the packages, the less chance of unpatched code. Before installing any software and dependent packages (e.g., ownCloud), you should read the documentation for ownCloud and install only those packages that it needs.
Run What You Need

The second rule is to run only those services that you need. Many distros, or packages, may start certain services, running on different ports. That could pose a security risk. So, open the terminal and run:
netstat -npl
The output will show you which services are running on which ports. If you spot any service that is not supposed to be running, stop it. You should also keep an eye on the services that are enabled and run at system startup. You can check it by running the following command on systems running systemd:
systemctl list-unit-files --type=service | grep enabled
Depending on your system you will get an output like that shown in Figure 1 above. If you spot any unwanted service, you can disable it using the mighty systemctl command:
systemctl disable service_name
Restrict Access to Your Server

In the same way that you would not give your house keys to just anyone you know, you should not give server access to just anyone you know. Once this rule is clear, you can restrict access to your server. Keep one thing in mind: None of this will discourage someone who is hellbent on taking your server down. What it will do, however, is add more layers of security to your server to fend off casual offenders.
Never Log In As Root

It’s not a good practice to ssh into your server as superuser. We will be disabling sshing as root user on the server, but before doing so, let's create a user with sudo powers so that you can ssh into the server and perform administrative tasks. Once you are logged into the server, you can always switch user to root, if needed. If you already have a user on your system, skip these steps; otherwise, stay with me.
Different distributions use different methods to add a new user; Red Hat/CentOS use useradd and Ubuntu/Debian use adduser.
Create a new user on Fedora/CentOS:
useradd swapnil
Then create a password for the user:
passwd swapnil
It will ask you to provide it with the new password for the user. Now you need to give this user sudo powers. Run the following command:
EDITOR=nano visudo
And look for the following line (Figure 2):
# %wheel ALL=(ALL) ALL
Uncomment the line (the # symbol means it is commented; just remove the symbol to uncomment) so that it looks like this:
%wheel ALL=(ALL) ALL
Now save and close the file. If the user doesn't belong to the wheel group, you can easily add it to the group by running this command:
# usermod -aG wheel swapnil
On Ubuntu systems, you can add a new user by running:
adduser swapnil
Answer some questions that the system will ask, including creation of the password for this user. Once created, provide the user with sudo powers:
gpasswd -a swapnil sudo
Open another terminal window and try to log into the server as the newly created user and try performing some administrative jobs with sudo. If it works, move to the next step.
Disable root Login

We are now going to disable root login, which means no one can ssh or log into the server as root user. To do so, open the sshd configuration file:
nano /etc/ssh/sshd_config
Next, look for the commented line that says:
#PermitRootLogin no
Uncomment the line by removing the # symbol, then save and close this file and restart the service:
service ssh restart
or
systemctl restart sshd
Important: Don't log out of the server yet. You need to test whether you can successfully ssh into the server using the previously created user. Open another instance of the terminal and ssh into the server with the user you previously created. You don't want to be totally locked out of your server. If everything works fine, you can safely log out of the server as root.
Change the Port

The second change that we are going to make to the sshd config file is changing the default port. It's more about adding a layer of obscurity to keep your server safe than adding any real security to the server. Think of it as security services using identical vehicles to transport an important person so that an attacker won't know which vehicle to take down.
Open the sshd_config file (this time as sudo, because you can no longer log into the server as root):
sudo nano /etc/ssh/sshd_config
Then, find this commented line:
#Port 22
Uncomment the line and choose a port number. While choosing a port, do ensure that it’s not used by any other service on your system. You can learn more about which ports are commonly used from this Wikipedia article and avoid such ports. I chose 1977 for my server:
Port 1977
Next, save and close the file and restart the sshd service. Once again, before logging out of the server, check the settings by opening another terminal window and then log in using this pattern:
ssh -p {port_number} user@server_IP
Example:
ssh -p 1977 user@server_IP
If you can successfully log in, it’s all set.
Passwordless Login

You can make it easier to ssh into your server via passwordless login and add another layer of security by totally disabling password authentication. Just keep in mind that you will be able to log into your server only from that machine on which you generated the ssh keys.
Let’s generate the ssh key on your local system (Figure 3) using the following command:
ssh-keygen -t rsa
It will ask some questions; you can leave the location of the key to default and provide it with a hard-to-guess passphrase. Next, you need to copy these keys to the server so that the two machines can communicate with each other using the keys.
cat ~/.ssh/id_rsa.pub | ssh -p 1977 swapnil@remote-server "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Now try sshing into the server from another terminal and, if everything is working fine, it will not ask you to enter the password.
This step was more about convenience than some real security. You can add some security by disabling password authentication for the server. Just open the sshd_config file and look for the commented line:
#PasswordAuthentication yes
Uncomment the line and change it from yes to no; save and close the file. Then, restart the sshd service. Once again, don't close the connection to the server from the current window yet. Open another terminal and log into the server (make sure it didn’t ask for the password).
The flip side of this setting is that you can now ssh into your server only from the machine where you generated the ssh keys. If you often log into your server from different machines, please don’t use this method.
In Closing

These are some of the basic considerations for new users trying to run their own servers. Keep in mind that crackers are always a step ahead; they keep looking for any holes to hack into your server. Therefore, the best practice is to keep an always updated backup of your server. I recommend you take a backup before and after you make any changes to your site. That way, in case your server is compromised, you can always restore from the previous backup.
If you have any questions or suggestions, feel free to share in the comments section below.










Securing a Linux server is essential to protect our data from hackers. But securing a server doesn't need to be complicated. We should adopt a method that protects our server from the most frequent attacks while keeping administration efficient.
However, don’t take things for granted. Even the most hardened servers can be hijacked by exploiting any vulnerable component running on that server.
1. Install what you need

The first rule is to keep your server lean and mean. Install only those packages that you really need. If there are unwanted packages, purge them. The fewer the packages, the less chance of unpatched code.
2. Turn on SELinux

Security-Enhanced Linux (SELinux) is an access control security mechanism provided in the kernel.
SELinux provides 3 basic modes of operation:

  • Enforcing: This is the default mode, which enables and enforces the SELinux security policy on the machine.
  • Permissive: In this mode, SELinux will not enforce the security policy on the system, only warn and log actions.
  • Disabled: SELinux is turned off.

It can be managed from the ‘/etc/selinux/config’ file, where you can enable or disable it.
3. Secure Console Access

You must protect console access to Linux servers by disabling booting from external devices such as DVDs, CDs and USB pen drives in the BIOS setup. Also, set a BIOS password and a GRUB boot loader password to protect these settings.
4. Restrict using Old passwords

We can restrict users from reusing their old passwords. The old password file is located at /etc/security/opasswd. This can be done by using a PAM module.
Open the ‘/etc/pam.d/system-auth’ file under RHEL / CentOS / Fedora.
# vi /etc/pam.d/system-auth
Open the ‘/etc/pam.d/common-password’ file under Ubuntu/Debian/Linux.
# vi /etc/pam.d/common-password
Add the following line to the ‘auth’ section.
auth sufficient pam_unix.so likeauth nullok
Add the line below to the ‘password’ section to disallow a user from re-using the last 3 passwords.
password sufficient pam_unix.so nullok use_authtok md5 shadow remember=3
The last 3 passwords are remembered by the server. If you try to use any of the last 3 old passwords, you will get an error.

[Screenshot: error message shown when an old password is reused]
5. Check Listening Ports

Use the ‘netstat’ command to view open ports and the corresponding services.
netstat -tunlp
Disable the unwanted services from the system using the ‘chkconfig’ command and close the ports that are not needed.
chkconfig serviceName off
6. Disable Root login

It’s not advisable to ssh into your server as superuser (root). We should disable ssh as root user on the server, but before doing so, let’s create a user with sudo powers so that you can ssh into the server and perform administrative tasks. Once you are logged into the server, you can always switch user to root, if needed.
Create a new user:
useradd user1
Create a password for the user added:
passwd user1
Provide sudo permissions to the newly added user:
echo 'user1 ALL=(ALL) ALL' >> /etc/sudoers
SSH to the server with the new user and ensure that the login works.
We are now going to disable root login, which means no one can ssh or log into the server as root user. To do so, open the sshd configuration file:
nano /etc/ssh/sshd_config
Next, uncomment the line that says:
PermitRootLogin no
Then save and close this file and restart the service:
service sshd restart
Important: Don’t log out of the server yet. First test whether you can successfully ssh into the server using the previously created user. Open another instance of the terminal and ssh into the server with the user you previously created. If everything works fine, you can safely log out of the server as root.
7. Change the Port

We can change the default SSH port to add a layer of opacity to keep your server safe.
Open the /etc/ssh/sshd_config file.
Replace the default Port 22 with a different port number, say 1110.
Save and exit from the file.
service sshd restart
Now, to log in, specify the port number:
ssh username@IP -p 1110
8. Disable Ctrl+Alt+Delete in Inittab

Hitting Ctrl+Alt+Delete will reboot your server. It is always advisable to disable this, as someone can mistakenly reboot the system.
The Ctrl+Alt+Del action is defined in /etc/init/control-alt-delete.conf. Comment out the line below.

[Screenshot: the line to comment out in /etc/init/control-alt-delete.conf]
9. Password-less Login

We can easily log in to our server through SSH without any password by generating SSH keys. Just be aware that you can log into your server only from the machine on which you generated the SSH keys.
Generating SSH keys:
ssh-keygen -t rsa

Copy your public SSH key, then add it on the server:
cat ~/.ssh/id_rsa.pub
To add SSH keys on the server:
Suppose we have a user, user1, who should get SSH key access to the server.
cd /home/user1
ls -ll
Create a .ssh directory and inside it create a file named authorized_keys, and add the user's public SSH key to it:
mkdir .ssh
cd /home/user1/.ssh
vim authorized_keys
Add the public SSH key and then change the owner of the file:
chown user1 authorized_keys
Disable SSH password and root login
Edit /etc/ssh/sshd_config:
Passwordauthentication no
PermitRootLogin no
Now, only the authorized user can log in to the server with the command:
ssh user-name@serverIP -p (port number)
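The sshd_config edits described in the sections above (PermitRootLogin, Port, PasswordAuthentication) only take effect if the line is really uncommented and is the first occurrence of its keyword. The following check is an added example, not part of the original articles; the function names and both sample configurations are constructed for illustration, and the defaults assume upstream OpenSSH.

```shell
#!/bin/sh
# Added example. sshd uses the FIRST occurrence of most keywords, keywords are
# case-insensitive, and lines starting with '#' are ignored.
# Assumptions of this sketch: Include files are not followed and parsing stops
# at the first Match block; defaults are those of upstream OpenSSH.

sshd_effective() {         # usage: sshd_effective FILE KEYWORD DEFAULT
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v dflt="$3" '
        /^[ \t]*(#|$)/  { next }                  # comment or blank line
                        { key = tolower($1) }
        key == "match"  { exit }                  # global section ends here
        key == want && !found { val = $2; found = 1 }
        END { print (found ? val : dflt) }
    ' "$1"
}

sshd_ports() {             # Port may be repeated; sshd listens on all of them
    awk '/^[ \t]*(#|$)/ { next }
         tolower($1) == "match" { exit }
         tolower($1) == "port"  { p = p (p ? " " : "") $2 }
         END { print (p ? p : "22") }' "$1"
}

audit_sshd() {             # prints findings; exit status = number of findings
    bad=0
    root=$(sshd_effective "$1" PermitRootLogin prohibit-password | tr 'A-Z' 'a-z')
    pass=$(sshd_effective "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    [ "$root" = no ] || { echo "PermitRootLogin is '$root', expected 'no'"; bad=$((bad+1)); }
    [ "$pass" = no ] || { echo "PasswordAuthentication is '$pass', expected 'no'"; bad=$((bad+1)); }
    echo "sshd listens on port(s): $(sshd_ports "$1")"
    return "$bad"
}

write_weak_sample() {      # constructed sample: the edits did not take effect
    cat > "$1" <<'EOF'
#Port 22
Port 1977
#PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
EOF
}

write_hardened_sample() {  # constructed sample: the result the steps aim for
    cat > "$1" <<'EOF'
Port 1977
PermitRootLogin no
PasswordAuthentication no
EOF
}

# Demo on the constructed samples.
tmp=$(mktemp)
write_weak_sample "$tmp"
audit_sshd "$tmp" || echo "findings: $?"
write_hardened_sample "$tmp"
audit_sshd "$tmp" && echo "hardened sample: no findings"
rm -f "$tmp"
# On a real host, `sshd -t` syntax-checks the file before a restart and
# `sshd -T` (as root) prints the configuration sshd actually uses.
```

In the weak sample the root-login line is still commented out and the `PasswordAuthentication no` line comes after an earlier `yes`, so neither change is in force even though both strings appear in the file.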
10. Fail2Ban for SSH login

Fail2ban works by dynamically altering the firewall rules to ban addresses that have unsuccessfully attempted to log in a certain number of times.
Install Fail2ban:
sudo apt-get update
apt-get install fail2ban
Create a new file jail.local, copy the contents of jail.conf into it, and make the changes in the jail.local file only:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit the /etc/fail2ban/jail.local file.
Make the desired changes:
[sshd]
enabled = true
# provide the port number if the default port is changed
port = ssh
protocol = tcp
filter = sshd
# RHEL/CentOS path; Debian/Ubuntu log SSH authentication to /var/log/auth.log
logpath = /var/log/secure
# max no. of tries after which the host should be banned
maxretry = 3
# window, in seconds, that fail2ban pays attention to when looking for repeated failed authentication attempts
findtime = 600
# time duration, in seconds, for which the host is banned
bantime = 600
Then restart the fail2ban service:
service fail2ban restart
An IP can be blocked permanently by setting bantime = -1.
Note: Fail2ban will block the global IP.
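How maxretry and findtime interact, as an added example that is not part of the article and not fail2ban's own code: a small model that replays constructed sshd log lines (documentation-range addresses) and prints the addresses that reach maxretry failures inside the findtime window. The function names would_ban and write_sample_log are hypothetical.

```shell
#!/bin/sh
# Added example: a model of the maxretry/findtime rule, not fail2ban code.
# Assumptions: syslog-style lines from a single day, time in field 3 (HH:MM:SS).

would_ban() {              # usage: would_ban LOGFILE MAXRETRY FINDTIME
    awk -v maxretry="$2" -v findtime="$3" '
        /sshd\[[0-9]+\]: Failed password for / {
            split($3, hms, ":")
            t = hms[1] * 3600 + hms[2] * 60 + hms[3]
            ip = ""
            # the address follows the last "from" on the line
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            n[ip]++
            seen[ip, n[ip]] = t
            # count this failure plus earlier ones still inside the window
            c = 0
            for (k = n[ip]; k >= 1 && t - seen[ip, k] <= findtime; k--) c++
            if (c >= maxretry && !banned[ip]) { banned[ip] = 1; print ip }
        }
    ' "$1"
}

write_sample_log() {       # constructed log lines, not taken from a real host
    cat > "$1" <<'EOF'
Jan 10 12:00:01 srv sshd[2101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 12:00:09 srv sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jan 10 12:00:15 srv sshd[2107]: Accepted publickey for swapnil from 192.0.2.10 port 51000 ssh2
Jan 10 12:00:20 srv sshd[2109]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 10 12:01:00 srv sshd[2111]: Failed password for user1 from 198.51.100.7 port 50001 ssh2
Jan 10 12:08:00 srv sshd[2115]: Failed password for user1 from 198.51.100.7 port 50002 ssh2
Jan 10 12:15:00 srv sshd[2119]: Failed password for user1 from 198.51.100.7 port 50003 ssh2
EOF
}

# Demo on the constructed log.
log=$(mktemp)
write_sample_log "$log"
echo "maxretry=3 findtime=600:"; would_ban "$log" 3 600
echo "maxretry=3 findtime=900:"; would_ban "$log" 3 900
rm -f "$log"
```

With the article's values (maxretry = 3, findtime = 600) the slow source at 198.51.100.7 is never banned, because its three failures span 840 seconds; widening findtime to 900 catches it.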
Security used to be an inconvenience sometimes, but now it’s a necessity all the time — Martina Navratilova