Last Updated on November 1, 2019 by Aether
Linux is generally considered a safe and secure operating system that is less vulnerable to attacks. However, with an exponential increase in sophisticated cyberattacks, it’s prudent to take the appropriate essential steps to secure your Linux server. Let’s have a look at some of the measures you need to implement to secure your system from attackers.
Disable remote root login
During the initial server setup of a Linux server, remote root login is highly unrecommended and for a good reason. If someone grabs a hold of the root user’s password, they can log in and tamper with your system. If it’s a hacker, they can steal files, upload malware or even render your system unusable. Best practice recommends the creation of a new regular user whose credentials will be used to log in instead of the root user. The new user will then be granted superuser or user privileges and once the user logs in, they can switch to root or superuser and proceed with administrative tasks.
To create a new user execute the command:
# adduser user (For Debian/Ubuntu)
# useradd user ( For RHEL/CentOS)
To assign sudo or superuser or root privileges run
# usermod -aG sudo user (For Debian/Ubuntu)
# echo ‘user ALL=(ALL) ALL’ >> /etc/sudoers
Now we will disable remote root login via SSH. To accomplish this, open the configuration file below
Scroll and uncomment the line below to block SSH root logins
Next, close the file and restart SSH service
# systemctl restart ssh
Change the default SSH port
The SSH port is one of the most preyed upon ports by hackers who incessantly keep tried to brute force the connection. To add an extra layer of protection and make it harder for hackers to gain entry consider changing the default SSH port.
Open the configuration file below
Be sure to replace default Port 22 with a different port number say 1520
Once done, save and exit the configuration file
Finally, restart SSH service
# systemctl restart ssh
Now to login define the port
$ ssh username@IP -p 1520
Ensure only the necessary services are running on the server
Best Linux security practices demand that only the crucial services are running and non-essential ones or those currently not in use be turned off. The same also applies to ports. Unused ports should also be closed.
To check open ports, use the netstat command as shown
$ netstat -pnltu
Secure your BIOS
By securing your BIOS, you ensure that nobody can boot from a flash or optical drive. Thus, nobody can overwrite your Linux system files and tamper with your data. After installing Linux, you should access your BIOS and disable the boot option from any external drives. Also, adding a BIOS password will prevent any unauthorized user from accessing your BIOS. A point to note is that a BIOS password is not recoverable, therefore save it in a secure place.
Passwordless SSH login
To make your life easier, you don’t always have to log in to your server using a password when connecting via SSH. You can configure a passwordless SSH login such that during login, you will only provide the username and IP address and that’s it and BOOM ! You will gain entry.
This can be achieved by the generation of SSH keys
This generates both public and private SSH keys which are stored in /root/.ssh/ directory
The Public key is identified by id_rsa.pub
The private key is denoted by id_rs
The Private SSH key remains on the system connecting to the server while the public key is sent and saved on the Linux server system. During subsequent login, the Linux server checks to see if the Public key matches with the private key and grants access without requiring a password.
Disable USB Mount
Most hackers use USB-based malware which activates when an infected flash drive is inserted to your Linux server. So to avoid these kinds of malware, you should disable the automatic USB mount on your system. The only throwback to using this method is that you will have to manually open the files in any USB drive you insert to your system. It can be a bit slower to access content stored in flash drives, but your security will be enhanced.
To disable USB mount, use the following commands on a text editor.
install usb-storage /bin/true
Next, save in the following location as a .conf file
Finally, restart your machine for the changes to take effect.
Enable SELinux (For RHEL, CentOS & Fedora users)
SElu=inux, short for Security-Enhanced Linux is a kernel security module that provides added protection to your Linux server. It grants the user total administrative control over daemons and their connections. By default, it comes enabled on CentOS.
As a good practice, it always advised to have SELinux up and running. To check the current status of SELinux, execute the command:
You can manage SELinux from the /etc/selinux/config file where you can either enable or disable it.
In this guide, you have learned the basic steps that you can take to secure your Linux server. These will protect the server from unauthorized access and breaches which can be prevented. We hope that you found this article informative and that you will now take the requisite measures to fortify your server’s security.