Linux 109: Securing Your Linux Server

As the popularity of Linux servers continues to rise, so does the importance of securing them. Whether you’re running a small home server or managing a large production environment, securing your Linux server is crucial to protect against threats and vulnerabilities. In this article, we’ll cover key practices and tools to help you secure your Linux server from common security risks.


1. Start with System Updates

One of the easiest and most important steps in securing a Linux server is ensuring that your system is up to date. Security patches and bug fixes are regularly released to address vulnerabilities, so keeping your system updated is essential.

Automatic Updates

You can configure your Linux server to apply security updates automatically, so critical patches are not left waiting for someone to log in. Installing the package is only the first step: confirm that updates are actually applied rather than merely downloaded, and plan for reboots, because a new kernel or libc does not take effect until the system restarts.

For Ubuntu/Debian-based systems, install unattended-upgrades and check that /etc/apt/apt.conf.d/20auto-upgrades switches it on (Ubuntu writes this file for you; on Debian, reconfigure the package if the file is missing):

bash

sudo apt install unattended-upgrades

For RHEL/CentOS 7, install yum-cron, set apply_updates = yes in /etc/yum/yum-cron.conf and enable the yum-cron service; the shipped configuration only downloads updates. On RHEL/CentOS 8 and later the equivalent package is dnf-automatic, configured in /etc/dnf/automatic.conf and started with the dnf-automatic.timer unit:

bash

sudo yum install yum-cron
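The script below is an added example, not code from the original article: it turns "the package is installed" into "updates are actually applied" for both package families and verifies the result. The function names are mine, the PREFIX argument is a hypothetical root directory so the functions can be exercised on a scratch tree (on a real host run them as root with PREFIX=/), and the configuration keys and file paths are the real ones used by unattended-upgrades, yum-cron and dnf-automatic.

```bash
#!/usr/bin/env bash
# Added example (not the article's code): configure automatic updates so that
# they are applied, not just downloaded, and check the result afterwards.

# ini_set FILE SECTION KEY VALUE: set KEY inside [SECTION] of an INI-style file,
# adding the key (or the whole section) if absent and leaving the rest untouched.
ini_set() {
    local file="$1" section="$2" key="$3" value="$4" tmp
    tmp=$(mktemp)
    awk -v s="$section" -v k="$key" -v v="$value" '
        /^\[.*\]/ {                                          # a section header
            if (in_s && !done) { print k " = " v; done = 1 } # key missing: add before leaving
            in_s = ($0 == "[" s "]")
        }
        in_s && !done && $1 == k { print k " = " v; done = 1; next }
        { print }
        END { if (!done) { if (!in_s) print "[" s "]"; print k " = " v } }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the original permissions
    rm -f "$tmp"
}

# configure_auto_updates PREFIX FAMILY   (FAMILY is debian or rhel)
configure_auto_updates() {
    local prefix="$1" family="$2"
    case "$family" in
    debian)
        # This is what `dpkg-reconfigure -plow unattended-upgrades` writes; without
        # it the unattended-upgrade script exists but the apt timer never calls it.
        mkdir -p "$prefix/etc/apt/apt.conf.d"
        cat > "$prefix/etc/apt/apt.conf.d/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
        # Local overrides: apt reads apt.conf.d in lexical order, later files win.
        cat > "$prefix/etc/apt/apt.conf.d/52unattended-upgrades-local" <<'EOF'
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
EOF
        ;;
    rhel)
        # dnf-automatic (RHEL/CentOS 8+) and yum-cron (7) both ship with
        # apply_updates = no. Edit whichever file exists; the "security only"
        # key is named differently in the two tools.
        local conf type_key
        if [ -f "$prefix/etc/dnf/automatic.conf" ]; then
            conf="$prefix/etc/dnf/automatic.conf"; type_key=upgrade_type
        else
            conf="$prefix/etc/yum/yum-cron.conf"; type_key=update_cmd
        fi
        mkdir -p "$(dirname "$conf")"; touch "$conf"
        ini_set "$conf" commands apply_updates yes
        ini_set "$conf" commands "$type_key" security
        # On the host, finish with: systemctl enable --now dnf-automatic.timer  (or yum-cron)
        ;;
    *) echo "unknown family: $family" >&2; return 2 ;;
    esac
}

# auto_updates_enabled PREFIX FAMILY: returns 0 if the configuration applies updates.
auto_updates_enabled() {
    local prefix="$1" family="$2"
    case "$family" in
    debian)
        grep -q '^APT::Periodic::Unattended-Upgrade "1";' \
            "$prefix/etc/apt/apt.conf.d/20auto-upgrades" 2>/dev/null ;;
    rhel)
        cat "$prefix/etc/dnf/automatic.conf" "$prefix/etc/yum/yum-cron.conf" 2>/dev/null |
            awk '/^\[/ { in_s = ($0 == "[commands]") }
                 in_s && $1 == "apply_updates" && $3 == "yes" { ok = 1 }
                 END { exit !ok }' ;;
    *) return 2 ;;
    esac
}

# Demo on a scratch tree (constructed; nothing on the live host is modified).
scratch=$(mktemp -d)
mkdir -p "$scratch/etc/dnf"
printf '[commands]\napply_updates = no\n[emitters]\nemit_via = stdio\n' > "$scratch/etc/dnf/automatic.conf"
configure_auto_updates "$scratch" rhel
configure_auto_updates "$scratch" debian
auto_updates_enabled "$scratch" rhel && auto_updates_enabled "$scratch" debian &&
    echo "automatic updates configured under $scratch"
```

The ini editor is the part worth keeping: automatic.conf and yum-cron.conf carry other sections (emitters, e-mail settings) that a blanket overwrite would destroy, so the script changes only the two keys in [commands].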

Manual Updates

To manually update packages, use the following commands:

For Ubuntu/Debian:

bash

sudo apt update
sudo apt upgrade

For RHEL/CentOS:

bash

sudo yum update

2. Secure SSH Access

SSH (Secure Shell) is one of the most common methods to access a Linux server remotely. However, it can also be a target for attackers if not properly secured. Here are some best practices to secure SSH:

Disable Root Login

Allowing direct root access via SSH is a significant security risk. Disable it to require users to log in with their own accounts and use sudo for administrative tasks.

Edit the SSH configuration file:

bash

sudo nano /etc/ssh/sshd_config

Find the PermitRootLogin line (uncomment it if it starts with #) and set it to no. Note that the usual default, prohibit-password, still lets root log in with a key; only no disables root login entirely:

bash

PermitRootLogin no

Validate the file and restart SSH to apply the change (sudo sshd -t reports syntax errors before you restart). Keep your current session open until a fresh login from a second terminal has succeeded. The unit is named sshd on RHEL/CentOS and ssh on Debian/Ubuntu (recent Ubuntu releases accept both names):

bash

sudo systemctl restart sshd

Use SSH Key Authentication

SSH key authentication is more secure than passwords: the private key never leaves the client, and it cannot be guessed the way a password can. To set it up:

  1. Generate an SSH key pair on the client machine. Ed25519 keys are short, fast and the current default choice; protect the private key with a passphrase when prompted:

    bash

    ssh-keygen -t ed25519
  2. Copy the public key to the server (this appends it to ~/.ssh/authorized_keys for that user):

    bash

    ssh-copy-id user@your_server_ip
  3. Log in once with the key to confirm it works, then set PasswordAuthentication no in /etc/ssh/sshd_config and restart SSH. Until password logins are switched off, the server's exposure to password guessing is unchanged.

Change the Default SSH Port

By default, SSH listens on port 22. Moving it to a non-standard port removes most of the background scanner noise from your logs, but it is not a security control on its own: a port scan finds the new port in seconds, so keep key-only login and Fail2Ban in place. Before you restart SSH, allow the new port in the firewall (section 3), and on RHEL/CentOS with SELinux enforcing, register the port with semanage port -a -t ssh_port_t -p tcp 2222, or sshd will be denied the bind.

Edit the SSH configuration file again:

bash

sudo nano /etc/ssh/sshd_config

Change the Port line (uncomment it if it starts with #) to something like:

bash

Port 2222

Restart SSH to apply the change, then connect with ssh -p 2222 user@your_server_ip from a second terminal before closing the session you are in:

bash

sudo systemctl restart sshd
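The following script is an added example and is not code from the original article. It carries out the edits of this section on a copy of sshd_config: it rewrites the directives, reads back the effective values the way sshd does (the first active line wins and Match blocks are ignored), and validates the file with sshd -t before anything is restarted. The function names and the constructed sample config are mine; the directive names, sshd -t and the unit names are real.

```bash
#!/usr/bin/env bash
# Added example (not the article's code): audit and harden an sshd_config file.
# FILE and PORT are parameters so the functions can be run on a scratch copy.
# Assumes no Match blocks; on OpenSSH 8.2+ a drop-in under /etc/ssh/sshd_config.d/
# (read via Include at the top of the stock file) is the cleaner alternative.

# sshd_option FILE KEY: print the first active value of KEY in the global section.
sshd_option() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }            # conditional blocks start here
        tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins, as in sshd
    ' "$1"
}

# set_sshd_option FILE KEY VALUE: replace every copy of KEY (active or commented
# out) with a single "KEY VALUE" line, or append it if the directive is absent.
set_sshd_option() {
    local file="$1" key="$2" value="$3" tmp
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # drop indentation / comment marker
            split(line, f, /[ \t=]+/)               # f[1] is the directive name
            if (tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next                                 # drop duplicates and stale comments
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"      # cat keeps the file's permissions
    rm -f "$tmp"
}

# audit_sshd_config FILE: report weak settings; returns 1 if any were found.
audit_sshd_config() {
    local file="$1" bad=0
    [ "$(sshd_option "$file" PermitRootLogin)" = "no" ] ||
        { echo "PermitRootLogin should be no";        bad=1; }
    [ "$(sshd_option "$file" PasswordAuthentication)" = "no" ] ||
        { echo "PasswordAuthentication should be no"; bad=1; }
    [ "$(sshd_option "$file" PubkeyAuthentication)" != "no" ] ||
        { echo "PubkeyAuthentication must not be no"; bad=1; }
    return "$bad"
}

# harden_sshd_config FILE [PORT]: apply the settings from this section. Only
# disable passwords after key login has been verified, or you lock yourself out.
harden_sshd_config() {
    local file="$1" port="${2:-22}"
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" Port "$port"
}

# apply_sshd_hardening [PORT]: for a real host, as root. Leaves the current
# session open; test a new login in a second terminal before closing it.
apply_sshd_hardening() {
    local cfg=/etc/ssh/sshd_config
    cp -p "$cfg" "$cfg.bak.$(date +%s)"
    harden_sshd_config "$cfg" "${1:-22}"
    sshd -t -f "$cfg" || { echo "sshd rejected the config; restore the .bak copy" >&2; return 1; }
    systemctl restart sshd          # the unit is named ssh on Debian/Ubuntu
}

# Demo on a constructed copy resembling a stock sshd_config (nothing live is touched).
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
X11Forwarding yes
EOF
audit_sshd_config "$demo/sshd_config" || echo "-- hardening the copy --"
harden_sshd_config "$demo/sshd_config" 2222
audit_sshd_config "$demo/sshd_config" && echo "hardened copy passes the audit; sshd -t would run next"
```

The audit reads the file the way sshd does rather than grepping for a string, which is what catches the common mistake of adding PermitRootLogin no below an earlier, still-active PermitRootLogin yes.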

3. Configure a Firewall

A firewall blocks unwanted traffic and restricts access to only the services you intend to expose. The most common tools are ufw (Uncomplicated Firewall) on Ubuntu/Debian and firewalld on RHEL/CentOS. Both deny incoming connections by default once active, so when you work over SSH, allow SSH before you switch the firewall on.

For Ubuntu/Debian:

  1. Allow SSH first. ufw's default policy blocks all incoming traffic once it is enabled, so doing this afterwards would refuse your next SSH login. If you moved SSH to port 2222, allow 2222/tcp instead of the ssh profile:

    bash

    sudo ufw allow ssh
  2. Allow the ports your services need (e.g., HTTP/HTTPS):

    bash

    sudo ufw allow http
    sudo ufw allow https
  3. Enable ufw:

    bash

    sudo ufw enable
  4. Check status:

    bash

    sudo ufw status

For RHEL/CentOS:

  1. Start firewalld and enable it at boot:

    bash

    sudo systemctl start firewalld
    sudo systemctl enable firewalld
  2. Allow SSH and HTTP/HTTPS. The ssh service definition covers port 22 only; for a custom port use --add-port=2222/tcp instead:

    bash

    sudo firewall-cmd --permanent --add-service=ssh
    sudo firewall-cmd --permanent --add-service=http
    sudo firewall-cmd --permanent --add-service=https
  3. Reload firewalld so the permanent rules take effect (until then the running firewall is unchanged):

    bash

    sudo firewall-cmd --reload
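As an added example, not part of the original article, the script below builds the rule sequence for either backend in a safe order (SSH rule first, the activating command last, with the SSH port as a parameter so a non-default port is not forgotten) and shows a rollback timer for running it over SSH. The plan functions only print commands and nothing touches the live firewall unless you pipe a plan into sh as root; the function names are mine, the ufw and firewall-cmd invocations are real.

```bash
#!/usr/bin/env bash
# Added example (not the article's code): ordered firewall plans plus a rollback
# guard for applying them over SSH.

# ufw_plan SSH_PORT [SERVICE_OR_PORT...]: print ufw commands, one per line.
ufw_plan() {
    local ssh_port="$1"; shift
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw limit ${ssh_port}/tcp"        # allow SSH, rate-limited (6 attempts / 30 s per source)
    local svc
    for svc in "$@"; do echo "ufw allow ${svc}"; done
    echo "ufw --force enable"               # last: from here on the deny policy is live
}

# firewalld_plan SSH_PORT [SERVICE...]: the same sequence for firewalld.
firewalld_plan() {
    local ssh_port="$1"; shift
    if [ "$ssh_port" = 22 ]; then
        echo "firewall-cmd --permanent --add-service=ssh"
    else
        # the "ssh" service only covers port 22; add the chosen port explicitly
        echo "firewall-cmd --permanent --add-port=${ssh_port}/tcp"
        echo "firewall-cmd --permanent --remove-service=ssh"
    fi
    local svc
    for svc in "$@"; do echo "firewall-cmd --permanent --add-service=${svc}"; done
    echo "firewall-cmd --reload"            # permanent rules become active here
}

# plan_is_safe PLAN_FILE SSH_PORT: 0 if the SSH rule precedes the activating
# command (enable / --reload). This is the one check worth automating.
plan_is_safe() {
    local plan="$1" ssh_port="$2" ssh_line act_line
    ssh_line=$(grep -nE "${ssh_port}/tcp|add-service=ssh|allow ssh" "$plan" | head -n1 | cut -d: -f1)
    act_line=$(grep -nE "enable|--reload" "$plan" | head -n1 | cut -d: -f1)
    [ -n "$ssh_line" ] && [ -n "$act_line" ] && [ "$ssh_line" -lt "$act_line" ]
}

# with_rollback SECONDS ROLLBACK_CMD...: run ROLLBACK_CMD after SECONDS unless
# cancel_rollback is called first. The timer's PID is left in ROLLBACK_PID.
# Typical use as root over SSH:
#   with_rollback 120 ufw disable       # two minutes to prove a fresh login works
#   ufw_plan 2222 http https | sh
#   ...log in from a second terminal, then: cancel_rollback
with_rollback() {
    local secs="$1"; shift
    ( sleep "$secs" && "$@" ) &
    ROLLBACK_PID=$!
}
cancel_rollback() {
    kill "$ROLLBACK_PID" 2>/dev/null || true
    wait "$ROLLBACK_PID" 2>/dev/null || true
}

# Demo: build a plan for SSH on 2222 plus a web server and check its ordering.
plan=$(mktemp)
ufw_plan 2222 http https > "$plan"
plan_is_safe "$plan" 2222 && echo "ufw plan keeps SSH reachable:" && cat "$plan"
rm -f "$plan"
```

The rollback timer is the part people skip: if the plan is wrong, the firewall undoes itself before the remote session is lost for good, and if it is right, cancelling the timer costs one command.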

4. Install and Configure Fail2Ban

Fail2Ban is a tool that protects your server from brute-force attacks by monitoring log files and banning IP addresses that have too many failed login attempts.

Install Fail2Ban:

For Ubuntu/Debian:

bash

sudo apt install fail2ban

For RHEL/CentOS (the package comes from the EPEL repository, so enable that first):

bash

sudo yum install fail2ban

Configure Fail2Ban:

Do not edit jail.conf, which package updates overwrite; put local settings in jail.local and create it if it does not exist:

bash

sudo nano /etc/fail2ban/jail.local

Add a section that enables the sshd jail. maxretry is the number of failures allowed within the findtime window (10 minutes by default) and bantime is how long the address stays banned, in seconds. If you moved SSH off port 22, set port to that number, or the ban rule will not cover the port attackers actually hit:

bash

[sshd]
enabled = true
port = ssh
maxretry = 3
bantime = 600

Restart Fail2Ban and confirm the jail is running (fail2ban-client status sshd lists the currently banned addresses):

bash

sudo systemctl restart fail2ban
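Below is an added example, not Fail2Ban's code or anything from the original article: the per-source counting behind the sshd jail, including the findtime window, run over constructed auth.log lines so you can see on sample input what maxretry and findtime actually decide. The function names and log lines are mine; the log format is the standard syslog form sshd produces.

```bash
#!/usr/bin/env bash
# Added example (not Fail2Ban's code): count sshd authentication failures per
# source address and report the ones a jail with the given maxretry/findtime
# would have banned. Handy for reading a log by hand after the fact.

# brute_force_ips LOGFILE [MAXRETRY] [FINDTIME]: print "count ip" for every
# source with MAXRETRY or more failures inside a FINDTIME-second window.
brute_force_ips() {
    local log="$1" maxretry="${2:-3}" findtime="${3:-600}"
    awk -v maxretry="$maxretry" -v findtime="$findtime" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            # "Mar  3 10:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 4242 ssh2"
            split($3, t, ":"); sec = t[1]*3600 + t[2]*60 + t[3]   # seconds since midnight (same-day log)
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
            n[ip]++; ts[ip, n[ip]] = sec
        }
        END {
            # sliding window: ban once maxretry failures fall within findtime seconds
            for (ip in n) {
                start = 1
                for (j = 1; j <= n[ip]; j++) {
                    while (ts[ip, j] - ts[ip, start] > findtime) start++
                    if (j - start + 1 >= maxretry) { printf "%d %s\n", n[ip], ip; break }
                }
            }
        }
    ' "$log" | sort -rn
}

# sample_auth_log FILE: constructed log lines (three source addresses):
#   203.0.113.7   four failures in eight seconds    -> banned at maxretry 3
#   198.51.100.20 three failures spread over hours  -> not banned with findtime 600
#   192.0.2.9     one successful key login          -> never counted
sample_auth_log() {
    cat > "$1" <<'EOF'
Mar  3 10:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 4242 ssh2
Mar  3 10:00:04 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 4242 ssh2
Mar  3 10:00:07 web1 sshd[1203]: Invalid user admin from 203.0.113.7 port 4250
Mar  3 10:00:09 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 4250 ssh2
Mar  3 10:05:30 web1 sshd[1300]: Failed password for alice from 198.51.100.20 port 5100 ssh2
Mar  3 11:20:00 web1 sshd[1400]: Failed password for alice from 198.51.100.20 port 5110 ssh2
Mar  3 12:40:00 web1 sshd[1500]: Failed password for alice from 198.51.100.20 port 5120 ssh2
Mar  3 12:41:00 web1 sshd[1510]: Accepted publickey for alice from 192.0.2.9 port 6000 ssh2: ED25519
EOF
}

# Demo with the jail settings from this section (maxretry 3, findtime 600).
log=$(mktemp)
sample_auth_log "$log"
echo "would be banned:"; brute_force_ips "$log" 3 600
rm -f "$log"
```

The second address shows why findtime matters: three failures a day is a user with a typo, not an attack, and a jail without a window would ban them. Real Fail2Ban matches many more sshd messages than the two patterns here; run it on the actual log with fail2ban-regex if you need to know exactly what a filter would catch.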

5. Set Up Intrusion Detection with AIDE

AIDE (Advanced Intrusion Detection Environment) helps monitor file integrity and can alert you when files are modified unexpectedly. This is useful for detecting potential tampering or unauthorized changes.

Install AIDE:

For Ubuntu/Debian:

bash

sudo apt install aide

For RHEL/CentOS:

bash

sudo yum install aide

Configure AIDE:

Build the initial database on a freshly installed or freshly patched system, because everything recorded in the baseline is treated as trusted. On Ubuntu/Debian the aideinit wrapper creates the database and moves it into place:

bash

sudo aideinit

On RHEL/CentOS run aide --init instead, then rename /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz so that checks use it. Afterwards, compare the filesystem against the baseline with:

bash

sudo aide --check

Every legitimate change (package updates, config edits) appears as a finding, so refresh the baseline with aide --update after planned changes. Keep a copy of the database, the configuration and the aide binary off the host or on read-only media: an attacker with root can otherwise rewrite the baseline to hide their changes. Schedule the check from cron or a systemd timer and mail or ship the report somewhere the server cannot alter it.
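To make the baseline-then-compare model concrete, here is an added example that is not AIDE's code and not from the original article: the same idea reduced to sha256 digests over a directory, reporting added, removed and modified files the way aide --check does. The function names are mine, and the scratch tree in the demo is constructed; it is a teaching aid and a quick manual check, not a replacement for AIDE's rule language and attribute tracking.

```bash
#!/usr/bin/env bash
# Added example (not AIDE's code): a minimal file-integrity baseline and check.
# DIR and DBFILE are parameters so it can be tried on any scratch directory.

# digest PATH: print "hash  path" with whichever sha256 tool is present.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# fim_baseline DIR DBFILE: hash every regular file under DIR into DBFILE
# (the equivalent of `aide --init`).
fim_baseline() {
    local dir="$1" db="$2"
    (cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do digest "$f"; done) > "$db"
}

# fim_check DIR DBFILE: compare DIR with DBFILE (the equivalent of `aide --check`).
# Prints one line per change and returns 1 if anything changed.
# Limitation: paths containing newlines are not handled.
fim_check() {
    local dir="$1" db="$2" cur findings
    cur=$(mktemp)
    fim_baseline "$dir" "$cur"
    findings=$(awk '
        # digest output is 64 hex characters, two spaces, then the path
        FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }     # baseline entries
        {
            p = substr($0, 67); seen[p] = 1
            if (!(p in base))        print "added    " p
            else if (base[p] != $1)  print "modified " p
        }
        END { for (p in base) if (!(p in seen)) print "removed  " p }
    ' "$db" "$cur")
    rm -f "$cur"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Demo on a constructed tree: baseline, then simulate three kinds of tampering.
demo=$(mktemp -d)
mkdir -p "$demo/tree/etc"
printf 'root:x:0:0\n' > "$demo/tree/etc/passwd"
printf 'PermitRootLogin no\n' > "$demo/tree/etc/sshd_config"
fim_baseline "$demo/tree" "$demo/aide.db"
printf 'evil:x:0:0\n' >> "$demo/tree/etc/passwd"      # modified: an added uid-0 user
touch "$demo/tree/etc/ld.so.preload"                   # added: a file FIM tools watch closely
rm "$demo/tree/etc/sshd_config"                        # removed
fim_check "$demo/tree" "$demo/aide.db" || echo "changes detected since baseline"
rm -rf "$demo"
```

Two things carry over directly to AIDE: the baseline is only as trustworthy as the system was when it was taken, and the database must live somewhere the host cannot rewrite, since whoever can change /etc/passwd can also change a baseline stored next to it.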

6. Regular Backups and Security Audits

Regular backups are what let you recover from a compromise or a hardware failure, but a backup only counts once a restore has been tested. Keep at least one copy off the server, so that an intruder with root or a failed disk cannot take the backups along with the data. Use tools like rsync or automated backup systems such as Bacula or Amanda.

Additionally, perform regular security audits using a tool like Lynis (on RHEL/CentOS it is available from EPEL):

bash

sudo apt install lynis
sudo lynis audit system

Lynis performs an in-depth security scan of your system and suggests improvements, each with an identifier you can look up for the reasoning behind it.


7. Harden Kernel and System Settings

To further secure your server, harden kernel and system settings with sysctl parameters and a mandatory access control system (SELinux or AppArmor).

  • Sysctl settings: put kernel parameters in a file under /etc/sysctl.d/ (or in /etc/sysctl.conf) and apply them with sysctl --system. Typical entries disable IP forwarding (unless the host routes or runs containers that need it), enable TCP SYN cookies, ignore ICMP redirects and source-routed packets, and turn on reverse-path filtering.
  • SELinux/AppArmor: keep SELinux (RHEL/CentOS) in enforcing mode and AppArmor (Ubuntu) enabled rather than switching them off when something fails. Check the state with getenforce or aa-status, and when a service is blocked, read the audit log and fix that specific denial instead of disabling the whole system.
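The following is an added example, not from the original article: a sysctl drop-in with the two settings the bullet names (IP forwarding off, SYN cookies on) plus their usual network companions, and a checker that compares the file against either the running kernel or a saved sysctl -a dump, so drift can be detected offline. The function names are mine; the parameter names are the real kernel ones.

```bash
#!/usr/bin/env bash
# Added example (not the article's code): a sysctl hardening drop-in and a
# compliance check for it.

# sysctl_hardening_conf: print the drop-in. On a host, write it to
# /etc/sysctl.d/99-hardening.conf and run `sysctl --system`.
sysctl_hardening_conf() {
    cat <<'EOF'
# /etc/sysctl.d/99-hardening.conf (added example)
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
EOF
}

# sysctl_check CONF [DUMP]: print one MISMATCH line per key whose current value
# differs from CONF. The current value comes from DUMP ("key = value" lines as
# `sysctl -a` prints them) when given, otherwise from `sysctl -n` on this host.
# Returns 0 only when every key matches.
sysctl_check() {
    local conf="$1" dump="${2:-}" line key want have bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac        # skip blanks and comments
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        want=$(printf '%s' "${line#*=}" | tr -d ' \t')
        if [ -n "$dump" ]; then
            have=$(awk -v k="$key" '$1 == k { print $3; exit }' "$dump")
        else
            have=$(sysctl -n "$key" 2>/dev/null || true)
        fi
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: want %s, have %s\n' "$key" "$want" "${have:-<unset>}"
            bad=$((bad + 1))
        fi
    done < "$conf"
    [ "$bad" -eq 0 ]
}

# Demo against a constructed `sysctl -a` dump of a host that still forwards packets.
demo=$(mktemp -d)
sysctl_hardening_conf > "$demo/99-hardening.conf"
sysctl_hardening_conf | grep -v '^#' |
    sed 's/^net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' > "$demo/running.txt"
sysctl_check "$demo/99-hardening.conf" "$demo/running.txt" || echo "host has drifted from policy"
rm -rf "$demo"
```

Run sysctl_check with the drop-in and no dump on the live host after sysctl --system; anything it reports is either a typo in the file or another drop-in overriding it, which is exactly what you want to know. Leave net.ipv4.ip_forward at 1 on hosts running Docker or Kubernetes, which need it.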


8. Conclusion

Securing a Linux server is an ongoing process that involves multiple layers of protection. By following the steps outlined in this article — from updating your system to securing SSH access, setting up firewalls, and monitoring with tools like Fail2Ban and AIDE — you can drastically reduce the risk of your server being compromised.

Next Steps:

  • Set up log rotation with logrotate and forward logs to a central collector, so that an intruder who gains root cannot quietly erase the evidence.
  • Confirm that the automatic security updates from section 1 are actually being applied, for example by reading the unattended-upgrades or dnf-automatic logs.
  • Test your server's exposure from outside with Nmap (which ports answer) and a vulnerability scanner such as OpenVAS.

Stay tuned for the next article in our series: "Linux 110: Monitoring and Performance Tuning Your Linux Server".
