# Basic Security for a Linux Server #

These are basic steps for hardening a Linux server. Of course, specifics will vary depending on the server's role and exposure.

## Disable root login via ssh ##

Make a normal user account that can escalate with sudo.

- See visudo(8), usermod(8)
- Test it to make sure.

Make sure we have the appropriate keys in ~/.ssh/authorized_keys for our remote logins.

Disable root ssh logins. See sshd_config(5). Edit /etc/ssh/sshd_config:

    PermitRootLogin no

or:

    # sed -i 's/^PermitRootLogin yes$/PermitRootLogin no/' /etc/ssh/sshd_config

(That sed only rewrites an uncommented `PermitRootLogin yes` line. If the directive is commented out or set to some other value, edit the file by hand, and check the result with `grep -i permitrootlogin /etc/ssh/sshd_config`.)

For a public server, we might want to change the ssh port too, if only to cut down on the log noise from bots.

We probably don't want password-only authentication. Use key-based auth or (on newer versions of sshd) key _and_ password. Edit /etc/ssh/sshd_config:

    PasswordAuthentication no

or:

    # sed -i 's/^#PasswordAuthentication yes$/PasswordAuthentication no/' /etc/ssh/sshd_config

or:

    AuthenticationMethods publickey,password

and then:

    # systemctl restart sshd

Keep the existing session open and test a fresh login from a second terminal before closing it, so a mistake in sshd_config doesn't lock us out.

## iptables firewall ##

See http://paulgorman.org/technical/linux-iptables.txt

Set rules with both iptables and ip6tables.

List rules:

    # iptables -nvL --line-numbers

Starting point for rules (set the DROP policy last, after the rule allowing ssh, or a remote session gets cut off):

    # iptables --flush INPUT
    # iptables -I INPUT 1 -m state --state ESTABLISHED -j ACCEPT
    # iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    # iptables -A INPUT -i lo -j ACCEPT
    # iptables --policy INPUT DROP

Rules will not persist across reboots by default. Save them, and restore them before the network interfaces come up:

    mkdir -p /etc/iptables
    iptables-save > /etc/iptables/rules.v4
    iptables-restore < /etc/iptables/rules.v4
    cat > /etc/network/if-pre-up.d/iptables << EOL
    #!/bin/bash
    /sbin/iptables-restore < /etc/iptables/rules.v4
    EOL
    chmod 0755 /etc/network/if-pre-up.d/iptables

Do the same for the IPv6 rules with ip6tables-save and ip6tables-restore (e.g. to /etc/iptables/rules.v6).

## Make sure email alerts go somewhere that gets read ##

Get mail working. On Debian:

    # dpkg-reconfigure exim4-config

See etc-aliases(5).
Edit /etc/aliases, then run:

    # newaliases

Furthermore, to make identifying the source of alerts easier, set a full name for root that includes the machine name:

    # chfn -f "$(hostname -f) root"

## fail2ban ##

NOTE: `sshguard` may be preferable to `fail2ban`. Remember to add friendly IPs to `/etc/sshguard/whitelist`.

We may want to install fail2ban, and set options in /etc/fail2ban/jail.local.

## Review open ports and running services ##

List listening sockets and the processes that own them (as root, so that -p can report every process, not just our own):

    # netstat -npl

What's using that port?

    # lsof -i :80
    COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
    nginx   1569 root    6u  IPv4  20483      0t0  TCP *:http (LISTEN)

List enabled services:

    $ systemctl list-unit-files --type=service | grep enabled

Disable a service:

    # systemctl stop foo.service
    # systemctl disable foo.service

## tripwire ##

We may want to install an intrusion detection system, like tripwire. See https://www.digitalocean.com/community/tutorials/how-to-use-tripwire-to-detect-server-intrusions-on-an-ubuntu-vps
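As an added example (not part of these notes), here is a POSIX sh audit of an sshd_config file for the two settings from the "Disable root login via ssh" section above, useful for the "test it to make sure" step. It assumes directives are written in the plain `Keyword value` form (not `Keyword=value`) and checks only the global section before any `Match` block.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit an sshd_config file for
# the settings above. sshd_config(5) uses the FIRST uncommented occurrence of
# a keyword, so a "PermitRootLogin no" appended at the end of the file does
# nothing if "PermitRootLogin yes" already appears earlier. The functions
# mirror that rule and stop at the first "Match" block (conditional settings).

# Print the effective value of KEYWORD (case-insensitive) in FILE, or nothing
# if it is never set. Assumes the "Keyword value" form, not "Keyword=value".
sshd_effective() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }      # skip comments and blanks
        tolower($1) == "match"       { exit }      # conditional section: stop
        tolower($1) == kw {                        # first hit wins
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# Succeed only if password-only logins are off: "PasswordAuthentication no",
# or every AuthenticationMethods list requires publickey.
password_only_disabled() {
    [ "$(sshd_effective "$1" PasswordAuthentication)" = no ] && return 0
    methods=$(sshd_effective "$1" AuthenticationMethods)
    [ -n "$methods" ] || return 1
    for list in $methods; do
        case ",$list," in *,publickey,*) ;; *) return 1 ;; esac
    done
    return 0
}

# Report both checks; exit status is 0 only if both pass.
sshd_audit() {
    rc=0
    root=$(sshd_effective "$1" PermitRootLogin)
    if [ "$root" = no ]; then echo "ok:   PermitRootLogin no"
    else echo "FAIL: PermitRootLogin is '${root:-unset}'"; rc=1; fi
    if password_only_disabled "$1"; then echo "ok:   password-only logins off"
    else echo "FAIL: password-only logins still possible"; rc=1; fi
    return $rc
}

# Demo on a constructed config (not a real server's file): the trailing
# "PermitRootLogin no" loses to the earlier "yes", which the audit catches.
tmp=$(mktemp)
printf '%s\n' '# sample' 'PermitRootLogin yes' 'PasswordAuthentication no' \
    'PermitRootLogin no' > "$tmp"
sshd_audit "$tmp"
rm -f "$tmp"
```

Run it against /etc/ssh/sshd_config as `sshd_audit /etc/ssh/sshd_config` after editing; a non-zero exit status means one of the two settings is not in effect.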