paulgorman.org/technical

Basic Security for a Linux Server

These are basic steps for hardening a Linux server. Of course, specifics will vary depending on the server's role and exposure.

Disable root login via ssh

Make a normal user account that can escalate with sudo.
  - See visudo(8), usermod(8).
  - Test it to make sure.

Make sure we have the appropriate keys in ~/.ssh/authorized_keys for our remote logins.

Disable root ssh logins. See sshd_config(5). Edit /etc/ssh/sshd_config:

PermitRootLogin no

or:

# sed -i 's/^PermitRootLogin yes$/PermitRootLogin no/' /etc/ssh/sshd_config

For a public server, we might want to change the ssh port too, if only to cut down on the log noise from bots.

We probably don't want password-only authentication. Use key-based auth or (on newer versions of sshd) require both a key and a password. Edit /etc/ssh/sshd_config:

PasswordAuthentication no

or

# sed -i 's/^#PasswordAuthentication yes$/PasswordAuthentication no/' /etc/ssh/sshd_config

or

AuthenticationMethods publickey,password

and:

# systemctl restart sshd
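To verify the result rather than trust the sed one-liners, here is an added audit script (not from the original page) that resolves settings the way sshd does: the first uncommented occurrence of a keyword wins, so a stray earlier line silently overrides a later edit, and the publickey,password form is accepted only if every alternative still demands a key. It assumes only the global section (before any Match block) matters and does not handle the Keyword=value spelling.

```shell
#!/bin/sh
# Constructed audit helper (not the page's code). Assumptions: only the global
# section before the first "Match" block is examined; "Keyword=value" is not handled.
# sshd_effective FILE KEYWORD -> the value sshd would use: first uncommented
# occurrence wins, keyword match is case-insensitive; prints nothing if unset
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comment or blank line
        tolower($1) == "match" { exit }                  # end of global section
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# key_required_everywhere "publickey,password publickey,keyboard-interactive"
# -> 0 if every space-separated alternative lists publickey
key_required_everywhere() {
    for alt in $1; do
        case ",$alt," in *,publickey,*) ;; *) return 1 ;; esac
    done
    return 0
}

# audit_sshd_config FILE -> 0 when root login is off and a password alone can
# never log in (PasswordAuthentication no, or AuthenticationMethods demands a
# key in every alternative); prints one line per finding, returns 1 otherwise
audit_sshd_config() {
    f=$1 rc=0
    prl=$(sshd_effective "$f" PermitRootLogin | tr 'A-Z' 'a-z')
    [ "$prl" = "no" ] || { echo "FAIL: PermitRootLogin is '${prl:-unset}', want no"; rc=1; }
    pw=$(sshd_effective "$f" PasswordAuthentication | tr 'A-Z' 'a-z')
    am=$(sshd_effective "$f" AuthenticationMethods | tr 'A-Z' 'a-z')
    if [ "$pw" = "no" ]; then
        :
    elif [ -n "$am" ] && key_required_everywhere "$am"; then
        :   # password stays on, but only as a second step after a key
    else
        echo "FAIL: password-only login possible (PasswordAuthentication='${pw:-unset}' AuthenticationMethods='${am:-unset}')"
        rc=1
    fi
    return $rc
}
# Demo on a constructed file: commented-out defaults, then the hardened form
tmp=$(mktemp)
printf '%s\n' '#PermitRootLogin prohibit-password' '#PasswordAuthentication yes' > "$tmp"
audit_sshd_config "$tmp" || echo "-> not hardened"
printf '%s\n' 'PermitRootLogin no' 'AuthenticationMethods publickey,password' > "$tmp"
audit_sshd_config "$tmp" && echo "-> hardened"
rm -f "$tmp"
```

Run sshd -t after editing and before the restart: it checks the file for syntax errors without touching the running daemon.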

iptables firewall

See http://paulgorman.org/technical/linux-iptables.txt

Set rules with both iptables and ip6tables.

List rules:

# iptables -nvL --line-numbers

Starting point for rules:

# iptables --flush INPUT
# iptables -I INPUT 1 -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables --policy INPUT DROP

Rules will not persist across reboots by default. Save them and restore them from an if-pre-up.d hook (this hook applies to Debian-style ifupdown systems):

mkdir -p /etc/iptables
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
iptables-restore < /etc/iptables/rules.v4
ip6tables-restore < /etc/iptables/rules.v6
cat > /etc/network/if-pre-up.d/iptables << 'EOL'
#!/bin/bash
# Restore both the IPv4 and IPv6 rule sets before the interface comes up
/sbin/iptables-restore < /etc/iptables/rules.v4
/sbin/ip6tables-restore < /etc/iptables/rules.v6
EOL
chmod 0755 /etc/network/if-pre-up.d/iptables

Make sure email alerts go somewhere that gets read

Get mail working. On Debian:

# dpkg-reconfigure exim4-config

See etc-aliases(5). Edit /etc/aliases, then run:

# newaliases

Furthermore, to make identifying the source of alerts easier, set a full name for root that includes the machine name:

# chfn -f "$(hostname -f) root"

fail2ban

NOTE: sshguard may be preferable to fail2ban. Remember to add friendly IPs to /etc/sshguard/whitelist.

We may want to install fail2ban, and set options in /etc/fail2ban/jail.local.

Review open ports and running services

$ netstat -npl

What’s using that port?

# lsof -i :80
COMMAND  PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx   1569     root    6u  IPv4  20483      0t0  TCP *:http (LISTEN)

$ systemctl list-unit-files --type=service | grep enabled

tripwire

We may want to install an intrusion detection system, like tripwire.

See https://www.digitalocean.com/community/tutorials/how-to-use-tripwire-to-detect-server-intrusions-on-an-ubuntu-vps