Server security is critical in today’s threat landscape. This comprehensive guide will walk you through the essential steps to harden your Linux server and protect it against common attack vectors.
Understanding Server Hardening
Server hardening is the process of enhancing server security through systematic configuration changes, software updates, and security policy implementation. A properly hardened server significantly reduces the attack surface available to potential threats.
In this guide, we’ll cover practical steps that both beginners and experienced administrators can implement to improve their server security posture.
1. User Account Security
Proper user account management is your first line of defense:
Secure the Root Account
- Disable direct root login via SSH
- Use
sudofor administrative tasks - Implement strong password policies
# Edit SSH config
sudo nano /etc/ssh/sshd_config
# Add or modify these lines
PermitRootLogin no
PasswordAuthentication no
Code language: PHP (php)Implement Password Policies
- Install password quality checking library:
sudo apt install libpam-pwquality
- Configure password policies in
/etc/security/pwquality.conf:
minlen = 12 # Minimum password length
minclass = 3 # Require 3 character classes
try_first_pass # Use previous password before prompting
Code language: PHP (php)2. Network Security
Configure Firewall Rules
Implement UFW (Uncomplicated Firewall) with strict rules:
# Install UFW
sudo apt install ufw
# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH (modify port if needed)
sudo ufw allow 22/tcp
# Enable firewall
sudo ufw enable
Code language: PHP (php)Secure SSH Configuration
Modify /etc/ssh/sshd_config with these security-focused settings:
# Use SSH Protocol 2
Protocol 2
# Limit authentication attempts
MaxAuthTries 3
# Set login grace time
LoginGraceTime 60
# Disable empty passwords
PermitEmptyPasswords no
Code language: PHP (php)3. System Updates and Package Management
Automated Security Updates
Install and configure unattended-upgrades:
# Install package
sudo apt install unattended-upgrades
# Configure automatic updates
sudo dpkg-reconfigure unattended-upgrades
Code language: PHP (php)Remove Unnecessary Services
# List running services
systemctl list-units --type=service
# Disable unnecessary services
sudo systemctl disable <service_name>
sudo systemctl stop <service_name>
Code language: PHP (php)4. File System Security
Secure Mount Options
Modify /etc/fstab to include secure mount options:
# Add these options to relevant mount points
defaults,noexec,nosuid,nodev
Code language: PHP (php)Set Proper File Permissions
# Secure important directories
sudo chmod 700 /root
sudo chmod 700 /home/*
sudo chmod 644 /etc/passwd
sudo chmod 600 /etc/shadow
Code language: PHP (php)5. Monitoring and Logging
Configure System Logging
Install and configure fail2ban for intrusion prevention:
# Install fail2ban
sudo apt install fail2ban
# Create local config
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# Edit configuration
sudo nano /etc/fail2ban/jail.local
Code language: PHP (php)Basic fail2ban configuration:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
Code language: JavaScript (javascript)6. Regular Security Audits
Implement regular security scanning with Lynis:
# Install Lynis
sudo apt install lynis
# Run security audit
sudo lynis audit system
Code language: PHP (php)Best Practices for Ongoing Maintenance
- Regular Security Updates
- Schedule weekly system updates
- Monitor security advisories
- Test updates in development environment first
- Access Control Reviews
- Audit user accounts quarterly
- Review sudo permissions
- Update SSH keys regularly
- Backup Strategy
- Implement automated backups
- Test backup restoration regularly
- Store backups securely off-site
Conclusion
Server hardening is an ongoing process that requires regular attention and updates. By implementing these security measures, you’ll significantly improve your server’s security posture against common threats and vulnerabilities.
Remember to document all changes made to your system and maintain a regular schedule for security reviews and updates.
Additional Resources
Stay vigilant and keep your systems secure!