Linux is the most commonly used operating system for web-facing computers, running on nearly 75% of servers according to Netcraft’s August 2019 data — we’ll cover how to make your Linux servers more secure.
Linux powers the internet as we know it — it took over the digital world early on and hasn’t let up since then. This is why Linux server security is crucial to data security.
Whether you rely on your trusty Android smartphone or enjoy browsing social media platforms like Facebook or Pinterest, Linux likely plays an important role in your daily life — even if you’re not fully aware of it. This reality is even more evident in the business world, where Linux is responsible for the web presence of companies of all sizes. In fact, Netcraft’s June 2020 survey shows that Linux also powers nine of the top 10 most reliable host companies’ websites.
Unfortunately, security concerns are nearly as common as Linux itself. These servers have been under assault for years, but many users remain unaware of the extent to which their data can be compromised without proactive server security measures.
But what can you do to protect your server and increase your Linux server security? We’ll explore the role of Linux hardening and cover 10 best practices you can put into action right away.
Let’s hash it out.
The Role of Linux Hardening in Linux Server Security
Many of the Linux server security issues you may experience occur, in part, because they don’t arrive hardened out of the box.. Rather, it’s the user’s responsibility to set up systems that reveal suspicious activities. Without this extra effort, Linux servers can be shockingly vulnerable.
Further complicating matters, many of today’s top security initiatives focus on the front office rather than the server rack. This provides plenty of opportunities for malicious parties to acquire sensitive data, and the results can be devastating. The good news? There’s no need to take a passive approach and succumb to Linux server security concerns — a strategic protocol focused on risk prevention and early mitigation can make all the difference.
10 Security Best Practices for Linux Servers
While securing Linux servers may seem like a hassle, the process comes with a clear silver lining: it provides an extra degree of control. What’s more, server security isn’t necessarily difficult to achieve. A few basic Linux hardening and Linux server security best practices can make all the difference, as we explain below:
1. Use Strong and Unique Passwords
Strong passwords form the basis of any secure server. If possible, these should feature a minimum length of at least 10 characters, plus requirements for using special characters or upper and lowercase letters. The same password should never be used for multiple users or software systems. Don’t forget to configure expiration, as no password can provide adequate security indefinitely.
Several excellent password managers are available for the Linux platform. Many of these offer crucial features, such as:
Bitwarden, LastPass, Enpass, and Dashlane represent some of the best options available. However, no one password manager is ideal for every server; therefore, it’s important to examine your options thoroughly to ensure you find a tailored approach that meets your unique needs.
Manage Digital Certificates like a Boss
14 Certificate Management Best Practices to keep your organization running, secure and fully-compliant.
2. Generate an SSH Key Pair
While strong passwords can make a difference, even stronger methods of logging into private servers are available. Secure shell (SSH) key pairs, in particular, are worth implementing because these systems are far more difficult to hack through brute force.
Before utilizing SSH keys, it’s important to understand why you may want to implement them instead of the standard username and password setup. While passwords are certainly more convenient for everyday users, these same users tend to rely on easily guessed options that leave the entire security infrastructure vulnerable.
SSH key pairs, while not as user-friendly as passwords, are significantly more secure. This enhanced security can be attributed to the encryption utilized by both the server being logged into and the computer being used. At a minimum, an SSH key pair represents the equivalent of a 12-character password. In reality, however, the vast majority of SSH key pairs are even more complex. For this reason, SSH key pairs should be one of the first measures implemented when adopting a proactive server security strategy.
How to Generate an SSH Key and Password
To set up an SSH key, type in the following command:
"ssh-keygen -t rsa"
You can choose where you want to save the key or simply hit enter to save it in the default location, as shown in the example below:
"Enter file in which to save the key (/home/youruser/.ssh/id_rsa):"
When selecting a location, consider the potential for SSH key sprawl, in which individuals and organizations lack proper inventory. This is a huge problem because many maintain dozens or even hundreds of SSH key pairs per server.
While determining where to save keys, weigh the likelihood of physical attacks against hacked servers. When in doubt, opt for a local device to reduce vulnerability in the event of a cyber attack.
Once you’re prompted to choose a password, the process is complete. Given the ease of executing this security essential, there’s no reason to avoid or procrastinate.
3. Update Your Software Regularly
Properly managing your Linux server security includes implementing regular software patches to address emerging vulnerabilities. Unfortunately, many Linux users neglect to put these patches into action. Without prompt updates, software can become exploitable and easy for hackers to use to gain access.
A wide variety of accessible options allow you to update Linux while using Ubuntu. These include command lines and the Ubuntu Update Manager.
To update via command line, use:
“apt-get update:”
This command will list the available packages. It also can provide information on their latest versions. In order to install these packages, you’ll want to use:
“apt-get upgrade:”
With the Ubuntu Update Manager, the process looks a little different. When using versions 18.0.4 or later, the first step involves clicking on the Show Applications icon in the bottom left corner of the desktop. From there, simply search for “Update Manager.”
4. Enable Automatic Updates
This best practice goes hand-in-hand with our last suggestion for greater Linux server security. If you struggle with handling a myriad of necessary security updates, consider implementing an automatic approach. Enabling automatic updates ensures that software security measures remain current, even when you neglect to pursue necessary updates because you’re occupied by other concerns.
A variety of options are available for enabling automatic updates. Your choice will largely depend on software selection. For GNOME users, simply:
- Open the System Menu,
- Select Administration,
- Navigate to Update Manager and choose Settings.
Next, open the Updates tab. There, you’ll find a setting that allows you to install security updates without the need for notification.
Another available option is using the unattended upgrades feature for Debian. This keeps the system updated when you cannot do so yourself but requires some element of monitoring. If you opt for unattended upgrades, begin by installing the package:
“sudo apt-get install unattended-upgrades”
Then enable the package:
“sudo dpkg-reconfigure --priority=low unattended-upgrades”
To monitor via email, install the apt-listchanges package. This can be configured to ensure that you receive prompt email alerts as updates occur. Get started with this command:
“# apt-get install unattended-upgrades apt-listchanges”
5. Avoid Unnecessary Software
New software can be tempting to implement, but not all web services are truly necessary. Each additional program provides yet another opportunity to expose your server to potential problems down the road.
While it’s tempting to add new, exciting software when it’s first available, this approach could lead to considerable security concerns in the long run. Over time, even the most efficient systems can become bogged down and bloated from unused, impractical, or redundant programs. It’s wise to do a system-wide audit of all software at least once a year. By making this simple commitment, you can optimize your server and keep it running at peak efficiency, even as you add new programs.
If your server already contains a high volume of software, use an RPM (Red Hat Package Manager) to review currently downloaded packages. From there, you can get rid of unnecessary software. To install the package, use this command:
“rpm -ivh {rpm-file}”
From there, the command “rpm -ev {package}” can be used to remove installed packages. Likewise, the command “rpm -Uvh {rpm-file}” allows you to upgrade packages.
6. Disable Booting from External Devices
Malicious parties can easily use external devices such as USB thumb drives to gain access to sensitive information. Disabled booting for external devices may reduce the potential for physical attacks, which can be just as damaging as hacking. Without this extra step, many security layers can be circumvented easily.
There are several different ways to disable certain USB ports in Linux. One option is to open the Terminal and enter the following code:
“# chmod 000 /media/”
To restore access to USB, this code will need to be entered:
“# chmod 777 /media/”
You may also disable USB access by editing the blacklist.conf file found in /etc/modprobe.d/blacklist.conf. To do this, enter the following line in the .conf file:
“# sudo echo "blacklist usb-storage" /etc/modprobe.d/blacklist.conf”
7. Close Hidden Open Ports
Open ports may reveal network architecture information while extending attack surfaces. Therefore, ports that aren’t absolutely essential should be closed with haste. The netstat command can be used to determine which ports are listening while also revealing the details of connections that may currently be available.
The below command lines can be utilized to find specific ports:
- All TCP ports — “netstat -at”
- All UDP ports — “netstat -au”
- All listening ports — “netstat -l”
- Information for all ports — “netstat -s”
8. Scan Log Files with Fail2ban
Brute force attacks are shockingly common with Linux servers. However, they often succeed not because the malicious parties are particularly capable or devious, but rather, because of a sheer lack of preventative measures beyond slightly improved password protection.
If you’re looking for a next-level solution for preventing brute force attacks, consider implementing the intrusion prevention software Fail2ban. This system alters firewall rules to ban any address that has attempted to log in a specific number of times. It can be used to spot and address authentication failure patterns. Email alerts provide prompt warnings of attacks to ensure that the server is brought under control as quickly as possible.
Use the following command to install Fail2ban on CentOS 7:
“yum install fail2ban”
With Debian, the installation process involves this command:
“apt-get install fail2ban”
If you would like email support, use the command “yum install sendmail” for CentOS 7 or “apt-get install sendmail-bin sendmail” for Debian.
9. Utilize Backups and Test Them Often
Offsite backups are essential for Linux servers. In the event of an intrusion, these can ensure that critical data remains accessible. They are particularly valuable in the event of a ransomware attack. While they can’t outright prevent ransomware issues, they can ensure that, in the worst-case scenario, the damage is limited by retaining access to essential data.
The application rsync is a popular option for backing up data in Linux. It comes…
Linux Server Security: 10 Linux Hardening & Security Best Practices