Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

9 Useful Tips For Linux Server Security

DZone's Guide to

9 Useful Tips For Linux Server Security

Any serious systems can't ignore server security, especially in public Cloud. No doubt there're tons of tips and tutorials available on the Internet. This article focuses on the fundamentals and general best practices first.

· Performance Zone
Free Resource

Download our Introduction to API Performance Testing and learn why testing your API is just as important as testing your website, and how to start today.

Any serious systems can't ignore server security, especially in public Cloud. No doubt there're tons of tips and tutorials available on the Internet. Let's focus on fundamental and general best practices first.

A List Of Security Improvements I Enforce After OS Provisioning

Here we use Ubuntu 16.04 for instance:

1. Keep Kernel Up-To-Date.

Certainly no blind update for prod envs. But for newly installed servers, it's usually harmless and can guarantee a higher level of security.

One common suggestion is disabling unused services. But I choose to trust my distros provider. Generally speaking, I believe they might make right choices to have what installed and enabled by default.

apt-get -y update

2. Reset Root password.

We need that to access web console of VMs. This happens when ssh doesn't work. e.g. problematic iptables rules block you, OS runs into kernel panic, or machine reboot mysteriously sticks.

root_pwd="DevOpsDennyChangeMe1"
echo "root:$root_pwd" | chpasswd

3. Hardening SSHD.

Only allow ssh by keyfile, thus hackers can't easily break-in by guessing your password. Use another ssh listening port other than 22, which can avoid annoying ssh login attempts.

# Disable ssh by password
sed -i 's/^#PasswordAuthentication yes/PasswordAuthentication no/g' \
      /etc/ssh/sshd_config
sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' \
     /etc/ssh/sshd_config
grep PasswordAuthentication /etc/ssh/sshd_config

# Use another ssh port
sshd_port="2702"
sed -i "s/^Port 22/Port $sshd_port/g" /etc/ssh/sshd_config
grep "^Port " /etc/ssh/sshd_config

# Restart sshd to take effect
service ssh restart

4. Restrict Malicious Access By Firewall.

This might be the most important security improvement you shall do.

# Have a clean start with iptables
iptables -F; iptables -X
echo 'y' | ufw reset
echo 'y' | ufw enable
ufw default deny incoming
ufw default deny forward

# Allow traffic of safe ports
ufw allow 22,80,443/tcp

# Allow traffic from certain port
ufw allow 2702/tcp

# Allow traffic from trusted ip
ufw allow from 52.74.151.55

5. Add Timestamp To Command History.

It allows us to review what commands has been issued, and when.

echo export HISTTIMEFORMAT=\"%h %d %H:%M:%S \" >> /root/.bashrc

6. Generate SSH Key Pair. Never, ever share the same ssh key pair across servers!

exec ssh-agent bash

# General new key pair
ssh-keygen

# Load key pair
ssh-add

7. Pay Close Attention to var/log.

Use logwatch to automate the check and analysis. It's a userful parsing perl script that analyzes and generates daily reports on your system’s log activity. Major log files:

  • /var/log/kern.log
  • /var/log/syslog
  • /var/log/ufw.log
  • /var/log/auth.log
  • /var/log/dpkg.log
  • /var/log/aptitude
  • /var/log/boot.log
  • /var/log/cron.log
  • /var/log/mailog
apt-get install -y logwatch

# Full check. Takes several minutes
logwatch --range ALL

# Only check log of Today
logwatch --range Today

8. Run 3rd Security Check Tools.

Not everyone can or will be a security expert. Better try reliable and versatile tools. lynis is quite handy and straightforward. Just a single bash file.

apt-get install -y lynis

# Run lynis to check security issues
lynis -c

9. Proper Backup Unrecoverable Data. Always has plan B. As the last resort, make it's feasible to do a quick system restore in new servers.

Special thanks to this Reddit discussion.

More Reading: Detect Suspicious Linux Processes.

Find scaling and performance issues before your customers do with our Introduction to High-Capacity Load Testing guide.

Topics:
devops ,linux ,security

Published at DZone with permission of Denny Zhang, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

THE DZONE NEWSLETTER

Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

X

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}