11 Things You Can Do to Secure Your Linux Server

Linux is one of the most popular and widely used operating systems in the world, especially for servers. Linux servers power millions of websites, applications, databases, and other services that we use every day.

However, Linux servers are not immune to cyberattacks, and they require proper security measures to protect them from hackers, malware, and other threats.

In this blog post, I'll share some tips on how to strengthen your Linux server security and prevent any malicious things from happening to your server.

1. Update Your System Regularly

One of the most basic yet important steps to strengthen your Linux server is to keep it updated with the latest security patches and bug fixes. This will help you prevent potential vulnerabilities and exploits that can compromise your server. To update your system, you can use the following commands:

• For Debian-based servers (such as Ubuntu), use sudo apt update and sudo apt upgrade.
• For RHEL-based servers (such as CentOS), use sudo dnf update. For your knowledge, dnf upgrade is simply an alias introduced in later versions of RHEL-based distros - so they're identical

You can also enable automatic updates for your system by configuring the unattended-upgrades package on Debian-based servers or the dnf-automatic package on RHEL-based servers.

2. Configure a Firewall

A firewall is a software or hardware device that filters incoming and outgoing network traffic based on predefined rules. It can help you block unwanted or malicious connections and protect your server from network attacks. To configure a firewall on your Linux server, you can use the following tools:

• iptables: This is the default firewall tool for Linux that allows you to create and manage firewall rules using the command line. You can use iptables -L to list the current rules, iptables -A to append a new rule, iptables -D to delete a rule, and iptables -F to flush all rules. You can also use iptables-save and iptables-restore to save and restore your rules across reboots.
• ufw: This is a user-friendly frontend for iptables that simplifies the process of creating and managing firewall rules. You can use sudo ufw status to check the status of the firewall, sudo ufw enable and sudo ufw disable to turn it on and off, and sudo ufw allow and sudo ufw deny to allow and deny specific ports or protocols. You can also use sudo ufw default to set the default policy for incoming and outgoing traffic.
• firewalld: This is another frontend for iptables that is mainly used on RHEL-based servers. It uses the concept of zones and services to define firewall rules. You can use sudo firewall-cmd --state to check the status of the firewall, sudo firewall-cmd --reload to reload the configuration, and sudo firewall-cmd --zone=ZONE --add-service=SERVICE and sudo firewall-cmd --zone=ZONE --remove-service=SERVICE to add and remove services from a zone. You can also use sudo firewall-cmd --get-zones and sudo firewall-cmd --get-services to list the available zones and services.

3. Use Secure Shell (SSH) Keys

SSH is a protocol that allows you to remotely access and manage your Linux server. However, using a password to authenticate your SSH connection can be insecure and vulnerable to brute-force attacks. A better alternative is to use SSH keys, which are pairs of cryptographic keys that can be used to verify your identity without a password. To use SSH keys, you need to generate a public and a private key on your local machine, and then copy the public key to your server. You can use the following commands to do this:

• On your local machine, use ssh-keygen to generate a new key pair. You can specify the name and location of the keys, and optionally set a passphrase for extra security. By default, the keys are stored in ~/.ssh with the names id_rsa (private key) and id_rsa.pub (public key).
• On your server, use ssh-copy-id to copy your public key to the server. You need to provide your username and the server’s IP address or hostname. This will create a file called authorized_keys in ~/.ssh on the server, which contains your public key.
• On your local machine, use ssh to connect to your server without a password. You need to provide your username and the server’s IP address or hostname. If you set a passphrase for your key, you will be prompted to enter it once per session.

You can read up more on this more detailed guide below:

How to Generate an SSH Key Pair and Add it to Your Remote Server on Linux

SSH (Secure Shell) keys provide a secure way to authenticate your identity when connecting to remote servers. They consist of a private key (kept secret) and a public key (shared with remote servers). This guide will walk you through generating an SSH key pair and adding it to your remote

WirekatMarkus

If you also want to make your life a hell of a lot easier - consider this guide to the simple SSH config. It'll make you love SSH and wonder why would anybody use a password based login!

Using SSH keys efficiently - intro to the easy to use SSH config

SSH (Secure Shell) is a widely used protocol for secure remote access to systems and secure data communication. It allows users to connect securely to remote servers and services, like GitHub, using cryptographic keys. When managing multiple remote servers or repositories, each requiring a unique SSH key, configuring SSH to

WirekatMarkus

4. Disable Root Login and Password Authentication

Another way to strengthen your SSH connection is to disable root login and password authentication. This will prevent anyone from logging in as the root user or using a password to access your server. To do this, you need to edit the SSH configuration file on your server, which is located at /etc/ssh/sshd_config. You can use the following commands to do this:

• Use sudo nano /etc/ssh/sshd_config to open the file with a text editor.
• Find the line that says PermitRootLogin yes and change it to PermitRootLogin no.
• Find the line that says PasswordAuthentication yes and change it to PasswordAuthentication no.
• Save and exit the file.
• Use sudo systemctl restart sshd to restart the SSH service.

5. Install and Configure Fail2ban

Fail2ban is a tool that monitors your server logs and automatically bans IP addresses that show malicious behavior, such as repeated failed login attempts. This can help you prevent brute-force attacks and reduce the load on your server. To install and configure fail2ban on your Linux server, you can use the following commands:

• For Debian-based servers, use sudo apt install fail2ban.
• For RHEL-based servers, use sudo dnf install fail2ban.
• Use sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local to create a copy of the default configuration file.
• Use sudo nano /etc/fail2ban/jail.local to edit the file with a text editor.
• Find the section that says [DEFAULT] and adjust the parameters according to your needs. For example, you can change the bantime to specify how long an IP address is banned, the findtime to specify the time window for counting failed attempts, and the maxretry to specify the number of failed attempts before banning an IP address.
• Find the section that says [sshd] and enable it by changing enabled = false to enabled = true. This will activate the fail2ban rule for SSH connections. You can also enable other rules for different services, such as [apache], [nginx], [postfix], etc.
• Save and exit the file.
• Use sudo systemctl restart fail2ban to restart the fail2ban service.
  

For a more detailed guide and/or explanation of Fail2ban's further use, check out this straightforward guide 😉

Protecting your Linux server - Installing fail2ban

Right as soon as your Linux server is available to the internet, it’ll be consistently swarmed by login attempts. Here we explore a tool designed to help tackle this problem. Understanding Fail2ban Fail2ban, a powerful open-source intrusion prevention tool, stands as a sentinel against malicious activities by detecting and mitigating

WirekatMarkus

6. Encrypt Your Data with LUKS

LUKS (Linux Unified Key Setup) is a standard for disk encryption that allows you to protect your data from unauthorized access. It works by creating a secure container on your disk that can only be opened with a passphrase or a key file. To encrypt your data with LUKS on your Linux server, you can use the following commands:

• Use sudo fdisk -l to list the available disks and partitions on your server. Identify the partition that you want to encrypt, such as /dev/sda1.
• Use sudo cryptsetup luksFormat /dev/sda1 to format the partition with LUKS. You will be asked to enter and confirm a passphrase that will be used to unlock the partition. Make sure you remember this passphrase or store it in a safe place.
• Use sudo cryptsetup luksOpen /dev/sda1 cryptdata to open the partition and create a mapping device called cryptdata. You will be asked to enter the passphrase that you set earlier.
• Use sudo mkfs.ext4 /dev/mapper/cryptdata to create a file system on the encrypted partition. You can use a different file system type if you prefer, such as xfs or btrfs.
• Use sudo mkdir /mnt/cryptdata to create a mount point for the encrypted partition.
• Use sudo mount /dev/mapper/cryptdata /mnt/cryptdata to mount the encrypted partition to the mount point.
• Use sudo nano /etc/fstab to edit the file system table with a text editor. Add a line like this to the end of the file:

/dev/mapper/cryptdata /mnt/cryptdata ext4 defaults 0 2

• Save and exit the file.

7. Limit the Number of Login Attempts

Another way to prevent brute force attacks on your Linux server is to limit the number of login attempts for each user or account. This will prevent hackers from trying different combinations of usernames and passwords until they find the correct one. You can limit the number of login attempts by using the pam_tally2 module on Ubuntu or the pam_faillock module on RHEL. For example, you can add the following lines to the /etc/pam.d/login file on Ubuntu:

auth required pam_tally2.so deny=3 unlock_time=600 onerr=fail audit even_deny_root_account silent account required pam_tally2.so

These lines will deny the login after 3 failed attempts, lock the account for 10 minutes, and log the failed attempts. They will also apply to the root account, which is often targeted by hackers.

8. Disable Unused Services and Ports

Another tip to improve your Linux server security is to disable any services and ports that you are not using. This will reduce the attack surface and the potential vulnerabilities of your server. You can use the systemctl command on Ubuntu or the service command on RHEL to manage the services on your server. For example, you can use the following command to stop and disable the Telnet service, which is insecure and should not be used:

sudo systemctl stop telnet
sudo systemctl disable telnet

You can also use the ufw command on Ubuntu or the firewall-cmd command on RHEL to manage the firewall rules on your server. For example, you can use the following command to block all incoming traffic on port 23, which is used by Telnet:

# Using ufw
sudo ufw deny 23

# Using firewalld
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port port="23" 
protocol="tcp" reject'

9. Enable SELinux or AppArmor

Another way to enhance your Linux server security is to enable SELinux or AppArmor, which are security modules that enforce mandatory access control policies on your server. These policies restrict the actions and resources that each process can access, based on their roles and contexts.

AppArmor vs SELinux - A comparison

Linux is a popular operating system that powers many servers, desktops, and devices. However, like any other system, Linux is not immune to security threats and vulnerabilities. To enhance the security of Linux, there are various security modules that can be integrated into the kernel to enforce access control policies

WirekatMarkus

This can prevent unauthorized or malicious activities on your server, such as privilege escalation, file tampering, or code injection. SELinux is available on RHEL by default, while AppArmor is available on Ubuntu by default. You can check the status of SELinux or AppArmor by using the following commands:

# SELinux
sestatus

# AppArmor
sudo apparmor_status

You can also enable or disable SELinux or AppArmor by editing the /etc/selinux/config file on RHEL or the /etc/default/grub file on Ubuntu. For example, you can change the following line to enable SELinux on RHEL:

SELINUX=enforcing

Or you can change the following line to enable AppArmor on Ubuntu:

GRUB_CMDLINE_LINUX_DEFAULT="apparmor=1"

10. Monitor and Audit Your Server Activity

The last tip to improve your Linux server security is to monitor and audit your server activity regularly. This will help you detect any suspicious or abnormal behavior on your server, such as unauthorized logins, file changes, or network connections. You can use various tools to monitor and audit your server activity, such as:

• ps or top to view the running processes on your server
• netstat or ss to view the network connections on your server
• last or lastb to view the login history on your server
• find or stat to view the file attributes on your server
• auditd or aide to audit the system events and file integrity on your server

You can also configure alerts and notifications for any critical or unusual events on your server, such as failed login attempts, high CPU usage, or file modifications. You can use tools such as logwatch, fail2ban, or monit to automate the alerting and reporting process.

11. Use a VPN

Another tip to improve your Linux server security is to use a VPN (Virtual Private Network) to protect your network.

A VPN creates a secure tunnel between your client machine and a remote server of your choice, and routes all your data through that tunnel. For example, it's quite common for some servers to only be accessed via the local network (LAN), but using a VPN can be a way to connect to this local network remotely, and then access the server.

VPN's are heavily used in large companies. It's also common for home servers owners that do not want to expose their server to the internet. If the server is breached - the whole network is!

There are different VPN protocols and solutions that you can use to set up a self-hosted VPN on your Linux server, such as OpenVPN, WireGuard, OpenConnect, and V2ray. Each of them has its own advantages and disadvantages, depending on your needs and preferences.

WireGuard is often recommended the most, so I'd start with that!

Conclusion

These are some of the tips that can help you strengthen your Linux server security. It's perhaps not a complete list - but it's probable that the biggest security risk is not using common sense and being reckless.

Out of all, I'd say using an SSH key-pair, disabling SSH password login and disabling root user would be absolutely mandatory changes.

Stay safe!