
How to secure your Linux Server

Security is a crucial aspect of maintaining a Linux dedicated server and an ongoing challenge for administrators, especially as malicious attacks are becoming smarter and more complex in nature, posing a constant threat. Although many argue that Linux is inherently safer than other operating systems, it is no exception to these hazards, and there are a number of ways to improve its security.

Create new user
Upon installation, root is the only user by default on a Linux server. It is advisable to create a new user for server access and usage by the administrator.

Disable root login
The use of root is not recommended unless necessary. Where superuser privileges are needed, sudo is safer to use than su: root-level commands run via sudo require the user to authenticate and are logged by default in /var/log/secure. Sudo privileges are specified in /etc/sudoers, which should be edited with the ‘visudo’ utility (it opens the file in the vi editor and checks the syntax before saving).

Use secure shell (SSH)
Secure Shell is a cryptographic network protocol that offers greater protection against password breaches than Telnet and rlogin. Those protocols send everything in plain text, so passwords can be discovered by brute-forcing and packet capture. If an administrator chooses not to use SSH, then particular emphasis must be placed on strong passwords for user accounts, and the original root password must be changed.

Although SSH allows the system administrator to communicate with a server using encryption, it is still open to the possibility of an attack. To improve security it is worth removing root entirely as a means of SSH access:

  1. Go to, /etc/ssh/sshd_config.
  2. Change, #PermitRootLogin yes to PermitRootLogin no.
  3. Run, service sshd restart.
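As an added example (not code from the original article), a small POSIX shell script that audits sshd_config for the PermitRootLogin setting and applies the change from the steps above; it assumes no Match block overrides the directive.

```shell
#!/bin/sh
# Audit and apply the PermitRootLogin change from the steps above. sshd honours the
# FIRST uncommented occurrence of a keyword (keywords are case-insensitive); a
# "#PermitRootLogin yes" line is only the compiled-in default shown as a hint.
# Assumption: no Match block overrides the directive (Match blocks are ignored here).

# Print the effective value of a keyword, or nothing if it is not set at all.
sshd_value() {   # usage: sshd_value <config-file> <keyword>
  awk -v key="$2" '
    /^[[:space:]]*(#|$)/ { next }                     # skip comments and blank lines
    tolower($1) == tolower(key) { print $2; exit }    # first match wins, as in sshd
  ' "$1"
}

# Succeed only if root logins over SSH are disabled outright.
check_root_login() {   # usage: check_root_login <config-file>
  [ "$(sshd_value "$1" PermitRootLogin)" = "no" ]
}

# Rewrite the file: every PermitRootLogin line, commented or not, becomes
# "PermitRootLogin no"; the directive is appended if the file lacks it.
disable_root_login() {   # usage: disable_root_login <config-file>
  tmp="$1.tmp.$$"
  awk '
    {
      line = $0
      sub(/^[[:space:]]*#?[[:space:]]*/, "", line)    # strip leading "#" and spaces
      split(line, w, /[[:space:]]+/)
    }
    tolower(w[1]) == "permitrootlogin" {
      if (!done) { print "PermitRootLogin no"; done = 1 }
      next
    }
    { print }
    END { if (!done) print "PermitRootLogin no" }
  ' "$1" > "$tmp" && mv "$tmp" "$1"
}
```

After editing the real /etc/ssh/sshd_config, run sshd -t to check the syntax before service sshd restart, and keep the current session open until a fresh login as the non-root user succeeds.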

So as to improve password protection, limits can be set on the age of a password and how long it may be used. For instance, a password can be given a lifespan during which it is valid, before expiring (replace username with the account to modify):

chage -M 60 -m 7 -W 7 username

-M = Maximum number of days the password is valid (60 here)
-m = Minimum number of days required between password changes (7 here)
-W = Number of days before expiry that the user is warned (7 here)

Alternatively, the reuse of old passwords can be limited using the pam_unix PAM module:

  1. If using RHEL / CentOS / Fedora, open /etc/pam.d/system-auth; if using Ubuntu / Debian / Linux Mint, open /etc/pam.d/common-password.
  2. Under ‘auth’ add: auth sufficient pam_unix.so likeauth nullok
  3. Under ‘password’ add: password sufficient pam_unix.so nullok use_authtok md5 shadow remember=5

The system will now remember the last 5 passwords of each user. If a user attempts to reuse any of those 5 passwords, an error message is shown. Note that nullok permits accounts with an empty password to log in; omit it unless that is intended.

Set-up Firewall
Firewalls are a first line of defense in preventing unwanted data from accessing a server. By monitoring the flow of incoming and outgoing information from the server, a firewall will check a particular flow of traffic against the configuration of a server’s set of rules so as to determine whether to accept or reject it.

To utilize the Linux kernel firewall, IPTables must be enabled. This application allows the system administrator to configure the rules that will be applied by the Linux firewall when filtering incoming and outgoing packets.

The central IPTables files are:

  1. # /etc/init.d/iptables [Init scripts]
  2. # /etc/sysconfig/iptables [Rulesets]
  3. # /sbin/iptables [Binary]

To start, stop and restart IPTables firewall with init:

  1. # /etc/init.d/iptables start [Start]
  2. # /etc/init.d/iptables stop [Stop]
  3. # /etc/init.d/iptables restart [Restart]

To start IPTables from system boot:

  • # chkconfig --level 345 iptables on
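The article names the rules file but shows no rules. As an added example (not from the original article), a shell function that writes a default-deny baseline ruleset in iptables-restore format to /etc/sysconfig/iptables, opening only SSH, plus a quick sanity check on the result.

```shell
#!/bin/sh
# Write a default-deny baseline ruleset in iptables-restore(8) format to the
# RHEL/CentOS rules file named above (/etc/sysconfig/iptables), so that it is
# loaded by "/etc/init.d/iptables start". Only SSH is opened; add further
# services as explicit ACCEPT lines before the final LOG rule.
write_baseline_rules() {   # usage: write_baseline_rules [rules-file]
  cat > "${1:-/etc/sysconfig/iptables}" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic is always local.
-A INPUT -i lo -j ACCEPT
# Packets belonging to sessions the server already accepted or initiated.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Ping, rate-limited.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# New SSH connections; a source that opens 5 or more within 60 seconds is dropped,
# which slows password guessing (pair this with key-only logins).
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Everything else: log (rate-limited so the log cannot be flooded), then the DROP policy applies.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# Count the ACCEPT rules in a rules file: a quick sanity check before loading it.
accept_rule_count() {   # usage: accept_rule_count <rules-file>
  grep -c -- '-j ACCEPT' "$1"
}
```

Load the file with /etc/init.d/iptables restart from a console session rather than over SSH, so that a mistake in the rules cannot lock you out.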

Update system
Updating the server system is vital. Keep the Linux kernel and running software at the latest available versions to close known security flaws. To get updates on Red Hat or CentOS:

  • Run, yum update

Cleanse system
Software clutter creates greater vulnerabilities and hinders performance. In order to reduce the server’s attack surface and improve its overall performance, idle and/or unnecessary software can be removed. Packages like NFS, Samba and even the X Window desktop (GNOME or KDE) have their own vulnerabilities and are usually not needed on a server. Runlevel 3 is the standard runlevel for Linux-based servers. To check which services start in runlevel 3, use the chkconfig command:

  • # /sbin/chkconfig --list | grep ‘3:on’

To remove packages:

  1. List what is installed: yum list installed
  2. Find the exact package name: yum list <package-name>
  3. Remove the package: yum remove <package-name>

The netstat network command can also be used to check which open ports are in use by programs:

  • # netstat -tulpn

As part of a system cleanse, IPv6 can be disabled if it is not being used. Under network configuration add the following:

  1. Go to, /etc/sysconfig/network
  2. Add, NETWORKING_IPV6=no
  3. Add, IPV6INIT=no

Security extension
Use a security extension such as SELinux on RHEL or CentOS where possible. SELinux (Security-Enhanced Linux) is a Mandatory Access Control (MAC) mechanism provided by the Linux kernel. Having MAC enabled protects the system from malicious or compromised applications by confining what each process may access. To see if SELinux is running:

  • Run, sestatus.

Warning display
Having a login banner that shows a warning when accessing the server is useful to discourage malicious activity. Such a message can be created using the Message Of The Day (MOTD) file. For example, when a user logs into the system, a message can appear saying “Welcome. All activity is closely monitored and is being recorded.” To create something along these lines, edit:

  • Go to, /etc/motd

Cronjob control
Determining which users can run cronjobs increases control over a system. This can be done using embedded cron files such as /etc/cron.allow and /etc/cron.deny. To permit a user to run cron, add the username to cron.allow and to restrict a user from doing so, add username to cron.deny. Likewise, to permit or deny all, use ALL instead of username. For example, to deny all users from running cron:

  • # echo ALL >>/etc/cron.deny

Monitor activity
Monitoring user activity and collecting related information is always important, especially when dealing with many users. Logs should be reviewed regularly and it is advisable to move these files to a dedicated log server so as to help prevent intruders from easily modifying them. Common Linux default log files and their usage:

  • /var/log/messages [All system logs and current activity logs]
  • /var/log/auth.log [Authentication logs]
  • /var/log/kern.log [Kernel logs]
  • /var/log/cron.log [Cronjob logs]
  • /var/log/maillog [Mail server logs]
  • /var/log/boot.log [System boot logs]
  • /var/log/mysqld.log [MySQL database logs]
  • /var/log/secure [Authentication logs]
  • /var/log/yum.log [Yum log]
  • /var/log/utmp or /var/log/wtmp [Login records]
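As an added example (not from the original article) of the log review described above, a shell script that counts failed SSH password attempts per source address in /var/log/secure (or auth.log) and lists the sources that cross a threshold; the log lines are constructed samples in the format sshd writes via syslog.

```shell
#!/bin/sh
# Count failed SSH password attempts per source address in a /var/log/secure
# (or auth.log) file, and list the sources that exceed a threshold. The log lines
# below are constructed samples in the format sshd writes via syslog.
SAMPLE_LOG='Mar  3 10:01:02 srv1 sshd[2311]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:05 srv1 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 10:01:09 srv1 sshd[2315]: Accepted publickey for deploy from 198.51.100.20 port 40122 ssh2
Mar  3 10:01:12 srv1 sshd[2318]: Failed password for root from 203.0.113.7 port 51044 ssh2
Mar  3 10:02:30 srv1 sshd[2320]: Failed password for bob from 198.51.100.20 port 40130 ssh2
Mar  3 10:02:44 srv1 sshd[2322]: Failed password for root from 203.0.113.7 port 51050 ssh2'

write_sample_log() {   # usage: write_sample_log <file>
  printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# Print "count ip" per source, busiest first. "invalid user" lines are counted
# too, since the source address is always the word after "from".
failed_ssh_by_ip() {   # usage: failed_ssh_by_ip <logfile>
  awk '/sshd\[[0-9]+\]: Failed password for / {
         for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
       }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Sources at or above the threshold (default 3): candidates for a firewall block
# or for the per-source rate limit in the firewall section.
brute_force_sources() {   # usage: brute_force_sources <logfile> [threshold]
  failed_ssh_by_ip "$1" | awk -v t="${2:-3}" '$1 >= t { print $2 }'
}

# Failed attempts that targeted root specifically, the account this article says
# should not be reachable over SSH at all.
root_attempts() {   # usage: root_attempts <logfile>
  grep -c 'Failed password for root from' "$1"
}
```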

In addition to monitoring user activity and reviewing logs regularly, such information should be retained so that it can be revisited for analysis at a later stage if needed, for example when a security or performance issue surfaces.

Psacct and acct are useful tools to aid in monitoring activity by running continuously in the system background. They track user activity and the consumption of resources by services such as Apache, MySQL, SSH, FTP and so on. The psacct package is only available for rpm-based distributions such as RHEL, CentOS and Fedora, whereas the acct package is available for distributions like Ubuntu, Debian and Linux Mint.

To install the psacct package:

  • # yum install psacct

To install the acct package:

  • $ sudo apt-get install acct OR
  • # apt-get install acct

By default the psacct service is disabled and needs to be started manually under RHEL/CentOS/Fedora systems. To activate and run psacct, first check its status:

  1. # /etc/init.d/psacct status

If the status shows the message ‘Process accounting is disabled’, enable the service (which creates the /var/account/pacct file) and start it:

  2. # chkconfig psacct on
  3. # /etc/init.d/psacct start

Once the service has started, check the status again:

  4. # /etc/init.d/psacct status

A message should indicate ‘Process accounting is enabled’.

Recovery measures
Securing a server is not just about protecting it from external threats but also being able to salvage and recover from the impact of a successful attack or any form of system failure.

Backup
Backup important files and keep them safely stored away in a safety vault, at a remote site or even offsite, where they will be available in the event that a disaster recovery is necessary.

Disc partitions
Disc partitions offer greater data security if disaster strikes. By having a number of partitions, data can be both separated and grouped. If one partition becomes compromised or corrupted, the risk of data loss is limited to the affected area. Ensure the following partitions exist:

  • /
  • /boot
  • /usr
  • /var
  • /home
  • /tmp
  • /opt

Third party applications should be installed on an independent file system, under /opt.

Read-only /boot
The Linux kernel and its related files are in the /boot directory, which is mounted read-write by default. Mounting it read-only reduces the risk of unauthorized modification of critical boot files. To do this:

  1. Open, /etc/fstab
  2. Add, LABEL=/boot /boot ext2 defaults,ro 1 2

In order to upgrade the kernel, /boot will need to be temporarily remounted read-write.

Additional measures
In addition to the fundamental ways of securing a Linux server, there are always more measures that can be implemented to ensure the best possible level of security.

Disabling USB ports

Disabling USB ports helps prevent users from copying valuable data off the server and protects it from infection by compromised USB devices. To ensure the USB storage driver (the usb-storage module that mass-storage devices need) cannot be loaded:

  1. Create, /etc/modprobe.d/no-usb
  2. Add, install usb-storage /bin/true

Disable alternative booting

Using BIOS set-up, configure settings to disable booting from CD/DVD, Floppy Drive and External Devices. Furthermore, enabling password protection for BIOS will help restrict physical access to the system.

Disable Control+Alt+Delete

For most Linux systems, CTRL+ALT+DELETE is a shortcut for initiating a system reboot. As a pre-emptive measure, disabling the key combination removes any chance of a reboot being triggered accidentally. To do this:

  1. Open, /etc/inittab
  2. Find the line under the comment # Trap CTRL-ALT-DELETE:
  3. ca::ctrlaltdel:/sbin/shutdown -t3 -r now
  4. Comment it out by putting # at the start of the line

Final thought

Securing a Linux server is challenging but with the right approach and dedication, exposure to risks can be minimized. From taking security measures against malicious attacks to being prepared for disaster recovery, there are numerous ways to protect a system but ultimately, it comes down to the administrators and how meticulous they are in doing so.