Linux Server Security: Essential Guide for Hardening Servers
With Linux systems increasingly under threat, this guide outlines essential security practices to harden Linux servers.
Attackers are targeting Linux systems with greater frequency, making it essential for organizations to continually harden IT systems, including servers, to stay ahead.
This guide provides an in-depth overview of the best security practices for strengthening Linux servers, helping you defend your systems, reduce vulnerabilities, and protect sensitive data against evolving threats.
Regular Updates and Patching
Security patches and updates are foundational aspects of Linux server security, yet organizations often apply them inconsistently. Cybercriminals, including APT groups, exploit known and zero-day vulnerabilities to infiltrate systems.
Steps for keeping your Linux servers updated:
Use your distribution’s package manager (e.g., apt, yum, dnf, etc.) to perform regular operating system and package updates. These updates address vulnerabilities in the OS and applications, reducing potential exploit points.
Automate system updates using tools like Yum-Cron or Unattended-Upgrades to streamline patch management.
Monitor vendor security advisories for critical updates.
Use Ksplice or similar tools to apply kernel updates without rebooting, minimizing downtime while maintaining security.
Resources:
Unattended-Upgrades: https://wiki.debian.org/UnattendedUpgrades
Ksplice: https://ksplice.oracle.com/
Firewall Configuration
Firewalls help control traffic and restrict access to critical services. Tools like iptables and nftables offer robust control over traffic rules, while Firewalld and UFW (Uncomplicated Firewall) simplify firewall management with intuitive interfaces. Ensure that only necessary ports are open, and regularly update firewall rules to align with the services running on your server.
Linux firewall tools:
Iptables/nftables: Configure detailed rules based on IP addresses, port numbers, and protocols.
Firewalld: Ideal for real-time updates without service interruptions. Firewalld simplifies the management of zones and services and offers an intuitive UI for the simple management of firewall rules.
UFW: As an easy-to-use frontend for iptables. UFW enables the quick creation and management of firewall rules using simple commands.
Figure 1. You can use UFW easily from the command line.
Resources:
Firewalld: https://firewalld.org/
SSH Hardening
Secure Shell (SSH) is essential for remote management, but improper configuration can leave it vulnerable to attacks.
Recommended SSH hardening practices:
Disable root login: Prevent root access via SSH by modifying the /etc/ssh/sshd_config file. Instead, employ a user account with sudo privileges.
Enforce key-based authentication: Key-based authentication is more secure than passwords, as it protects against brute-force and dictionary attacks. Open-source tools like Fail2Ban can monitor for repeated failed login attempts and block offending IP addresses.
Change the default SSH port: Attackers will target the default SSH port 22. Shifting to a nonstandard port can reduce the risk of attacks.
Restrict SSH Access: SSH access should be limited to specific users or groups by editing the AllowUsers or AllowGroups sections in the SSH configuration file.
Figure 2. You can manage SSH configurations in the ssh_config file, as shown in the Nano editor.
User Management and Privileges
You should always adhere to the principle of least privilege, ensuring users only have the access necessary for their roles. In addition, organizations should implement privileged access workstations (PAWs).
Linux user management best practices:
Limit sudo access: Audit the /etc/sudoers file regularly to ensure only authorized users can execute privileged commands. Use the sudo -l command to view the commands a sudo user can run.
Create groups for access control: Group users according to their roles and assign permissions based on groups rather than individuals. Doing so makes permission management easier and more consistent.
Disable unused accounts: Review user accounts and disable or delete those no longer in use. Ensure you set the shell to /usr/sbin/nologin in the /etc/passwd file for system accounts that should not have login capabilities.
Implement strong password policies: Encourage the use of password managers (not used enough, in my opinion) and multi-factor authentication (MFA) to strengthen authentication security.
Intrusion Detection and Monitoring
Organizations need robust intrusion detection and monitoring capabilities to identify potential threats early. Tools like AIDE, OSSEC, and Auditd can improve Linux server security by identifying unauthorized changes and suspicious activities. For a comprehensive security strategy, integrate these tools with centralized logging and, if possible, a security information and event management (SIEM) system for thorough log analysis and threat detection.
File detection monitoring and log analysis are critical for protecting systems. Modern SIEM tools often support the Linux Syslog standard, making them compatible with Linux environments. SIEM tools can improve system visibility and centralize log data, enabling effective threat hunting and incident response.
To maintain a strong security posture:
Monitor Linux servers for normal and abnormal activity to detect indicators of compromise (IoC).
Use a SIEM tool to aggregate logs and facilitate automated threat detection.
Combine SIEM data with extended detection and response (XDR), antivirus for vanilla threats, and proactive threat hunting to create a comprehensive defense strategy.
Recommended open-source intrusion detection and monitoring tools for Linux:
AIDE (Advanced Detection and Monitoring): A tool that monitors files by comparing current file/folder states against a baseline database, highlighting unauthorized modifications.
OSSEC: An open-source HIDS (host-based intrusion detection system) that monitors logs, detects rootkits, and provides real-time alerts for suspicious activities or IoCs.
Auditd: Collects logs from various system activities, including file accesses, command executions, and system calls. It can track critical system events and flag unusual behavior.
Logwatch: A log analysis tool that parses logs and generates regular reports, helping spot patterns of suspicious activity and IoCs.
Ensure all monitoring tools are configured correctly and integrated with centralized logging and your SIEM system.
Resources:
OSSEC: https://www.ossec.net/
Data Encryption
Encrypting data at rest and in transit is critical for protecting sensitive information. Even if attackers gain access to your server, encryption can prevent them from reading the data.
Recommended data encryption practices:
Use SSL/TLS for data in transit: Secure network communications with SSL/TLS. For web servers, ensure all traffic is encrypted by obtaining SSL certificates from trusted certificate authorities or using free options like Let’s Encrypt.
Encrypt data at rest: Use tools like Linux Unified Key Setup (LUKS) or dm-crypt to encrypt disks or specific partitions.
Configure SSH encryption: As previously mentioned, configure SSH to use robust algorithms to protect communication with your server.
ITPro Today Linux Resources
My ITPro Today contributor page provides links to my other Linux articles
Disclaimer
This article refers to open-source code repositories and gists on GitHub. Please review the following author disclaimer:
The C code is valuable for red teaming and security operations.
Any use of this code is entirely your responsibility.
This code intends to assist security professionals engaged in authorized red team activities and security research.
The code is free and open source.
About the Author
You May Also Like