Securing your Linux Server in 8 Steps

Before I get going with too many tutorials, it might be a good idea to just step back and talk about the very first thing you should be doing from the start: securing your server!

Luckily this doesn't need to take a long time - we can secure things pretty quickly. Let's get started!

STEP 1 - Update your server

Depending on your Linux distribution, your install ISO/DVD could be months or even years old! Running updates on your server immediately will help get any vulnerable packages updated. We can do this in two lines:

sudo apt-get update

sudo apt-get upgrade

STEP 2 - Disable root access via SSH

If you've ever watched your SSH logs after starting up a server, you'll notice one thing very quickly: a lot of people are trying to access your server. The other thing you'll notice is 95% of them are trying to access it via the root user.

Let's disable the root login by editing the sshd_config file.

sudo nano /etc/ssh/sshd_config

Find the PermitRootLogin line and change it to "no":
PermitRootLogin no

STEP 3 - Change your SSH port

After Step 2, you'll notice your logs still are full of login attempts. Even though they can't get in as the root user, they'll still keep trying. Let's change the OpenSSH server to use a different port. Open the sshd_config file once more and edit the "Port" line to use an atypical number. For example:
Port 5901

Restart your SSH server in order to pickup the changes from Steps 2 and 3

sudo service ssh restart

STEP 3.5 - Use SSH Key-based Logins

While this is a great to do on public-facing production servers, it's really not necessary to need to be done on internal or development servers. If attackers can't log in as root or even figure out what port SSH is on, you're already avoiding 99.99% of attacks. If you're interested in setting up key-based logins, check out this article from Ubuntu.

STEP 4 - Enable your firewall

Most Linux distributions come with iptables by default. Iptables is a very powerful firewall but has quite a steep learning curve for those of us coming from a Windows Server background (don't hate!). While I plan on creating an iptables tutorial in the future, a much easier frontend for iptables is UFW.

sudo apt-get install ufw

UFW's context is very simple. The command is simply "ufw allow" followed by a port number. For example, this would open up traffic for an http server:

ufw allow 80

For popular protocols, you can use the protocol name to do the same thing:

ufw allow http

Make sure to allow the custom port number you gave your SSH server, otherwise you'll lock yourself out! After you have all the rules added, just enable the firewall:

ufw enable

If you ever need to see what rules are currently set, just run:

ufw status

STEP 5 - Check for open ports

For some reason, I always seem to end up with services running that I have no idea how they ended up on my system. Maybe another package listed them as a dependency. Maybe it just came with the default install. Regardless, if a service is listening on a port, it leaves the door open for possible exploit.

We can see what ports currently have services listening on them by running a quick command:

sudo netstat -tulpn

Anything listening on may be a problem. To fix, make sure your firewall is not allowing traffic to those ports through. Even better, uninstall the offending package by doing an apt-get remove <package>

STEP 6 - Install Fail2Ban

Fail2Ban is a program that monitors the authentication logs of various programs. When too many attempts are detected, it blocks the source IP address. First, we'll need to install it:

sudo apt-get install fail2ban

To configure, open up the configuration file in a text editor, find the services you want to have it watch (for example, SSH), and then restart the service.

sudo nano /etc/fail2ban/jail.conf

[ssh] #service name

enabled  = true #set this to true to enable
port     = 5901 #change this to the port you set in step 3
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3 #set this to how many attempts are allowed

sudo service fail2ban restart

STEP 7 - Disable responding to pings

As lots of bots find your server by pinging, turning off pings is one way to help hide it (though this really only helps servers that you aren't driving the public to). To prevent ping responses:

sudo nano /etc/sysctl.conf

Insert the following into the file:
net.ipv4.icmp_echo_ignore_all = 1

Save the file and reload the service:

sudo sysctl -p

STEP 8 - Read your logs

This shouldn't come as any surprise but actually reading the logs can help give you a better idea of what threats you are facing. If you're getting a lot of invalid attempts coming in from IPs in a particular country, maybe download a geoip firewall tool to block a country. Things like that will help you adapt to threats as they come up.

Wrap Up

If you've done the above steps, then you are off to a good start. Some of you will say "Chris, this is hardly enough and dangerous to run a server if this is all you do." Well you're right - these guidelines are really meant as a starting point. There are bunches of other things we can do, however a lot of the securing process is dependent on the server role and location (internal vs external facing). While this article may go a bit overboard, I would definitely recommend looking over some of the other things you can do to secure your server.

Got any other tips you think are mandatory? Let me know in the comments!

Posted on
Tagged in Ubuntu , Security
Chris Reinking

comments powered by Disqus