Securing a Linux server is paramount for maintaining data integrity, protecting sensitive information, and preventing unauthorized access. In a production environment, where the server is exposed to the internet and potential threats, implementing robust security measures is critical. In this article, we will explore essential Linux hardening practices and provide practical examples to help you secure your Linux server for production usage.
- Keep Software Up-to-Date:
Regularly updating the Linux operating system and installed software is fundamental to staying protected against known vulnerabilities and exploits.
Update the package list and upgrade installed packages on an Ubuntu/Debian system:
sudo apt update sudo apt upgrade
- Configure a Firewall:
A firewall acts as a barrier between your server and the internet, controlling incoming and outgoing traffic based on predefined rules.
Install and enable
ufw (Uncomplicated Firewall) on Ubuntu/Debian:
sudo apt install ufw sudo ufw enable
Allow necessary services like SSH, HTTP, and HTTPS:
sudo ufw allow OpenSSH sudo ufw allow 80/tcp sudo ufw allow 443/tcp
Secure Shell (SSH) is a common target for attackers. Take measures to enhance SSH security.
Edit the SSH configuration file
/etc/ssh/sshd_config to allow key-based authentication:
Reload the SSH service for changes to take effect:
sudo systemctl reload sshd
- Implement Strong Password Policies:
Enforce strong password policies to protect user accounts from brute-force attacks.
pam_pwquality to configure password policies on Ubuntu/Debian:
sudo apt install libpam-pwquality
/etc/security/pwquality.conf file with desired settings. For instance:
minlen = 12 minclass = 4
Edit the PAM configuration file
password requisite pam_pwquality.so retry=3
- Restrict User Privileges:
Limit user privileges to minimize potential damage from malicious activities.
Add users to the
sudo group for administrative access:
sudo usermod -aG sudo username
- Enable SELinux/AppArmor:
Security-Enhanced Linux (SELinux) or AppArmor adds an extra layer of protection by confining processes within defined policies.
Install SELinux on CentOS/RHEL:
sudo yum install selinux-policy selinux-policy-targeted sudo setenforce 1
- Monitor Logs and Intrusion Detection:
Regularly monitor system logs for suspicious activities and implement intrusion detection tools to alert you of potential security breaches.
Install and configure
fail2ban to block malicious IP addresses:
sudo apt install fail2ban
jail.local configuration file
[sshd] enabled = true
- Disable Unnecessary Services:
Disable unused services and daemons to reduce the attack surface of your server.
Disable Apache on Ubuntu/Debian:
sudo systemctl stop apache2 sudo systemctl disable apache2
Linux hardening is a continuous process that requires vigilance and adaptation to new threats. By following the practices outlined in this guide, such as keeping software updated, configuring a firewall, securing SSH access, implementing strong password policies, restricting user privileges, enabling SELinux/AppArmor, monitoring logs, and disabling unnecessary services, you can significantly improve the security posture of your Linux server in a production environment. Remember to perform regular security audits, stay informed about security best practices, and continuously refine your security measures to stay ahead of potential threats.