Linux server hardening is the process of securing a Linux server by reducing its attack surface and mitigating security risks. The goal is to protect the system from unauthorized access, exploitation, and other security threats. Here's a comprehensive guide to Linux server hardening:
1. Regular Updates and Patching
- Update packages regularly: Ensure the system and software are up-to-date with the latest security patches.
- Commands:
- For Debian/Ubuntu: `sudo apt update && sudo apt upgrade`
- For RHEL/CentOS: `sudo yum update` or `sudo dnf update`
- Automatic updates: Configure unattended upgrades for automatic security patching.
- Debian/Ubuntu: `sudo apt install unattended-upgrades`
2. Disable Unused Services
- Check running services: Use `netstat`, `ss`, or `systemctl` to list active services.
- Commands:
- `sudo systemctl list-unit-files --type=service`
- `sudo netstat -tuln`
- Stop and disable unnecessary services:
- `sudo systemctl stop <service>`
- `sudo systemctl disable <service>`
3. Firewall Configuration
- Use firewalls: Set up a firewall like `iptables`, `nftables`, or `ufw` to restrict network traffic.
- `ufw` (for Ubuntu):
- Enable: `sudo ufw enable`
- Allow specific port: `sudo ufw allow <port>`
- Deny all incoming traffic and allow only necessary ones: `sudo ufw default deny incoming`
- `iptables`/`nftables` for advanced users.
4. SSH Hardening
- Disable root login:
- Edit `/etc/ssh/sshd_config` and set `PermitRootLogin no`
- Change default SSH port: Use a non-standard port to avoid automated attacks.
- `Port 2222` (example)
- Use SSH key-based authentication: Disable password authentication and enable public key authentication.
- Set `PasswordAuthentication no` in `sshd_config`
- Restrict SSH access: Limit SSH to specific IP addresses or networks.
- Use `AllowUsers` or `AllowGroups` in `sshd_config`
5. Intrusion Detection and Monitoring
- Install intrusion detection tools like `AIDE`, `OSSEC`, or `Tripwire`.
- Example: `sudo apt install aide`
- Initialize: `sudo aideinit`
- Log monitoring: Use tools like `Logwatch` or `GoAccess` to monitor logs.
- Logwatch: `sudo apt install logwatch`
- GoAccess: `sudo apt install goaccess`
6. File and Directory Permissions
- Set correct file permissions: Ensure only authorized users can access sensitive files.
- Use `chmod` to modify permissions, e.g., `chmod 600 /etc/ssh/sshd_config`
- Use access control lists (ACL) for granular permissions:
- `setfacl -m u:user:r /path/to/file`
7. Disable Unnecessary Network Ports
- Check open ports:
- `sudo netstat -tuln` or `sudo ss -tuln`
- Use `firewalld`, `iptables`, or `ufw` to block unnecessary ports.
- Disable network services that aren't needed (like FTP, Telnet).
8. SELinux or AppArmor
- Enable SELinux (for CentOS/RHEL) or AppArmor (for Ubuntu)** to add an additional layer of security by restricting what processes can do.
- Check SELinux status: `sestatus`
- Enforce SELinux: `sudo setenforce 1`
- For AppArmor: `sudo systemctl enable apparmor`
9. Secure Boot Configuration
- Set a password on the bootloader (GRUB) to prevent unauthorized changes.
- Edit `/etc/grub.d/40_custom` to add the password:
```bash
set superusers="admin"
password_pbkdf2 admin [hash]
```
- Update GRUB: `sudo update-grub`
10. Audit Logs
- Enable auditing with `auditd` to track important system events.
- Install: `sudo apt install auditd`
- Start the service: `sudo systemctl start auditd`
- Use `ausearch` or `auditctl` to query audit logs.
11. Security Tools
- Fail2Ban: Protect against brute force attacks by blocking IPs after a certain number of failed login attempts.
- Install: `sudo apt install fail2ban`
- Configure jail: `/etc/fail2ban/jail.conf`
- Lynis: A security auditing tool for Linux.
- Install: `sudo apt install lynis`
- Run: `sudo lynis audit system`
12. Limit User Privileges
- Use `sudo` instead of logging in as root. Restrict `sudo` privileges using `/etc/sudoers` or `sudo visudo`.
- Avoid adding users to privileged groups unless necessary.
13. Backup Regularly
- Use automated backup tools like `rsync`, `borg`, or cloud-based solutions to back up important files regularly.
- Test backups for data integrity.
14. Encryption
- Encrypt sensitive data: Use `LUKS` for disk encryption or tools like `gpg` for file encryption.
- Encrypt network traffic: Use VPNs, SSH tunnels, or tools like `stunnel`.
15. Disable IPv6 if Not Needed
- If you don't need IPv6, disable it to reduce your attack surface.
- Edit `/etc/sysctl.conf` and add:
```bash
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
```
16. Use Centralized Authentication
- If you have multiple servers, consider using centralized authentication methods like LDAP, FreeIPA, or Kerberos to simplify user management and enhance security.
17. Enforce Password Policies
- Use `pam_pwquality` to enforce password complexity and expiration policies.
- Configure in `/etc/security/pwquality.conf`
By following these steps, you'll significantly reduce the risk of vulnerabilities and strengthen your Linux server's security posture. Keep monitoring and revising your security measures as new threats emerge.