How To Secure Linux Servers
Just because you don’t have anything of value on your server, doesn’t mean that malicious actors won’t target it. You may be thinking that since your server isn’t even running a website, let alone store customer data, you don’t need to take security seriously.
Nothing could be farther from the truth. Cybercriminals today prefer going after the low hanging fruit. They constantly scan for servers with potentially weak security. Once they identify such a target, they can usually execute a brute-force attack to infiltrate it.
As the owner of a public-facing server, the onus of security rests on your shoulders. Most of our servers are unmanaged, which means that securing the server is your responsibility. In the following guide, we will share tips and insights on how you can start securing your server today.
What is server security?
Server security includes the processes and tools used to protect a server from unauthorised access. Severs are prime targets for attackers because they lie at the heart of an organizational network. They also often contain sensitive data, like PII, application logs, or source code.
If you’ve hosted a website, it’s running on a server. If you’ve purchased some storage space from a cloud provider, it’s running on a server. If you’re about to build your company’s infrastructure online, you’ll probably need a lot of servers, and subsequently proper cloud server security.
The point is, most service delivery on the internet happens through servers, which makes it imperative that we secure them. This is especially true for Linux servers, because people often assume that they are inherently secure.
While it’s true that Linux offers much more ways to secure servers than its counterparts, the security isn’t built in. Administrators must explicitly perform security measures to secure Linux servers. The absence of security often indicates to an attacker that the server administrator is possibly inexperienced and hence, an easy target.
Why would anyone want to hack into my server anyway?
Did you know that billions of cyberattack requests originate each day? Take a look at this live threat attack map. What you need to understand is that hackers don’t sit on their computers with their morning coffee deciding who to target for the day, they wouldn’t be very successful then.
Instead, they create millions of bots that constantly automatically scan all public IP addresses on the internet, every second of every day. In fact, any new device that starts up with a public IP on the internet is scanned for weaknesses within 30 to 60 SECONDS of it going live. Yes, that was not a typo, it’s a scary fact.
That means before you’ve even logged into your server for the first time, there have already been thousands of break-in attempts on it. We often see in excess of 10,000 failed login attempts PER DAY on some of our client machines before they get locked down.
Cybercriminals target all types of servers. Enterprise servers, shared hosting servers, AWS instances, and even your personal server with no meaningful data on it. They randomly send out requests across the internet, hoping for any form of response.
Usually, if a server responds, it indicates weak security. This is the attacker’s cue to launch a brute-force attack, i.e. make thousands of attempts to guess the server’s username-password combo. Once they gain entry, they use the server as a staging point to launch their campaigns.
These may be junk-mail/spam floods or Denial of Service (DoS) attacks. Running botnets or Malware responders, or setting up Phishing sites. They could even set up bitcoin mining applications that run in the background, and consume all your server’s resources.
So, not only will any sensitive data be exposed forever, your server will also become an anonymous staging point for criminal activity, which would be virtually impossible to trace back to the original attackers.
Why you should take cyber security seriously
Are you taking cyber security seriously? Let’s look at some more reasons why it should always be your top-most priority:
- Prevent financial loss, which may arise due to stolen intellectual property, service disruption, and any fines you may have to pay to regulatory bodies.
- Prevent reputation loss, which your business will endure if it’s breached. Your customers will be hesitant to place their trust in you.
- Prevent downtime, which is an inevitable outcome after a successful cyberattack.
- Prevent sensitive data exposure.
- Prevent your websites from slowing down. This may happen if adversaries hijack your CPU and RAM to run malicious applications, which are often resource intensive.
- Establish yourself as trustworthy by implementing security measures and marketing your enhanced security posture.
How to secure a Linux server?
One of the advantages of using Linux is that it offers so many easy-to-use features to secure a server. Let’s look at how do you go about securing a server:
Use SSH keys
SSH, or secure shell, is a protocol used to authenticate and communicate with servers. There are multiple ways to use SSH to log in to a server. The easiest method is using password-based authentication, but it’s not considered secure.
A much safer alternative is using SSH key pairs. An SSH key pair consists of cryptographically secure keys, which ensure that only authorized clients, with the right keys, get to access the server. Each pair consists of a public key, which is configured at the server, and a private key, which is secretively stored by the client.
To create a SSH pair, follow these steps:
- Log in to your Linux server and type
ssh-keygen
. - Press Enter when asked to specify the directory.
- If you want to protect the key with a passphrase, specify it in the next step. Otherwise hit Enter.
That’s it! This should create public and private key files in the user home directory (/home/~/.ssh
). For root the default folder is /root/.ssh/id_rsa
.
The files will typically be called id_rsa.pub
and id_rsa
. The .pub
file is the public key. This can be copied into ~/.ssh/authorized_keys
to allow any holder of both keys to access the server, WITHOUT a password. The advantage of this is that removing the key also removes access.
Disable password authentication
It’s recommended to disable password authentication on your server, and always use SSH keys to log in. Here’s how to do so:
- Open the file
/etc/ssh/sshd_config
in your favourite editor. - Find the line in the file
#PasswordAuthentication no
, then remove the#
from the beginning, and changeyes
tono
- Save the file and then depending on your Linux flavour, run the appropriate command to restart the SSH service:
- For CentOS 7 and 8:
sudo systemctl restart sshd
- For Debian 11:
sudo systemctl restart ssh
- For Ubuntu 20:
sudo systemctl restart ssh
- For CentOS 7 and 8:
Set up hosts.allow and hosts.deny
The /etc/hosts.allow
and /etc/hosts.deny
files give users the ability to define rules that only allow access to trusted clients. Once you create the files and add entries to them, the network daemon will consult them every time it gets a new request.
As the name indicates, allowed clients should be defined in the /etc/hosts.allow
file, and if there are any blacklisted clients, they should be defined in the /etc/hosts.deny
file. As a standard practice, you should reject all access by default, and only allow approved, known hosts. Here’s how to configure this:
- Create and open the
/etc/hosts.deny
file and put the following line inside it:ALL: ALL
- Create and open the
/etc/hosts.allow
and specify a list of known hosts. For example:ALL: LOCAL @test_netgroup
The above rule will only allow access from ALL hosts inside the local domain, and ALL members of the test_netgroup
netgroup.
Ensure only necessary ports are open
Once you have all your software installed and running, make sure you have researched which ports each application runs on. Run the command netstat -punta
to see which ports and applications are running.
Ensure that each open port is actually needed by the system or your application.
Ignore any ports running on the IP address 127.0.0.1, as this is an internal IP. Focus on ports running on IP 0.0.0.0 (Any IP) or the PUBLIC IP of your server. Shut down any-and-all applications that are not absolutely necessary.
Install fail2ban and make sure it’s active for SSH
The Fail2Ban SSH Module checks your log files for failed login attempts (for SSH). After a predefined number of failed login attempts, it blocks the IP address of the client trying to log in.
However, you should only install this if you do NOT have cPanel installed. cPanel uses CSF/LFD (Login Failure Daemon) to essentially do the same as fail2ban. In Ubuntu, fail2ban is usually activated by default for SSH. On CentOS, you usually have to activate it.
However, if for some reason fail2ban isn’t installed/enabled on your system, follow these steps to do so:
On CentOS 7/8:
sudo yum install epel-release
sudo yum install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
On Ubuntu 20 and Debian 11:
sudo apt update
sudo apt install fail2ban
Ensure public directories have bare-minimum permissions
Permissions are often misunderstood and overrated as a security measure. Setting the correct permissions can keep a rogue application in check, or minimise the damage caused by a compromised account.
Set User
and Group
permissions on files AND directories, with no global permissions. If global permissions can’t be avoided, only use read-only.
Limit who can use sudo
sudo
gives a user the ability to execute commands on other accounts, including root
. Ensure that only authorised accounts have the permission to use sudo
. To do this, you will need to create a sudousers
group, and add all the required users to it:
- Create a new group:
sudo groupadd sudousers
- Add all the relevant users to the group:
sudo usermod -a -G sudousers myuser1
sudo usermod -a -G sudousers myuser2
Do this for all the users that requiresudo
rights. - Before we make changes to the
sudoers
file, let’s create a backup:sudo cp --archive /etc/sudoers /etc/sudoers-bak
- Open to edit the
sudoers
file:sudo visudo
- Add the following line (if not already there):
%sudousers ALL=(ALL:ALL) ALL
Install security updates automatically
It’s imperative to install critical security updates on your server, as soon as they are released. Most-if-not-all security updates are patches for known vulnerabilities and bugs, which can be exploited by malicious actors.
Ideally, you should be able to automatically install security updates from the official vendors. It may not be prudent to install ALL updates, as some may break the operating system. However, critical security updates shouldn’t be avoided or delayed at any cost.
Debian and Ubuntu both have built-in features that support automatic security update installation. We recommend enabling it. For CentOS, you can use the package DNF Automatic to set up automatic updates.
Linux security tools you should know of
Let’s finish this section off by looking at some security tools for Linux, across different categories:
Anti-virus / Anti-malware
Our favourite antivirus / anti-malware software for Linux is Sourcefire’s ClamAV. This is a free, open-source package designed to detect trojans, viruses, malware and other malicious threats. Included in the software are a multi-threaded scanning daemon, command line utilities for on-demand file scanning, and an intelligent tool for automatic signature updates.
Intrusion Detection Software (IDS)
Snort is a free, open-source tool that helps in the detection of intruders and also highlights malicious attacks against the system. In effect, Snort is merely a packet filter. But the true value of this tool lies in its signature-based detection of attacks, by analysing packets that Wireshark or tcpdump are incapable of analysing.
Canarytokens provide an early warning system, by mimicking devices, files or URLs that are attractive to attackers snooping around your system, and when engaged with you are automatically alerted.
Web server vulnerability testing
NIKTO is an open-source web server scanner that tests web servers for potentially dangerous CGI files. It also performs version-specific analysis, such as identifying outdated frameworks. One must note that every test or check report doesn’t necessarily point to a security problem, so keep an eye out for false positives.
Filesystem integrity and security
Chkrootkit is a free tool designed to check locally for signs of a rootkit infection on your Linux machine. The free software is a very popular choice, but Rootkit Hunter (rkhunter) is another, like-minded alternative.
Both these programs check your disk for any known malware and insecure setups. They can also optionally run on a schedule to warn you about any changes to specified directories or files. Another good program to watch your files for changes is Tripwire.
Firewalls and security
Last but not least, a good firewall can do a lot. If you do not want to learn iptables, the de-facto standard Linux firewall, you can manipulate it through various simplified front-ends. These include firewalld (CentOs 7 and later), CSF and UFW (more common on Debian variants such as Ubuntu).
Conclusion
We hope that by showing you how to secure a Linux server, we’ve made the internet a little more secure. These basic security tips help you lay a secure foundation, but it’s only a start. Server security is not a set-and-forget configuration, it takes constant work and updating.
Cybercriminals and their millions of automated bots don’t sleep. It’s up to you to advance and maintain your server security 24/7.
If you don’t have that kind of time, energy, or skills, then a managed server would would be the solution for you.
Stay informed on the latest security threats and news from reputable sites like The Hacker News and ZDNet. You can subscribe to their security newsletters or simply follow them on your preferred social media platform to get alerts and keep your systems SAFE.
Happy Hosting 🙂
FAQs
What is cyber security?
Cybersecurity deals with the processes, tools, and frameworks used to protect systems, applications, networks, and infrastructures from malicious attacks. These attacks can be phishing attacks, ransomware attacks, malware attacks, or denial of service attacks.
There are three main aspects of cybersecurity:
- People: All users of a system must be aware of potential risks, threats and vulnerabilities.
- Processes: Organizations must have well-defined processes and frameworks that dictate how to secure systems and data.
- Technology: Of course, cybersecurity can’t be implemented without the necessary tooling. Some important tools are: identity management systems, intrusion detection systems, firewalls, and incident recovery systems.
Secure server meaning
The definition of secure servers is web servers that make use of the SSL protocol to encrypt data, and ensure secure online communication and transactions. Since servers are susceptible to different kinds of interceptive and disruptive cyberattacks, it’s recommended to use secure servers, wherever possible.
Secure servers can be used for different purposes; for hosting a website, for running different applications, and even as proxies. If you store sensitive data, like PII, it’s imperative that you use a secure server.
How to secure Centos 7 server
- Use SSH keys to log in to the server. SSH keys ensure that only the rightful owners of secretly kept private keys get to access a server.
- Disable password authentication altogether.
- Limit people who can access sudo.
- Install some reputable open-source security tools to further enhance your footprint. Some good options are Snort, rkhunter, and NIKTO.
- Ensure that public directories have bare-minimum permissions.
- While defining firewall rules, ensure that only the required ports are open, and only the required IPs are allowed to communicate.
How to secure web server
There are many ways to secure a web server. Here are a few:
- Use SSL to encrypt data and transactions.
- Remove any unnecessary services or applications.
- Ensure that you regularly patch and install your server. Never miss out on any critical security upgrades.
- Ensure that you are using secure development practices to protect against attacks like SQL injections, brute-force attacks, and cross-site scripting etc.
- Use SSH keys to protect access to the web server. Disable password authentication altogether.
- Install a firewall, and create granular access control rules.
- Perform incremental, periodic backups.
What does a hacker do?
A hacker, in the cybersecurity world, is someone looking to obtain unauthorized access to a machine, or a network. A hacker usually knows different techniques to execute cyberattacks on a system, like phishing, social engineering, denial of service, and dictionary attacks.
Majority of the hackers are motivated by money, however, there are others who take down systems to express their political and ideological stances. Depending on their experience and aspirations, hackers may target something as small as a personal blog, or as huge as a government organization.
Once a hacker has successfully infiltrated a system, they may steal, modify, or corrupt sensitive information. They do this by installing malicious applications, without the owner’s knowledge.