How to Secure Your Linux Server
It’s important for anyone running a Linux server, or any type of server for that matter, secure. Especially if it communicates with the outside world. Servers are like your houses in the digital realm. They have to be kept secure from intruders. So you have a Linux server, here’s how to secure it.
- Keep Your Server Clean and Lean
In other words, keep it simple, but secure. Install the apps and run only the services that you need. Additional apps, introduce vulnerabilities as well as unpatched services that can be exploited by external malicious actors. Keeping the server clean and lean also speeds up its performance. Also, depending on the Linux distro, a number of extra services will be run by default. Keep an eye out for those services. Check if they’re really important and if they are, make sure they’re updated.
A simple netstat –npl command in the terminal will show you all the running services and the ports they use. That’s another thing. These services might be using some ports you want to keep closed. Disable unwanted services with the following command.
Systemctl disable service_name
- Do not Log in as Root
It’s no secret that logging in as Root user gives you unrestricted access to everything in your Linux setup. And for many Linux users, it’s the easiest way to use Linux which is why most newbies log in as Root. Malicious attackers know this too. When users log in as Root, any running apps and services with vulnerabilities also give attackers unlimited access to everything else. The best practice for Linux users, is to create a user with enough sudo access to perform most tasks and only switch to Root when needed.
In Ubuntu for example, you can add a new user with sudo powers by typing in the following at the terminal:
qpasswd –a usercansudo sudo
Afterwards, log out of the system and login as the new user then disable the Root user by editing the sshd_conf file.
Look for this commented item: #PermitRootLogin no
Remove the comment, save the file and restart the ssh service using the following command:
systemctl restart sshd
- Keep the Server to Yourself and others you Trust
Restrict access to your server to just you and others you implicitly trust. In the previous item, create as many users as you can with level access and disable root. The fewer the better though.
- Port Change
When logging in remotely, the default port for ssh is 22 which is what most people, including attackers would do to get into a Linux server. This port can be changed and by changing this port, eavesdroppers, attackers and bots will be left guessing how to log in to your system. It’s simple but effective. To change the ssh port, we go back to the sshd_conf file. You can issue the following commands:
sudo nano /etc/ssh/sshd_conf
Find the commented port line:
Uncomment it and change the port number to something else. Feel free to change 22 to something between 1024 and 32,767 but make sure that no other service uses your chosen number. Then save the file. Restart the ssh service.
systemctl restart sshd
You can check if it works by logging in through ssh with this command:
ssh –p1027 192.168.10.11
- Always Keep Your Server Patched and Updated
You’ve probably read plenty of articles regarding vulnerabilities that no basic user could probably think of but continuously explored by determined hackers out for a quick buck. No server is secure, not even Linux and the best defense for this, apart from a good firewall and anti-malware programs, is to keep your operating system and its packages updated. Always be on the lookout for core or kernel updates.