🛡️ Secure Linux Server

jay75chauhan
16 min read · Nov 12, 2024


Introduction

Securing a Linux server goes beyond installation and setup. Every server is vulnerable to attacks, from brute-force login attempts to malware and misconfigurations. This guide offers essential steps to strengthen your Linux server’s security, complete with detailed steps and the reasons behind them. Let’s make your Linux server as resilient as possible!

1. Disable Root Login

Why?

The root user has unlimited access, which makes it a target for attackers. Disabling root login prevents attackers from attempting brute-force attacks directly on this powerful account. Instead, a user with limited permissions is used, reducing the risk.

How to Do It

Open the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find the line:

PermitRootLogin yes

Change it to:

PermitRootLogin no

Save and close the file.

Restart the SSH service to apply changes:

sudo systemctl restart sshd

2. Use Key-Based SSH Authentication

Why?

Password-based logins can be weak points in server security. SSH key pairs are much harder to crack than passwords, adding a strong layer of security.

How to Do It

Generate an SSH key on your local machine:

ssh-keygen -t rsa -b 4096

This creates a public-private key pair for secure login.

Copy your public key to the server:

ssh-copy-id username@server_ip

To disable password-based login, open /etc/ssh/sshd_config on your server:

sudo nano /etc/ssh/sshd_config

Set PasswordAuthentication no and restart SSH:

sudo systemctl restart sshd

3. Enforce Strong Password Policies

Why?

Strong password policies prevent weak, easily guessed passwords, reducing the likelihood of brute-force attacks.

How to Do It

Open the password policy configuration file:

sudo nano /etc/security/pwquality.conf

Set policies like minimum length and complexity:

minlen = 12
minclass = 3
  • minlen requires at least 12 characters.
  • minclass requires multiple character types (uppercase, lowercase, digits, etc.).
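To make the two numbers concrete, here is an added shell example (not from the original post, and not the pam_pwquality code itself) that reimplements only the minlen and minclass rules and applies them to constructed test strings. pam_pwquality also runs other checks, such as dictionary words and similarity to the previous password, which are not reproduced here; the four character classes it counts are lowercase, uppercase, digits and everything else.

```shell
#!/bin/sh
# Added example: evaluate a candidate string against the minlen/minclass
# policy from pwquality.conf. Only these two rules are reimplemented.

# Count how many of the four pwquality character classes a string uses.
password_classes() {
  n=0
  printf '%s' "$1" | grep -q '[[:lower:]]' && n=$((n + 1))
  printf '%s' "$1" | grep -q '[[:upper:]]' && n=$((n + 1))
  printf '%s' "$1" | grep -q '[[:digit:]]' && n=$((n + 1))
  printf '%s' "$1" | grep -q '[^[:alnum:]]' && n=$((n + 1))
  echo "$n"
}

# check_password STRING [MINLEN] [MINCLASS]
# Prints a verdict; returns 0 when the string satisfies the policy, 1 otherwise.
check_password() {
  pw=$1 minlen=${2:-12} minclass=${3:-3}
  len=${#pw}
  classes=$(password_classes "$pw")
  if [ "$len" -lt "$minlen" ]; then
    echo "REJECT: length $len < minlen $minlen"
    return 1
  fi
  if [ "$classes" -lt "$minclass" ]; then
    echo "REJECT: $classes character classes < minclass $minclass"
    return 1
  fi
  echo "ACCEPT: length $len, $classes classes"
}

# Usage with the post's policy (minlen 12, minclass 3), on constructed inputs:
#   check_password 'correct-horse-battery' 12 3   -> rejected (only 2 classes)
#   check_password 'Tr0ub4dor&3xyz' 12 3          -> accepted
```

Note that a long passphrase made only of lowercase words fails the minclass=3 rule even though it is long; if that is not the policy you want, raise minlen and lower minclass rather than the other way round.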

4. Keep the System Updated

Why?

Updates contain patches for known vulnerabilities. Failing to update leaves your server exposed to known attacks.

How to Do It

Run the update command:

sudo apt update && sudo apt upgrade -y   # Debian/Ubuntu 
sudo yum update -y # CentOS/RHEL

Enable automatic updates (on Ubuntu):

sudo apt install unattended-upgrades

5. Configure a Firewall

Why?

A firewall limits access to specific services and blocks unauthorized traffic, reducing the risk of intrusion.

How to Do It

For Ubuntu: Install and configure ufw:

sudo apt install ufw
sudo ufw allow 22 # Allow SSH
sudo ufw allow 80 # Allow HTTP
sudo ufw allow 443 # Allow HTTPS
sudo ufw enable
  • This allows only SSH, HTTP, and HTTPS traffic while blocking other ports.

6. Install and Configure Intrusion Detection (Fail2Ban)

Why?

Fail2Ban protects your server from brute-force attacks by blocking IPs with too many failed login attempts.

How to Do It

Install Fail2Ban:

sudo apt install fail2ban

Configure Fail2Ban by editing /etc/fail2ban/jail.conf:

sudo nano /etc/fail2ban/jail.conf

Enable SSH monitoring with:

[sshd] 
enabled = true
maxretry = 5
bantime = 3600
  • Blocks IPs after 5 failed attempts for one hour.
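The following is an added example (not from the original post, and not Fail2Ban's own code) that applies the sshd jail's logic by hand: count "Failed password" lines per source IP and flag any IP that reaches maxretry failures inside a findtime window. The log excerpt is constructed, in the epoch-timestamp layout of journalctl -o short-unix, and all IPs are documentation addresses. One practical caveat the post does not mention: Fail2Ban's jail.conf is overwritten on package upgrades, so the same [sshd] stanza is normally placed in /etc/fail2ban/jail.local, which overrides it.

```shell
#!/bin/sh
# Added example: a minimal version of the sshd jail's counting rule,
# run over a constructed log excerpt.

# Constructed sample: "EPOCH host sshd[pid]: message" lines.
sample_auth_log() {
  cat <<'EOF'
1731380000 srv sshd[2101]: Failed password for root from 203.0.113.5 port 50000 ssh2
1731380010 srv sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 50001 ssh2
1731380020 srv sshd[2103]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
1731380030 srv sshd[2104]: Failed password for root from 203.0.113.5 port 50002 ssh2
1731380040 srv sshd[2105]: Failed password for root from 198.51.100.7 port 40001 ssh2
1731380050 srv sshd[2106]: Failed password for root from 203.0.113.5 port 50003 ssh2
1731380060 srv sshd[2107]: Failed password for root from 203.0.113.5 port 50004 ssh2
1731384000 srv sshd[2108]: Failed password for root from 192.0.2.9 port 50100 ssh2
1731385000 srv sshd[2109]: Failed password for root from 192.0.2.9 port 50101 ssh2
1731386000 srv sshd[2110]: Failed password for root from 192.0.2.9 port 50102 ssh2
1731387000 srv sshd[2111]: Failed password for root from 192.0.2.9 port 50103 ssh2
1731388000 srv sshd[2112]: Failed password for root from 192.0.2.9 port 50104 ssh2
EOF
}

# find_brute_force MAXRETRY FINDTIME < log
# Prints "IP count" for every IP that accumulated MAXRETRY failures within
# FINDTIME seconds (count = failures in the window at the moment the
# threshold was crossed), sorted by IP.
find_brute_force() {
  awk -v maxretry="$1" -v findtime="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
      t = int($1)
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip == "") next
      n[ip]++
      times[ip, n[ip]] = t
      # failures from this IP that fall inside the window ending now
      c = 0
      for (j = 1; j <= n[ip]; j++) if (t - times[ip, j] <= findtime) c++
      if (c >= maxretry && !(ip in banned)) banned[ip] = c
    }
    END { for (ip in banned) print ip, banned[ip] }
  ' | LC_ALL=C sort
}

# Usage, mirroring the post's jail (maxretry 5; findtime defaults to 10 minutes):
#   sample_auth_log | find_brute_force 5 600
# On a live host: journalctl -u ssh -o short-unix | find_brute_force 5 600
```

With the post's settings only 203.0.113.5 is reported: 192.0.2.9 also fails five times, but spread over more than an hour, so it never has five failures inside one 10-minute window. Lengthening findtime catches slow attempts at the cost of more false positives.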

7. Disable Unnecessary Services

Why?

Running fewer services means fewer potential entry points for attackers, improving overall security.

How to Do It

List all active services:

sudo systemctl list-unit-files --type=service --state=enabled

Disable unneeded services:

sudo systemctl disable service_name

8. Set Proper File Permissions

Why?

Sensitive files like SSH and log files should have strict permissions to prevent unauthorized access or modification.

How to Do It

Restrict access to important files:

sudo chmod 600 /etc/ssh/sshd_config 
sudo chmod 640 /var/log/auth.log
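Setting modes once is not enough; they drift back when packages are reinstalled or files are recreated. The following is an added example (not from the original post) that checks a list of paths against the expected mode and owner, and separately lists world-writable files under a directory. The spec format ("path mode owner group") and the function names are this example's own; it relies on GNU stat -c, as found on Debian/Ubuntu and CentOS/RHEL.

```shell
#!/bin/sh
# Added example: verify file modes and ownership against a spec file.

# check_file_modes SPECFILE
# SPECFILE lines: "<path> <octal mode> <owner> <group>"; "#" starts a comment.
# Prints one line per entry; returns the number of entries that are missing
# or differ from the spec (capped by the shell at 255).
check_file_modes() {
  bad=0
  while read -r path mode owner group; do
    case $path in ''|\#*) continue ;; esac
    if [ ! -e "$path" ]; then
      echo "MISSING $path"
      bad=$((bad + 1))
      continue
    fi
    actual=$(stat -c '%a %U %G' "$path")    # GNU stat: mode owner group
    if [ "$actual" = "$mode $owner $group" ]; then
      echo "OK      $path $actual"
    else
      echo "BAD     $path is $actual (want $mode $owner $group)"
      bad=$((bad + 1))
    fi
  done <"$1"
  return "$bad"
}

# find_world_writable DIR
# Lists regular files under DIR that anyone on the system may modify.
find_world_writable() {
  find "$1" -type f -perm -o+w | LC_ALL=C sort
}

# Usage, with a spec matching the post's two chmod commands
# (on most systems both files are owned by root:root; /var/log/auth.log is
# root:adm on Debian/Ubuntu, so adjust the spec to your distribution):
#   printf '/etc/ssh/sshd_config 600 root root\n/var/log/auth.log 640 root adm\n' > /tmp/modes.spec
#   sudo sh -c '. ./check_modes.sh; check_file_modes /tmp/modes.spec; find_world_writable /etc'
```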

9. Enable Logging and Monitoring

Why?

Logging provides a record of system events, helping you detect unusual activities and analyze incidents.

How to Do It

Use rsyslog to manage logs, or consider a centralized logging solution like ELK (Elasticsearch, Logstash, Kibana) for easier monitoring.

10. Implement Auditing with auditd

Why?

Auditing monitors critical files and actions, alerting you to unauthorized changes or suspicious activity.

How to Do It

Install and configure auditd:

sudo apt install auditd

Add rules in /etc/audit/audit.rules to track important files:

-w /etc/passwd -p wa -k passwd_changes

Restart auditd to apply:

sudo systemctl restart auditd
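A rule is only useful if someone reads what it produces. The following added example (not from the original post, and not part of auditd's tooling, which provides ausearch and aureport for the same job) pulls the SYSCALL records tagged with a given key out of audit.log and reports the login uid, effective uid, executable and outcome. The log lines are constructed in the audit.log layout; the point they illustrate is that auid records who originally logged in, which survives sudo, so the second record is attributable to uid 1001 even though the attempt was denied.

```shell
#!/bin/sh
# Added example: extract records for one audit key from audit.log.

# Constructed sample in audit.log format (one event = SYSCALL + CWD + PATH).
sample_audit_log() {
  cat <<'EOF'
type=SYSCALL msg=audit(1731380100.123:901): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2b3a60 a2=241 a3=1b6 items=2 ppid=1400 pid=1422 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vipw" exe="/usr/sbin/vipw" key="passwd_changes"
type=CWD msg=audit(1731380100.123:901): cwd="/root"
type=PATH msg=audit(1731380100.123:901): item=0 name="/etc/passwd" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1731380200.456:902): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d0c3b2a0 a2=241 a3=1b6 items=1 ppid=2200 pid=2215 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="python3" exe="/usr/bin/python3" key="passwd_changes"
type=SYSCALL msg=audit(1731380300.789:903): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffe1 a2=0 a3=0 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="sshd_config"
EOF
}

# audit_events_for_key KEY < audit.log
# Prints "EPOCH auid=.. uid=.. exe=.. success=.." for each SYSCALL record
# whose key matches. auid is the login uid (who logged in), uid the
# effective uid at the time of the call.
audit_events_for_key() {
  awk -v want="$1" '
    $1 != "type=SYSCALL" { next }
    {
      split("", f)                              # clear the field map
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq == 0) continue
        k = substr($i, 1, eq - 1)
        v = substr($i, eq + 1)
        gsub(/"/, "", v)                        # strip quoting around values
        f[k] = v
      }
      if (f["key"] != want) next
      ts = f["msg"]                             # audit(EPOCH.ms:serial):
      sub(/^audit\(/, "", ts)
      sub(/\..*$/, "", ts)
      printf "%s auid=%s uid=%s exe=%s success=%s\n", ts, f["auid"], f["uid"], f["exe"], f["success"]
    }
  '
}

# Usage:
#   sample_audit_log | audit_events_for_key passwd_changes
# On a live host: sudo sh -c 'audit_events_for_key passwd_changes < /var/log/audit/audit.log'
```

The auid value 4294967295 on the third record is the "unset" login uid that daemons started at boot carry; seeing it on a write to a watched file is itself worth a look.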

11. Secure SSH Configuration

Why?

Configuring SSH settings hardens your server against attacks by limiting login options.

How to Do It

Open /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config

Adjust settings:

Port 2222                  # Change the default SSH port
PasswordAuthentication no # Disable password login
Protocol 2 # Use SSH protocol 2 only

Restart SSH:

sudo systemctl restart sshd
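Sections 1, 2 and 11 all edit sshd_config, and a common mistake is to add a setting below an existing one, which sshd silently ignores because it takes the first occurrence of each keyword. The following added example (not from the original post, and not OpenSSH's own tooling; sshd -T prints the effective configuration if you want the authoritative view) reads a config the way sshd does and checks the values those sections set. The defaults assumed for absent keywords are those of OpenSSH (PermitRootLogin prohibit-password, PasswordAuthentication yes, PubkeyAuthentication yes); settings inside a Match block are conditional and are not evaluated.

```shell
#!/bin/sh
# Added example: audit sshd_config for the settings changed in this guide.

# sshd_option FILE KEYWORD
# Prints the effective global value: the first uncommented occurrence wins,
# reading stops at the first Match block, and DEFAULT is printed when the
# keyword never appears. Assumes "Keyword value" form (whitespace separated).
sshd_option() {
  awk -v key="$2" '
    tolower($1) == "match" { exit }                 # everything after is conditional
    /^[[:space:]]*#/ || NF == 0 { next }            # comments and blank lines
    tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins
  ' "$1" | grep . || echo DEFAULT
}

# audit_sshd FILE
# One line per check; returns the number of failed checks.
audit_sshd() {
  file=$1 fails=0
  while IFS='|' read -r key ok def; do
    [ -z "$key" ] && continue
    val=$(sshd_option "$file" "$key")
    [ "$val" = DEFAULT ] && val=$def
    if [ "$val" = "$ok" ]; then
      echo "OK   $key=$val"
    else
      echo "FAIL $key=$val (want $ok)"
      fails=$((fails + 1))
    fi
  done <<EOF
PermitRootLogin|no|prohibit-password
PasswordAuthentication|no|yes
PubkeyAuthentication|yes|yes
EOF
  return "$fails"
}

# Usage:  audit_sshd /etc/ssh/sshd_config
# Only keywords in the file itself are seen; on Ubuntu, also check the
# drop-ins in /etc/ssh/sshd_config.d/, which sshd includes first.
```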

12. Harden Kernel Parameters

Why?

Kernel hardening secures network settings and mitigates certain attacks by restricting network behaviors.

How to Do It

Open /etc/sysctl.conf and add settings:

net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0

Apply changes:

sudo sysctl -p
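sysctl -p applies the file but does not tell you later whether the values are still in force (another tool, a container runtime, or a reboot without the file can change them). The following added example (not from the original post) reads a sysctl.conf-style file and compares each key with the live value under /proc/sys, which is where sysctl(8) itself reads and writes: "net.ipv4.tcp_syncookies" maps to /proc/sys/net/ipv4/tcp_syncookies. The second argument lets the check run against a different root, which the example uses for testing; it accepts any key in that form, including the kernel.randomize_va_space setting later in the post.

```shell
#!/bin/sh
# Added example: detect drift between sysctl.conf and the running kernel.

# check_sysctl CONF [PROCSYS_ROOT]
# CONF holds "key = value" lines (comments with "#", "key=value" also accepted).
# Prints OK / DRIFT / MISSING per key; returns the number of keys not OK.
check_sysctl() {
  conf=$1 root=${2:-/proc/sys} bad=0
  while IFS= read -r line; do
    line=${line%%#*}                                   # drop comments
    key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*//; s/^[[:space:]]*//')
    want=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    [ -z "$key" ] && continue                          # blank line
    path="$root/$(printf '%s' "$key" | tr . /)"        # a.b.c -> a/b/c
    if [ ! -r "$path" ]; then
      echo "MISSING $key (no $path)"
      bad=$((bad + 1))
    elif [ "$(cat "$path")" = "$want" ]; then
      echo "OK      $key = $want"
    else
      echo "DRIFT   $key = $(cat "$path") (want $want)"
      bad=$((bad + 1))
    fi
  done <"$conf"
  return "$bad"
}

# Usage:  check_sysctl /etc/sysctl.conf
# Run it from cron and alert on a non-zero return to catch silent changes.
```

MISSING usually means the kernel lacks the feature or the module is not loaded (for example an IPv6 key on a host with IPv6 disabled); it is worth distinguishing from DRIFT because the fix is different.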

13. Schedule Regular Backups

Why?

Backups ensure data is recoverable in case of a cyberattack, accidental deletion, or system failure.

How to Do It

Use rsync or tar for backups:

rsync -av /important_data /backup_location

14. Set Resource Limits

Why?

Resource limits help prevent denial-of-service (DoS) attacks by limiting user resource consumption.

How to Do It

Edit /etc/security/limits.conf:

sudo nano /etc/security/limits.conf

Set limits:

* soft nproc 4096
* hard nproc 8192

15. Use Security Scanning Tools

Why?

Security scanners identify misconfigurations and vulnerabilities, helping you fix issues before attackers exploit them.

How to Do It

Install Lynis:

sudo apt install lynis

Run a system scan:

sudo lynis audit system

16. Protect Against Malware

Why?

Linux can still be vulnerable to malware, especially in environments with internet access or file sharing.

How to Do It

Install ClamAV:

sudo apt install clamav

Update and scan:

sudo freshclam 
sudo clamscan -r /directory_to_scan

17. Enable Multi-Factor Authentication (MFA)

Why?

MFA adds a second layer of verification, making it more difficult for attackers to gain access, even with a password.

How to Do It

Install Google Authenticator:

sudo apt install libpam-google-authenticator

Set up MFA:

google-authenticator

Enable MFA in PAM configuration:

sudo nano /etc/pam.d/sshd

Add:

auth required pam_google_authenticator.so

18. Implement Network Segmentation

Why?

Network segmentation limits traffic between different parts of your infrastructure, reducing the impact if an attacker gains access. By isolating sensitive services on private subnets or VLANs, you limit exposure and protect data.

How to Do It

  1. On AWS or other cloud platforms, use Virtual Private Clouds (VPCs) and subnets.
  2. With Firewalls, configure rules to separate traffic between different services.
  3. On Linux: Configure iptables to create network segmentation by defining strict rules for each service or IP address range that’s allowed access.

Example:

sudo iptables -A INPUT -p tcp -s trusted_ip --dport 22 -j ACCEPT

19. Restrict sudo Access

Why?

Limiting sudo access minimizes the risk of privilege escalation. Only trusted users should have sudo privileges, as any commands they execute can affect the entire system.

How to Do It

Edit the sudoers file:

sudo visudo

Define specific permissions for each user or user group:

username ALL=(ALL) NOPASSWD: /path/to/specific_command

Regularly audit the sudoers file to ensure only necessary permissions are granted.
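Auditing sudoers by eye gets hard once there are many entries, so here is an added example (not from the original post, and not the sudo project's own tooling; sudo -l -U user gives the authoritative per-user view) that classifies each user specification by what it actually grants. An entry whose command list is ALL is full root; NOPASSWD on such an entry means any process running as that user has unprompted root. The sudoers excerpt is constructed, and the class names are this example's own.

```shell
#!/bin/sh
# Added example: summarise the grants in a sudoers file.

# Constructed sudoers excerpt for the example.
sample_sudoers() {
  cat <<'EOF'
# constructed sudoers excerpt
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart myapp
backup  ALL=(ALL) NOPASSWD: ALL
alice   ALL=(root) /usr/bin/apt-get update, /usr/bin/apt-get upgrade
EOF
}

# sudoers_report < sudoers
# Prints "CLASS who command-list" per user specification, where CLASS is
# UNRESTRICTED (command list is ALL) or SCOPED (named commands), with a
# -NOPASSWD suffix when the NOPASSWD: tag is set. Defaults lines, comments
# and #include directives are skipped.
sudoers_report() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    $1 == "Defaults" { next }
    $2 !~ /=/ { next }                          # not "user HOST=(runas) cmds"
    {
      cmd = $0
      sub(/^[^=]*=[[:space:]]*/, "", cmd)       # drop "user HOST="
      sub(/^\([^)]*\)[[:space:]]*/, "", cmd)    # drop "(runas)"
      nopass = (cmd ~ /^NOPASSWD:/)
      sub(/^NOPASSWD:[[:space:]]*/, "", cmd)
      class = (cmd == "ALL") ? "UNRESTRICTED" : "SCOPED"
      if (nopass) class = class "-NOPASSWD"
      print class, $1, cmd
    }
  '
}

# Usage:
#   sample_sudoers | sudoers_report
# On a live host (drop-ins included):
#   sudo cat /etc/sudoers /etc/sudoers.d/* | sudoers_report | grep UNRESTRICTED
```

In the sample, the backup account is the one to question: a scoped NOPASSWD entry for a single restart command (deploy) is what the post recommends, while NOPASSWD: ALL for a service account is equivalent to giving it the root password.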

20. Enforce AppArmor or SELinux for Mandatory Access Control

Why?

AppArmor and SELinux are mandatory access control systems that add fine-grained permissions, confining processes to a limited set of resources and actions. This limits the impact if a process is compromised.

How to Do It

For AppArmor (Ubuntu/Debian):

  • Check if AppArmor is enabled:
sudo apparmor_status
  • Configure specific profiles for services in /etc/apparmor.d/.

For SELinux (CentOS/RHEL):

  • Enable SELinux:
sudo setenforce 1
  • Use semanage to define policies:
sudo semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"

21. Use Port Knocking for SSH Access

Why?

Port knocking helps hide the SSH port by requiring a sequence of port “knocks” to open the SSH port, making it harder for attackers to detect your SSH service.

How to Do It

Install knockd on your server:

sudo apt install knockd

Configure port knocking in /etc/knockd.conf:

[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

Start knockd:

sudo systemctl start knockd

Now, only after knocking on ports 7000, 8000, and 9000 in that order will port 22 open for SSH.

22. Limit Open Ports to Reduce Attack Surface

Why?

Open ports represent entry points for potential attackers. Limiting them to necessary services reduces the risk of unauthorized access.

How to Do It

Use netstat or ss to view open ports:

sudo ss -tuln

Close unnecessary ports by disabling or firewalling services:

sudo systemctl stop service_name
sudo systemctl disable service_name

For example, if only SSH and HTTP/HTTPS are needed, ensure only ports 22, 80, and 443 are open.
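Comparing ss output against the list of ports you intend to expose is easy to automate. The following added example (not from the original post) parses ss -tuln output, ignores sockets bound only to loopback (they are not reachable from the network), and prints every remaining listener whose port is not in the allowlist. The ss output is constructed; the column layout matches what ss -tuln prints on current iproute2, where the local address is the fifth column.

```shell
#!/bin/sh
# Added example: report listening sockets outside an allowlist.

# Constructed "ss -tuln" output for the example.
sample_ss_output() {
  cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53  0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511    *:80              *:*
tcp   LISTEN 0      511    *:443             *:*
tcp   LISTEN 0      80     127.0.0.1:3306    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:6379      0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*
tcp   LISTEN 0      128    [::]:111          [::]:*
EOF
}

# unexpected_listeners "PORT PORT ..." < ss-output
# Prints "proto local-address:port" for each network-reachable listener
# whose port is not in the allowlist, sorted.
unexpected_listeners() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                             # header line
    $1 != "tcp" && $1 != "udp" { next }
    $1 == "tcp" && $2 != "LISTEN" { next }       # udp sockets show UNCONN
    {
      laddr = $5
      port = laddr; sub(/.*:/, "", port)         # text after the last colon
      host = laddr; sub(/:[^:]*$/, "", host)     # text before it (IPv6 in [])
      if (host == "[::1]" || host ~ /^127\./) next   # loopback only
      if (!(port in ok)) print $1, laddr
    }
  ' | LC_ALL=C sort
}

# Usage, with the post's three services:
#   sample_ss_output | unexpected_listeners "22 80 443"
# On a live host:   ss -tuln | unexpected_listeners "22 80 443"
```

On the sample, the check surfaces a Redis listener on 6379 and rpcbind on 111 bound to all interfaces, plus a DHCP client on udp/68; the MySQL socket on 127.0.0.1:3306 is not reported because it is loopback-bound. Anything reported should be either stopped and disabled as shown above or, if it must run, bound to loopback or firewalled.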

23. Use File Integrity Monitoring (FIM)

Why?

File Integrity Monitoring (FIM) detects unauthorized changes to critical system files, helping identify potential compromises or malicious modifications.

How to Do It

Install an FIM tool like AIDE (Advanced Intrusion Detection Environment):

sudo apt install aide

Initialize the AIDE database:

sudo aideinit

Set up a cron job to run regular AIDE checks:

sudo crontab -e

Add:

0 3 * * * /usr/bin/aide --check
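To show what AIDE's database and check actually do, here is an added example (not from the original post, and not AIDE's code) that builds a baseline of SHA-256 digests for every regular file under a directory and later reports files that were added, changed or removed. It relies on sha256sum from GNU coreutils; the function names and the database format (one "digest  path" line per file) are this example's own, and unlike AIDE it does not record ownership, mode or timestamps.

```shell
#!/bin/sh
# Added example: a minimal file integrity check in the spirit of AIDE.

# hash_tree DIR  -> "digest  ./relative/path" for each regular file, sorted
hash_tree() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      sha256sum "$f"
    done )
}

# fim_baseline DIR DBFILE  -> record the current state of DIR into DBFILE
fim_baseline() {
  hash_tree "$1" >"$2"
}

# fim_check DIR DBFILE
# Prints ADDED / CHANGED / REMOVED lines relative to DBFILE; returns the
# number of findings (0 when the tree matches the baseline).
fim_check() {
  findings=$(hash_tree "$1" | awk -F '  ' -v db="$2" '
    BEGIN {
      while ((getline line < db) > 0) { split(line, p, "  "); base[p[2]] = p[1] }
    }
    NF < 2 { next }
    {
      if (!($2 in base)) print "ADDED   " $2
      else if (base[$2] != $1) print "CHANGED " $2
      seen[$2] = 1
    }
    END { for (f in base) if (!(f in seen)) print "REMOVED " f }
  ' | LC_ALL=C sort)
  if [ -z "$findings" ]; then
    return 0
  fi
  printf '%s\n' "$findings"
  return "$(printf '%s\n' "$findings" | grep -c .)"
}

# Usage (database kept outside the tree it describes):
#   fim_baseline /etc /var/lib/fim/etc.db
#   fim_check /etc /var/lib/fim/etc.db        # e.g. from the 03:00 cron job
```

The baseline only proves anything if an intruder cannot rewrite it, so store it read-only or off the host; the same applies to AIDE's database, which is why AIDE ships its database separately from the files it checks.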

24. Implement Rate Limiting

Why?

Rate limiting protects against denial-of-service (DoS) attacks by limiting the number of requests or logins from a single IP address.

How to Do It

Use iptables to limit SSH connections:

sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
  • This restricts SSH connections to a maximum of 3 attempts per minute.

Alternatively, configure rate limits with Fail2Ban by adjusting the findtime and maxretry options in /etc/fail2ban/jail.conf.

25. Encrypt Sensitive Data

Why?

Encryption protects data in case of a security breach by making it unreadable to unauthorized users. This applies to data stored on disk and transmitted over the network.

How to Do It

Data at Rest: Use encryption tools like ecryptfs or LUKS to encrypt sensitive files and partitions.

sudo apt install ecryptfs-utils
sudo ecryptfs-setup-private

Data in Transit: Ensure all data transfers use encrypted channels (e.g., HTTPS for web traffic, SFTP for file transfers).

26. Set Up DNS Security Extensions (DNSSEC)

Why?

DNSSEC protects your DNS records from tampering by adding verification, preventing attackers from redirecting traffic to malicious sites.

How to Do It

With BIND: Enable DNSSEC in the named.conf file by adding:

dnssec-enable yes;
dnssec-validation auto;

On Cloud Providers: Many DNS providers (like AWS Route 53) offer DNSSEC as an option in their configuration settings.

27. Use a Host-Based Intrusion Detection System (HIDS)

Why?

A HIDS monitors your server for suspicious activity, alerting you to potential intrusions in real time.

How to Do It

Install a HIDS like OSSEC:

sudo apt install ossec-hids

Configure alert thresholds and actions to receive notifications for any detected malicious activity.

28. Regularly Rotate Encryption Keys and Credentials

Why?

Regularly rotating keys, passwords, and certificates reduces the likelihood of old, compromised credentials remaining in use.

How to Do It

  1. Use a Credential Management System to handle key rotation, like AWS KMS for AWS resources.
  2. Rotate SSH keys, API keys, and passwords on a regular basis by generating new ones and removing old ones.

29. Apply Principle of Least Privilege (PoLP)

Why?

The Principle of Least Privilege ensures users and processes only have the permissions they absolutely need, reducing the potential impact of compromised accounts.

How to Do It

  1. Assign specific permissions to each user in /etc/sudoers rather than granting full sudo access.
  2. For database users, grant access only to the specific tables or operations needed.
  3. Example for MySQL:
GRANT SELECT, INSERT ON database.* TO 'user'@'host';

30. Monitor for Configuration Drift

Why?

Configuration drift, where server configurations deviate from the original secure state, can introduce vulnerabilities over time. Automated configuration checks can keep you aware of unauthorized changes.

How to Do It

  1. Use a configuration management tool like Ansible, Chef, or Puppet to define and enforce a secure baseline configuration.
  2. Regularly audit configurations with tools like Lynis or custom scripts.

31. Set Up a Web Application Firewall (WAF)

Why?

A Web Application Firewall (WAF) protects against common web-based attacks, such as SQL injection, cross-site scripting (XSS), and request forgery. This is essential if your Linux server hosts web applications.

How to Do It

Use a WAF like ModSecurity to protect web applications:

sudo apt install libapache2-mod-security2  # For Apache
sudo apt install modsecurity-crs # Install Core Rule Set (CRS) rules

Enable ModSecurity by adding these lines in your web server’s configuration file:

SecRuleEngine On

Regularly update your WAF rules to cover the latest threats.

32. Implement Application Sandboxing

Why?

Application sandboxing isolates applications from each other, minimizing the risk that a vulnerability in one application affects the entire server.

How to Do It

Use Firejail or AppArmor for application sandboxing:

sudo apt install firejail

To sandbox a program, use Firejail:

firejail program_name

Configure profiles for each application to restrict access to files and directories they don’t need.

33. Configure Two-Factor Authentication (2FA) for SSH with Duo

Why?

Adding two-factor authentication (2FA) provides a second layer of security, making it much harder for unauthorized users to access the server.

How to Do It

Install Duo Security’s PAM module for 2FA:

sudo apt install libpam-duo

Configure /etc/duo/pam_duo.conf to set up the Duo parameters.

Update /etc/pam.d/sshd to enable Duo:

auth required pam_duo.so

Test logging in with SSH to verify 2FA is working.

34. Conduct Regular Vulnerability Scans

Why?

Vulnerability scans help you identify and address security issues in the server and software before attackers can exploit them.

How to Do It

Use OpenVAS or Nessus to conduct scans. For OpenVAS:

sudo apt install openvas

Follow the instructions to set up and run scans.

Schedule scans weekly or monthly and address any vulnerabilities found.

35. Implement Data Loss Prevention (DLP) Measures

Why?

Data Loss Prevention (DLP) protects sensitive information from unauthorized access and prevents accidental or intentional leaks.

How to Do It

  1. Use file integrity monitoring tools like AIDE to track changes to sensitive data.
  2. Encrypt all sensitive data using GPG or OpenSSL.
  3. Set permissions on sensitive files and ensure they are not accessible by non-authorized users.

36. Use Immutable Backups and Snapshots

Why?

Immutable backups prevent modification or deletion, ensuring that you have a reliable recovery point if data is compromised.

How to Do It

  1. Use cloud backup solutions with immutable backup options (e.g., AWS Backup).
  2. Set up regular snapshots of data and server configurations on cloud platforms like AWS or using rsync for local snapshots.

37. Configure Advanced Auditing with Auditbeat and Filebeat

Why?

Auditbeat and Filebeat (Elastic’s Beats suite) provide advanced logging and auditing features, allowing for in-depth monitoring of file integrity, login attempts, and more.

How to Do It

Install Filebeat and Auditbeat:

sudo apt install filebeat auditbeat

Configure auditbeat.yml to monitor critical files and log all activities.

Integrate with an ELK stack (Elasticsearch, Logstash, Kibana) for real-time alerts and monitoring.

38. Set Up Remote Logging

Why?

Remote logging ensures you have a copy of logs even if your server is compromised, allowing you to analyze incidents without relying on potentially tampered local logs.

How to Do It

Configure rsyslog to forward logs to a remote server:

sudo nano /etc/rsyslog.conf

Add:

*.* @remote_log_server:514

Restart rsyslog:

sudo systemctl restart rsyslog

39. Perform Regular Penetration Testing

Why?

Penetration testing simulates attacks on your server to uncover weaknesses, providing insights into areas that need reinforcement.

How to Do It

Use tools like Metasploit, Nmap, or Nikto to perform tests.

sudo apt install nmap nikto

Work with a qualified penetration tester for in-depth assessments.

Act on findings to mitigate vulnerabilities.

40. Implement Access Control Lists (ACLs) for Fine-Grained Permissions

Why?

ACLs provide more flexibility than traditional permissions, allowing you to specify access control at a more granular level for different users and groups.

How to Do It

  1. Enable ACLs if not already enabled by default.
  2. Use setfacl to define permissions on files:
sudo setfacl -m u:username:rwx /path/to/file

Use getfacl to review ACLs:

getfacl /path/to/file

41. Use Bastion Hosts for Secure Server Access

Why?

A bastion host is a secure server used to access other servers, adding a layer of control and logging for access to sensitive servers.

How to Do It

  1. Set up a separate bastion server with strict security controls and access monitoring.
  2. Require all SSH traffic to production servers to go through the bastion host.
  3. Configure MFA and detailed logging on the bastion for secure access tracking.

42. Harden Database Access

Why?

Databases often store sensitive information and are common attack targets. Securing database access reduces the risk of data breaches.

How to Do It

  1. Restrict database access to specific IPs using configuration settings in MySQL, PostgreSQL, or other databases.
  2. Use encryption for data at rest and in transit.
  3. Regularly update database passwords and apply the least privilege principle to user roles.

43. Regularly Review Logs and Analyze Suspicious Activities

Why?

Regular log reviews help detect suspicious activities early, giving you the chance to respond to security incidents proactively.

How to Do It

  1. Set up tools like Splunk or Graylog for log analysis and visualization.
  2. Create automated alerts for specific events, such as repeated failed login attempts or unusual file access patterns.
  3. Review critical logs regularly (auth.log, syslog, and application-specific logs).

44. Encrypt Disk Partitions

Why?

Encrypting disk partitions protects data in case of hardware theft or unauthorized physical access.

How to Do It

Use LUKS (Linux Unified Key Setup) to encrypt partitions:

sudo cryptsetup luksFormat /dev/sdx

Create a passphrase and follow prompts to complete encryption.

Mount the encrypted partition using cryptsetup:

sudo cryptsetup luksOpen /dev/sdx encrypted_partition

45. Implement Zero-Trust Architecture Principles

Why?

Zero-trust principles mandate strict verification for every request, reducing the risk of insider threats and unauthorized access.

How to Do It

  1. Set up multi-factor authentication and apply least privilege principles across all services.
  2. Configure role-based access control (RBAC) on all applications.
  3. Use a policy engine (such as Open Policy Agent) to define fine-grained access policies for each service.

46. Apply a Honeypot System for Detection

Why?

Honeypots detect and track attackers by luring them to a vulnerable “fake” system, allowing you to study attack patterns without risking production systems.

How to Do It

Use tools like Cowrie or Dionaea to set up a honeypot.

sudo apt install cowrie
  1. Configure the honeypot on a separate network or subnet to capture attack data.
  2. Monitor honeypot activity to gain insights into attack methods.

47. Implement Server Hardening with CIS Benchmarks

Why?

The Center for Internet Security (CIS) provides industry-standard benchmarks to harden server configurations, ensuring compliance with best practices.

How to Do It

  1. Download the appropriate CIS benchmark for your server’s OS.
  2. Use tools like CIS-CAT or Lynis to automate benchmarking and scan for non-compliant settings.
sudo apt install lynis 
sudo lynis audit system

Address non-compliance issues by following CIS recommendations.

48. Use Just-In-Time (JIT) Access Controls

Why?

Just-In-Time (JIT) access reduces risk by granting temporary access to users or applications only when needed, and only for a limited duration.

How to Do It

  1. Use tools like AWS Identity and Access Management (IAM) to enforce JIT policies.
  2. Configure automated workflows to allow temporary SSH keys to be issued and automatically revoked after the access window closes.
  3. Track JIT access requests and review them periodically for anomalies.

49. Implement Endpoint Detection and Response (EDR) Tools

Why?

Endpoint Detection and Response (EDR) tools provide advanced threat detection by monitoring server behavior, logging unusual activities, and providing incident response capabilities.

How to Do It

  1. Use EDR solutions like CrowdStrike Falcon or OSSEC.
  2. Configure EDR policies to detect specific threat behaviors and isolate infected endpoints if necessary.
  3. Regularly review and update EDR policies based on observed activity and emerging threats.

50. Use Hardware Security Modules (HSMs) for Key Management

Why?

Hardware Security Modules (HSMs) are tamper-resistant devices that securely manage encryption keys, adding an extra layer of physical security for sensitive cryptographic operations.

How to Do It

  1. Deploy an HSM for applications that handle sensitive data (e.g., financial transactions).
  2. Configure applications to use the HSM for cryptographic operations, such as TLS key storage and encryption.
  3. Regularly rotate and audit keys stored in the HSM to maintain security.

51. Apply Immutable Infrastructure Principles

Why?

Immutable infrastructure ensures that any changes or updates are made by replacing the entire system with a fresh version. This prevents configuration drift and limits the risk of unnoticed changes.

How to Do It

  1. Use Docker containers or HashiCorp Packer for creating immutable images.
  2. For critical updates, deploy new instances rather than updating the existing ones.
  3. Automate deployments with infrastructure-as-code tools like Terraform to ensure consistency.

52. Conduct Regular Compliance Audits

Why?

Compliance audits help verify that your server adheres to industry regulations (e.g., GDPR, HIPAA), which may require encryption, logging, or specific access controls.

How to Do It

  1. Use tools like Auditd or OpenSCAP to automate compliance checks.
  2. Set up regular auditing to review changes, permission violations, and access logs.
  3. Address any compliance issues promptly and document changes for audit records.

53. Create a Disaster Recovery Plan (DRP)

Why?

A Disaster Recovery Plan (DRP) enables quick recovery and continuity of services in case of data loss, security incidents, or hardware failure.

How to Do It

  1. Identify critical data, applications, and infrastructure needed for recovery.
  2. Set up automated backups to an offsite location, preferably encrypted.
  3. Regularly test the DRP by simulating disasters and ensuring all recovery steps are effective.

54. Harden the Kernel with Grsecurity

Why?

Grsecurity is a set of kernel patches that provide enhanced security features, including exploit mitigation and access control, hardening the kernel against many classes of attacks.

How to Do It

  1. Download the Grsecurity patches and apply them to the Linux kernel source.
  2. Recompile and install the patched kernel on your server.
  3. Configure Grsecurity settings to enforce strict access controls and mitigate memory-based exploits.

Note: Grsecurity is available for commercial use and may require a subscription for access.

55. Enable Memory Protection with ExecShield

Why?

ExecShield protects against buffer overflow and memory corruption attacks by marking memory segments as non-executable.

How to Do It

If using CentOS, enable ExecShield by adding the following to /etc/sysctl.conf:

kernel.exec-shield=1

Enable other related settings like Address Space Layout Randomization (ASLR) to make exploitation harder:

kernel.randomize_va_space=2

56. Set Up Security Information and Event Management (SIEM)

Why?

A SIEM system aggregates and analyzes log data from across your infrastructure, providing centralized insight into security incidents and supporting compliance.

How to Do It

  1. Use tools like Splunk, AlienVault, or ELK Stack for SIEM.
  2. Configure the SIEM system to collect logs from servers, applications, and network devices.
  3. Set up alerting rules for high-severity incidents and review logs regularly to detect unusual patterns.

57. Restrict Access with Role-Based Access Control (RBAC) for Applications

Why?

RBAC enforces least privilege by assigning access based on job roles, minimizing the permissions each user or process has to only what’s necessary.

How to Do It

  1. Define roles and associated permissions within applications (e.g., using IAM for AWS resources).
  2. Review role assignments regularly to ensure users and services have appropriate permissions.
  3. Document role definitions and permissions for auditing.

58. Create a Data Retention Policy

Why?

Data retention policies define how long data is stored, helping to reduce storage costs and minimizing the risk of data leaks by removing unnecessary data.

How to Do It

  1. Set up automated data deletion schedules using cron jobs or cloud lifecycle policies.
  2. Define retention periods based on regulatory requirements and business needs.
  3. Ensure sensitive data is securely deleted to prevent recovery.

59. Set Up Honeytokens to Detect Unauthorized Access

Why?

Honeytokens are decoy data entries designed to detect unauthorized access or unusual activity. They act like digital “tripwires” and help identify insider threats or data breaches.

How to Do It

  1. Insert a fake record in your database that would only be accessed by unauthorized users.
  2. Set up monitoring to alert you when the honeytoken is accessed or modified.
  3. Investigate any alert to determine if unauthorized access has occurred.

Conclusion

Securing a Linux server is a continuous process that demands diligence and vigilance. Implementing these steps goes a long way in protecting your server from the vast majority of attacks. Remember, layering security measures — like firewalls, encryption, access control, and regular audits — helps create a robust defense against emerging threats. By staying proactive and regularly reviewing your server’s security posture, you’ll help ensure that your Linux environment remains secure and resilient.

These steps will give you a strong foundation for Linux server security and can be adapted to evolving threats and specific environments.
