Sunucu Yönetimi

Linux Server Basic Security Hardening Guide (Ubuntu/CentOS): Step-by-Step Protection

 · 

Linux Server Basic Security Hardening Guide (Ubuntu/CentOS): Step-by-Step Protection

Why is Basic Security Hardening (Hardening) Important on Linux Servers?

In today's digital world, the security of your servers forms the foundation of your business continuity and data integrity. Linux-based servers, in particular, are an indispensable part of corporate infrastructures due to their flexibility and robust structure. However, this power can also harbor potential security vulnerabilities if not configured correctly. This is where basic security hardening comes into play. Taking proactive steps to protect your servers against potential cyber attacks, unauthorized access, and data breaches is vital.

Before You Start: Preparation and Best Practices

Before embarking on security hardening procedures, it is strongly recommended that you consider the following steps:

  • Perform Backups: Take a full backup of your server before making any changes. This allows you to quickly revert in case of unexpected issues.
  • Use a Test Environment: Testing security steps in a test environment before applying them to critical production servers will prevent potential outages.
  • Documentation: Document every change you make, along with its date and reason.

Step 1: Keep Updated and Manage Patches

Software updates contain patches that close known security vulnerabilities. Keeping your server updated is the most fundamental security step.

For Ubuntu/Debian Based Systems:

sudo apt update
sudo apt upgrade -y
sudo apt dist-upgrade -y
sudo apt autoremove -y

For CentOS/RHEL Based Systems:

sudo yum update -y
sudo yum upgrade -y
sudo yum autoremove -y

Configuring automatic updates can make this process more manageable, but manually checking for critical updates is always a good practice.

Step 2: Harden SSH Security

SSH (Secure Shell) is the most common protocol used for remote access to Linux servers. Ensuring SSH security is key to preventing unauthorized access.

1. Change the Default SSH Port

Move the default port 22 to a different port (e.g., 2222) to avoid common scans.

sudo nano /etc/ssh/sshd_config

Find and change the following line:

#Port 22
Port 2222

2. Use Key-Based Authentication Instead of Passwords

Using SSH key pairs instead of password-based authentication is much more secure.

sudo nano /etc/ssh/sshd_config

Check and set the following lines:

PasswordAuthentication no
PubkeyAuthentication yes

3. Disable Direct Root Access

Preventing the root user from directly accessing via SSH reduces the attack surface on your system.

sudo nano /etc/ssh/sshd_config

Find and change the following line:

PermitRootLogin no

After making changes, restart the SSH service:

sudo systemctl restart sshd

Important: After changing SSH settings, open a new session with the new port and key to verify access. Make sure the new settings are working before closing your current session!

Step 3: Implement Strong Password Policies

Enforcing users to use strong and complex passwords provides protection against brute-force attacks.

  • Set minimum password length and complexity (uppercase/lowercase letters, numbers, special characters).
  • Implement password aging policies.
  • Improve password quality with the pam_pwquality module (Ubuntu/CentOS).
sudo apt install libpam-pwquality # Ubuntu
sudo yum install pam_pwquality # CentOS

You can then tighten password policies by editing the /etc/pam.d/common-password (Ubuntu) or /etc/pam.d/system-auth (CentOS) file.

Step 4: User and Group Management

Ensure that only necessary users and groups exist on your system.

  • Delete or disable unnecessary user accounts.
  • Grant privileges to each user based on the Principle of Least Privilege.
  • Assign administrative privileges to specific users using the sudo group, avoiding direct use of the root user.
sudo adduser new_user
sudo usermod -aG sudo new_user

Step 5: Firewall Configuration

A firewall controls incoming and outgoing network traffic to your server, preventing unwanted access.

For Ubuntu with UFW (Uncomplicated Firewall):

sudo ufw enable
sudo ufw allow ssh # or your custom port like 2222
sudo ufw allow http
sudo ufw allow https
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw status verbose

For CentOS with firewalld:

sudo systemctl enable firewalld
sudo systemctl start firewalld
sudo firewall-cmd --permanent --add-service=ssh # or --add-port=2222/tcp
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
sudo firewall-cmd --list-all

Step 6: Disable Unnecessary Services

Disabling services that are not running and not needed on your server significantly reduces the attack surface.

sudo systemctl list-units --type=service --state=running
sudo systemctl disable <service_name>
sudo systemctl stop <service_name>

Before disabling any service, always check if it is necessary for your system or if it has dependencies on other services.

Step 7: Log Management and Monitoring

Regularly monitoring and analyzing system logs allows you to detect potential security incidents early.

  • Regularly check log files in the /var/log directory (auth.log, syslog, messages, etc.).
  • Consider sending logs to a central server (SIEM) using tools like rsyslog or journalctl.
  • Tools like Fail2Ban can automatically block attacker IPs by monitoring failed login attempts.
sudo apt install fail2ban # Ubuntu
sudo yum install fail2ban # CentOS
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Step 8: Antivirus and Rootkit Scanners

While Linux systems do not face as widespread virus threats as Windows, it is important to provide protection against malware and rootkits.

  • ClamAV: Can scan for known viruses.
  • chkrootkit / rkhunter: Helps detect the presence of rootkits on the system.
sudo apt install clamav chkrootkit rkhunter # Ubuntu
sudo yum install clamav chkrootkit rkhunter # CentOS

Run these tools regularly to scan your system.

Step 9: Enable SELinux (CentOS) or AppArmor (Ubuntu)

These security mechanisms provide an additional layer of protection by restricting applications' and users' access to system resources.

  • SELinux (Security-Enhanced Linux): Found by default on CentOS/RHEL systems. It is generally recommended to run it in Enforcing mode.
  • AppArmor: Found by default on Ubuntu systems. Security is provided by defining profiles on an application basis.

Proper configuration of these tools can be complex, but the security benefits they provide are undeniable.

Step 10: Regular Backup Strategies

Even the best security measures do not provide 100% protection. Regular and secure backups are critical to recover your data in the event of a disaster.

  • Back up your data at regular intervals.
  • Store backups in a secure, preferably separate location (cloud storage, a separate server).
  • Periodically test the restorability of backups.

Conclusion: Security is a Continuous Journey

Security hardening on Linux servers is not a one-time task; it is an ongoing process. As cyber threats evolve, your security measures must also remain current. By implementing the steps outlined above, you can significantly enhance your servers' security posture and make them more resilient against potential attacks. Remember, a proactive security approach is always more effective and less costly than being reactive.

← Blog Listesine Dön