Sunucu Yönetimi

Basic Security Hardening Guide for Linux Servers: A Step-by-Step Approach for Ubuntu and CentOS

 · 

Basic Security Hardening Guide for Linux Servers: A Step-by-Step Approach for Ubuntu and CentOS

Basic Security Hardening Guide for Linux Servers: A Step-by-Step Approach for Ubuntu and CentOS

In today's digital world, cybersecurity threats are increasing and becoming more complex every day. Our servers, especially those exposed to the internet, are constantly subjected to attack attempts. Therefore, taking proactive steps to maximize the security of your Linux servers is vitally important. In this guide, we will detail the basic security hardening steps you can apply to your Ubuntu and CentOS-based Linux servers.

Why Is Linux Server Security So Critical?

Linux is the preferred operating system for the vast majority of servers worldwide due to its reliability and flexibility. However, its popularity also makes it an attractive target for cyber attackers. A server breach can lead to serious problems such as data loss, service outages, reputational damage, and legal consequences. Basic security hardening practices are the first and most important step in minimizing these risks.

Basic Security Hardening Steps

1. Keep the System Updated

Software updates include patches that close known security vulnerabilities. Keeping your system and all installed packages up to date significantly reduces potential attack vectors.

  • For Ubuntu/Debian based systems:
    sudo apt update
sudo apt upgrade -y
sudo apt dist-upgrade -y
sudo apt autoremove -y
  • For CentOS/RHEL based systems:
    sudo yum update -y
sudo yum autoremove -y

2. Harden SSH Security

SSH (Secure Shell) is the fundamental protocol used to provide secure remote access to your server. Ensuring the security of SSH connections is critically important.

  • Change the Default SSH Port: Changing the default port 22 reduces automated bot attacks.
  • Disable Password-Based Login (Use Key-Based Authentication): SSH key pairs are much more secure than passwords.
  • Prevent Direct Root Login: Log in with a normal user with sudo privileges instead of the root user.
  • Specify Allowed Users: Only allow specific users to connect via SSH.

Edit the SSH configuration file (/etc/ssh/sshd_config):

sudo nano /etc/ssh/sshd_config

Find and modify the following lines:

# Use a different port instead of Port 22, e.g., 2222
Port 2222

# Prevent direct root login
PermitRootLogin no

# Disable password login, enable key-based authentication
PasswordAuthentication no
PubkeyAuthentication yes

# Allow only specific users (optional)
AllowUsers your_username

After saving the changes, restart the SSH service:

  • Ubuntu/Debian:
    sudo systemctl restart sshd
  • CentOS/RHEL:
    sudo systemctl restart sshd

Important: Do not close your current SSH session until you are sure you can connect via the new port!

3. Configure the Firewall

A firewall controls incoming and outgoing network traffic to your server, blocking unwanted connections.

  • UFW (Uncomplicated Firewall) for Ubuntu:
sudo ufw enable
sudo ufw allow 2222/tcp  # Open your new SSH port
sudo ufw allow http      # Allow HTTP (80) traffic
sudo ufw allow https     # Allow HTTPS (443) traffic
sudo ufw status verbose
  • Firewalld for CentOS:
sudo systemctl enable --now firewalld
sudo firewall-cmd --add-port=2222/tcp --permanent # Open your new SSH port
sudo firewall-cmd --add-service=http --permanent # Allow HTTP (80) traffic
sudo firewall-cmd --add-service=https --permanent # Allow HTTPS (443) traffic
sudo firewall-cmd --reload
sudo firewall-cmd --list-all

4. User and Privilege Management

Properly managing user accounts and their privileges on the server is a fundamental step for security.

  • Strong Password Policies: Enforce long, complex passwords for all users. Implement password aging policies.
  • Principle of Least Privilege: Grant users only the minimum privileges they need to perform their tasks. Avoid performing daily operations with the root account.
  • Delete Unnecessary Users: Delete or disable unused or default accounts (e.g., test accounts).

To create a new user and grant sudo privileges:

sudo adduser newuser
sudo usermod -aG sudo newuser # Ubuntu/Debian
sudo usermod -aG wheel newuser # CentOS/RHEL

5. Disable Unnecessary Services

Every service running on your server that is not needed is a potential security vulnerability. Run only the services you require.

To list running services:

sudo systemctl list-units --type=service --state=running

To disable an unnecessary service:

sudo systemctl disable service_name
sudo systemctl stop service_name

6. Log Management and Monitoring

System logs are critical for detecting security events and troubleshooting. Regularly review logs or use a centralized log management solution.

  • Important Log Files:
    /var/log/auth.log   # Authentication attempts (Ubuntu)
/var/log/secure     # Authentication attempts (CentOS)
/var/log/syslog     # General system messages (Ubuntu)
/var/log/messages   # General system messages (CentOS)
  • Tools like Fail2ban can automatically block SSH brute-force attacks.

7. Enable SELinux (CentOS) or AppArmor (Ubuntu)

These security modules provide an additional layer of protection by restricting applications' access to system resources.

  • SELinux for CentOS: Usually enabled by default. Check its status:
sestatus
  • AppArmor for Ubuntu: Usually enabled by default. Check its status:
sudo apparmor_status

8. File Permissions and Ownerships

Properly configuring file and directory permissions prevents unauthorized access. Pay special attention to web server root directories and sensitive configuration files.

  • For web server files, 644 (files) and 755 (directories) are generally a good starting point.
  • Set ownership of sensitive files to root and ensure only the root user has write permissions.
sudo chmod 644 /path/to/file.txt
sudo chmod 755 /path/to/directory
sudo chown root:root /path/to/sensitive_file

9. Malware Scanners (Optional)

Having a malware scanner like ClamAV on your server can help detect potential threats.

# For Ubuntu
sudo apt install clamav clamav-daemon
sudo freshclam
sudo systemctl start clamav-freshclam
sudo systemctl enable clamav-freshclam

# For CentOS (you may need to enable EPEL repository)
sudo yum install epel-release
sudo yum install clamav clamd
sudo freshclam
sudo systemctl start clamd@scan
sudo systemctl enable clamd@scan

Conclusion

Security hardening on your Linux servers is not a one-time process. It is an ongoing effort that requires continuous updates and monitoring with a proactive approach. By implementing the steps outlined in this guide, you can significantly enhance the basic security posture of your servers and make them more resilient against potential cyber threats. Remember, security is a culture and should be applied at every layer of your systems.

← Blog Listesine Dön