Linux Server Hardening Guide (Ubuntu/CentOS): A Step-by-Step Approach

 · 

Linux Server Hardening Guide (Ubuntu/CentOS): A Step-by-Step Approach

Introduction: Why is Linux Server Security So Important?

In today's digital world, the security of your servers is vital for business continuity and data integrity. While Linux-based servers stand out for their flexibility and performance, they can become vulnerable to cyberattacks if not properly configured. In this blog post, as Gökhan Güngör, I will guide you through the fundamental security hardening steps for your Linux servers running on Ubuntu and CentOS operating systems. Our goal is to make your servers more resilient against potential threats.

1. Initial Setup and Basic Security Configurations

1.1 Strong Passwords and SSH Key-Based Authentication

  • Strong Password Policy: Set long, complex passwords (uppercase/lowercase letters, numbers, special characters) for users and encourage regular password changes.
  • SSH Key-Based Authentication: Prefer key-based authentication over password-based SSH access. This is significantly more secure against brute-force attacks.
# Generate an SSH key pair (on your local machine)
ssh-keygen -t rsa -b 4096

# Copy the public key to the server (Ubuntu/CentOS)
ssh-copy-id username@server_ip_address

1.2 SSH Service Hardening

Enhance security by editing the SSH configuration:

  • Change Default SSH Port: Use a port other than the well-known port 22.
  • Disable Root Login: Prevent the root user from logging in directly via SSH.
  • Disable Password Authentication (If Using Keys): After enabling key-based authentication, disable password login.
# Edit the /etc/ssh/sshd_config file
sudo vi /etc/ssh/sshd_config

# Lines to change:
Port 2222 # A different port number
PermitRootLogin no
PasswordAuthentication no

# Restart the SSH service after changes
sudo systemctl restart sshd # Ubuntu/CentOS 7+
sudo service ssh restart # CentOS 6/Ubuntu 14.04-

2. User and Authorization Management

2.1 Root Usage and Sudo Privileges

  • Minimize Root Usage: Use a standard user with sudo privileges for daily operations instead of the root user.
  • Properly Configure Sudo Privileges: Grant sudo privileges only to users who genuinely need them and restrict which commands they can run.
# Create a new user (Ubuntu)
sudo adduser new_user
sudo usermod -aG sudo new_user

# Create a new user (CentOS)
sudo adduser new_user
sudo passwd new_user
sudo usermod -aG wheel new_user # The wheel group provides sudo privileges

2.2 Auditing User Accounts and Groups

Regularly check and delete unnecessary or old user accounts.

# List users on the system
cat /etc/passwd

# List groups on the system
cat /etc/group

3. Network Security: Firewall

3.1 Using UFW (Ubuntu) or Firewalld (CentOS)

Enable your server's firewall to allow access only to necessary ports.

  • UFW (Uncomplicated Firewall) for Ubuntu:
# Enable UFW
sudo ufw enable

# Deny incoming traffic by default, allow outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow necessary ports (e.g., new SSH port, HTTP/S)
sudo ufw allow 2222/tcp # New port for SSH
sudo ufw allow http
sudo ufw allow https

# Check UFW status
sudo ufw status verbose
  • Firewalld for CentOS:
# Enable and start Firewalld
sudo systemctl enable firewalld
sudo systemctl start firewalld

# Allow necessary services/ports
sudo firewall-cmd --permanent --add-port=2222/tcp # New port for SSH
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https

# Reload Firewalld to apply changes
sudo firewall-cmd --reload

# Check Firewalld status
sudo firewall-cmd --list-all

4. Software Updates and Patch Management

Regularly updating the operating system and all installed software is critical for patching known security vulnerabilities.

# Update for Ubuntu
sudo apt update && sudo apt upgrade -y
sudo apt dist-upgrade -y
sudo apt autoremove -y

# Update for CentOS
sudo yum update -y # or dnf update -y

5. System Monitoring and Log Management

  • Monitor Log Files: Regularly review system logs (auth.log, syslog, secure, etc.) in the /var/log directory.
  • Centralized Log Management: For large infrastructures, consider centralized log management solutions like ELK Stack (Elasticsearch, Logstash, Kibana) or Splunk.
  • Security Information and Event Management (SIEM): Utilize SIEM solutions to detect potential attacks.

6. Additional Security Tools and Tips

6.1 Automatic Security Updates

  • Ubuntu: Use the `unattended-upgrades` package.
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
  • CentOS: Use the `yum-cron` or `dnf-automatic` package.
sudo yum install yum-cron
sudo systemctl enable yum-cron
sudo systemctl start yum-cron

6.2 Fail2ban Installation

Provides automatic protection against brute-force attacks. It blocks IP addresses after a certain number of failed login attempts.

# Ubuntu
sudo apt install fail2ban

# CentOS
sudo yum install epel-release
sudo yum install fail2ban

# Start and enable the service
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# Create your own configuration (e.g., /etc/fail2ban/jail.local)
# [sshd]
# enabled = true
# port = 2222 # Your new SSH port
# maxretry = 3
# bantime = 1h

6.3 Rootkit Detection (Chkrootkit/Rkhunter)

Check your system for rootkits or malicious software.

# Chkrootkit installation (Ubuntu/CentOS)
sudo apt install chkrootkit # Ubuntu
sudo yum install chkrootkit # CentOS
sudo chkrootkit

# Rkhunter installation (Ubuntu/CentOS)
sudo apt install rkhunter # Ubuntu
sudo yum install rkhunter # CentOS
sudo rkhunter --update
sudo rkhunter --check

6.4 Using SELinux (CentOS) / AppArmor (Ubuntu)

These mandatory access control systems provide an additional layer of security by restricting applications' and users' access to system resources. They are often enabled by default, and proper configuration is important.

6.5 File and Directory Permissions

Apply correct permissions for critical system files and directories. Generally, 644 (files) and 755 (directories) are secure starting points.

# Example: Setting permissions for a file
sudo chmod 644 /path/to/file.txt

# Example: Setting permissions for a directory
sudo chmod 755 /path/to/directory

Conclusion: Security as a Continuous Process

Linux server hardening is an ongoing process rather than a one-time task. By implementing the fundamental steps outlined in this guide, you can significantly enhance your servers' security posture. However, remember that as cyber threats continuously evolve, regularly updating, monitoring your systems, and reviewing your security policies are critically important. A secure infrastructure is the foundation of a robust business.

← Blog Listesine Dön