🛡️ Secure Linux Server
jay75chauhan.medium.com/️secure-linux-server-1bbbaaa465d6
jay75chauhan, November 12, 2024
Introduction
Securing a Linux server goes beyond installation and setup. Every server is vulnerable to
attacks, from brute-force login attempts to malware and misconfigurations. This guide
offers essential steps to strengthen your Linux server’s security, complete with detailed
steps and the reasons behind them. Let’s make your Linux server as resilient as possible!
1. Disable Root Login
Why?
The root user has unlimited access, which makes it a target for attackers. Disabling root
login prevents attackers from attempting brute-force attacks directly on this powerful
account. Instead, a user with limited permissions is used, reducing the risk.
How to Do It
Open the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Find the line beginning with PermitRootLogin (it may be commented out) and change it to:
PermitRootLogin no
Save and close the file.
Restart the SSH service to apply changes:
sudo systemctl restart sshd
2. Use Key-Based SSH Authentication
Why?
Password-based logins can be weak points in server security. SSH key pairs are much
harder to crack than passwords, adding a strong layer of security.
How to Do It
Generate an SSH key on your local machine:
ssh-keygen -t rsa -b 4096
This creates a public-private key pair for secure login.
Copy your public key to the server:
ssh-copy-id username@server_ip
To disable password-based login, open /etc/ssh/sshd_config on your server:
sudo nano /etc/ssh/sshd_config
Set PasswordAuthentication no and restart SSH:
sudo systemctl restart sshd
3. Enforce Strong Password Policies
Why?
Strong password policies prevent weak, easily guessed passwords, reducing the
likelihood of brute-force attacks.
How to Do It
Open the password policy configuration file:
sudo nano /etc/security/pwquality.conf
Set policies like minimum length and complexity:
minlen = 12
minclass = 3
minlen requires at least 12 characters.
minclass requires multiple character types (uppercase, lowercase, digits, etc.).
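To make the two settings concrete, here is an added example (not from the original post) that reproduces the minlen and minclass checks in plain shell: it counts the character classes the way pwquality's minclass does and rejects a candidate that misses either threshold. The candidate passwords at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the two pwquality
# checks set above, minlen and minclass, in plain shell so you can see what
# "character classes" means before changing the real policy. The candidate
# passwords at the bottom are constructed samples.

# count_classes PASSWORD: how many of the four classes (lower, upper, digit,
# other) the password contains, which is what pwquality's minclass counts.
count_classes() {
    n=0
    for class in '[[:lower:]]' '[[:upper:]]' '[[:digit:]]' '[^[:alnum:]]'; do
        if printf '%s' "$1" | LC_ALL=C grep -q "$class"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# meets_policy PASSWORD MINLEN MINCLASS: exit 0 if both thresholds are met,
# 1 otherwise, printing the reason so the caller can report it.
# Length is counted in bytes, which matches characters for ASCII input.
meets_policy() {
    pw="$1"; minlen="$2"; minclass="$3"
    len="$(printf '%s' "$pw" | wc -c | tr -d ' ')"
    classes="$(count_classes "$pw")"
    if [ "$len" -lt "$minlen" ]; then
        echo "too short: $len < $minlen"; return 1
    fi
    if [ "$classes" -lt "$minclass" ]; then
        echo "too few character classes: $classes < $minclass"; return 1
    fi
    echo "ok ($len chars, $classes classes)"
}

# Constructed candidates checked against minlen = 12, minclass = 3.
for candidate in 'password' 'correcthorsebattery' 'Tr0ub4dor&3' 'Long-Enough-Passw0rd'; do
    printf '%-24s ' "$candidate"
    meets_policy "$candidate" 12 3 || true
done
```

Only the last candidate passes: the second is long enough but uses a single class, and the third mixes four classes but is one character short. That is the point of combining the two settings rather than relying on length alone.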
4. Keep the System Updated
Why?
Updates contain patches for known vulnerabilities. Failing to update leaves your server
exposed to known attacks.
How to Do It
Run the update command:
On Debian/Ubuntu:
sudo apt update && sudo apt upgrade -y
On CentOS/RHEL:
sudo yum update -y
Enable automatic updates (on Ubuntu):
sudo apt install unattended-upgrades
5. Configure a Firewall
Why?
A firewall limits access to specific services and blocks unauthorized traffic, reducing the
risk of intrusion.
How to Do It
For Ubuntu: Install and configure ufw:
sudo apt install ufw
sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable
This allows only SSH, HTTP, and HTTPS traffic while blocking other ports.
6. Install and Configure Intrusion Detection (Fail2Ban)
Why?
Fail2Ban protects your server from brute-force attacks by blocking IPs with too many
failed login attempts.
How to Do It
Install Fail2Ban:
sudo apt install fail2ban
Configure Fail2Ban by editing /etc/fail2ban/jail.conf:
sudo nano /etc/fail2ban/jail.conf
Enable SSH monitoring with:
[sshd]
enabled = true
maxretry = 5
bantime = 3600
Blocks IPs after 5 failed attempts for one hour.
7. Disable Unnecessary Services
Why?
Running fewer services means fewer potential entry points for attackers, improving
overall security.
How to Do It
List all enabled services:
sudo systemctl list-unit-files --type=service --state=enabled
Disable unneeded services:
sudo systemctl disable service_name
8. Set Proper File Permissions
Why?
Sensitive files like SSH and log files should have strict permissions to prevent
unauthorized access or modification.
How to Do It
Restrict access to important files:
sudo chmod 600 /etc/ssh/sshd_config
sudo chmod 640 /var/log/auth.log
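Setting the modes once is not enough; they drift back when packages are reinstalled or someone runs a careless chmod. The following is an added example (not from the original post) of the check a nightly permission audit would run: a table of paths and expected octal modes, compared with GNU stat, reporting mismatches and missing files. The files live in a constructed temp directory; on a real host replace the table with the real paths.

```shell
#!/bin/sh
# Added example (not from the original post): check a list of files against
# the octal modes you expect, the way a nightly permission audit would.
# The files are constructed in a temp directory; on a real host replace the
# table with the real paths (the two from the guide plus your own).

WORK="$(mktemp -d)"
mkdir -p "$WORK/etc/ssh" "$WORK/var/log"
: > "$WORK/etc/ssh/sshd_config";  chmod 600 "$WORK/etc/ssh/sshd_config"
: > "$WORK/var/log/auth.log";     chmod 644 "$WORK/var/log/auth.log"   # deliberately too open
: > "$WORK/etc/ssh/ssh_host_key"; chmod 600 "$WORK/etc/ssh/ssh_host_key"

# PATH:EXPECTED_MODE table, one entry per word (paths relative to ROOT).
# etc/shadow is listed but not created, to show how a missing file is reported.
EXPECTED_MODES="etc/ssh/sshd_config:600 var/log/auth.log:640 etc/ssh/ssh_host_key:600 etc/shadow:640"

# check_modes ROOT: print "path actual expected" for each mismatch, or
# "path missing expected" when the file does not exist. Exit 0 only when
# every entry matches. Uses GNU stat (-c %a prints the octal mode).
check_modes() {
    root="$1"; bad=0
    for entry in $EXPECTED_MODES; do
        rel="${entry%%:*}"; want="${entry#*:}"
        if [ ! -e "$root/$rel" ]; then
            echo "$rel missing $want"; bad=$((bad + 1)); continue
        fi
        got="$(stat -c %a "$root/$rel")"
        if [ "$got" != "$want" ]; then
            echo "$rel $got $want"; bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Run against the constructed tree; on a real host use check_modes /
check_modes "$WORK" || echo "=> fix each line with: chmod <expected> <path>"
```

Run against the sample tree it reports the world-readable auth.log and the absent shadow file and exits non-zero, which is what a cron job or monitoring check needs in order to raise an alert.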
9. Enable Logging and Monitoring
Why?
Logging provides a record of system events, helping you detect unusual activities and
analyze incidents.
How to Do It
1. Use rsyslog to manage logs, or consider a centralized logging solution like ELK
(Elasticsearch, Logstash, Kibana) for easier monitoring.
10. Implement Auditing with auditd
Why?
Auditing monitors critical files and actions, alerting you to unauthorized changes or
suspicious activity.
How to Do It
Install and configure auditd:
sudo apt install auditd
Add rules in /etc/audit/audit.rules to track important files:
-w /etc/passwd -p wa -k passwd_changes
Restart auditd to apply:
sudo systemctl restart auditd
11. Secure SSH Configuration
Why?
Configuring SSH settings hardens your server against attacks by limiting login options.
How to Do It
1. Open /etc/ssh/sshd_config:
sudo nano /etc/ssh/sshd_config
Adjust settings:
Restart SSH:
sudo systemctl restart sshd
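Sections 1, 2 and 11 all come down to a handful of sshd_config keywords, and it is easy to believe a setting is in force when a commented default or a later duplicate is what sshd actually reads. Here is an added example (not from the original post) that audits a config file for those keywords, reading the first active occurrence of each, as sshd does. The two config files are constructed samples written to a temp directory; on a real host point audit_sshd_config at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config file for
# the settings sections 1, 2 and 11 ask for. The two config files below are
# constructed samples written to a temp directory; on a real host point
# audit_sshd_config at /etc/ssh/sshd_config instead.

# Keyword=expected-value pairs. sshd honours the FIRST occurrence of a
# keyword, so the audit reads the first active one too, and it treats an
# unset keyword as a finding: hardening should be explicit, not default.
SSHD_BASELINE="PermitRootLogin=no PasswordAuthentication=no \
PubkeyAuthentication=yes PermitEmptyPasswords=no X11Forwarding=no MaxAuthTries=3"

# effective_value FILE KEY: first active (uncommented) value of KEY,
# matched case-insensitively as sshd does; prints nothing if unset.
# Match blocks are not handled; their keywords count like any other line.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd_config FILE: print one line per deviation from the baseline.
# Exit status 0 when clean, 1 when at least one finding was printed.
audit_sshd_config() {
    file="$1"; findings=0
    for pair in $SSHD_BASELINE; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(effective_value "$file" "$key")"
        if [ "$got" != "$want" ]; then
            printf '%s: got "%s", expected "%s"\n' "$key" "${got:-<unset>}" "$want"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
WEAK_CFG="$WORK/sshd_config.weak"
HARD_CFG="$WORK/sshd_config.hardened"

# Constructed sample 1: a stock-looking config with the risky settings this
# guide tells you to remove (the commented default line is ignored by sshd).
cat > "$WEAK_CFG" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
EOF

# Constructed sample 2: every baseline keyword set as recommended.
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
EOF

echo "== weak config =="
audit_sshd_config "$WEAK_CFG" || echo "not compliant"
echo "== hardened config =="
audit_sshd_config "$HARD_CFG" && echo "compliant"
```

Run this before `systemctl restart sshd` (or pair it with `sshd -t`, which validates syntax but not policy) so that a restart never puts a config into service that quietly re-enables root or password logins.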
12. Harden Kernel Parameters
Why?
Kernel hardening secures network settings and mitigates certain attacks by restricting
network behaviors.
How to Do It
Open /etc/sysctl.conf and add settings:
= = =
Apply changes:
sudo sysctl -p
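As an added example (not from the original post), here is a small network-hardening baseline in sysctl form, emitted as a drop-in file and then compared against the live values so you can tell when a setting has drifted; the same check answers the configuration-drift question raised later in section 30. The key/value choices are common hardening defaults assumed here, not values from the post, and the "current values" file is a constructed sample in the `key = value` layout that `sysctl -a` prints.

```shell
#!/bin/sh
# Added example (not from the original post): a network-hardening baseline
# for sysctl, emitted as a drop-in file and compared against live values to
# detect drift. The "current values" file is a constructed sample in
# `sysctl -a` format; on a real host use: sysctl -a 2>/dev/null > current.txt

# key=value pairs; the values are common hardening choices assumed here,
# not taken from the post. kernel.randomize_va_space=2 is full ASLR.
SYSCTL_BASELINE="net.ipv4.conf.all.rp_filter=1 \
net.ipv4.conf.all.accept_redirects=0 \
net.ipv4.conf.all.send_redirects=0 \
net.ipv4.conf.all.accept_source_route=0 \
net.ipv4.icmp_echo_ignore_broadcasts=1 \
net.ipv4.tcp_syncookies=1 \
kernel.randomize_va_space=2"

# sysctl_fragment: print the baseline in /etc/sysctl.d/ file syntax.
sysctl_fragment() {
    for pair in $SYSCTL_BASELINE; do
        printf '%s = %s\n' "${pair%%=*}" "${pair#*=}"
    done
}

# sysctl_drift CURRENT_FILE: print "key current expected" for every baseline
# key whose live value differs (or is missing). Exit 0 when there is no drift.
sysctl_drift() {
    drift=0
    for pair in $SYSCTL_BASELINE; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(awk -v k="$key" '$1 == k { print $3; exit }' "$1")"
        if [ "$got" != "$want" ]; then
            echo "$key ${got:-missing} $want"
            drift=$((drift + 1))
        fi
    done
    [ "$drift" -eq 0 ]
}

# Constructed sample of live values: two of them accept/send ICMP redirects.
CURRENT="$(mktemp)"
cat > "$CURRENT" <<'EOF'
kernel.randomize_va_space = 2
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
EOF

echo "== baseline for /etc/sysctl.d/99-hardening.conf =="
sysctl_fragment
echo "== drift against current values =="
sysctl_drift "$CURRENT" || echo "=> install the fragment and run: sudo sysctl --system"
```

Writing the baseline into /etc/sysctl.d/ rather than editing /etc/sysctl.conf keeps your settings separate from distribution defaults, and re-running sysctl_drift after `sysctl --system` confirms the kernel actually accepted every value.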
13. Schedule Regular Backups
Why?
Backups ensure data is recoverable in case of a cyberattack, accidental deletion, or
system failure.
How to Do It
1. Use rsync or tar for backups:
rsync -av /important_data /backup_location
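A backup is only useful if it can be trusted at restore time, so as an added example (not from the original post) here is the tar variant of the step above with verification built in: archive the data, record a SHA-256 of the archive next to it, and check both the checksum and the archive listing before relying on it. The data directory is constructed in a temp location; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): a backup that can be verified
# at restore time: tar the data, record a SHA-256 of the archive, and check
# both the checksum and the archive listing. The data directory and backup
# location are constructed in a temp directory.

WORK="$(mktemp -d)"
mkdir -p "$WORK/important_data/app" "$WORK/backup_location"
echo "db_host=localhost" > "$WORK/important_data/app/config.ini"
echo "hello"             > "$WORK/important_data/app/notes.txt"

# make_backup SRC_DIR DEST_DIR: write <name>-<timestamp>.tar.gz plus a
# .sha256 file next to it, and print the archive path. Paths inside the
# archive are relative to the parent of SRC_DIR so a restore is predictable.
make_backup() {
    src="$1"; dest="$2"
    name="$(basename "$src")-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$dest/$name" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    ( cd "$dest" && sha256sum "$name" > "$name.sha256" ) || return 1
    echo "$dest/$name"
}

# verify_backup ARCHIVE: recompute the checksum against the recorded one and
# make sure tar can read every member; exit 0 only if both hold.
verify_backup() {
    archive="$1"
    ( cd "$(dirname "$archive")" && sha256sum -c --status "$(basename "$archive").sha256" ) || return 1
    tar -tzf "$archive" >/dev/null || return 1
}

ARCHIVE="$(make_backup "$WORK/important_data" "$WORK/backup_location")"
verify_backup "$ARCHIVE" && echo "backup verified: $ARCHIVE"
```

The .sha256 file should travel with the archive to the offsite location; if either is later modified, verify_backup fails, which is exactly the signal you want before overwriting a live system from a backup.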
14. Set Resource Limits
Why?
Resource limits help prevent denial-of-service (DoS) attacks by limiting user resource
consumption.
How to Do It
Edit /etc/security/limits.conf:
sudo nano /etc/security/limits.conf
Set limits:
* soft 4096
* hard 8192
15. Use Security Scanning Tools
Why?
Security scanners identify misconfigurations and vulnerabilities, helping you fix issues
before attackers exploit them.
How to Do It
Install Lynis:
sudo apt install lynis
Run a system scan:
sudo lynis audit system
16. Protect Against Malware
Why?
Linux can still be vulnerable to malware, especially in environments with internet access
or file sharing.
How to Do It
Install ClamAV:
sudo apt install clamav
Update and scan:
sudo freshclam
sudo clamscan -r /directory_to_scan
17. Enable Multi-Factor Authentication (MFA)
Why?
MFA adds a second layer of verification, making it more difficult for attackers to gain
access, even with a password.
How to Do It
Install Google Authenticator:
sudo apt install libpam-google-authenticator
Set up MFA:
google-authenticator
Enable MFA in PAM configuration:
sudo nano /etc/pam.d/sshd
Add:
auth required pam_google_authenticator.so
18. Implement Network Segmentation
Why?
Network segmentation limits traffic between different parts of your infrastructure, reducing
the impact if an attacker gains access. By isolating sensitive services on private subnets
or VLANs, you limit exposure and protect data.
How to Do It
1. On cloud platforms, use Virtual Private Clouds (VPCs) and subnets to isolate workloads.
2. In your firewall, configure rules that separate traffic between different services.
3. With iptables: create network segmentation by defining strict rules for each service
or IP address range that is allowed access.
Example:
sudo iptables -A INPUT -p tcp -s trusted_ip -j ACCEPT
19. Restrict sudo Access
Why?
Limiting sudo access minimizes the risk of privilege escalation. Only trusted users should
have sudo privileges, as any commands they execute can affect the entire system.
How to Do It
Edit the sudoers file:
sudo visudo
Define specific permissions for each user or user group:
username ALL=(ALL) /path/to/specific_command
Regularly audit the sudoers file to ensure only necessary permissions are granted.
20. Enforce AppArmor or SELinux for Mandatory Access Control
Why?
AppArmor and SELinux are mandatory access control systems that add fine-grained
permissions, confining processes to a limited set of resources and actions. This limits the
impact if a process is compromised.
How to Do It
For AppArmor (Ubuntu/Debian):
Check if AppArmor is enabled:
sudo apparmor_status
Configure specific profiles for services in /etc/apparmor.d/.
For SELinux (CentOS/RHEL):
Enable SELinux:
sudo setenforce 1
Use semanage to define policies:
sudo semanage fcontext -a -t <selinux_type> "/path/to/dir(/.*)?"
21. Use Port Knocking for SSH Access
Why?
Port knocking helps hide the SSH port by requiring a sequence of port “knocks” to open
the SSH port, making it harder for attackers to detect your SSH service.
How to Do It
Install knockd on your server:
sudo apt install knockd
Configure port knocking in /etc/knockd.conf:
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
Start knockd:
sudo systemctl start knockd
Now, only after knocking on ports 7000, 8000, and 9000 in that order will port 22 open for
SSH.
22. Limit Open Ports to Reduce Attack Surface
Why?
Open ports represent entry points for potential attackers. Limiting them to necessary
services reduces the risk of unauthorized access.
How to Do It
Use netstat or ss to view open ports:
sudo ss -tuln
Close unnecessary ports by disabling or firewalling services:
sudo systemctl stop service_name
sudo systemctl disable service_name
For example, if only SSH and HTTP/HTTPS are needed, ensure only ports 22, 80, and
443 are open.
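Reading `ss -tuln` by eye works once; what you want for sections 7 and 22 is a repeatable check that flags any listener outside the ports you intend to expose. The following is an added example (not from the original post) that parses ss output against an allowlist and distinguishes sockets bound to loopback, which only local clients can reach, from those bound to all interfaces. The ss output is a constructed sample; on a real host feed it `ss -tuln > /tmp/ss.txt`.

```shell
#!/bin/sh
# Added example (not from the original post): compare the listening sockets
# reported by `ss -tuln` against an allowlist of ports you intend to expose.
# The ss output below is a constructed sample; on a real host capture it
# with: ss -tuln > /tmp/ss.txt

SS_SAMPLE="$(mktemp)"
cat > "$SS_SAMPLE" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0           0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128         0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128       127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      511               *:80               *:*
tcp   LISTEN 0      511            [::]:443           [::]:*
tcp   LISTEN 0      128         0.0.0.0:6379       0.0.0.0:*
EOF

# unexpected_listeners SS_FILE "PORT PORT ...": print one line per socket
# whose port is not in the allowlist, as "proto port address scope", where
# scope is "exposed" for a non-loopback bind and "loopback-only" otherwise.
# Exit status 0 when nothing is exposed, 1 when at least one socket is.
unexpected_listeners() {
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                          # skip the header line
        {
            # the port is whatever follows the last ":" (works for [::]:443 too)
            m = split($5, p, ":"); port = p[m]
            addr = substr($5, 1, length($5) - length(port) - 1)
            if (port in ok) next
            scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback-only" : "exposed"
            if (scope == "exposed") exposed = 1
            printf "%s %s %s %s\n", $1, port, addr, scope
        }
        END { exit (exposed ? 1 : 0) }' "$1"
}

echo "Listeners not on the allowlist (22 80 443):"
unexpected_listeners "$SS_SAMPLE" "22 80 443" || echo "=> stop/disable or firewall the exposed services"
```

In the sample, the Redis listener on 6379 and the DHCP client on UDP 68 are bound to every interface and get flagged as exposed, while MySQL on 3306 is loopback-only and is reported for review but does not fail the check. Run it from cron with the allowlist under version control and any new service that starts listening shows up the next morning.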
23. Use File Integrity Monitoring (FIM)
Why?
File Integrity Monitoring (FIM) detects unauthorized changes to critical system files,
helping identify potential compromises or malicious modifications.
How to Do It
Install an FIM tool like AIDE (Advanced Intrusion Detection Environment):
sudo apt install aide
Initialize the AIDE database:
sudo aideinit
Set up a cron job to run regular AIDE checks:
sudo crontab -e
Add:
0 3 * * * /usr/bin/aide --check
24. Implement Rate Limiting
Why?
Rate limiting protects against denial-of-service (DoS) attacks by limiting the number of
requests or logins from a single IP address.
How to Do It
Use iptables to limit SSH connections:
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
This restricts SSH connections to a maximum of 3 attempts per minute.
Alternatively, configure rate limits with Fail2Ban by adjusting the findtime and maxretry
options in /etc/fail2ban/jail.conf.
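The findtime and maxretry pair is easier to tune once you can see the rule applied to real log lines. Here is an added example (not from the original post) of the detection logic behind a Fail2Ban sshd jail, for this section and for the jail configured in section 6: it walks an auth.log and prints each source IP the moment it reaches maxretry failures inside a sliding findtime window. The log lines are constructed and use documentation IP ranges; on a real host point the function at /var/log/auth.log.

```shell
#!/bin/sh
# Added example (not from the original post): the detection logic behind a
# Fail2Ban sshd jail applied to an auth.log, so you can see how maxretry and
# findtime interact before tuning them. The log lines are constructed; the
# IPs come from documentation ranges. On a real host use /var/log/auth.log.

AUTH_LOG="$(mktemp)"
cat > "$AUTH_LOG" <<'EOF'
Nov 12 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Nov 12 10:00:04 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Nov 12 10:00:08 web1 sshd[1203]: Failed password for root from 203.0.113.5 port 51004 ssh2
Nov 12 10:00:15 web1 sshd[1205]: Failed password for root from 203.0.113.5 port 51006 ssh2
Nov 12 10:00:21 web1 sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 51008 ssh2
Nov 12 10:00:30 web1 sshd[1209]: Failed password for root from 203.0.113.5 port 51010 ssh2
Nov 12 10:05:00 web1 sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Nov 12 10:06:00 web1 sshd[1302]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Nov 12 10:40:00 web1 sshd[1400]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Nov 12 11:20:00 web1 sshd[1500]: Failed password for alice from 198.51.100.7 port 40020 ssh2
EOF

# find_bruteforce_ips LOGFILE MAXRETRY FINDTIME: print each source IP once,
# at the moment it reaches MAXRETRY failed logins inside a sliding FINDTIME
# second window (the same rule a jail uses to decide when to ban).
# Timestamps come from the HH:MM:SS field, so a single-day log is assumed.
find_bruteforce_ips() {
    awk -v maxretry="$2" -v findtime="$3" '
        /sshd\[[0-9]+\]: Failed password for/ {
            split($3, h, ":"); t = h[1] * 3600 + h[2] * 60 + h[3]
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "" || (ip in banned)) next
            n[ip]++; ts[ip, n[ip]] = t
            # count this IP failures that fall inside the window ending now
            c = 0
            for (j = 1; j <= n[ip]; j++) if (t - ts[ip, j] <= findtime) c++
            if (c >= maxretry) { banned[ip] = 1; print ip }
        }' "$1"
}

echo "maxretry=5 findtime=600:"
find_bruteforce_ips "$AUTH_LOG" 5 600
echo "maxretry=2 findtime=3600:"
find_bruteforce_ips "$AUTH_LOG" 2 3600
```

With the jail's defaults (5 failures in 10 minutes) only the scripted attacker at 203.0.113.5 is caught; alice's three typos spread over an hour never accumulate. Lowering maxretry to 2 over an hour-long window would also lock out alice, which is the trade-off to keep in mind when tightening these values.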
25. Encrypt Sensitive Data
Why?
Encryption protects data in case of a security breach by making it unreadable to
unauthorized users. This applies to data stored on disk and transmitted over the network.
How to Do It
Data at Rest: Use encryption tools like ecryptfs or LUKS to encrypt sensitive files and
partitions.
sudo apt install ecryptfs-utils
sudo ecryptfs-setup-private
Data in Transit: Ensure all data transfers use encrypted channels (e.g., HTTPS for web
traffic, SFTP for file transfers).
26. Set Up DNS Security Extensions (DNSSEC)
Why?
DNSSEC protects your DNS records from tampering by adding verification, preventing
attackers from redirecting traffic to malicious sites.
How to Do It
With BIND: Enable DNSSEC in the named.conf file by adding:
dnssec-enable yes;
dnssec-validation auto;
On Cloud Providers: Many DNS providers (like AWS Route 53) offer DNSSEC as an
option in their configuration settings.
27. Use a Host-Based Intrusion Detection System (HIDS)
Why?
A HIDS monitors your server for suspicious activity, alerting you to potential intrusions in
real time.
How to Do It
Install a HIDS like OSSEC:
sudo apt install ossec-hids
Configure alert thresholds and actions to receive notifications for any detected malicious
activity.
28. Regularly Rotate Encryption Keys and Credentials
Why?
Regularly rotating keys, passwords, and certificates reduces the likelihood of old,
compromised credentials remaining in use.
How to Do It
1. Use a key management service to handle key rotation, like AWS KMS for AWS resources.
2. Rotate SSH keys, API keys, and passwords on a regular basis by generating new
ones and removing old ones.
29. Apply Principle of Least Privilege (PoLP)
Why?
The Principle of Least Privilege ensures users and processes only have the permissions
they absolutely need, reducing the potential impact of compromised accounts.
How to Do It
1. Assign specific permissions to each user in /etc/sudoers rather than granting full
sudo access.
2. For database users, grant access only to the specific tables or operations needed.
3. Example for MySQL:
GRANT SELECT, INSERT ON database.table TO 'username'@'localhost';
30. Monitor for Configuration Drift
Why?
Configuration drift, where server configurations deviate from the original secure state, can
introduce vulnerabilities over time. Automated configuration checks can keep you aware
of unauthorized changes.
How to Do It
1. Use a configuration management tool to define and enforce a secure baseline
configuration.
2. Regularly audit configurations with dedicated compliance tools or custom scripts.
31. Set Up a Web Application Firewall (WAF)
Why?
A Web Application Firewall (WAF) protects against common web-based attacks, such as
SQL injection, cross-site scripting (XSS), and request forgery. This is essential if your
Linux server hosts web applications.
How to Do It
Use a WAF like ModSecurity to protect web applications:
sudo apt install libapache2-mod-security2 sudo apt install modsecurity-crs
Enable ModSecurity by adding these lines in your web server’s configuration file:
SecRuleEngine On
Regularly update your WAF rules to cover the latest threats.
32. Implement Application Sandboxing
Why?
Application sandboxing isolates applications from each other, minimizing the risk that a
vulnerability in one application affects the entire server.
How to Do It
1. Use a sandboxing tool such as Firejail:
sudo apt install firejail
To sandbox a program, use Firejail:
firejail program_name
Configure profiles for each application to restrict access to files and directories they don’t
need.
33. Configure Two-Factor Authentication (2FA) for SSH with Duo
Why?
Adding two-factor authentication (2FA) provides a second layer of security, making it
much harder for unauthorized users to access the server.
How to Do It
Install Duo Security’s PAM module for 2FA:
sudo apt install libpam-duo
1. Configure /etc/duo/pam_duo.conf to set up the Duo parameters.
2. Update /etc/pam.d/sshd to enable Duo:
auth required pam_duo.so
Test logging in with SSH to verify 2FA is working.
34. Conduct Regular Vulnerability Scans
Why?
Vulnerability scans help you identify and address security issues in the server and
software before attackers can exploit them.
How to Do It
1. Use a vulnerability scanner such as OpenVAS to conduct scans:
For OpenVAS:
sudo apt install openvas
Follow instructions to set up and run scans.
Schedule scans weekly or monthly and address any vulnerabilities found.
35. Implement Data Loss Prevention (DLP) Measures
Why?
Data Loss Prevention (DLP) protects sensitive information from unauthorized access and
prevents accidental or intentional leaks.
How to Do It
1. Use file integrity monitoring tools to track changes to sensitive data.
2. Encrypt all sensitive data at rest.
3. Set permissions on sensitive files and ensure they are not accessible by non-
authorized users.
36. Use Immutable Backups and Snapshots
Why?
Immutable backups prevent modification or deletion, ensuring that you have a reliable
recovery point if data is compromised.
How to Do It
1. Use cloud backup solutions with immutable backup options (e.g., AWS Backup).
2. Set up regular snapshots of data and server configurations on cloud platforms like
AWS, or with a local snapshot tool.
37. Configure Advanced Auditing with Auditbeat and Filebeat
Why?
Auditbeat and Filebeat (Elastic’s Beats suite) provide advanced logging and auditing
features, allowing for in-depth monitoring of file integrity, login attempts, and more.
How to Do It
Install Filebeat and Auditbeat:
sudo apt install filebeat auditbeat
Configure auditbeat.yml to monitor critical files and log all activities.
Integrate with an ELK stack (Elasticsearch, Logstash, Kibana) for real-time alerts and
monitoring.
38. Set Up Remote Logging
Why?
Remote logging ensures you have a copy of logs even if your server is compromised,
allowing you to analyze incidents without relying on potentially tampered local logs.
How to Do It
Configure rsyslog to forward logs to a remote server:
sudo nano /etc/rsyslog.conf
Add:
*.* @@remote_log_server:514
Restart rsyslog:
sudo systemctl restart rsyslog
39. Perform Regular Penetration Testing
Why?
Penetration testing simulates attacks on your server to uncover weaknesses, providing
insights into areas that need reinforcement.
How to Do It
Use tools like Metasploit, Nmap, or Nikto to perform tests.
sudo apt install nmap nikto
Work with a qualified penetration tester for in-depth assessments.
Act on findings to mitigate vulnerabilities.
40. Implement Access Control Lists (ACLs) for Fine-Grained Permissions
Why?
ACLs provide more flexibility than traditional permissions, allowing you to specify access
control at a more granular level for different users and groups.
How to Do It
1. Enable ACLs if not already enabled by default.
2. Use setfacl to define permissions on files:
sudo setfacl -m u:username:rwx /path/to/file
Use getfacl to review ACLs:
getfacl /path/to/file
41. Use Bastion Hosts for Secure Server Access
Why?
A bastion host is a secure server used to access other servers, adding a layer of control
and logging for access to sensitive servers.
How to Do It
1. Set up a separate bastion server with strict security controls and access monitoring.
2. Require all SSH traffic to production servers to go through the bastion host.
3. Configure MFA and detailed logging on the bastion for secure access tracking.
42. Harden Database Access
Why?
Databases often store sensitive information and are common attack targets. Securing
database access reduces the risk of data breaches.
How to Do It
1. Restrict database access to specific IPs using configuration settings in MySQL,
PostgreSQL, or other databases.
2. Use encryption for data at rest and in transit.
3. Regularly update database passwords and apply the least privilege principle to user
roles.
43. Regularly Review Logs and Analyze Suspicious Activities
Why?
Regular log reviews help detect suspicious activities early, giving you the chance to
respond to security incidents proactively.
How to Do It
1. Set up log analysis and visualization tools.
2. Create automated alerts for specific events, such as repeated failed login attempts
or unusual file access patterns.
3. Review critical logs regularly (auth.log, syslog, and application-specific logs).
44. Encrypt Disk Partitions
Why?
Encrypting disk partitions protects data in case of hardware theft or unauthorized physical
access.
How to Do It
Use LUKS (Linux Unified Key Setup) to encrypt partitions:
sudo cryptsetup luksFormat /dev/sdx
Create a passphrase and follow prompts to complete encryption.
Mount the encrypted partition using cryptsetup:
sudo cryptsetup luksOpen /dev/sdx encrypted_partition
45. Implement Zero-Trust Architecture Principles
Why?
Zero-trust principles mandate strict verification for every request, reducing the risk of
insider threats and unauthorized access.
How to Do It
1. Set up multi-factor authentication and apply least privilege principles across all
services.
2. Configure role-based access control (RBAC) on all applications.
3. Use a policy engine (such as Open Policy Agent) to define fine-grained access
policies for each service.
46. Apply a Honeypot System for Detection
Why?
Honeypots detect and track attackers by luring them to a vulnerable “fake” system,
allowing you to study attack patterns without risking production systems.
How to Do It
Use tools like Cowrie or Dionaea to set up a honeypot.
sudo apt install cowrie
1. Configure the honeypot on a separate network or subnet to capture attack data.
2. Monitor honeypot activity to gain insights into attack methods.
47. Implement Server Hardening with CIS Benchmarks
Why?
The Center for Internet Security (CIS) provides industry-standard benchmarks to harden
server configurations, ensuring compliance with best practices.
How to Do It
1. Download the appropriate CIS benchmark for your server’s OS.
2. Use automated benchmarking tools to scan for non-compliant settings; Lynis is one option:
sudo apt install lynis
sudo lynis audit system
Address non-compliance issues by following CIS recommendations.
48. Use Just-In-Time (JIT) Access Controls
Why?
Just-In-Time (JIT) access reduces risk by granting temporary access to users or
applications only when needed, and only for a limited duration.
How to Do It
1. Use tools like AWS Identity and Access Management (IAM) to enforce JIT policies.
2. Configure automated workflows to allow temporary SSH keys to be issued and
automatically revoked after the access window closes.
3. Track JIT access requests and review them periodically for anomalies.
49. Implement Endpoint Detection and Response (EDR) Tools
Why?
Endpoint Detection and Response (EDR) tools provide advanced threat detection by
monitoring server behavior, logging unusual activities, and providing incident response
capabilities.
How to Do It
1. Use an EDR solution suited to your environment.
2. Configure EDR policies to detect specific threat behaviors and isolate infected
endpoints if necessary.
3. Regularly review and update EDR policies based on observed activity and emerging
threats.
50. Use Hardware Security Modules (HSMs) for Key Management
Why?
Hardware Security Modules (HSMs) are tamper-resistant devices that securely manage
encryption keys, adding an extra layer of physical security for sensitive cryptographic
operations.
How to Do It
1. Deploy an HSM for applications that handle sensitive data (e.g., financial
transactions).
2. Configure applications to use the HSM for cryptographic operations, such as TLS
key storage and encryption.
3. Regularly rotate and audit keys stored in the HSM to maintain security.
51. Apply Immutable Infrastructure Principles
Why?
Immutable infrastructure ensures that any changes or updates are made by replacing the
entire system with a fresh version. This prevents configuration drift and limits the risk of
unnoticed changes.
How to Do It
1. Use containers or prebuilt machine images for creating immutable images.
2. For critical updates, deploy new instances rather than updating the existing ones.
3. Automate deployments with infrastructure-as-code tools to ensure consistency.
52. Conduct Regular Compliance Audits
Why?
Compliance audits help verify that your server adheres to industry regulations (e.g.,
GDPR, HIPAA), which may require encryption, logging, or specific access controls.
How to Do It
1. Use automated compliance-checking tools.
2. Set up regular auditing to review changes, permission violations, and access logs.
3. Address any compliance issues promptly and document changes for audit records.
53. Create a Disaster Recovery Plan (DRP)
Why?
A Disaster Recovery Plan (DRP) enables quick recovery and continuity of services in
case of data loss, security incidents, or hardware failure.
How to Do It
1. Identify critical data, applications, and infrastructure needed for recovery.
2. Set up automated backups to an offsite location, preferably encrypted.
3. Regularly test the DRP by simulating disasters and ensuring all recovery steps are
effective.
54. Harden the Kernel with Grsecurity
Why?
Grsecurity is a set of kernel patches that provide enhanced security features, including
exploit mitigation and access control, hardening the kernel against many classes of
attacks.
How to Do It
1. Download the Grsecurity patches and apply them to the Linux kernel source.
2. Recompile and install the patched kernel on your server.
3. Configure Grsecurity settings to enforce strict access controls and mitigate memory-
based exploits.
Note: Grsecurity is available for commercial use and may require a subscription for
access.
55. Enable Memory Protection with ExecShield
Why?
ExecShield protects against buffer overflow and memory corruption attacks by marking
memory segments as non-executable.
How to Do It
If using CentOS, enable ExecShield by adding the following to /etc/sysctl.conf:
Enable other related settings like Address Space Layout Randomization (ASLR) to make
exploitation harder:
56. Set Up Security Information and Event Management (SIEM)
Why?
A SIEM system aggregates and analyzes log data from across your infrastructure,
providing centralized insight into security incidents and supporting compliance.
How to Do It
1. Choose a SIEM platform.
2. Configure the SIEM system to collect logs from servers, applications, and network
devices.
3. Set up alerting rules for high-severity incidents and review logs regularly to detect
unusual patterns.
57. Restrict Access with Role-Based Access Control (RBAC) for Applications
Why?
RBAC enforces least privilege by assigning access based on job roles, minimizing the
permissions each user or process has to only what’s necessary.
How to Do It
1. Define roles and associated permissions within applications (e.g., using IAM for
AWS resources).
2. Review role assignments regularly to ensure users and services have appropriate
permissions.
3. Document role definitions and permissions for auditing.
58. Create a Data Retention Policy
Why?
Data retention policies define how long data is stored, helping to reduce storage costs
and minimizing the risk of data leaks by removing unnecessary data.
How to Do It
1. Set up automated data deletion schedules using cron jobs or cloud lifecycle
policies.
2. Define retention periods based on regulatory requirements and business needs.
3. Ensure sensitive data is securely deleted to prevent recovery.
59. Set Up Honeytokens to Detect Unauthorized Access
Why?
Honeytokens are decoy data entries designed to detect unauthorized access or unusual
activity. They act like digital “tripwires” and help identify insider threats or data breaches.
How to Do It
1. Insert a fake record in your database that would only be accessed by unauthorized
users.
2. Set up monitoring to alert you when the honeytoken is accessed or modified.
3. Investigate any alert to determine if unauthorized access has occurred.
Conclusion
Securing a Linux server is a continuous process that demands diligence and vigilance.
Implementing these steps goes a long way in protecting your server from the vast
majority of attacks. Remember, layering security measures — like firewalls, encryption,
access control, and regular audits — helps create a robust defense against emerging
threats. By staying proactive and regularly reviewing your server’s security posture, you’ll
help ensure that your Linux environment remains secure and resilient.
These steps will give you a strong foundation for Linux server security and can be
adapted to evolving threats and specific environments.