Linux server hardening is the process and action of increasing server security to make it a more secure operating environment. Most default installations of many different applications are very insecure in the default configuration.
Who needs Linux server hardening?
Server hardening is needed by anyone concerned that their standard server installation isn’t secure and definitely anyone that has a server located directly on the internet, where it is a VPS or physical server.
Operating system hardening
We start at the base, which is of course, the operating system. We then move onto hardening specific software installations. Below is a list of some of the main functions we perform with regards to hardening a Linux operating system.
- Fail2ban – an intrusion prevention program used to stop the bad guys from trying multiple passwords on a system ( brute force attempt ) to log on. Fail2Ban works in conjunction with the firewall rules and the secure log by logging and banning the IP address of the assailant. Protocols it can protect are ssh, ftp, http and more.
- Rootkit hunter- program intended to scan scans for rootkits, backdoors and possible local exploits.
- Chkrootkit – program intended to help find rootkits on a system.
- LSM or Linux socket monitor- is a monitoring tool which tracks changes to ports and sockets (both network and inter-process) by comparing snapshots taken. It alerts you when new sockets are created which is often linked to undesirable activity on your Linux system.
- Port knocking is a method to open an external port which is normally closed by requiring connection attempts to a series of predefined closed ports. Think of it as a secret knock to open the door. Once the correct sequence of knocks is heard, the person on the other side of the door will open for you. This is a very good security implementation for ssh and other remote entry protocols.
- Purge/Remove unnecessary software and packages
- Remove unused processes.
- Remove ipv6 if not used and any software listening on those ipv4 addresses.
- Logwatch – program that helps with simple log management by analyzing and reporting a daily summary of activities taking place on your server.
- Firewall installation and configuration
- Check and correct Openssh configuration, including certificate directory permissions, ssh root login removal, ssh v2 only implementation, changing the default ssh port, implemement allow_user and allow groups, implement ssh warning banners.
- O.S patching and updating – making sure the operating system is on the latest and most secure version.
- Install and schedule ClamAV- Antivirus solution for Linux.
- Secure tmp directories with nodev, nosuid, and noexec Options
- Delete unused operating system users and confirm unused shells for legitimate users
- Remove SUID/GUID from binaries – many programs in linux need elevated priveleges fo specific reasons, an example would be to be able to create sockets. We search and remove SUID and GUID from binaries not in use.
- We check default file creation modes and check on Password controls
- Remove usb storage devices ( not applicable to VPS servers )
- Implement parameters to harden the kernel networking stack, things like “Ignore icmp and broadcast requests, Randomize space to stop executing code into memory, disable ip spoofing” etc
Click here for Apache web server hardening