Linux is generally considered a safe and secure operating system that is less vulnerable to attacks. However, with an exponential increase in sophisticated cyberattacks, it’s prudent to take the appropriate essential steps to secure your Linux server. Let’s have a look at some of the measures you need to implement to secure your system from attackers.

Disable remote root login 

During the initial server setup of a Linux server, remote root login is highly unrecommended and for a good reason. If someone grabs a hold of the root user’s password, they can log in and tamper with your system. If it’s a hacker, they can steal files, upload malware or even render your system unusable. Best practice recommends the creation of a new regular user whose credentials will be used to log in instead of the root user. The new user will then be granted superuser or user privileges and once the user logs in, they can switch to root or superuser and proceed with administrative tasks.

To create a new user execute the command:

# adduser user  (For Debian/Ubuntu)

OR 

# useradd user ( For RHEL/CentOS)

To assign sudo or  superuser or root privileges run 

# usermod -aG sudo user (For Debian/Ubuntu)

OR

# echo ‘user ALL=(ALL) ALL’ >> /etc/sudoers

Now we will disable remote root login via SSH. To accomplish this, open the configuration file below

 /etc/ssh/sshd_config

Scroll and uncomment the line below to block SSH root logins

#PermitRootLogin no

Next, close the file and restart SSH service

# systemctl restart ssh

Change the default SSH port

The SSH port is one of the most preyed upon ports by hackers who incessantly keep tried to brute force the connection. To add an extra layer of protection and make it harder for hackers to gain entry consider changing the default SSH port.

Open the configuration file below

/etc/ssh/sshd_config file

Be sure to replace default Port 22 with a different port number say 1520

Once done, save and exit the configuration file

Finally, restart SSH service

# systemctl restart ssh

Now to login define the port

$ ssh username@IP -p 1520

Ensure only the necessary services are running on the server

Best Linux security practices demand that only the crucial services are running and non-essential ones or those currently not in use be turned off. The same also applies to ports. Unused ports should also be closed. 

To check open ports, use the netstat command as shown

$ netstat  -pnltu

Sample output

How To Secure A Linux Server And How To Run It Smoothly 1

Secure your BIOS 

By securing your BIOS, you ensure that nobody can boot from a flash or optical drive. Thus, nobody can overwrite your Linux system files and tamper with your data. After installing Linux, you should access your BIOS and disable the boot option from any external drives. Also, adding a BIOS password will prevent any unauthorized user from accessing your BIOS. A point to note is that a BIOS password is not recoverable, therefore save it in a secure place.

READ  [Solved] This Title Isn't Available In Your Location - Amazon Prime Video

Passwordless SSH login

To make your life easier, you don’t always have to log in to your server using a password when connecting via SSH. You can configure a passwordless SSH login such that during login, you will only provide the username and IP address and that’s it and BOOM ! You will gain entry.

This can be achieved by the generation of SSH keys

# ssh-keygen 

How To Secure A Linux Server And How To Run It Smoothly 2

This generates both public and private SSH keys which are stored in /root/.ssh/ directory

The Public key is identified by id_rsa.pub

The private key is denoted by  id_rs

The Private  SSH key remains on the system connecting to the server while the public key is sent and saved on the Linux server system. During subsequent login, the Linux server checks to see if the Public key matches with the private key and grants access without requiring a password.

Disable USB Mount

Most hackers use USB-based malware which activates when an infected flash drive is inserted to your Linux server. So to avoid these kinds of malware, you should disable the automatic USB mount on your system. The only throwback to using this method is that you will have to manually open the files in any USB drive you insert to your system. It can be a bit slower to access content stored in flash drives, but your security will be enhanced.

To disable USB mount, use the following commands on a text editor.

install usb-storage /bin/true

Next, save in the following location as a .conf file

/etc/modprobe.d/

Finally, restart your machine for the changes to take effect.

Enable SELinux (For RHEL, CentOS & Fedora users)

SElu=inux, short for Security-Enhanced Linux is a kernel security module that provides added protection to your Linux server. It grants the user total administrative control over daemons and their connections. By default, it comes enabled on CentOS. 

As a good practice, it always advised to have SELinux up and running. To check the current status of SELinux, execute the command:

$ getenforce

You can manage SELinux from the /etc/selinux/config   file where you can either enable or disable it.

Conclusion

In this guide, you have learned the basic steps that you can take to secure your Linux server. These will protect the server from unauthorized access and breaches which can be prevented. We hope that you found this article informative and that you will now take the requisite measures to fortify your server’s security.

LEAVE A REPLY

Please enter your comment!
Please enter your name here