Linux Server Hardening is a set of rules and regulations which is implemented to improve the security on the server. Server hardening is the process of boosting the server’s security by using the variable, effective means.
In today’s world Data is the most important thing. To secure the data on the server from various types of cyber-attacks. We need to implement server hardening on the server.
Linux Server Hardening consist of various points:
- System Update
- Change SSH port
- Disable Root User
- SSH enable Key based Authentication
- Add Swap Partition
- Network Settings Tweaks
- Disable IRQ Balance
- Secure /tmp and /var/tmp
- Secure shared memory
- OpenSSL version check
- Enable UFW firewall
Read Also: How to Change Hostname on Linux
The System must be updated regularly before performing any task. It will prevent people to use known vulnerabilities to enter the server.
Note:- upgrade command will upgrade all the packages, it may cause misconfigurations on the server.
sudo apt-get update sudo apt-get upgrade sudo apt-get autoremove sudo apt-get autoclean
Change SSH port
To hack the server Hacker always target the default SSH port (22).
- Edit file “/etc/ssh/sshd_config” file.
- Search for the “Port” word in the file. If the line is commented then uncomment it and mention the new port number. After changing the port the line should look like this. You can choose any port above 1023.
Disable Root User
From a security point of view, it is safe to disable the root user. Always remember that removing the root account is not a good idea. Simply disable the Root user.
- To disable direct root access first create a new user with below command
- Set password for ubuntu user with below command
save the password for the login next time
- Allow this user as sudo, so it can have all sudo privileges. To do that just follow the below
- Add this line at the last line of file.
ubuntu ALL=(ALL) NOPASSWD:ALL
- Now disable the root user by editing the “/etc/ssh/sshd_config” change value to NO
save and exit the file.
- Now restart the ssh service.
systemctl restart sshd
SSH enable Key based Authentication
To enable the Key-based authentication we need to install OpenSSH client to generate private and public keys.
- To install OpenSSH client on the server.
sudo apt-get -y install openssh-client
- Run below command to generate public key and private key both with ubuntu user which you have created above.
After executing the above command it will create a directory in the user’s home directory named as
.ssh such as
/home/ubuntu/.ssh which contain private and public keys.
- Now run below command to create authorized_keys
sudo cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
sudo chmod 600 ~/.ssh/authorized_keys
- Now read the file content of id_rsa with below command
sudo cat ~/.ssh/id_rsa
Copy the content of this file and paste it into a file and save it to your system. Something like ubuntu_server.pem.
- Now remove the above two keys from the server.
rm -f ~/.ssh/id_rsa*
- Now you can log in on server without password by below command.
ssh ubuntu@server_ip -i /path/to/directory/ubuntu_server.pem
Add Swap Partition
Most of the Linux Operating servers are not configured with Swap memory. Swap memory is used when the system is running from the shortage of RAM at that time RAM shifts the pending tasks to the swap memory. Normally Swap memory is double the size of the RAM up to 4 GB on the server.
To create the Swap Memory use the following commands.
- Before creating swap memory check if Swap file already exists.
sudo swapon -s
- Now Allocate the Swap memory.
sudo fallocate -l 4G /swapfile
If the above command does not work then use this command.
sudo dd if=/dev/zero of=/swapfile bs=1G count=4
- Secure the Swap memory.
sudo chown root:root /swapfile sudo chmod 0600 /swapfile
- Prepare the Swap memory file by creating a Linux swap area.
sudo mkswap /swapfile
- Activate the Swap memory file.
sudo swapon /swapfile
- Confirm the Swap partition successfully created or not.
sudo swapon -s
- To make the Swap permanent edit the “/etc/fstab” file.
Add the content at the end of the file.
/swapfile none swap sw 0 0
- Set the Swappiness in the file to 0, for the better performance of the swap partition by the help of following commands.
echo 0 | sudo tee /proc/sys/vm/swappiness echo vm.swappiness = 0 | sudo tee -a /etc/sysctl.conf
Network Settings Tweaks
Network Settings Tweaks consists of the following points.
- Limit network-transmitted configuration for IPv4
- Limit network-transmitted configuration for IPv6
- Turn on exec shield protection
- Prevent against the common ‘syn flood attack’
- Turn on source IP address verification
- Prevents a cracker from using a spoofing attack against the IP address of the server.
- Logs several types of suspicious packets, such as spoofed packets, source-routed packets, and redirects.
Edit the “/etc/sysctl.conf” file which is used to configure kernel parameters at runtime. Linux will read and applies the configuration from this file.
sudo vim /etc/sysctl.conf
# IP Spoofing protection net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.all.rp_filter = 1 # Block SYN attacks net.ipv4.tcp_syncookies = 1 # Controls IP packet forwarding net.ipv4.ip_forward = 0 # Ignore ICMP redirects net.ipv4.conf.all.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 # Ignore send redirects net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 # Disable source packet routing net.ipv4.conf.all.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 # Log Martians net.ipv4.conf.all.log_martians = 1 # Block SYN attacks net.ipv4.tcp_max_syn_backlog = 2048 net.ipv4.tcp_synack_retries = 2 net.ipv4.tcp_syn_retries = 5 # Log Martians net.ipv4.icmp_ignore_bogus_error_responses = 1 # Ignore ICMP broadcast requests net.ipv4.icmp_echo_ignore_broadcasts = 1 # Ignore Directed pings net.ipv4.icmp_echo_ignore_all = 1 kernel.exec-shield = 1 kernel.randomize_va_space = 1 # disable IPv6 if required (IPv6 might caus issues with the Internet connection being slow) net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1 # Accept Redirects? No, this is not router net.ipv4.conf.all.secure_redirects = 0 # Log packets with impossible addresses to kernel log? yes net.ipv4.conf.default.secure_redirects = 0
Apply these settings
sudo sysctl -p
Disable IRQ Balance
Edit the “/etc/default/irqbalance” file.
Add the following data at the end of the file.
Temporary storage directories such as /var/tmp and /tmp are very useful in Linux to handle the temporary data, but it also gives the ability to the hacker to provide storage space for malicious executables.
- Allocate the space for the tmpdisk. Normally we create the swapdisk of 1 GB, but you can create as per your choose.
sudo fallocate -l 1G /tmpdisk sudo mkfs.ext4 /tmpdisk sudo chmod 0600 /tmpdisk
- Mount the new /tmp partition.
sudo mount -o loop,noexec,nosuid,rw /tmpdisk /tmp sudo chmod 1777 /tmp
- To make the /tmp partition permanent edit the “/etc/fstab” file.
- Add the following data at the end of the file.
/tmpdisk /tmp ext4 loop,nosuid,noexec,rw 0 0
- Remount the /tmp partition.
sudo mount -o remount /tmp
- Secure the /var/tmp.
sudo mv /var/tmp /var/tmpold sudo ln -s /tmp /var/tmp sudo cp -prf /var/tmpold/* /tmp/ sudo rm -rf /var/tmpold/
Secure Shared Memory
Shared memory plays an important role in Server hardening. Secure shared memory can also be used in attacks against any running service such as apache2 or httpd.
Edit the “/etc/fstab” file.
Add the following data at the end of the file.
tmpfs /run/shm tmpfs ro,noexec,nosuid 0 0
OpenSSL version check
To check the OpenSSL version follow the below command.
openssl version -v
Enable UFW firewall
- Enable the firewall on server but before that check the status of firewall with below command
sudo ufw status
- If it’s inactive than activate the firewall.
sudo ufw enable
- If you changed the SSH default port (22) to the other port then you need to allow the port from the Firewall. Replace 4355 with your changed SSH port.
sudo ufw allow 4355/tcp
- Now allow other ports those are required like 80, 443.
sudo ufw allow 80/tcp sudo ufw allow 443/tcp
In this tutorial, we have learned how to perform Linux Server hardening to implement security on the server to protect from hackers. If you guys have any queries related to server hardening to this tutorial, let me know in the comments.