Categories

Linux Server Hardening: Best Practices

Posted by By Adam 2 years Ago
Linux server hardening tips

Linux Server Hardening is a set of rules and regulations which is implemented to improve the security on the server. Server hardening is the process of boosting the server’s security by using the variable, effective means.

In today’s world Data is the most important thing. To secure the data on the server from various types of cyber-attacks. We need to implement server hardening on the server.

Linux Server Hardening consist of various points:

  • System Update
  • Change SSH port
  • Disable Root User
  • SSH enable Key based Authentication
  • Add Swap Partition
  • Network Settings Tweaks
  • Disable IRQ Balance
  • Secure /tmp and /var/tmp
  • Secure shared memory
  • OpenSSL version check
  • Enable UFW firewall

Read Also: How to Change Hostname on Linux

System Updates

The System must be updated regularly before performing any task. It will prevent people to use known vulnerabilities to enter the server.

Note:- upgrade command will upgrade all the packages, it may cause misconfigurations on the server.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get autoremove
sudo apt-get autoclean

Change SSH port

To hack the server Hacker always target the default SSH port (22).

  • Edit file “/etc/ssh/sshd_config” file.
vim /etc/ssh/sshd_config
  • Search for the “Port” word in the file. If the line is commented then uncomment it and mention the new port number. After changing the port the line should look like this. You can choose any port above 1023.
Port 4355

Disable Root User

From a security point of view, it is safe to disable the root user. Always remember that removing the root account is not a good idea. Simply disable the Root user.

  • To disable direct root access first create a new user with below command
adduser ubuntu
  • Set password for ubuntu user with below command
passwd ubuntu

save the password  for the login next time

  • Allow this user as sudo, so it can have all sudo privileges. To do that just follow the below
visudo
  • Add this line at the last line of file.
ubuntu ALL=(ALL) NOPASSWD:ALL
  • Now disable the root user by editing the “/etc/ssh/sshd_config” change value to NO

PermitRootLogin NO

save and exit the file.

  • Now restart the ssh service.
systemctl restart sshd

SSH enable Key based Authentication

To enable the Key-based authentication we need to install OpenSSH client to generate private and public keys.

  • To install OpenSSH client on the server.
sudo apt-get -y install openssh-client
  • Run below command to generate public key and private key both with ubuntu user which you have created above.
sudo ssh-keygen

After executing the above command it will create a directory in the user’s home directory named as .ssh  such as /home/ubuntu/.ssh which contain private and public keys.

  1. id_rsa
  2. id_rsa.pub
  • Now run below command to create authorized_keys
sudo cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
sudo chmod 600 ~/.ssh/authorized_keys
  • Now read the file content of id_rsa with below command
sudo cat ~/.ssh/id_rsa

Copy the content of this file and paste it into a file and save it to your system. Something like ubuntu_server.pem.

  • Now remove the above two keys from the server.
rm -f ~/.ssh/id_rsa*
  • Now you can log in on server without password by below command.
ssh ubuntu@server_ip -i /path/to/directory/ubuntu_server.pem

Add Swap Partition

Most of the Linux Operating servers are not configured with Swap memory. Swap memory is used when the system is running from the shortage of RAM at that time RAM shifts the pending tasks to the swap memory. Normally Swap memory is double the size of the RAM up to 4 GB on the server.

To create the Swap Memory use the following commands.

  • Before creating swap memory check if Swap file already exists.
sudo swapon -s
  • Now Allocate the Swap memory.
sudo fallocate -l 4G /swapfile

If the above command does not work then use this command.

sudo dd if=/dev/zero of=/swapfile bs=1G count=4
  • Secure the Swap memory.
sudo chown root:root /swapfile
sudo chmod 0600 /swapfile
  • Prepare the Swap memory file by creating a Linux swap area.
sudo mkswap /swapfile
  • Activate the Swap memory file.
sudo swapon /swapfile
  • Confirm the Swap partition successfully created or not.
sudo swapon -s
  • To make the Swap permanent edit the “/etc/fstab” file.
vim /etc/fstab

Add the content at the end of the file.

/swapfile	none	swap	sw	0 0
  • Set the Swappiness in the file to 0, for the better performance of the swap partition by  the help of following commands.
echo 0 | sudo tee /proc/sys/vm/swappiness
echo vm.swappiness = 0 | sudo tee -a /etc/sysctl.conf

Network Settings Tweaks

Network Settings Tweaks consists of the following points.

  • Limit network-transmitted configuration for IPv4
  • Limit network-transmitted configuration for IPv6
  • Turn on exec shield protection
  • Prevent against the common ‘syn flood attack’
  • Turn on source IP address verification
  • Prevents a cracker from using a spoofing attack against the IP address of the server.
  • Logs several types of suspicious packets, such as spoofed packets, source-routed packets, and redirects.

Edit the “/etc/sysctl.conf” file which is used to configure kernel parameters at runtime. Linux will read and applies the configuration from this file.

sudo vim /etc/sysctl.conf
# IP Spoofing protection
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

# Block SYN attacks
net.ipv4.tcp_syncookies = 1

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Log Martians
net.ipv4.conf.all.log_martians = 1

# Block SYN attacks
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log Martians
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
kernel.exec-shield = 1
kernel.randomize_va_space = 1

# disable IPv6 if required (IPv6 might caus issues with the Internet connection being slow)
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

# Accept Redirects? No, this is not router
net.ipv4.conf.all.secure_redirects = 0

# Log packets with impossible addresses to kernel log? yes
net.ipv4.conf.default.secure_redirects = 0

Apply these settings

sudo sysctl -p

Disable IRQ Balance

Edit the “/etc/default/irqbalance” file.

vim /etc/default/irqbalance

Add the following data at the end of the file.

ENABLED="0"

Secure /tmp and /var/tmp

Temporary storage directories such as /var/tmp and /tmp are very useful in Linux to handle the temporary data, but it also gives the ability to the hacker to provide storage space for malicious executables.

  • Allocate the space for the tmpdisk. Normally we create the swapdisk of 1 GB, but you can create as per your choose.
sudo fallocate -l 1G /tmpdisk
sudo mkfs.ext4 /tmpdisk
sudo chmod 0600 /tmpdisk
  • Mount the new /tmp partition.
sudo mount -o loop,noexec,nosuid,rw /tmpdisk /tmp
sudo chmod 1777 /tmp
  • To make the /tmp partition permanent edit the “/etc/fstab” file.
vim /etc/fstab
  • Add the following data at the end of the file.
/tmpdisk	/tmp	ext4	loop,nosuid,noexec,rw	0 0
  • Remount the /tmp partition.
sudo mount -o remount /tmp
  • Secure the /var/tmp.
sudo mv /var/tmp /var/tmpold
sudo ln -s /tmp /var/tmp
sudo cp -prf /var/tmpold/* /tmp/
sudo rm -rf /var/tmpold/

Secure Shared Memory

Shared memory plays an important role in Server hardening. Secure shared memory can also be used in attacks against any running service such as apache2 or httpd.

Edit the “/etc/fstab” file.

vim /etc/fstab

Add the following data at the end of the file.

tmpfs	/run/shm	tmpfs	ro,noexec,nosuid	0 0

OpenSSL version check

To check the OpenSSL version follow the below command.

openssl version -v

Enable UFW firewall

  • Enable the firewall on server but before that check the status of firewall with below command
sudo ufw status
  • If it’s inactive than activate the firewall.
sudo ufw enable
  • If you changed the SSH default port (22) to the other port then you need to allow the port from the Firewall. Replace 4355 with your changed SSH port.
sudo ufw allow 4355/tcp
  • Now allow other ports those are required like 80, 443.
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Conclusion

In this tutorial, we have learned how to perform Linux Server hardening to implement security on the server to protect from hackers. If you guys have any queries related to server hardening to this tutorial, let me know in the comments.