Your First 5 Steps in Linux Server Hardening

By Keren Pollack, on July 15th, 2021

When installing a new Linux server, you should be aware that its level of security is very low by default, to allow as much functionality as possible. Therefore, performing basic hardening actions before the server is installed in production is crucial.

 

This blog post will cover 5 basic hardening actions that should be performed in any kind of Linux server, regardless of its role. Note that these actions are basic practices to minimize the attack surface. To achieve an adequate security posture, you should develop a specific hardening policy for the server according to its role, environment, version, etc.

 

Here are 5 fundamental hardening steps you should perform on your Linux server:

  1. Create a new sudo user
  2. Set up a Firewall
  3. Install and configure Fail2ban firewall
  4. Configure SSH
  5. Enable SELinux
  6. Automate Linux hardening

 

 

Step 1: Create a new sudo user

In Linux systems root user has the highest privileges in the system. This is required for installing and configuring the server. This user must not be used to perform regular server operations to reduce the chance for intruders to leverage its access and privileges.

Therefore, a new user must be created with the relevant privileges to perform regular server operations. This sudo user will have limited administrator rights.

The command:

# adduser tom

(refer Tom as your user name)

You will be asked for a password. Enter a unique and long password. The new user will need to get root-level privileges to perform administrative tasks, therefore it should be placed in the sudoer’s group:

# usermod -aG sudo tom

Windows Passwords Setting Guide

Step 2: Set up a basic firewall

Linux servers usually come with a firewall installed on them, but you will need to activate it. Ubuntu servers use ufw firewall which can be activated through this command:

# ufw enable

 

Step 3: Install and configure Fail2ban firewall

Fail2ban firewall is useful for blocking illegitimate incoming network traffic to the server. Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack on your Linode.

When malicious activity is spotted, by using the defined parameters, Fail2ban adds a new rule to iptables to block the IP address of the attacker, either for a set amount of time or permanently. Fail2ban can also alert you through email that an attack is occurring. This is a third-party firewall and needs to be installed separately. After installation it can be configured to block different kinds of unwanted HTTP, SSH, FTP traffic by making appropriate configurations in the file /etc/fail2ban/jail.local

# nano /etc/fail2ban/jail.local

 

Step 4: Configure SSH

SSH is the service that faces most of the outside attacks. Securing it is a top priority. Linux servers arrive from the manufacturer with SH services. There’s plenty here you can configure for increasing security, but these are what we recommend you to start from:

  1. SSH default port is Port 22. Port 22 is known to have several vulnerabilities, so you better change the default configurations.
  2. Make sure that the Root account is inaccessible using SSH.:

PermitRootLogn no

  1. Password authentication must be replaced with key-based authentication. All this can be configured from /etc/ssh/sshd_config
  2. Allow some specific users:

AllowUsers [Username]

 

This is just the tip of the ice when configuring SSH, and there is much more you can do. For example, some companies add banners to deter attackers and discourage them from continuing further.

Here are some additional options that you need to make sure exist in the “sshd_config” file:

Protocol2

IgnoreRhosts to yes

HostbasedAuthentication no

PermitEmptyPasswords no

X11Forwarding no

MaxAuthTries 5

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

ClientAliveInterval 900

ClientAliveCountMax 0

UsePAM yes

 

Finally, set the permissions on the sshd_config file so that only root users can change its contents:

#chown root:root /etc/ssh/sshd_config

#chmod 600 /etc/ssh/sshd_config

For further instructions, consider checking SSH manual to understand all the configurations in this file.

Leaving TLS 1.2 and moving to TLS 1.3

Step 5: Enable SELinux

Security-Enhanced Linux (SELinux) is a Kernel security mechanism for supporting access control security policy. The SELinux has three configuration modes:

  • Disabled: Turned-off
  • Permissive: Prints warnings
  • Enforcing: Policy is enforced

Using a text editor, open the config file:

#nano /etc/selinux/config

Make sure that the policy is enforced:

SELINUX=enforcing

 

Automate Linux Hardening:

Any hardening activity should be tested for its impact before being implemented. This testing procedure is time-consuming and complex, especially in an enterprise environment where dependencies are almost endless.

 

Hardening automation takes this time-consuming task of hardening and reduces it from 5 hours to 5 minutes per server. Hardening automation will also ensure you won’t suffer from downtime while hardening.

 

When dealing with 3 figures and above server size infrastructure, using manual hardening tools is not realistic. The resources that must be invested while still taking the risk of production outages push many organizations to neglect the task of hardening. With regulations being stricter about hardening requirements and the fact that hardening can prevent the highest number of attack techniques (according to a report by MITRE ATT&CK), hardening automation tools are a must for every hardening project.

5 reasons why system hardening should be your top priority this year