When installing a new Linux server, you should be aware that its level of security is very low by default, to allow as much functionality as possible. Therefore, performing basic hardening actions before the server is installed in production is crucial.
This blog post covers 5 basic hardening actions that should be performed on any Linux server, regardless of its role. Note that these actions are basic practices to minimize the attack surface. To achieve an adequate security posture, you should develop a specific hardening policy for the server according to its role, environment, version, etc.
Here are the 5 fundamental hardening steps you should perform on your Linux server, followed by a note on automating the process:
- Create a new sudo user
- Set up a firewall
- Install and configure Fail2ban firewall
- Configure SSH
- Enable SELinux
- Automate Linux hardening
Step 1: Create a new sudo user
On Linux systems the root user has the highest privileges in the system. Root is required for installing and configuring the server, but it must not be used for regular server operations, to reduce the chance of an intruder leveraging its access and privileges.
Therefore, a new user must be created with the privileges needed for regular server operations. This sudo user works as an ordinary account and elevates to administrator rights only when a task requires them.
# adduser tom
(replace tom with your own user name)
You will be asked for a password; enter a long, unique one. The new user will need root-level privileges to perform administrative tasks, so it is added to the sudo group:
# usermod -aG sudo tom
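The two commands above, wrapped in an added example (not code from the original post) that picks the right group for the distribution and verifies the result. It assumes Debian/Ubuntu use the "sudo" group and RHEL-family systems use "wheel", that adduser(8) is present, and that it runs as root; the function names and the "create" argument are the example's own.

```shell
#!/bin/sh
# Added example: create the day-to-day admin account and verify its sudo group.
set -eu

# Decide which group grants sudo rights from the ID= line of an os-release file.
# The real file is /etc/os-release; the path is a parameter so the logic can be tested.
admin_group_for() {
  os_release=$1
  id=$(sed -n 's/^ID=//p' "$os_release" | tr -d '"')
  case "$id" in
    debian|ubuntu) echo sudo ;;
    rhel|centos|fedora|rocky|almalinux) echo wheel ;;
    *) echo "unknown distribution id '$id'" >&2; return 1 ;;
  esac
}

# Is "group" one of the words in a space-separated group list (the output of `id -nG`)?
in_group_list() {
  group=$1
  list=$2
  for g in $list; do
    [ "$g" = "$group" ] && return 0
  done
  return 1
}

create_admin_user() {
  user=$1
  group=$(admin_group_for /etc/os-release)
  if id "$user" >/dev/null 2>&1; then
    echo "user $user already exists, not touching it" >&2
    return 1
  fi
  adduser "$user"                 # prompts for a long, unique password on Debian/Ubuntu
  usermod -aG "$group" "$user"
  # verify: the user must be in the sudo-capable group and must never be UID 0
  in_group_list "$group" "$(id -nG "$user")" || { echo "group assignment failed" >&2; return 1; }
  [ "$(id -u "$user")" -ne 0 ] || { echo "refusing: $user has UID 0" >&2; return 1; }
  sudo -l -U "$user"              # show what the account may now run through sudo
}

if [ "${1:-}" = "create" ]; then
  create_admin_user "${2:?user name required}"
fi
```

On RHEL-family systems adduser is an alias for useradd and does not ask for a password, so follow it with `passwd <user>` before logging out of the root session; the `id -u` check guards against an account that was created with UID 0 by a stray `-o` or `-u 0` option.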
Step 2: Set up a basic firewall
Linux servers usually come with a firewall installed, but you will need to activate it. Before enabling it on a remote server, make sure the port your SSH service listens on is allowed, or you will lock yourself out. Ubuntu servers use ufw (Uncomplicated Firewall), which is activated with this command:
# ufw enable
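An added example (not code from the original post) of the deny-by-default setup a practitioner would apply before running `ufw enable`, tied to the port sshd actually listens on so the firewall cannot lock out the administrator. It assumes Ubuntu with ufw installed, sshd configured in /etc/ssh/sshd_config, and root privileges when run with the "apply" argument; the function names are the example's own.

```shell
#!/bin/sh
# Added example: enable ufw with a default-deny inbound policy while keeping SSH reachable.
set -eu

# The port sshd listens on: the first uncommented Port directive, 22 when there is none.
ssh_port_from_config() {
  port=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
  printf '%s\n' "${port:-22}"
}

apply_firewall() {
  port=$(ssh_port_from_config /etc/ssh/sshd_config)
  # refuse to raise the wall if nothing is actually listening on that port
  if ! ss -ltn | awk '{ print $4 }' | grep -q ":${port}\$"; then
    echo "nothing is listening on TCP port $port; check sshd before enabling ufw" >&2
    return 1
  fi
  ufw default deny incoming      # everything not explicitly allowed is dropped
  ufw default allow outgoing
  ufw limit "${port}/tcp"        # allow SSH, but throttle hosts that reconnect repeatedly
  ufw --force enable             # --force skips the interactive "may disrupt ssh" prompt
  ufw status verbose
}

if [ "${1:-}" = "apply" ]; then
  apply_firewall
fi
```

`ufw limit` is a plain allow rule plus a rate limit on new connections from the same source, which blunts password-guessing without a second tool; any further service the server will run (HTTP, for example) needs its own `ufw allow` rule before it goes live.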
Step 3: Install and configure Fail2ban firewall
Fail2ban is useful for blocking illegitimate incoming network traffic to the server. It is a log-parsing application that monitors system logs for symptoms of an automated attack on your server.
When the thresholds you define are exceeded, Fail2ban adds a new rule to iptables to block the attacker's IP address, either for a set amount of time or permanently. Fail2ban can also alert you by email that an attack is occurring. It is a third-party tool and needs to be installed separately. After installation it can be configured to block different kinds of unwanted HTTP, SSH and FTP traffic by making the appropriate settings in the file /etc/fail2ban/jail.local (put local changes there rather than in jail.conf, which package upgrades overwrite):
# nano /etc/fail2ban/jail.local
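An added example (not the project's own configuration) of what goes into jail.local to protect sshd, with a validation step before the service is restarted. It assumes fail2ban 0.10 or newer (for `fail2ban-client -t`), an sshd jail whose default filter reads the system's auth log, and root privileges when run with "apply"; the port number and the ignoreip range are constructed values, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: write a minimal jail.local for sshd and verify it before restarting fail2ban.
set -eu

# Write jail.local: thresholds in [DEFAULT], then one jail per service.
write_jail_local() {
  path=$1 ssh_port=$2
  cat > "$path" <<EOF
[DEFAULT]
# ban for one hour after 5 failures within ten minutes (values in seconds)
bantime  = 3600
findtime = 600
maxretry = 5
# never ban the local host or the management network (constructed range)
ignoreip = 127.0.0.1/8 ::1 192.0.2.0/24

[sshd]
enabled = true
# must match the port sshd listens on, otherwise the ban rule protects the wrong port
port    = ${ssh_port}
EOF
}

# Read one key from one [section] of an ini-style jail file.
jail_setting() {
  awk -v s="[$2]" -v k="$3" '
    $0 == s { in_s = 1; next }
    /^\[/   { in_s = 0 }
    in_s && $1 == k { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

apply_fail2ban() {
  write_jail_local /etc/fail2ban/jail.local "$1"
  fail2ban-client -t                 # parse the whole configuration before touching the service
  systemctl restart fail2ban
  fail2ban-client status sshd        # shows current failure counts and banned addresses
}

if [ "${1:-}" = "apply" ]; then
  apply_fail2ban "${2:-22}"
fi
```

If you move SSH to another port in Step 4, the `port` line in the [sshd] jail must follow, since the ban action otherwise filters port 22 while the attack continues on the new port; the ignoreip entry keeps a mistyped password from the admin network from banning the administrator.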
Step 4: Configure SSH
SSH is the service that faces most of the outside attacks, so securing it is a top priority. Linux server images usually ship with the SSH service enabled. There is plenty you can configure here to increase security, but these are the settings we recommend starting from:
- The SSH default port is 22, and it is the port that automated scanners and brute-force tools probe first, so you should change the default configuration.
- Make sure that the root account cannot log in over SSH.
- Password authentication must be replaced with key-based authentication. All of this is configured in /etc/ssh/sshd_config.
- Allow only specific users to log in (the AllowUsers directive).
This is just the tip of the iceberg when configuring SSH, and there is much more you can do. For example, some companies add login banners to deter attackers and discourage them from continuing further.
Here is an additional option that you need to make sure is set in the sshd_config file:
IgnoreRhosts yes
Finally, set the permissions on the sshd_config file so that only root can read and change its contents:
# chown root:root /etc/ssh/sshd_config
# chmod 600 /etc/ssh/sshd_config
For further instructions, consult the sshd_config(5) manual page to understand all the settings in this file.
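The settings from this step (port, no root login, no passwords, AllowUsers, IgnoreRhosts, file ownership and mode), applied by an added example that is not code from the original post. It assumes OpenSSH with /etc/ssh/sshd_config, a systemd unit named "ssh" (Debian/Ubuntu; it is "sshd" on RHEL), and root privileges when run as "apply <port> <user>"; the port 2222 and user tom in the test are constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: apply the SSH hardening settings to sshd_config and verify them before reloading.
set -eu

# Set one global sshd option: drop any existing (even commented-out) setting of the key
# outside Match blocks, and put ours before the first Match block, because everything
# after a Match line applies only to that match.
set_sshd_option() {
  file=$1 key=$2 value=$3
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    /^[ \t]*Match([ \t]|$)/ { if (!done) { print k " " v; done = 1 }; inmatch = 1 }
    !inmatch && $0 ~ ("^[ \t]*#?[ \t]*" k "([ \t]|$)") { next }
    { print }
    END { if (!done) print k " " v }
  ' "$file" > "$tmp"
  mv "$tmp" "$file"
}

# Read the effective global value of an option (the first occurrence wins in sshd).
sshd_option() {
  awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

harden_sshd_config() {
  file=$1 port=$2 users=$3
  set_sshd_option "$file" Port "$port"
  set_sshd_option "$file" PermitRootLogin no
  set_sshd_option "$file" PasswordAuthentication no
  set_sshd_option "$file" PubkeyAuthentication yes
  set_sshd_option "$file" IgnoreRhosts yes
  set_sshd_option "$file" AllowUsers "$users"
}

apply_sshd_hardening() {
  port=$1 user=$2
  # lock-out guard: never disable passwords before the admin user has a key installed
  if [ ! -s "/home/$user/.ssh/authorized_keys" ]; then
    echo "no authorized_keys for $user; install a public key first" >&2
    return 1
  fi
  cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  harden_sshd_config /etc/ssh/sshd_config "$port" "$user"
  chown root:root /etc/ssh/sshd_config
  chmod 600 /etc/ssh/sshd_config
  sshd -t                      # syntax check; a broken config must never reach a reload
  systemctl reload ssh
  # keep this session open and confirm a fresh login works before disconnecting
}

if [ "${1:-}" = "apply" ]; then
  apply_sshd_hardening "${2:?port}" "${3:?user}"
fi
```

Two things sshd does that this script accounts for: the first occurrence of an option wins, so stale lines are removed rather than appended below, and a Match block captures every line after it, so global settings are inserted above the first Match. On Ubuntu, sshd_config also starts with an Include of /etc/ssh/sshd_config.d/*.conf; a drop-in there (cloud-init commonly writes one that re-enables PasswordAuthentication) is read first and overrides this file, so check that directory as well.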
Step 5: Enable SELinux
Security-Enhanced Linux (SELinux) is a kernel security mechanism that enforces a mandatory access control policy. SELinux has three modes:
- Disabled: turned off
- Permissive: policy violations are logged but not blocked
- Enforcing: the policy is enforced
Using a text editor, open the config file:
Make sure that the policy is enforced:
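An added example (not code from the original post) that sets the boot-time mode in the SELinux config file and makes it effective on the running system. It assumes a RHEL-family system with /etc/selinux/config and the getenforce/setenforce tools from policycoreutils, and root privileges when run with "apply"; the function names are the example's own.

```shell
#!/bin/sh
# Added example: switch SELinux to enforcing in the config file and on the running kernel.
set -eu

# Rewrite the SELINUX= line (not SELINUXTYPE=, not commented lines); append it if missing.
set_selinux_mode() {
  file=$1 mode=$2
  case "$mode" in
    enforcing|permissive|disabled) ;;
    *) echo "bad mode: $mode" >&2; return 1 ;;
  esac
  tmp=$(mktemp)
  awk -v m="$mode" '
    /^SELINUX=/ { print "SELINUX=" m; done = 1; next }
    { print }
    END { if (!done) print "SELINUX=" m }
  ' "$file" > "$tmp"
  mv "$tmp" "$file"
}

# The mode the config file asks for at boot.
selinux_config_mode() {
  sed -n 's/^SELINUX=//p' "$1"
}

apply_selinux_enforcing() {
  before=$(getenforce)
  set_selinux_mode /etc/selinux/config enforcing
  if [ "$before" = "Disabled" ]; then
    # a system that booted with SELinux disabled has unlabeled files: relabel on next boot
    touch /.autorelabel
    echo "SELinux was disabled; relabel scheduled, reboot to start enforcing" >&2
  else
    setenforce 1       # switch the running kernel now, no reboot needed
    getenforce         # prints Enforcing
  fi
}

if [ "${1:-}" = "apply" ]; then
  apply_selinux_enforcing
fi
```

Going from permissive to enforcing is the step that can break a service, so run the server in permissive mode first and review the AVC denials in the audit log (for example with `ausearch -m AVC`) before applying enforcing; anything still denied at that point is what will stop working.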
Automate Linux Hardening
Any hardening activity should be tested for its impact before being implemented. This testing procedure is time-consuming and complex, especially in an enterprise environment where dependencies are almost endless.
Hardening automation takes this time-consuming task and reduces it from 5 hours to 5 minutes per server. Hardening automation will also ensure you won't suffer downtime while hardening.
When dealing with an infrastructure of hundreds of servers or more, manual hardening is not realistic. The resources that must be invested, combined with the risk of production outages, push many organizations to neglect hardening altogether. With regulations becoming stricter about hardening requirements, and given that hardening prevents the highest number of attack techniques (according to a report by MITRE ATT&CK), hardening automation tools are a must for every hardening project.