Linux Server Security - Best Practices

Linux server security is at a reasonable level from the moment you install the OS, and that’s good to know because hackers never sleep! They’re kind of like digital vandals, taking pleasure, and sometimes money too, as they inflict misery on random strangers all over the planet. Anyone who looks after their own server appreciates the fact that Linux is highly secure right out of the box. Naturally, it isn’t completely watertight, but it does a better job than most other operating systems of keeping you safe. Still, there are plenty of ways you can improve it further, so here are some practical ways to keep the evil hordes from the gates. It will probably help if you’ve tinkered under the hood of a web server before, but you don’t have to be a tech guru or anything.

Alter the SSH port

The SSH port is usually 22, and that’s where hackers will expect to find it. To enhance Linux server security, change it to something else (after checking that your chosen port number isn’t already in use by some other service) and you’ll be making it harder for the bad guys to inject malware into your server. To make the change, open /etc/ssh/sshd_config and set the Port directive to your chosen number.

Turn off root logins to improve Linux server security

Linux servers the world over allow the use of “root” as a username. Knowing this, hackers will frequently attempt to subvert web host security to discover your password, then slither their way inside. For that reason you should not sign in as the root user, and you really ought to remove it as an option. Doing so adds one more level of difficulty for hackers and stops them from getting past your security with just a lucky guess. It’s an easy win if you do!

So, all it takes is for you to create a separate username, then use the “sudo” special access command to execute root-level commands. Sudo is great because you can grant it to any users who you’d like to have the ability to run admin commands, without compromising security by giving them root access.

So, you’ll be deactivating the root account, but before you do that, check that you’ve created and authorized your new user. Next, go to /etc/ssh/sshd_config in nano or vi, then locate the “PermitRootLogin” parameter. Change the default setting of “yes” to “no” and then save your changes.
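The two sshd_config edits described in the last three sections (a non-default Port and PermitRootLogin no) are easy to get subtly wrong: a commented-out default left behind, a second directive that sshd ignores, or a Port line placed after a Match block. The script below is an added example written for this article (it is not Plesk’s code); it applies both changes to a file you name and then verifies the value sshd will actually use. It assumes the file has no Match block overriding these two keywords, and the sample config it edits is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example for this article (not Plesk's code): apply the two sshd_config
# changes discussed above, "Port" and "PermitRootLogin no", to a file you name,
# then verify what sshd will actually use. It assumes no "Match" block in the
# file overrides these two keywords.

# harden_sshd_config FILE PORT
# Removes every existing Port / PermitRootLogin line (commented defaults too)
# and writes the new values at the TOP of the file: they must precede any
# "Match" block, or sshd rejects the configuration.
harden_sshd_config() {
    file=$1
    port=$2
    case $port in
        ''|*[!0-9]*) echo "invalid port: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    {
        printf 'Port %s\nPermitRootLogin no\n' "$port"
        sed -e '/^[[:space:]]*#\{0,1\}[[:space:]]*Port[[:space:]]/d' \
            -e '/^[[:space:]]*#\{0,1\}[[:space:]]*PermitRootLogin[[:space:]]/d' "$file"
    } > "$file.tmp" && mv "$file.tmp" "$file"
}

# active_value FILE KEYWORD
# Prints the value sshd will use: the first uncommented occurrence wins.
active_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# verify_sshd_config FILE PORT: succeed only if both settings are in effect.
verify_sshd_config() {
    [ "$(active_value "$1" Port)" = "$2" ] &&
        [ "$(active_value "$1" PermitRootLogin)" = "no" ]
}

# --- demo on a constructed copy; never edit the live file without a backup ---
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample resembling a stock sshd_config (not a real host's file)
#Port 22
#AddressFamily any
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
harden_sshd_config "$demo" 2222
if verify_sshd_config "$demo" 2222; then
    echo "ok: Port=$(active_value "$demo" Port) PermitRootLogin=$(active_value "$demo" PermitRootLogin)"
fi
rm -f "$demo"
# On the real server: run "sshd -t" to syntax-check the file, open the new
# port in the firewall, restart the SSH service, and keep your current session
# open until a second login on the new port succeeds.
```

Writing the directives at the top rather than the bottom is deliberate: sshd takes the first occurrence of a keyword and refuses a Port directive that appears after a Match block, so appending can silently leave the old value in force or break the daemon.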

Deactivate network ports when not in use

Leave a network port open and you might as well put out the welcome mat for hackers. To maintain web host security, use the “netstat” command to find out which network ports are currently open and which services are making use of them, then close any you don’t need. That shuts off another avenue of attack for hackers.

You also might want to set up “iptables” to deactivate open ports or use the “chkconfig” command to shut down services you won’t be needing. Firewalls like CSF let you automate the iptables rules, so you could just do that.
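Reading the raw listener table by eye is how unexpected services get overlooked, so here is an added example (not from the article) that turns the output of ss -tulpn, the modern counterpart of the netstat command mentioned above, into a review list: every listening socket that is not in an allow-list you maintain gets marked REVIEW. It assumes the current ss column layout (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process), and the sample output it parses is constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added example (not from the article): turn "ss -tulpn" output into a review
# list, marking every listening socket that is not in an allow-list. Assumes
# the modern ss column layout; run ss as root so process names are visible.

# report_listeners "proto/port proto/port ..." < ss-output
# Prints one line per socket: proto local-address:port process expected|REVIEW
report_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                        # skip the header line
        {
            port = $5; sub(/.*:/, "", port)     # keep only the port; works for [::]:22 and *:80
            proc = "unknown"
            if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
            key = $1 "/" port
            verdict = (key in ok) ? "expected" : "REVIEW"
            printf "%s %s %s %s\n", $1, $5, proc, verdict
        }'
}

# unexpected_count "allow-list" < ss-output: number of REVIEW lines.
unexpected_count() {
    report_listeners "$1" | grep -c ' REVIEW$' || true
}

# Constructed sample of "ss -tulpn" output (not captured from a real host).
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=1020,fd=6))
tcp   LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*     users:(("mysqld",pid=1311,fd=20))
tcp   LISTEN 0      128          0.0.0.0:6379      0.0.0.0:*     users:(("redis-server",pid=1402,fd=6))
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*     users:(("dhclient",pid=600,fd=5))'

# What this (hypothetical) web host is supposed to serve: SSH, HTTP(S), DHCP client.
ALLOWED='tcp/22 tcp/80 tcp/443 udp/68'

printf '%s\n' "$SS_SAMPLE" | report_listeners "$ALLOWED"
echo "sockets to review: $(printf '%s\n' "$SS_SAMPLE" | unexpected_count "$ALLOWED")"
# On a live server:  ss -tulpn | report_listeners "$ALLOWED"
```

In the sample, the MySQL socket is bound to 127.0.0.1 only, which is usually fine, but the script still lists it so the decision is made consciously; the Redis socket on 0.0.0.0:6379 is the kind of thing the article’s advice is aimed at. Once you have decided a service is not needed, stop and disable it (chkconfig as the article says, or systemctl disable --now on systemd-based distributions) rather than only firewalling the port.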

Update Software for better Linux Server Security

YUM (Yellowdog Updater Modified) is the main tool for managing and updating Red Hat Enterprise Linux versions 5 and later. RPM is the Red Hat Package Manager. Both can be used to keep your Linux server security and software components up to date. Just use apt-get (Ubuntu/Debian) or yum (CentOS/RHEL) to upgrade to the latest versions of your software components.

If you want to, you can automate Linux server security updates with a cron job. This means they get installed as soon as they become available.

You should update any panels like Plesk or cPanel, too, but they can usually be set up to do this automatically.

Never put off applying security patches to your web server. Think of doing that as leaving your front door open all day. The longer it’s open, the more likely you are to have someone bad come along and steal your furniture.

Get rid of any unwanted modules and packages

Your Linux distro probably came with a ton of things that you’ll never actually use, so consider weeding out the things that you don’t need. Anything you do leave in is only another potential entry point for uninvited guests to take advantage of, so only hold on to services that you can’t do without. With all the bloatware gone, your server will suddenly work like new again!

Turn off IPv6 to boost Linux server security

IPv6 is better than IPv4, but you probably aren’t getting much out of it because neither is anyone else. Hackers do get something from it, because they use it to send malicious traffic, so shutting down IPv6 will close the door in their faces. Edit /etc/sysconfig/network and change the settings to read NETWORKING_IPV6=no and IPV6INIT=no. Simple as that.

GnuPG encryption for web host security

When data is on the move across your network, hackers will frequently attempt to compromise Linux server security by intercepting it, so always make sure that anything going to and from your server is encrypted with passwords, certificates and keys. One way to do this is with an encryption tool like GnuPG. It uses a system of keys to ensure that nobody can snoop on your info when it’s in transit.

Enhance Web Host Security with a better password policy

Passwords are always a security problem because humans are. People often can’t be bothered to come up with a lot of different passwords, so they use the same ones in different places or combinations that are easy to remember, like “password” or “abcde”. Basically, a gift to hackers.

Make it a requirement that any password must contain both upper and lower case and be a mix of numbers, letters and symbols, and you’ll be way safer. You could enable password ageing to make users discard previous passwords at fixed intervals. Also think about banning old passwords, so once one has been used it’s gone. The “faillog” command lets you put a limit on the number of failed login attempts permitted and lock user accounts. This is ideal for preventing brute force attacks.

Set up a firewall

A firewall is a must-have for web host security, because it’s your first line of defense against attackers, and you are spoiled for choice. Netfilter is built into the Linux kernel. Combined with iptables, you can use it to resist DDoS attacks.

TCP Wrappers is a host-based access control list (ACL) system that filters network access for different programs. It has host name verification, standardized logging and protection from spoofing. Firewalls like CSF and APF are also widely used, and they come with plugins for popular panels like cPanel and Plesk.
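To make the Netfilter/iptables advice concrete, here is an added example (not from the article, and not how CSF or APF generate their rules) that builds a minimal default-deny ruleset in iptables-restore format: loopback and established traffic allowed, everything else dropped unless it is the SSH port or one of the service ports you pass in. The SSH port and service ports are parameters; the SSH connection rate limit (five new connections per source per minute via the recent match) is this example’s assumed policy, not a figure from the article.

```shell
#!/bin/sh
# Added example (not from the article): generate a minimal default-deny
# Netfilter ruleset in iptables-restore format. SSH port and service ports
# are parameters; the SSH rate limit is an assumed policy for this example.

# make_ruleset SSH_PORT "PORT PORT ...": print the ruleset to stdout.
make_ruleset() {
    ssh_port=$1
    svc_ports=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --name SSH --set
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --name SSH --update --seconds 60 --hitcount 5 -j DROP
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
EOF
    # one ACCEPT per public service port (web server, mail, ...)
    for p in $svc_ports; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# input_rule_count "ruleset text": how many explicit INPUT rules were generated.
input_rule_count() {
    printf '%s\n' "$1" | grep -c '^-A INPUT'
}

# Demo: SSH moved to 2222 (as in the section above), HTTP and HTTPS public.
RULESET=$(make_ruleset 2222 "80 443")
printf '%s\n' "$RULESET"
# To apply on a real host, after reading the output: save it to a file and run
#   iptables-restore < /path/to/rules
# from a session you can recover (console or your provider's rescue access).
# ip6tables needs its own ruleset if you leave IPv6 enabled.
```

The three SSH lines work together: the first records every new connection attempt per source address, the second drops a source that has made five attempts within sixty seconds, and the third accepts the rest. Because the INPUT policy is DROP, anything not listed (including the old port 22 once SSH has moved) is closed without a separate rule.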

Try disk partitions for better Web host security

If you partition your disks, you’ll be separating OS files from user files, tmp files and programs. Try disabling SUID/SGID access (nosuid) along with binary execution (noexec) on the operating system partition.

Change/boot to read-only

All files which relate to the kernel on a Linux server are held in the “/boot” directory. The standard level of access for the directory is “read-write”, but it’s a very good idea to change it to “read-only”. This stops anyone modifying your extremely important boot files.

Fixing this is easily done. Just edit the /etc/fstab file and add LABEL=/boot /boot ext2 defaults,ro 1 2 to the bottom. It is completely reversible, so you can make future changes to the kernel by changing it back to “read-write” mode, then once you are done you can change it back to “read-only” again.
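Mount options are easy to set once and then lose in a later edit, so here is an added example (not from the article) that audits an fstab against the advice of the last two sections: ro on /boot, and nosuid/noexec/nodev on the partitions that hold temporary and user files. The policy table is this example’s assumption (noexec belongs on /tmp, /var/tmp and similar, never on the partition the OS runs from), and the fstab it checks is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the article): audit an fstab against a mount-option
# policy. The policy below is this example's assumption; adjust it to your layout.

FSTAB_POLICY='/boot ro
/tmp nosuid,noexec,nodev
/var/tmp nosuid,noexec,nodev
/home nosuid,nodev'

# has_option "opt1,opt2,..." OPTION: true if OPTION is in the comma-separated list.
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# audit_fstab FILE: print one line per gap between FILE and FSTAB_POLICY.
audit_fstab() {
    printf '%s\n' "$FSTAB_POLICY" | while read -r mnt wanted; do
        # 4th fstab column holds the mount options; comment lines are skipped
        opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4; exit }' "$1")
        if [ -z "$opts" ]; then
            echo "$mnt not in fstab"
            continue
        fi
        for opt in $(printf '%s' "$wanted" | tr ',' ' '); do
            has_option "$opts" "$opt" || echo "$mnt missing $opt"
        done
    done
}

# fstab_findings FILE: number of lines audit_fstab prints (0 means compliant).
fstab_findings() {
    audit_fstab "$1" | wc -l | tr -d ' '
}

# --- demo on a constructed fstab (not a real host's) ---
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample fstab
UUID=1111-aaaa /     ext4  defaults                 1 1
LABEL=/boot    /boot ext2  defaults,ro              1 2
UUID=2222-bbbb /home ext4  defaults,nodev           1 2
tmpfs          /tmp  tmpfs defaults,nosuid,nodev    0 0
EOF
audit_fstab "$sample"
echo "findings: $(fstab_findings "$sample")"
rm -f "$sample"
# Before a kernel update on a read-only /boot:  mount -o remount,rw /boot
# and remount it read-only afterwards, as the section above describes.
```

Two caveats worth knowing before applying the policy for real: a package manager that unpacks into /tmp can fail under noexec (some installers do), and the ext2 filesystem type in the article’s fstab line should match whatever /boot actually uses on your server.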

Use SFTP, not FTP

File transfer protocol (FTP) isn’t safe anymore, even if you encrypt your connection. FTP and FTPS won’t keep you safe from packet sniffing, which is where your network traffic gets logged by someone else. Only the credentials are encrypted, which isn’t much use to anyone.

SFTP is “FTP over SSH” (also called “secure FTP”), and it encrypts all the data, credentials and files included.

Install antimalware/antivirus software

Your firewall may be good, but even the best won’t be perfect. Sooner or later some nasty software will slip through, so you need to prepare for that. Anti-malware software is another mandatory inclusion in your arsenal. It may cost you more money, but an unwelcome intrusion is likely to cost you a lot more, so the best advice is to pony up for it.

It’s true that there are free anti-malware programs out there, but as you might expect you get what you pay for. Paid software means better programmers and greater safety. If your budget won’t stretch that far then consider using ClamAV and Maldet. These are open-source applications that do a good job of scouring your server for potential threats.

Activate CMS auto-updates

CMSs are quite complex, so hackers are always trying to exploit security loopholes in them. Joomla, Drupal and WordPress are all hugely popular platforms, so the developers are constantly working hard to bring out new security fixes. This means that updates are important and should be applied straight away. The best way to ensure that this happens is to activate auto-updates, so you won’t even have to think about it. Your host isn’t responsible for the content of your website, so it’s down to you to ensure that you update it regularly. And it wouldn’t hurt to back it up once in a while either, because you never know…

Backup regularly

Backing up your server should be second nature, because you have so much to lose. One of the laws of the universe dictates that if something can go wrong then it will go wrong, and usually when it’s most inconvenient. You simply can’t leave it to chance, and you also can’t leave it to your hosting provider to do the backing up for you.

Consider using cloud backups and hardcopies of your own. This naturally means more expense, either in virtual rented space or extra hard drives of your own, but it’s money well spent. We can guarantee that you won’t be thinking about cost when you lose everything and turn to your backup to restore it.
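A backup that is never tested, or that fills the disk because nothing prunes old copies, is the usual way this advice fails in practice. The script below is an added example (not from the article or any Plesk tool): it archives a directory into a timestamped tar.gz, checks that the archive is readable, and keeps only the newest N copies. The directory layout and the optional timestamp argument are this example’s assumptions; the test data it creates is constructed.

```shell
#!/bin/sh
# Added example (not from the article): dated tar.gz backups with rotation.

# backup_dir SOURCE DEST KEEP [STAMP]
# Creates DEST/<basename>-<STAMP>.tar.gz from SOURCE, verifies the archive,
# deletes all but the newest KEEP archives of that name and prints the path.
# STAMP defaults to the current UTC time; passing it explicitly is for tests.
backup_dir() {
    src=$1; dest=$2; keep=$3
    case $keep in
        ''|*[!0-9]*|0) echo "KEEP must be a positive integer" >&2; return 1 ;;
    esac
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    name=$(basename "$src")
    stamp=${4:-$(date -u +%Y%m%dT%H%M%SZ)}
    mkdir -p "$dest"
    archive="$dest/$name-$stamp.tar.gz"
    # -C so the archive holds relative paths; gzip separately for portability
    tar -C "$(dirname "$src")" -cf - "$name" | gzip > "$archive"
    # never trust a backup you have not at least read back
    gzip -t "$archive"
    # rotation: timestamps sort lexically, so newest-first is a reverse sort
    ls -1 "$dest"/"$name"-*.tar.gz | sort -r | tail -n +$((keep + 1)) |
        while read -r old; do rm -f -- "$old"; done
    echo "$archive"
}

# backup_count DEST NAME: how many archives of NAME are currently kept.
backup_count() {
    ls -1 "$1"/"$2"-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# --- demo on constructed data ---
work=$(mktemp -d)
mkdir -p "$work/site/html"
echo '<h1>constructed sample page</h1>' > "$work/site/html/index.html"
backup_dir "$work/site" "$work/backups" 2 20240101T020000Z
backup_dir "$work/site" "$work/backups" 2 20240102T020000Z
latest=$(backup_dir "$work/site" "$work/backups" 2 20240103T020000Z)
echo "kept: $(backup_count "$work/backups" site) (latest $latest)"
rm -rf "$work"
# Schedule it, e.g. nightly at 02:00 from root's crontab:
#   0 2 * * * /usr/local/bin/backup.sh
# and copy the archives off the server (the cloud or separate drive the
# section above recommends); a backup on the same disk dies with it.
```

The rotation relies on the timestamp format sorting in time order, which is why the stamp is ISO-style year-first. Restoring is the step people forget to rehearse: gzip -dc on the archive piped into tar -xf - in a scratch directory takes a minute and proves the backup is worth having.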

Stop anonymous FTP uploads

Plesk as well as cPanel automatically disallow anonymous FTP, but some setups have it pre-enabled. If you let anyone upload incognito using FTP then you open yourself up to a considerable security risk, because this means that anybody can pollute your Linux server with anything that they want to, such as malware or other unwanted and potentially dangerous materials, so don’t be tempted. You can switch off anonymous uploads by editing your server’s FTP configuration settings.

Get a rootkit scanner

Rootkits are one of the most destructive kinds of malware out there. They function at operating system (OS) level, which means that they fly under the radar of the usual security measures. Rootkits can open up access to your server and you won’t even know that it’s happening. But on the plus side, “chkrootkit” is an open source tool which can detect if a rootkit has found its way in. Even if it finds one though, rootkits can be exceptionally tenacious enemies, so you may need to completely reinstall the operating system in order to get rid of any that you find.

Use a strong password

We know we’ve said it before, but we are saying it again. Passwords are your first line of defense, so make sure they are strong. Many people don’t really know what a good password looks like. It needs to be complex, sure, but it also needs to be the right length. Even if you do try to make it difficult to guess by using upper and lower-case letters, some numbers, and the general sprinkling of special characters, what will really make it strong is making it as long as possible.

Your users need to understand this, and at the admin level you can secure Plesk Onyx by enforcing the use of strong passwords which expire after a fixed period. They might not like having to come up with more difficult to remember passwords, but you need to make them understand that it will save them a lot of heartache if they do.

Everyone should adhere to best practices when setting passwords, but what exactly are ‘best practices’? Well, they include using passwords that are as long as you can feasibly manage, and avoiding words that appear in the dictionary (for example, something like “blue grapes”). You should steer clear of number replacements that are easy to guess (something like “h0wdy”), and you should also avoid references to popular culture (such as “TARDIS”). The passwords you choose should increase web host security by being obscure and not easy to work out, and you shouldn’t ever use a password in more than one place. You will also be helping your security efforts if you make sure to give your root (Linux) or RDP (Windows) login its own unique password.

Change your password regularly and use a different one for every website. Don’t write passwords down, and don’t share them. Not with anybody. Ever!
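The password rules from the “better password policy” section (mixed case, digits, symbols) and from this one (length first, no dictionary words, no cheap substitutions, no pop-culture references) can be expressed as a checker, and it is worth seeing how little a complexity rule adds compared with length. The script below is an added example, not from the article: its minimum length of 14 and its deny list are assumptions (the list is seeded with the article’s own bad examples), and it reads the candidate from stdin so the password never appears in ps output or shell history. On a real server the same policy is enforced in PAM by pam_pwquality (/etc/security/pwquality.conf), and lockout after repeated failures by faillog or pam_faillock, not by a shell script.

```shell
#!/bin/sh
# Added example (not from the article): check a password against the policy
# described above. MIN_LEN and DENYLIST are this example's assumptions.

MIN_LEN=14
# Lower-case fragments that must not appear anywhere in the candidate
# (dictionary words, leetspeak and pop-culture picks from the article).
DENYLIST='password abcde qwerty h0wdy tardis bluegrapes'

# check_password: reads one candidate on stdin, prints each failed rule,
# returns 0 only if every rule passes.
check_password() {
    IFS= read -r pw || [ -n "$pw" ]
    fails=0
    [ "${#pw}" -ge "$MIN_LEN" ] || { echo "too short (<$MIN_LEN characters)"; fails=1; }
    case $pw in *[[:upper:]]*) ;; *) echo "no upper-case letter"; fails=1 ;; esac
    case $pw in *[[:lower:]]*) ;; *) echo "no lower-case letter"; fails=1 ;; esac
    case $pw in *[[:digit:]]*) ;; *) echo "no digit"; fails=1 ;; esac
    case $pw in *[![:alnum:]]*) ;; *) echo "no symbol"; fails=1 ;; esac
    # compare case-insensitively so "PassWord" and "TARDIS" are still caught
    lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    for bad in $DENYLIST; do
        case $lower in *"$bad"*) echo "contains banned word: $bad"; fails=1 ;; esac
    done
    return $fails
}

# Constructed candidates for the demo; none of these are real credentials.
for candidate in 'password1' 'H0wdy-Partner-2024!' 'Tr0ub4dor&3' 'Lilac-Harbour-Kettle-7'; do
    if printf '%s' "$candidate" | check_password > /dev/null; then
        echo "accepted: $candidate"
    else
        echo "rejected: $candidate"
        printf '%s' "$candidate" | check_password | sed 's/^/    /'
    fi
done
```

The third candidate shows the point the section makes: every complexity box is ticked, yet it fails on length alone. The fourth, a few unrelated words joined with separators, passes every rule and is also the kind of password people can actually remember, which matters more than any rule once you stop letting them write it on a sticky note.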

Summary

That’s a lot of tips, but web servers need to be kept safe because the world is full of thieves and vandals, millions of them in fact. These despicable mouth-breathers are hard at work all the time, always looking to exploit any chink in the armor of a website. They’ll expend considerable efforts on looking for any weakness or vulnerability which they can exploit, and if you give them the slimmest opportunity to disrupt your business then they will happily take advantage of it. Since there’s such a huge army of them, you need to make sure that your castle has extremely strong defenses.

About

Elvis Plesky
Our fun and curious team mascot's always plugged into the latest trends. He's here to share his knowledge and help you solve your tech problems.
