Linux Server Security – Best Practices for 2020
Linux server security is at a sufficient level from the moment you install the OS. And that’s great to know because… hackers never sleep! They’re kind of like digital vandals, taking pleasure – and sometimes money too – as they inflict misery on random strangers all over the planet.
Anyone who looks after their own server appreciates the fact that Linux is highly secure right out of the box. Naturally, it isn’t completely watertight. But it does do a better job of keeping you safe than most other operating systems.
Still, there are plenty of ways you can improve it further. So here are some practical ways you can keep the evil hordes from the gates. It will probably help if you’ve tinkered under the hood of a web server before. But don’t think that you have to be a tech guru or anything like that.
Deactivate network ports when not in use
Leave a network port open and you might as well put out the welcome mat for hackers. To maintain web host security, you can use the “netstat” command to see which network ports are currently open and which services are using them. Closing the ones you don’t need shuts off another avenue of attack for hackers.
You also might want to set up “iptables” to deactivate open ports. Or simply use the “chkconfig” command to shut down services you won’t need. Firewalls like CSF let you automate the iptables rules, so you could just do that. If you use the Plesk platform as your hosting management software, please pay attention to this article about Plesk ports.
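One way to turn the netstat listing into a list of ports to close, as an added example that is not part of the original article: the function compares listeners against an allowlist and ignores sockets bound only to loopback, since those are not reachable from the network. The sample output, the allowlist and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag network-reachable listeners that are not on an allowlist.

# Constructed sample of `netstat -tulpn` output (not from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1040/mysqld
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      977/vsftpd
tcp6       0      0 :::80                   :::*                    LISTEN      1201/httpd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1100/master
udp        0      0 0.0.0.0:111             0.0.0.0:*                           640/rpcbind
EOF
}

# unexpected_listeners "22 80 443" < netstat-output
# Prints "proto port pid/program" for every socket bound to a non-loopback
# address whose port is not in the space-separated allowlist.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 !~ /^(tcp|udp)/ { next }               # skip the two header lines
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }    # TCP: listening sockets only
        {
            addr = $4; port = $4
            sub(/:[^:]*$/, "", addr)              # text before the last colon
            sub(/.*:/, "", port)                  # text after the last colon
            if (addr ~ /^127\./ || addr == "::1") next    # loopback only
            prog = "-"                            # "-" when netstat ran unprivileged
            for (i = 6; i <= NF; i++) if ($i ~ /^[0-9]+\//) { prog = $i; break }
            if (!(port in ok)) print $1, port, prog
        }'
}

sample_netstat | unexpected_listeners "22 80 443"
```

On a live server, pipe the real command into the function instead of the sample: `netstat -tulpn | unexpected_listeners "22 80 443"`.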
Alter the SSH port
The SSH port is usually 22, and that’s where hackers will expect to find it. To enhance Linux server security, change it to some other port number you’re not already using for another service. This way, you’ll be making it harder for the bad guys to inject malware into your server. To make the change, just go to /etc/ssh/sshd_config and enter the appropriate number.
Update Software for better Linux Server Security
YUM (Yellowdog Updater Modified) is the main tool for managing and updating Red Hat Enterprise Linux versions 5 and later. RPM is Red Hat Package Manager. You can use both to keep your Linux server security and software components up to date. Just use apt-get (Ubuntu/Debian) or yum (CentOS/RHEL) to upgrade to the latest versions of your software components.
If you want to, you can automate Linux server security updates using a cron job. This will mean that they install as soon as they become available. You should update any panels like Plesk or cPanel, too – but these panels usually do so automatically.
Never put off applying security patches to your web server. Doing that is like leaving your front door open all day. The longer it’s open, the more likely you are to have someone bad come along and steal your furniture.
Get rid of any unwanted modules and packages
Your Linux distro probably came with a ton of things that you’ll never actually use. So consider weeding out the things that you don’t need. Anything you do leave in is only another potential entry point that uninvited guests can take advantage of. So only hold on to services that you can’t do without. With all the bloatware gone, your server will suddenly work like new again!
Turn off IPv6 to boost Linux server security
IPv6 is better than IPv4, but you probably aren’t getting much out of it – because neither is anyone else. Hackers get something from it though – because they use it to send malicious traffic. So shutting down IPv6 will close the door in their faces. Edit /etc/sysconfig/network and change the settings to read NETWORKING_IPV6=no and IPV6INIT=no. Simple as that.
Turn off root logins to improve Linux server security
Linux servers the world over allow the use of “root” as a username. Knowing this, hackers will often try subverting web host security to discover your password before slithering inside. It’s because of this that you should not sign in as the root user. In fact, you really ought to remove it as an option, creating one more level of difficulty for hackers. And thus, stopping them from being able to get past your security with just a lucky guess.
So, all it takes is for you to create a separate username. Then use the “sudo” special access command to execute root level commands. Sudo is great because you can give it to any users you want to have admin commands, but not root access. Because you don’t want to compromise security by giving them both.
Before you deactivate the root account, check that you’ve created and authorized your new user. Next, open /etc/ssh/sshd_config in nano or vi and locate the “PermitRootLogin” parameter. Change the default setting of “yes” to “no” and then save your changes.
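A check that the two /etc/ssh/sshd_config edits described above (the port change and PermitRootLogin) really took effect, as an added example that is not part of the original article: sshd keeps the first occurrence of a keyword and listens on every Port line, so a hardened line appended below an old one changes nothing. The sample config and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: which PermitRootLogin and Port values will sshd really use?

# Constructed config: hardened lines were appended, old ones left in place.
sample_sshd_config() {
cat <<'EOF'
Port 22
#PermitRootLogin no
permitrootlogin yes
Port 2222
PermitRootLogin no
Match User deploy
    PermitRootLogin no
EOF
}

# First global (pre-Match) value of a keyword; keywords are case-insensitive
# and sshd keeps the first occurrence.
first_value() {
    awk -v want="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print tolower($2); exit }'
}

# Every global Port line: Port may repeat and sshd listens on all of them.
all_ports() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         tolower($1) == "match" { exit }
         tolower($1) == "port" { printf "%s%s", sep, $2; sep = " " }
         END { print "" }'
}

# Reads a config on stdin; prints one line per finding, or "OK".
audit_sshd() {
    cfg=$(cat); status=OK
    root=$(printf '%s\n' "$cfg" | first_value PermitRootLogin)
    ports=$(printf '%s\n' "$cfg" | all_ports)
    if [ "$root" != "no" ]; then
        echo "FAIL PermitRootLogin=${root:-unset}"; status=BAD
    fi
    case " ${ports:-22} " in               # no Port line means port 22
        *" 22 "*) echo "WARN sshd listens on port 22"; status=BAD ;;
    esac
    [ "$status" = OK ] && echo "OK"
    return 0
}

sample_sshd_config | audit_sshd
```

The parser reads a single file and does not follow Include directives; on a live host, `sshd -T` run as root prints the effective configuration after all files are merged.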
GnuPG encryption for web host security
When data is on the move across your network, hackers will frequently attempt to compromise Linux server security by intercepting it. Always make sure anything going to and from your server has password encryption, certificates and keys. One way to do this is with an encryption tool like GnuPG. It uses a system of keys to ensure nobody can snoop on your info when in transit.
Change /boot to read-only
All files related to the kernel on a Linux server are in the “/boot” directory. The standard access level for the directory is “read-write”, but it’s a good idea to change it to “read-only”. This stops anyone from modifying your extremely important boot files.
Just edit the /etc/fstab file and add LABEL=/boot /boot ext2 defaults,ro 1 2 to the bottom. It is completely reversible, so you can make future changes to the kernel by changing it back to “read-write” mode. Then, once you’re done, you can revert back to “read-only”.
A better password policy enhances Web Host Security
Passwords are always a security problem because humans are. People can’t be bothered to come up with a lot of different passwords – or maybe they can’t. So what happens? They use the same ones in different places. Or worse yet – combinations that are easy to remember, like “password” or “abcde”. Basically, a gift to hackers.
Make it a requirement for passwords to contain a mix of upper AND lower case letters, numbers, and symbols. You can enable password ageing to make users discard previous passwords at fixed intervals. Also think about banning old passwords, so once people use one, it’s gone forever. The “faillog” command lets you put a limit on the number of failed login attempts allowed and lock user accounts. This is ideal to prevent brute force attacks.
So just use a strong password all the time
Passwords are your first line of defense, so make sure they’re strong. Many people don’t really know what a good password looks like. That it needs to be complex, but also long enough to make it the strongest it can be.
At admin level, you can help users by securing Plesk Obsidian and enforcing the use of strong passwords which expire after a fixed period. Users may not like it, but you need to make them understand that it saves them a lot of possible heartache.
So what are the ‘best practices’ when setting up passwords?
- Use passwords that are as long as you can manage
- Avoid words that appear in the dictionary (like “blue grapes”)
- Steer clear of number replacements that are easy to guess (like “h3ll0”)
- Don’t reference pop culture (such as “TARDIS”)
- Never use a password in more than one place
- Change your password regularly and use a different one for every website
- Don’t write passwords down, and don’t share them. Not with anybody. Ever!
The passwords you choose should increase Web Host Security by being obscure and not easy to work out. You’ll also help your security efforts if you give your root (Linux) or RDP (Windows) login its own unique password.
Linux server security needs a firewall
A firewall is a must-have for web host security, because it’s your first line of defense against attackers, and you are spoiled for choice. NetFilter is built into the Linux kernel. Combined with iptables, you can use it to resist DDoS attacks.
TCPWrapper is a host-based access control list (ACL) system that filters network access for different programs. It has host name verification, standardized logging and protection from spoofing. Firewalls like CSF and APF are also widely used, and they also come with plugins for popular panels like cPanel and Plesk.
Stop anonymous FTP uploads
Plesk as well as cPanel automatically disallow anonymous FTP, but some setups have it pre-enabled. If you let anyone upload incognito using FTP then you open yourself up to a considerable security risk. Because this means anybody can pollute your Linux server with whatever they want to. Such as malware or other unwanted and potentially dangerous materials, so don’t be tempted. You can switch off anonymous uploads by editing your server’s FTP configuration settings.
Try disk partitions for better Web host security
If you partition your disks then you’ll be separating OS files from user files, tmp files and programs. Try disabling SUID/SGID access (nosuid) along with binaries (noexec) on the operating system partition.
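A check for the mount options discussed above and in the read-only /boot section (ro, nosuid, noexec), as an added example that is not part of the original article: it reads fstab-style lines and reports which required options a mount point lacks. The sample fstab, the per-mount policy in audit_fstab and the function names are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example: check /etc/fstab-style entries for required mount options.

# Constructed fstab (not from a real host). /boot carries the ro option
# from the article; /tmp is missing noexec.
sample_fstab() {
cat <<'EOF'
# <device>      <mount>  <type>  <options>              <dump> <pass>
LABEL=/         /        ext4    defaults               1 1
LABEL=/boot     /boot    ext2    defaults,ro            1 2
LABEL=/tmp      /tmp     ext4    defaults,nosuid,nodev  1 2
LABEL=/home     /home    ext4    defaults,nosuid,noexec 1 2
EOF
}

# missing_opts MOUNTPOINT "opt1 opt2 ..." < fstab
# Prints the required options absent from MOUNTPOINT's entry, or
# "no-entry" if the mount point has no line of its own.
missing_opts() {
    awk -v mp="$1" -v need="$2" '
        /^[ \t]*#/ || NF < 4 { next }
        $2 == mp {
            found = 1
            n = split($4, have, ",")
            for (i = 1; i <= n; i++) set[have[i]] = 1
            m = split(need, want, " ")
            for (i = 1; i <= m; i++)
                if (!(want[i] in set)) out = out (out == "" ? "" : " ") want[i]
            exit
        }
        END { print (found ? out : "no-entry") }'
}

# audit_fstab < fstab : one line per mount point that falls short.
audit_fstab() {
    fstab=$(cat)
    # Policy below is an assumption for the demo; adjust it per host.
    for rule in "/boot:ro" "/tmp:nosuid noexec" "/home:nosuid noexec"; do
        mp=${rule%%:*}; need=${rule#*:}
        miss=$(printf '%s\n' "$fstab" | missing_opts "$mp" "$need")
        [ -z "$miss" ] || echo "$mp missing: $miss"
    done
    return 0
}

sample_fstab | audit_fstab
```

/etc/fstab only records what will be mounted at boot. /proc/mounts uses the same column layout, so `missing_opts /boot ro < /proc/mounts` checks what is in force right now.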
Use SFTP, not FTP
File transfer protocol (FTP) isn’t safe anymore, even if you encrypt your connection. FTP and FTPS won’t keep you safe from packet sniffing, which is where your network traffic gets logged by someone else. Only the credentials are encrypted, which isn’t much use to anyone.
SFTP is “FTP over SSH” (also called “secure FTP”), and it encrypts all the data, credentials and files included.
Install antimalware/antivirus software
Your firewall may be good, but even the best won’t be perfect. Sooner or later some nasty software will slip through, so you need to prepare for that. Anti-malware software is another mandatory inclusion in your arsenal. It may cost you more money, but an unwelcome intrusion is likely to cost you a lot more. So our advice is to invest in it.
It’s true that there are free anti-malware programs out there, but you get what you pay for. Paid software means better programmers and greater safety. If your budget doesn’t stretch that far – consider using ClamAV and Maldet. These are open-source applications that do a good job of scouring your server for potential threats.
Get a rootkit scanner
Rootkits are one of the most destructive pieces of malware out there. They function at operating system (OS) level, which means that they fly under the radar of the usual security measures. Rootkits can open up access to your server and you won’t even know that it’s happening. But on the plus side, “chkrootkit” is an open source tool which can detect if a rootkit has found its way in. Even if it finds one though, rootkits can be exceptionally tenacious enemies. You may actually need to completely reinstall the operating system in order to get rid of any that you find.
Activate CMS auto-updates
CMSs are quite complex, so hackers are always trying to exploit security loopholes with them. Joomla!, Drupal and WordPress are all hugely popular platforms, so developers are constantly working on new security fixes. This means updates are important and should be applied straight away. The best way to ensure this happens is to activate auto-updates, so you won’t even have to think about it. Your host isn’t responsible for the content of your website. So it’s up to you to ensure you update it regularly. And it won’t hurt to back it up once in a while either.
Backing up your server should be second nature, because you have so much to lose. One of the laws of the universe dictates that if something can go wrong – it will. Usually when it’s most inconvenient. You can’t leave it to chance, or to your hosting provider to do the backing up for you.
Consider using cloud backups and hard copies of your own. This naturally means more expense, but it’s money well spent. We can guarantee you won’t be thinking about cost when you lose everything and turn to your backup to restore.
Linux Server Security Summary
That’s a lot of tips, but you need to keep your Linux server security updated in a world of thieves and vandals. These despicable beings are hard at work all the time, always looking to exploit any chink in a website’s armor. If you give them the slimmest opportunity to disrupt your business, they will happily take advantage of it. Since there’s such a huge army of them, you need to make sure that your castle has extremely strong defenses.
Let us know how many of these tips you have implemented, or if you have any questions in the comments below.