Linux Server Security - Best Practices for 2020 - Plesk

Linux Server Security – Best Practices for 2020

Linux server security is at a sufficient level from the moment you install the OS. And that’s great to know because… hackers never sleep! They’re kind of like digital vandals. Taking pleasure – and sometimes money too – as they inflict misery on random strangers all over the planet.

Anyone who looks after their own server appreciates the fact that Linux is highly secure right out the box. Naturally, it isn’t completely watertight. But it does do a better job of keeping you safe than most other operating systems.

Still, there are plenty of ways you can improve it further. So here are some practical ways to keep the evil hordes from the gates. It will probably help if you’ve tinkered under the hood of a web server before. But don’t think that you have to be a tech guru or anything like that.

Deactivate network ports when not in use


Leave a network port open and you might as well put out the welcome mat for hackers. To maintain web host security, you can use the “netstat” command to see which network ports are currently open, and which services are using them. Closing the ones you don’t need shuts off another avenue of attack for hackers.

You also might want to set up “iptables” to deactivate open ports. Or simply use the “chkconfig” command to shut down services you won’t need. Firewalls like CSF let you automate the iptables rules, so you could just do that. If you use the Plesk platform as your hosting management software, please pay attention to this article about Plesk ports.
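As an added example (not code from the Plesk article), the POSIX shell script below parses netstat -tlnp style output, lists the listening services, flags the ports exposed on every interface that are not on an allow-list, and prints the iptables or ip6tables rule that would close each one. The netstat output is constructed for the example and the allow-list of 22, 80 and 443 is an assumption. It deliberately looks at IPv6 listeners as well, because a rule added only to iptables leaves the same service reachable over IPv6.

```shell
#!/bin/sh
# Constructed sample of `netstat -tlnp` output (not captured from a real host);
# on a live server you would feed in the real `netstat -tlnp` output instead.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1020/nginx
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      955/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      640/rpcbind
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
tcp6       0      0 :::111                  :::*                    LISTEN      640/rpcbind'

# list_listeners TEXT: one "proto port program" line per listening socket
list_listeners() {
  printf '%s\n' "$1" | awk '$6 == "LISTEN" {
    n = split($4, a, ":"); port = a[n]
    split($7, p, "/"); prog = p[2]
    print $1, port, prog
  }'
}

# unexpected_ports TEXT ALLOWLIST: "proto port" for sockets bound to every
# interface (0.0.0.0 or ::) whose port is not in the space-separated ALLOWLIST.
# Loopback-only services such as a local database are left alone.
unexpected_ports() {
  printf '%s\n' "$1" | awk -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $6 == "LISTEN" {
      n = split($4, f, ":"); port = f[n]
      bound = substr($4, 1, length($4) - length(port) - 1)
      if ((bound == "0.0.0.0" || bound == "::") && !(port in ok)) print $1, port
    }'
}

# drop_rules TEXT ALLOWLIST: print netfilter rules that drop inbound TCP to each
# unexpected port. IPv6 listeners get ip6tables rules, because filtering only
# IPv4 would leave the same service reachable over IPv6. The rules are printed,
# not applied: review them first, then run them as root.
drop_rules() {
  unexpected_ports "$1" "$2" | while read -r proto port; do
    case $proto in
      tcp6) tool=ip6tables ;;
      *)    tool=iptables ;;
    esac
    printf '%s -A INPUT -p tcp --dport %s -j DROP\n' "$tool" "$port"
  done
}

# Stand-alone demo on the constructed sample
list_listeners "$SAMPLE_NETSTAT"
drop_rules "$SAMPLE_NETSTAT" "22 80 443"
```

On a live server, replace SAMPLE_NETSTAT with the real output and review the printed rules before applying them as root. Firewalling a port is the fallback; the better fix for a service you don’t need is to stop and disable it, as the article says.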

Alter the SSH port

The SSH port is usually 22, and that’s where hackers will expect to find it. To enhance Linux server security, change it to some other port number you’re not already using for another service. This way, you’ll be making it harder for the bad guys to inject malware into your server. To make the change, edit the “Port” line in /etc/ssh/sshd_config and enter the new number.

Update Software for better Linux Server Security


YUM (Yellowdog Updater Modified) is the main tool for managing and updating Red Hat Enterprise Linux versions 5 and later, and RPM is the Red Hat Package Manager. You can use both to keep your Linux server security and software components up to date. Just use apt-get (Ubuntu/Debian) or yum (CentOS/RHEL) to upgrade to the latest versions of your software components.

If you want to, you can automate Linux server security updates using a cron job. This means they install as soon as they become available. You should update any panels like Plesk or cPanel too, but these panels usually do so automatically.

Never put off applying security patches to your web server. Think of doing that as like leaving your front door open all day. The longer it’s open, the more likely you are to have someone bad come along and steal your furniture.

Get rid of any unwanted modules and packages

Your Linux distro probably came with a ton of things that you’ll never actually use. So consider weeding out the things that you don’t need. Anything you do leave in is only another potential entry point that uninvited guests can take advantage of. So only hold on to services that you can’t do without. With all the bloatware gone, your server will suddenly work like new again!

Turn off IPv6 to boost Linux server security


IPv6 is better than IPv4, but you probably aren’t getting much out of it – because neither is anyone else. Hackers get something from it though – because they use it to send malicious traffic. So shutting down IPv6 will close the door in their faces. Edit /etc/sysconfig/network and change the settings to read NETWORKING_IPV6=no and IPV6INIT=no. Simple as that.

Turn off root logins to improve Linux server security

Linux servers the world over allow the use of “root” as a username. Knowing this, hackers will often try subverting web host security to discover your password before slithering inside. It’s because of this that you should not sign in as the root user. In fact, you really ought to remove it as an option, creating one more level of difficulty for hackers and stopping them from getting past your security with just a lucky guess.

So, all it takes is for you to create a separate username, then use the “sudo” special access command to execute root-level commands. Sudo is great because you can give it to any users you want to have admin commands, but not root access, because you don’t want to compromise security by giving them both.

Before you deactivate the root account, check that you’ve created and authorized your new user. Next, open /etc/ssh/sshd_config in nano or vi, locate the “PermitRootLogin” parameter, change the default setting of “yes” to “no”, and save your changes.
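The two sshd_config edits described on this page (the port change in the section above and PermitRootLogin here) can be scripted so that each directive ends up set exactly once, whether the stock file has it commented out (“#Port 22”) or missing entirely. The script below is an added example, not Plesk’s code; it works on a constructed copy of the file, and 2222 is an arbitrary port chosen for the illustration.

```shell
#!/bin/sh
# Work on a constructed copy of sshd_config, never the live /etc/ssh/sshd_config.
SSHD_CONF="${TMPDIR:-/tmp}/sshd_config.example"
cat > "$SSHD_CONF" <<'EOF'
# constructed sample, not a real server's configuration
#Port 22
#AddressFamily any
PermitRootLogin yes
X11Forwarding yes
EOF

# set_option FILE KEY VALUE: rewrite an existing "KEY value" line, including a
# commented-out default such as "#Port 22", or append the directive if absent,
# so sshd ends up with exactly one copy of the directive.
set_option() {
  file=$1; key=$2; value=$3
  if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
    sed -E "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file" > "$file.tmp" \
      && mv "$file.tmp" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# get_option FILE KEY: print the effective value (first active, uncommented directive)
get_option() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Apply the two changes from the article. 2222 is an arbitrary example port.
set_option "$SSHD_CONF" Port 2222
set_option "$SSHD_CONF" PermitRootLogin no
cat "$SSHD_CONF"
```

On a real host, run sshd -t to validate the edited file before restarting the SSH service, open the new port in the firewall, and keep your current session open until a fresh login on the new port as the non-root user has succeeded.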

GnuPG encryption for web host security


When data is on the move across your network, hackers will frequently attempt to compromise Linux server security by intercepting it. Always make sure anything going to and from your server has password encryption, certificates and keys. One way to do this is with an encryption tool like GnuPG. It uses a system of keys to ensure nobody can snoop on your info when in transit.

Change/boot to read-only

All files related to the kernel on a Linux server are in the “/boot” directory. The standard access level for the directory is “read-write”, but it’s a good idea to change it to “read-only”. This stops anyone from modifying your extremely important boot files.

Just edit the /etc/fstab file and add LABEL=/boot /boot ext2 defaults,ro 1 2 to the bottom. It is completely reversible, so you can make future changes to the kernel by changing it back to “read-write” mode. Then, once you’re done, you can revert to “read-only”.

A better password policy enhances Web Host Security


Passwords are always a security problem because humans are. People can’t be bothered to come up with a lot of different passwords – or maybe they can’t. So what happens? They use the same ones in different places. Or worse yet – combinations that are easy to remember, like “password” or “abcde”. Basically, a gift to hackers.

Make it a requirement for passwords to contain a mix of upper AND lower case letters, numbers, and symbols. You can enable password ageing to make users discard previous passwords at fixed intervals. Also think about banning old passwords, so once people have used one, it’s gone forever. The “faillog” command lets you put a limit on the number of failed login attempts allowed and lock user accounts. This is ideal for preventing brute-force attacks.

So just use a strong password all the time

Passwords are your first line of defense, so make sure they’re strong. Many people don’t really know what a good password looks like: it needs to be complex, but also long enough to make it the strongest it can be.

At admin level, you can help users by securing Plesk Obsidian and enforcing the use of strong passwords which expire after a fixed period. Users may not like it, but you need to make them understand that it saves them a lot of possible heartache.

So what are the ‘best practices’ when setting up passwords?

  1. Use passwords that are as long as you can manage
  2. Avoid words that appear in the dictionary (like “blue grapes”)
  3. Steer clear of number replacements that are easy to guess (like “h3ll0”)
  4. Don’t reference pop culture (such as “TARDIS”)
  5. Never use a password in more than one place
  6. Change your password regularly and use a different one for every website
  7. Don’t write passwords down, and don’t share them. Not with anybody. Ever!

The passwords you choose should increase Web Host Security by being obscure and not easy to work out. You’ll also help your security efforts if you give your root (Linux) or RDP (Windows) login its own unique password.
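To show what the list above amounts to when it is enforced rather than just recommended, here is an added example (not Plesk’s code) of a POSIX shell checker for the rules that can be tested mechanically: minimum length, character mix, and a banned list of dictionary and pop-culture words that is matched even after the usual look-alike substitutions (so “h3ll0” fails as “hello”). The length threshold of 14 and the banned-word list are constructed for the example; on a real server the same policy belongs in the PAM password-quality module, not in ad-hoc shell.

```shell
#!/bin/sh
# Policy checker for the password rules above. MIN_LEN and BANNED are constructed
# values for this example, not a recommendation from the article.
MIN_LEN=14
BANNED='password
abcde
hello
qwerty
tardis
bluegrapes'

# normalize PASSWORD: lower-case it, undo the usual look-alike substitutions
# (4->a, 3->e, 0->o, 1->l, $->s, @->a, !->i) and drop separators, so "h3ll0"
# and "Blue-Grapes" compare against the banned list as "hello" and "bluegrapes".
normalize() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | tr '4301$@!' 'aeolsai' | tr -d ' _-'
}

# check_password PASSWORD: print each rule the password breaks (nothing when it
# passes) and return non-zero on any failure.
check_password() {
  pw=$1; fails=0
  if [ "${#pw}" -lt "$MIN_LEN" ]; then echo "too short: fewer than $MIN_LEN characters"; fails=1; fi
  case $pw in *[[:upper:]]*) ;; *) echo "no upper-case letter"; fails=1 ;; esac
  case $pw in *[[:lower:]]*) ;; *) echo "no lower-case letter"; fails=1 ;; esac
  case $pw in *[[:digit:]]*) ;; *) echo "no digit"; fails=1 ;; esac
  case $pw in *[![:alnum:]]*) ;; *) echo "no symbol"; fails=1 ;; esac
  norm=$(normalize "$pw")
  for word in $BANNED; do
    case $norm in *"$word"*) echo "contains banned word '$word'"; fails=1 ;; esac
  done
  return $fails
}

# Demo on constructed inputs; the "||" keeps the script going when a check fails
check_password 'h3ll0' || echo "rejected: h3ll0"
check_password 'Vx7#pLq2!mRt9wZ' && echo "accepted: Vx7#pLq2!mRt9wZ"
```

The reuse and “change it regularly” rules in the list cannot be checked from a single password, which is why the article pairs this kind of check with password ageing and a history of old passwords on the server side.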

Linux server security needs a firewall


A firewall is a must-have for web host security, because it’s your first line of defense against attackers, and you are spoiled for choice. Netfilter is built into the Linux kernel. Combined with iptables, you can use it to resist DDoS attacks.

TCP Wrappers is a host-based access control list (ACL) system that filters network access for different programs. It has host name verification, standardized logging and protection from spoofing. Firewalls like CSF and APF are also widely used, and they also come with plugins for popular panels like cPanel and Plesk.
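As an added example of what a Netfilter baseline looks like when written by hand (this is not Plesk’s or CSF’s code), the script below builds a default-deny INPUT policy for both iptables and ip6tables: loopback and established traffic are accepted, a SYN_FLOOD chain rate-limits new TCP connections as a simple flood defence, only the listed ports are opened, and ICMPv6 is kept because IPv6 cannot work without it. The open ports (22, 80, 443) are assumptions; with DRY_RUN=1, the default, the rules are printed instead of applied.

```shell
#!/bin/sh
# Baseline Netfilter ruleset for both address families. OPEN_TCP_PORTS is an
# assumption for this example. DRY_RUN=1 prints the rules; applying them needs
# root and the iptables/ip6tables binaries.
DRY_RUN=${DRY_RUN:-1}
OPEN_TCP_PORTS="22 80 443"

# run CMD ARGS...: print the command in dry-run mode, otherwise execute it
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# baseline TOOL: emit the ruleset for iptables (IPv4) or ip6tables (IPv6)
baseline() {
  t=$1
  run "$t" -F
  run "$t" -X
  run "$t" -A INPUT -i lo -j ACCEPT
  run "$t" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run "$t" -A INPUT -m conntrack --ctstate INVALID -j DROP
  # IPv6 needs ICMPv6 for neighbour discovery and path MTU, so never drop it
  if [ "$t" = ip6tables ]; then
    run "$t" -A INPUT -p ipv6-icmp -j ACCEPT
  fi
  # Rate-limit new TCP connections to blunt simple SYN floods
  run "$t" -N SYN_FLOOD
  run "$t" -A INPUT -p tcp --syn -j SYN_FLOOD
  run "$t" -A SYN_FLOOD -m limit --limit 25/second --limit-burst 50 -j RETURN
  run "$t" -A SYN_FLOOD -j DROP
  for p in $OPEN_TCP_PORTS; do
    run "$t" -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
  done
  # Default policies go last so an interactive SSH session is never cut off
  run "$t" -P INPUT DROP
  run "$t" -P FORWARD DROP
  run "$t" -P OUTPUT ACCEPT
}

# apply_both: identical policy for IPv4 and IPv6; filtering only one of them
# leaves every service reachable over the other.
apply_both() {
  baseline iptables
  baseline ip6tables
}

apply_both
```

Rules written this way do not survive a reboot on their own; the distribution’s persistence mechanism (or a front end such as CSF, which the article mentions) is what keeps them in place.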

Stop anonymous FTP uploads

Plesk as well as cPanel automatically disallow anonymous FTP, but some setups have it pre-enabled. If you let anyone upload incognito using FTP then you open yourself up to a considerable security risk. Because this means anybody can pollute your Linux server with whatever they want to. Such as malware or other unwanted and potentially dangerous materials, so don’t be tempted. You can switch off anonymous uploads by editing your server’s FTP configuration settings.

Try disk partitions for better Web host security


If you partition your disks, you’ll be separating OS files from user files, temporary files and programs. Try disabling SUID/SGID access (nosuid) along with binary execution (noexec) on the operating system partition.
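Both the read-only /boot entry from the “Change /boot to read-only” section and the nosuid/noexec mount options here are edits to /etc/fstab, so one added example (not Plesk’s code) serves both: the functions below add or remove a single option on a single entry, leaving every other field and line untouched, and can undo the change just as easily, which is the reversibility the /boot section relies on. The fstab content is constructed for the example and lives in a temporary file.

```shell
#!/bin/sh
# Constructed /etc/fstab sample (not from a real host); the functions edit this copy only.
FSTAB="${TMPDIR:-/tmp}/fstab.example"
cat > "$FSTAB" <<'EOF'
# <device>    <mount point> <type> <options> <dump> <pass>
LABEL=/       /             ext4   defaults 1 1
LABEL=/boot   /boot         ext2   defaults 1 2
LABEL=/tmp    /tmp          ext4   defaults 1 2
EOF

# mount_opts FILE MOUNTPOINT: print the options field of the entry for MOUNTPOINT
mount_opts() {
  awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$1"
}

# has_opt FILE MOUNTPOINT OPTION: succeed if the entry lists OPTION
has_opt() {
  case ",$(mount_opts "$1" "$2")," in
    *",$3,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# set_opt FILE MOUNTPOINT add|del OPTION: add or remove one option on one entry,
# rewriting only that line's options field so every other entry stays untouched.
set_opt() {
  awk -v mp="$2" -v act="$3" -v opt="$4" '
    $1 !~ /^#/ && $2 == mp {
      n = split($4, o, ","); out = ""
      for (i = 1; i <= n; i++) if (o[i] != opt) out = out (out == "" ? "" : ",") o[i]
      if (act == "add") out = (out == "" ? opt : out "," opt)
      $4 = out
    }
    { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Harden the sample: read-only /boot, and no setuid binaries or executables from /tmp.
set_opt "$FSTAB" /boot add ro
set_opt "$FSTAB" /tmp add nosuid
set_opt "$FSTAB" /tmp add noexec
cat "$FSTAB"
```

After editing the real file, the new options take effect on the next mount, or immediately with mount -o remount /boot (and likewise for /tmp); to work on the kernel again, remove the ro option and remount.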

Use SFTP, not FTP

File transfer protocol (FTP) isn’t safe anymore, even if you encrypt your connection. FTP and FTPS won’t keep you safe from packet sniffing, which is where your network traffic gets logged by someone else. Only the credentials are encrypted, which isn’t much use to anyone.

SFTP is “FTP over SSH” (also called “secure FTP”), and it encrypts all the data, credentials and files included.

Install antimalware/antivirus software


Your firewall may be good, but even the best won’t be perfect. Sooner or later some nasty software will slip through, so you need to prepare for that. Anti-malware software is another mandatory inclusion in your arsenal. It may cost you more money, but an unwelcome intrusion is likely to cost you a lot more. So our advice is to invest in it.

It’s true that there are free anti-malware programs out there, but you get what you pay for. Paid software means better programmers and greater safety. If your budget doesn’t stretch that far – consider using ClamAV and Maldet. These are open-source applications that do a good job of scouring your server for potential threats.

Get a rootkit scanner

Rootkits are one of the most destructive pieces of malware out there. They function at operating system (OS) level, which means that they fly under the radar of the usual security measures. Rootkits can open up access to your server and you won’t even know that it’s happening. But on the plus side, “chkrootkit” is an open source tool which can detect if a rootkit has found its way in. Even if it finds one though, rootkits can be exceptionally tenacious enemies. You may actually need to completely reinstall the operating system in order to get rid of any that you find.

Activate CMS auto-updates


CMSs are quite complex, so hackers are always trying to exploit security loopholes with them. Joomla!, Drupal and WordPress, are all hugely popular platforms, so developers are constantly working on new security fixes. This means updates are important and should be applied straight away. The best way to ensure this happens is to activate auto-updates, so you won’t even have to think about it. Your host isn’t responsible for the content of your website. So it’s up to you to ensure you update it regularly. And it won’t hurt to back it up once in a while either.

Backup regularly


Backing up your server should be second nature, because you have so much to lose. One of the laws of the universe dictates that if something can go wrong – it will. Usually when it’s most inconvenient. You can’t leave it to chance, or to your hosting provider to do the backing up for you.

Consider using cloud backups and hard copies of your own. This naturally means more expense, but it’s money well spent. We can guarantee you won’t be thinking about cost when you lose everything and turn to your backup to restore.
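A backup that has never been verified or restored is a hope, not a backup, so the added example below (not Plesk’s backup feature) shows the routine a practitioner would script: archive a site directory, record a SHA-256 checksum beside it, verify the archive, prune copies older than a retention period, and do a test restore. The site content, paths and 7-day retention are constructed assumptions for the example; everything happens under a temporary directory.

```shell
#!/bin/sh
# Backup routine demonstrated on constructed sample data in a temporary directory.
# Paths and the retention period are assumptions for this example.
WORK="${TMPDIR:-/tmp}/backup-example"
SITE="$WORK/site"; DEST="$WORK/backups"
KEEP_DAYS=7
rm -rf "$WORK"; mkdir -p "$SITE/wp-content" "$DEST"
echo '<?php // constructed sample file' > "$SITE/index.php"
echo 'sample upload' > "$SITE/wp-content/upload.txt"

# make_backup SRC DEST STAMP: tar the site, store a SHA-256 beside it, print the archive path
make_backup() {
  archive="$2/site-$3.tar.gz"
  tar -C "$(dirname "$1")" -czf "$archive" "$(basename "$1")"
  (cd "$2" && sha256sum "$(basename "$archive")" > "$archive.sha256")
  printf '%s\n' "$archive"
}

# verify_backup ARCHIVE: recompute the checksum and confirm the archive can be listed
verify_backup() {
  (cd "$(dirname "$1")" && sha256sum -c --quiet "$(basename "$1").sha256") \
    && tar -tzf "$1" > /dev/null
}

# prune_backups DEST DAYS: delete archives and their checksum files older than DAYS
prune_backups() {
  find "$1" -name 'site-*.tar.gz*' -type f -mtime +"$2" -exec rm -f {} +
}

# restore_backup ARCHIVE TARGET: unpack into TARGET; a test restore is the only
# real proof that a backup works
restore_backup() {
  mkdir -p "$2" && tar -C "$2" -xzf "$1"
}

A=$(make_backup "$SITE" "$DEST" "$(date +%Y%m%d-%H%M%S)")
verify_backup "$A" && echo "backup verified: $A"
prune_backups "$DEST" "$KEEP_DAYS"
```

Copying the archive and its .sha256 file off the server (to cloud storage or a separate machine, as the section suggests) is what turns this into a real backup; a copy that sits next to the data it protects is lost together with it.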

Linux Server Security Summary

That’s a lot of tips, but you need to keep your Linux server security updated in a world of thieves and vandals. These despicable beings are hard at work all the time, always looking to exploit any chink in a website’s armor. If you give them the slimmest opportunity to disrupt your business, they will happily take advantage of it. Since there’s such a huge army of them, you need to make sure that your castle has extremely strong defenses.

Let us know how many of these tips you have implemented, or if you have any questions in the comments below.


About

Elvis Plesky
Our fun and curious team mascot's always plugged into the latest trends. He's here to share his knowledge and help you solve your tech problems.
Comments

Spencer Ryce

How to secure WordPress websites? Yesterday one of my websites got infected by a script and was redirecting to different websites when I tried to access it.

I am also using Joomla and WHMCS for the websites hostasp and indiaaccess but am not facing the issue.

So how to secure a WordPress website in Plesk?

Radek Zajic

Dear Plesk, dear Elvis,
2020 is just around the corner. What about editing this article to improve the IPv6 part? The better headline is `Set-up your firewall on both IPv6 and IPv4` and the body could focus on setting the apps for IPv4 and IPv6 at the same time, as well as configuring the firewall for both protocols.

It’s quite sad that a “linux server security best practices” keyword search on Google hints at your article and lists the headlines, one of which (the disabling of IPv6) was written by someone who lives in the IPv6-denial world. The worst is that people will do whatever you suggest, which does not the IPv6 transition – at all.

Thank you.

Debbie from Plesk (reply to Radek Zajic)

Hey Radek, thanks for your feedback. We will be updating the IPv6 part in the coming month so stay tuned if it still serves your purpose 🙂

Ross Chandler

This advice to turn off IPv6 is very harmful advice and the claim that no one gets much out of it is very false too. It is more widely deployed than you seem aware. It is not a hotbed of hacker activity.
