The following instructions assume that you are using a CentOS/RHEL or Ubuntu/Debian based Linux distribution.

1. Encrypt Data Communication For Linux Server

All data transmitted over a network is open to monitoring. Encrypt transmitted data whenever possible, using passwords or keys/certificates.

1. Use scp or ssh, rsync, or sftp for file transfer. You can also mount remote server file system or your own home directory using special sshfs and fuse tools.

2. GnuPG allows you to encrypt and sign your data and communication; it features a versatile key management system as well as access modules for all kinds of public key directories.

3. OpenVPN is a cost-effective, lightweight SSL VPN. Another option is to try out tinc that uses tunneling and encryption to create a secure private network between hosts on the Internet or private insecure LAN.

4. Lighttpd SSL (Secure Sockets Layer) HTTPS Configuration And Installation

5. Apache SSL (Secure Sockets Layer) HTTPS (mod_ssl) Configuration And Installation

2. Avoid Using FTP, Telnet, And Rlogin / Rsh Services on Linux

Under most network configurations, user names, passwords, FTP / telnet / rsh commands and transferred files can be captured by anyone on the same network using a packet sniffer. The common solution to this problem is to use OpenSSH, SFTP, or FTPS (FTP over SSL), which adds SSL or TLS encryption to FTP. Type the following yum command to delete NIS, rsh and other outdated services:

# yum erase xinetd ypserv tftp-server telnet-server rsh-server

If you are using a Debian/Ubuntu Linux based server, try apt-get command/apt command to remove insecure services:

# sudo apt-get --purge remove xinetd nis yp-tools tftpd atftpd tftpd-hpa telnetd rsh-server rsh-redone-server -y

3. Minimize Software to Minimize Vulnerability in Linux

Do you really need all sorts of web services installed? Avoid installing unnecessary software to avoid vulnerabilities in software. Use your package manager (rpm/yum on RHEL-based systems, apt-get/dpkg on Debian-based systems) to review the full set of installed packages on a system. Delete all unwanted packages.

# yum list installed
# yum list packageName
# yum remove packageName

OR

# dpkg --list
# dpkg --info packageName
# apt-get remove packageName

4. Keep Linux Kernel and software Up to Date

Applying security patches is an important part of maintaining a Linux server. Linux provides all the necessary tools to keep your system updated, and also allows for easy upgrades between versions. All security updates should be reviewed and applied as soon as possible. Again, use the package manager (yum, apt-get and/or dpkg) to apply all security updates.

# sudo yum update -y 

OR

# sudo apt-get update && sudo apt-get upgrade -y

You can configure Red Hat / CentOS / Fedora Linux to send yum package update notifications via email. Another option is to apply all security updates via a cron job. Under Debian / Ubuntu Linux you can use apticron to send security notifications. It is also possible to configure unattended upgrades for your Debian/Ubuntu Linux server using the apt-get command/apt command:

$ sudo apt-get install unattended-upgrades apt-listchanges bsd-mailx -y

5. Set Up Password Aging For Linux Users For Better Security

The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change his/her password. The /etc/login.defs file defines the site-specific configuration for the shadow password suite including password aging configuration. To disable password aging, enter:

# chage -M 99999 userName

To get password expiration information, enter:

# chage -l userName

Finally, you can also edit the following fields in the /etc/shadow file:

{userName}:{password}:{lastpasswdchanged}:{Minimum_days}:{Maximum_days}:{Warn}:{Inactive}:{Expire}:
Where,

Minimum_days: The minimum number of days required between password changes, i.e. the number of days left before the user is allowed to change his/her password.
Maximum_days: The maximum number of days the password is valid (after that the user is forced to change his/her password).
Warn : The number of days before the password expires that the user is warned that his/her password must be changed.
Expire : Days since Jan 1, 1970 that the account is disabled, i.e. an absolute date specifying when the login may no longer be used.
I recommend the chage command instead of editing the /etc/shadow file by hand:

# chage -M 60 -m 7 -W 7 userName

6. Locking User Accounts After Login Failures

Under Linux you can use the faillog command to display faillog records or to set login failure limits. faillog formats the contents of the failure log from the /var/log/faillog database / log file. It can also be used to maintain failure counters and limits. To see failed login attempts, enter:
# faillog

To unlock an account after login failures, run:
# faillog -r -u userName

Note you can use passwd command to lock and unlock accounts:

# lock Linux account
passwd -l userName
# unlock Linux account
passwd -u userName

7. How Do I Verify No Accounts Have Empty Passwords?

Type the following command

# awk -F: '($2 == "") {print}' /etc/shadow

Lock all empty password accounts:

# passwd -l accountName
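The checks from sections 5 and 7 can be run over the whole shadow file at once rather than one user at a time. The following script is an added example (not from the original article): it parses lines in the /etc/shadow field layout described above, computes days until a password expires, flags accounts with an empty password field, and flags accounts whose Maximum_days is above a limit (password aging effectively disabled). The sample lines and placeholder hashes are constructed; on a real host you would feed it `sudo cat /etc/shadow` instead.

```shell
#!/bin/sh
# Constructed sample in /etc/shadow format (hashes are placeholders, not from a real host).
SAMPLE_SHADOW='root:$6$saltsalt$placeholderhash:19000:0:99999:7:::
alice:$6$saltsalt$placeholderhash:19500:7:60:7:::
bob::19500:0:99999:7:::
svc:!:19500:0:99999:7:::'

# Print one field (1-based) of a shadow line; field 3 is lastpasswdchanged,
# field 5 is Maximum_days.
shadow_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Days until the password expires: (lastpasswdchanged + Maximum_days) - today,
# where both lastpasswdchanged and today are day counts since 1970-01-01.
shadow_days_until_expiry() {
    last="$(shadow_field "$1" 3)"
    max="$(shadow_field "$1" 5)"
    echo $(( last + max - $2 ))
}

# Report policy violations, one "user:reason" per line:
#   - empty password field (what the awk one-liner in section 7 looks for)
#   - Maximum_days above the allowed limit (default 90), i.e. aging disabled
# Locked accounts (password field starting with ! or *) are skipped.
shadow_policy_violations() {
    limit="${2:-90}"
    printf '%s\n' "$1" | while IFS=: read -r user pass last min max warn inactive expire rest; do
        case "$pass" in
            '')        echo "$user:empty-password" ;;
            '!'*|'*'*) ;;   # locked account, nothing to report
            *) if [ -n "$max" ] && [ "$max" -gt "$limit" ]; then
                   echo "$user:max-days-$max"
               fi ;;
        esac
    done
}

# Example run: prints root:max-days-99999 and bob:empty-password for the sample.
shadow_policy_violations "$SAMPLE_SHADOW" 90
```

Anything the script reports is a candidate for `chage -M 60 -m 7 -W 7 userName` (aging) or `passwd -l accountName` (empty password), as shown in the sections above.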


8. Use fail2ban/denyhost as IDS (Install an Intrusion Detection System)

Fail2ban or denyhost scans the log files for too many failed login attempts and blocks IP addresses that show malicious signs. See how to install and use denyhost for Linux. One can install fail2ban easily:
$ sudo apt-get install fail2ban

OR
$ sudo yum install fail2ban

Edit the config file as per your needs:
$ sudo vi /etc/fail2ban/jail.conf

Restart the service:
$ sudo systemctl restart fail2ban.service
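To see what fail2ban's sshd jail is doing under the hood, here is an added example (not part of the original article, and not fail2ban's own code) that applies the same logic by hand: it counts sshd "Failed password" events per source IP in syslog-format lines and lists the addresses that reached a maxretry threshold. The log lines are constructed and use documentation (TEST-NET) addresses; on a real host you would pipe in /var/log/auth.log or /var/log/secure.

```shell
#!/bin/sh
# Constructed sshd log lines in syslog format (TEST-NET addresses; not from a real host).
SAMPLE_AUTH_LOG='Mar  1 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Mar  1 10:00:03 web1 sshd[1202]: Failed password for root from 198.51.100.7 port 51002 ssh2
Mar  1 10:00:05 web1 sshd[1203]: Accepted publickey for alice from 192.0.2.10 port 51004 ssh2
Mar  1 10:00:07 web1 sshd[1204]: Failed password for root from 198.51.100.7 port 51006 ssh2
Mar  1 10:00:09 web1 sshd[1205]: Failed password for alice from 192.0.2.10 port 51008 ssh2
Mar  1 10:00:11 web1 sshd[1206]: Failed password for invalid user test from 198.51.100.7 port 51010 ssh2
Mar  1 10:00:13 web1 sshd[1207]: Failed password for invalid user oracle from 203.0.113.9 port 51012 ssh2
Mar  1 10:00:15 web1 sshd[1208]: Failed password for invalid user oracle from 203.0.113.9 port 51014 ssh2'

# Count sshd "Failed password" events per source IP, most frequent first.
# Output lines: "<count> <ip>". Successful logins are ignored.
failed_logins_by_ip() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# IPs that reached the failure threshold (fail2ban calls it maxretry) within
# the log window; these are the addresses fail2ban would ban.
ips_over_threshold() {
    failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Example run: with maxretry=3 only 198.51.100.7 (4 failures) is reported.
ips_over_threshold "$SAMPLE_AUTH_LOG" 3
```

Running this against the real log is a quick way to sanity-check the maxretry and findtime values you choose in jail.conf before restarting the service.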

9. Secure Apache/PHP/Nginx server

Edit the httpd.conf file and add the following:

ServerTokens Prod
ServerSignature Off
TraceEnable Off
Options all -Indexes
Header always unset X-Powered-By
To restart the httpd/apache2 server on Linux, run:
$ sudo systemctl restart apache2.service

OR
$ sudo systemctl restart httpd.service
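Before restarting, it is worth verifying that the directives above actually made it into the effective configuration. The following script is an added example (not from the original article or the Apache project): it reads an httpd.conf fragment, honours the last uncommented occurrence of each directive as Apache does, and prints a finding for each setting that is missing or weaker than the values listed above. The weak and hardened fragments are constructed; on a real host you would pass the output of `cat /etc/httpd/conf/httpd.conf` or `apachectl -t -D DUMP_CONFIG` (assumed available) instead.

```shell
#!/bin/sh
# Constructed httpd.conf fragment with the weak defaults this section replaces (not from a real server).
WEAK_HTTPD_CONF='ServerTokens Full
ServerSignature On
# TraceEnable Off
Options Indexes FollowSymLinks'

# The hardened settings from this section, for comparison.
HARDENED_HTTPD_CONF='ServerTokens Prod
ServerSignature Off
TraceEnable Off
Options all -Indexes
Header always unset X-Powered-By'

# Print the value of the last uncommented occurrence of a directive
# (Apache honours the last one), lower-cased; prints nothing if absent.
apache_directive() {
    printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        !/^[[:space:]]*#/ && tolower($1) == want { val = tolower($2) }
        END { if (val != "") print val }'
}

# One finding per line for each directive that is missing or weaker than wanted.
apache_hardening_findings() {
    conf="$1"
    for pair in ServerTokens=prod ServerSignature=off TraceEnable=off; do
        name="${pair%%=*}"
        want="${pair#*=}"
        have="$(apache_directive "$conf" "$name")"
        if [ -z "$have" ]; then
            echo "$name: missing (want $want)"
        elif [ "$have" != "$want" ]; then
            echo "$name: $have (want $want)"
        fi
    done
    # Directory listings: look for an Options line that carries -Indexes.
    if ! printf '%s\n' "$conf" | grep -qiE '^[[:space:]]*Options[[:space:]].*-Indexes'; then
        echo "Options: directory listing not disabled (want -Indexes)"
    fi
    # PHP version disclosure: look for the Header unset rule (needs mod_headers).
    if ! printf '%s\n' "$conf" | grep -qiE '^[[:space:]]*Header[[:space:]].*unset[[:space:]]+X-Powered-By'; then
        echo "Header: X-Powered-By not unset"
    fi
}

# Example run: prints five findings for the weak config and nothing for the hardened one.
apache_hardening_findings "$WEAK_HTTPD_CONF"
```

Note that the Header directive only takes effect when mod_headers is loaded, so an empty findings list from this check still assumes that module is enabled.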


10. Disable USB/firewire/thunderbolt devices

Type the following command to disable USB storage devices on a Linux system:
# echo 'install usb-storage /bin/true' >> /etc/modprobe.d/disable-usb-storage.conf

You can use the same method to disable the firewire and thunderbolt modules:
# echo "blacklist firewire-core" >> /etc/modprobe.d/firewire.conf
# echo "blacklist thunderbolt" >> /etc/modprobe.d/thunderbolt.conf

Once done, users cannot quickly copy sensitive data to USB devices or install malware/viruses or a backdoor on your Linux based system.

11. System Accounting with auditd

The auditd daemon provides system auditing. It is responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open the /etc/audit.rules file and make changes such as setting the audit log file location and other options. With auditd you can record, and answer questions about, the following:

System startup and shutdown events (reboot / halt).
Date and time of the event.
User responsible for the event (such as an attempt to access the /path/to/topsecret.dat file).
Type of event (edit, access, delete, write, update file & commands).
Success or failure of the event.
Record events that modify the date and time.
Find out who made changes to the system's network settings.
Record events that modify user/group information.
See who made changes to a file, etc.
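As an added example (not from the original article or the audit project), the script below turns the questions in this list into an audit rule set in auditctl syntax, and shows how to reduce one resulting SYSCALL record to the fields that answer "who, what, did it succeed". The audit record is constructed; the rules are standard auditctl syntax, and the assumption is a current auditd where rules are dropped into /etc/audit/rules.d/ and loaded with `augenrules --load` (on older systems, append them to the audit.rules file named above and restart auditd).

```shell
#!/bin/sh
# Constructed audit record in auditd's native key=value format (not from a real host).
SAMPLE_AUDIT_LINE='type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1000 pid=2000 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="topsecret"'

# Print the rules that answer the questions in section 11. Write the output to
# /etc/audit/rules.d/hardening.rules and run "augenrules --load" (assumed layout).
audit_rules() {
    cat <<'EOF'
## Who touched the sensitive file (read, write, attribute change)?
-w /path/to/topsecret.dat -p rwa -k topsecret
## Events that modify user/group information
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
## Events that modify the date and time
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
## Events that modify network settings
-w /etc/hosts -p wa -k network
-w /etc/sysconfig/network -p wa -k network
## Make the rule set immutable until reboot (must be the last line)
-e 2
EOF
}

# Reduce one SYSCALL record to: rule key, login uid (auid survives su/sudo, so it
# names the person rather than the effective user), command, and success flag.
audit_summary() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "key" || kv[1] == "auid" || kv[1] == "comm" || kv[1] == "success") {
                gsub(/"/, "", kv[2])
                v[kv[1]] = kv[2]
            }
        }
        print "key=" v["key"], "auid=" v["auid"], "comm=" v["comm"], "success=" v["success"]
    }'
}

# Example run: the sample record shows login uid 1001 failing to read the file
# watched by the "topsecret" rule (success=no, exit=-13 is EACCES).
audit_summary "$SAMPLE_AUDIT_LINE"
```

On a real host the same question is usually asked with `ausearch -k topsecret`; the awk reduction is there to show which fields in the raw record carry the answer.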

12. Delete X Window Systems (X11)

The X Window System is not required on a server. There is no reason to run X11 on your dedicated Linux based mail and Apache/Nginx web server. You can disable and remove X Windows to improve server security and performance. Edit /etc/inittab and set the run level to 3. Finally, to remove the X Window System, enter:
# yum groupremove "X Window System"

On CentOS 7/RHEL 7 server use the following commands:
# yum group remove "GNOME Desktop"
# yum group remove "KDE Plasma Workspaces"
# yum group remove "Server with GUI"
# yum group remove "MATE Desktop"