
Linux server hardening

Linux server hardening is a set of measures used to reduce the attack surface and improve the security of your servers. Hardening can be done on different levels, from the physical level, by restricting the access of unauthorized people, to the application level, by removing unwanted software listening on incoming connections.

 

Use Secure Shell Protocol

Secure Shell Protocol (or SSH) enables you to make a secure connection to your network services over an unsecured network. Here are some helpful tips for implementing SSH:

- Each server should be configured to use SSH for logging in remotely. Other protocols, such as Telnet and rlogin, transmit the password in plain text, leaving a gaping hole for punk-in-the-path (previously known as man-in-the-middle) attacks.
- Configure iptables to restrict SSH access to known IPs only.
- Use SSH version 2 because of its security enhancements over SSH version 1.
- Consider disabling SSH altogether if it’s not needed.
- Key-based authentication should be used instead of password-based authentication.
- Client keys should be encrypted (protected with a passphrase) to prevent their use in case they are stolen.
- While configuring the server, root login should also be disabled, and only users with the appropriately configured access level should be allowed to log in. Users can use sudo to perform tasks requiring elevated privileges.
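As an added example (not code from the original post), the following POSIX shell function audits an sshd_config against the settings listed above. It reproduces two sshd parsing rules that often hide a weak setting: the first occurrence of a keyword wins, and keywords are case-insensitive; the sample config is constructed, and the defaults are current OpenSSH defaults.

```shell
# Added example: audit sshd_config for the SSH settings recommended above.
# sshd honours the FIRST occurrence of a keyword, matches keywords
# case-insensitively, and falls back to a compiled-in default when absent.

# effective_sshd_value FILE KEYWORD DEFAULT -> prints the effective value
effective_sshd_value() {
    val=$(awk -v k="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }  # comments, blank lines
        tolower($1) == tolower(k) { print $2; exit }   # first match wins
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# audit_sshd_config FILE -> one "FAIL key=actual (want x)" line per weak
# setting; exit status 1 if anything failed, 0 if the file is clean
audit_sshd_config() {
    file=$1
    rc=0
    # each spec: keyword, OpenSSH default, required value
    for spec in \
        "PermitRootLogin prohibit-password no" \
        "PasswordAuthentication yes no" \
        "PubkeyAuthentication yes yes" \
        "PermitEmptyPasswords no no"
    do
        set -- $spec
        actual=$(effective_sshd_value "$file" "$1" "$2")
        if [ "$actual" != "$3" ]; then
            echo "FAIL $1=$actual (want $3)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config (not a real server's file): the lowercase
# "permitrootlogin yes" comes first and therefore wins, and the commented-out
# PasswordAuthentication line leaves the default ("yes") in effect.
SAMPLE_SSHD_CONFIG=$(mktemp)
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
Port 22
permitrootlogin yes
PermitRootLogin no
#PasswordAuthentication no
PubkeyAuthentication yes
EOF

audit_sshd_config "$SAMPLE_SSHD_CONFIG" || echo "audit failed with status $?"
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` on a real host; `sshd -T` prints the fully resolved configuration if you want to cross-check the result.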

 

Close Open Ports

Tools like netstat will help you check which software is listening for incoming connections. If you find an unnecessary service or server application listening for inbound connections, disable the port or remove the application.

Vulnerabilities in such applications can be exploited by attackers, so closing unnecessary open ports quickly reduces the attack surface.

To go one step further, block the unused ports at the firewall so that any new service binding to them is not exposed.
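As an added example (not from the original post), this shell function reads `ss -tulnp` output and reports every listener reachable from the network that is not on an allowlist of expected ports; the `ss` output below is constructed, with made-up PIDs and services.

```shell
# Added example: flag network-reachable listeners that are not on an allowlist.
# Input is the output of `ss -tulnp` (live or saved); sockets bound only to
# loopback are ignored because they are not reachable from the network.

# unexpected_listeners SS_OUTPUT_FILE "PORT PORT ..." -> prints
# "<proto> <port> <process>" for each listener not in the allowlist
unexpected_listeners() {
    awk -v allow=" $2 " '
        NR == 1 { next }                           # column header
        {
            la = $5                                # Local Address:Port
            n = split(la, a, ":"); port = a[n]
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            if (index(allow, " " port " ") > 0) next       # expected port
            proc = "?"
            if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
            print $1, port, proc
        }
    ' "$1"
}

# Constructed sample of `ss -tulnp` output (PIDs and services are made up).
SAMPLE_SS=$(mktemp)
cat > "$SAMPLE_SS" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*  users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    127.0.0.1:5432    0.0.0.0:*  users:(("postgres",pid=1201,fd=5))
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*  users:(("nginx",pid=1402,fd=6))
tcp   LISTEN 0      128    [::]:2049         [::]:*     users:(("rpc.nfsd",pid=1500,fd=4))
udp   UNCONN 0      0      0.0.0.0:111       0.0.0.0:*  users:(("rpcbind",pid=600,fd=5))
EOF

# Only SSH and HTTP are expected on this host; NFS and rpcbind get reported,
# while PostgreSQL on 127.0.0.1 is ignored.
unexpected_listeners "$SAMPLE_SS" "22 80"
```

On a live host, `ss -tulnp | unexpected_listeners /dev/stdin "22 80"` gives the same report; each line names the process to stop or uninstall.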

 

Enable Firewall

Using Linux iptables to keep tabs on incoming, outgoing, and forwarded traffic can help you secure your servers. You can configure “allow” and “deny” rules to accept or reject traffic to and from specific IP addresses. This restricts unchecked traffic movement on your servers.

However, just securing the perimeter via a firewall is not enough. In the cloud, VMs should be configured to run in a Zero Trust network, unlike on-premise VMs, which typically sit in a demilitarized zone where any communication between VMs is considered relatively secure.


Disable USB and Thunderbolt Devices

Allowing a machine to boot from unauthorized external devices lets attackers bypass the security of your system by booting their own operating system from that device.

To preempt this kind of access, lock down booting from external USB devices, CDs, and disks in the BIOS. As an added step, password-protecting the BIOS ensures that boot settings can only be changed by authorized users.

While you’re at it, enabling UEFI Secure Boot will further ensure that only trusted binaries are loaded during boot.

Disabling boot from external devices only safeguards you from unauthorized access. Users who have access to the system and malicious intent can still copy sensitive files to their USB and Thunderbolt drives. Worse still, they can install malware, viruses, or backdoors on your servers. Once access to USB and Thunderbolt devices is disabled, a user cannot harm the system in these ways.

Finally, consider encrypting your full disk to avoid data loss in case of theft of machines or drives themselves.

 

Turn On SELinux

Security-Enhanced Linux, or SELinux for short, is a built-in access control mechanism. For systems connected to the internet and accessed by public users, disabling SELinux can be catastrophic for your servers.

SELinux operates in one of three modes:

- Disabled: SELinux is completely off. You should avoid this mode at all times.
- Permissive: In this mode SELinux doesn’t enforce any policy, but it logs and audits all actions it would otherwise block. This can be used while configuring the machine and installing services to ensure everything runs, but you should switch to Enforcing as soon as configuration is done.
- Enforcing: This mode is the most secure and enforces all policies. It is the default mode of SELinux and also the recommended one.


Strong Password Policies

Using easy-to-crack passwords or continuing to use passwords that have been exposed in data breaches can weaken the security of even the most sophisticated systems. Here are a few password best practices:

- Disable accounts with empty passwords and ask users to set passwords for their accounts. Also disable the root account; use of sudo should be promoted as it provides better auditing and control.
- Encourage stronger, harder-to-guess passwords by requiring them to follow certain guidelines.
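As an added example (not from the original post), this shell function audits a shadow(5)-format file for the problems the list above calls out: accounts with an empty password, an unlocked root account, and, as an extra check, password hashes made with a weak algorithm. The sample file is constructed and its hashes are placeholders.

```shell
# Added example: audit a shadow(5)-format file. Run as root against
# /etc/shadow; the second field is the hashed password, where "" means no
# password, a leading "!" or "*" means locked, and the "$id$" prefix names
# the hash algorithm ($6$ SHA-512, $5$ SHA-256, $y$ yescrypt are acceptable).

# shadow_audit FILE -> prints "EMPTY user", "ROOT-UNLOCKED root" or
# "WEAK-HASH user" lines; prints nothing when the file is clean
shadow_audit() {
    awk -F: '
        $2 == ""               { print "EMPTY", $1; next }   # no password at all
        $2 ~ /^[!*]/           { next }                      # locked or no-login
        $1 == "root"           { print "ROOT-UNLOCKED", $1 } # root should be locked
        $2 !~ /^[$](6|5|y)[$]/ { print "WEAK-HASH", $1 }     # e.g. $1$ (MD5) or DES
    ' "$1"
}

# Constructed sample shadow file (hashes are placeholders, not real digests).
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$SALT$PLACEHOLDERHASH:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$y$j9T$SALT$PLACEHOLDERHASH:19700:0:99999:7:::
bob:!$6$SALT$PLACEHOLDERHASH:19700:0:99999:7:::
legacy:$1$SALT$PLACEHOLDERHASH:19700:0:99999:7:::
svc-backup::19700:0:99999:7:::
EOF

# Expected findings: root is unlocked, "legacy" uses MD5, "svc-backup" has no
# password; alice (yescrypt), bob (locked) and daemon (no-login) are fine.
shadow_audit "$SAMPLE_SHADOW"
```

Findings are fixed with the standard shadow-utils commands: `passwd -l USER` locks an account and `passwd -e USER` forces a password change at next login.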

 

Purge Unnecessary Packages

Operating systems often come preloaded with software and services that run constantly in the background, unnoticed. To enhance the security of your servers, list all packages and software installed on them using your package manager (apt, yum, dpkg).

Security vulnerabilities in such software can lead to compromised servers, so make it a practice to uninstall unnecessary programs.

 

Keep Kernel and Packages Updated

With such a large and active open-source community around Linux, security issues within the kernel and packages are fixed quickly. These fixes are available in the form of updated packages or patches in the Linux kernel.

Keep your kernel and packages updated with the latest security updates to avoid exploitation of known vulnerabilities.

 

Disable ICMP

Internet Control Message Protocol (ICMP) allows internet hosts to notify other hosts about errors and helps system administrators with troubleshooting. However, ICMP can also be exploited by adversaries to gain information about the networks they target.

When ICMP is enabled, malicious activity including network discovery, covert communication channels, and network traffic redirection becomes possible. Below are a few examples of attacks that rely on ICMP:

- Ping sweep: Attackers use this to identify all live hosts on a network.
- Ping flood: Attackers send ICMP messages in rapid succession, exhausting both incoming and outgoing bandwidth.

Keep in mind that completely disabling ICMP can hamper diagnostics, reliability, and network performance. Therefore, it’s best to disable only certain types of ICMP messages to secure network devices. You should still have Type 3 (Destination Unreachable) and Type 4 (Source Quench) enabled to avoid any network performance drop.
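As an added example (not from the original post), the following shell function prints an iptables ruleset that puts the “Enable Firewall” and “Disable ICMP” advice together: default-deny inbound, SSH only from known administrator addresses, and only the ICMP types the text keeps. The administrator addresses are constructed placeholders from the RFC 5737 documentation range, and the rules assume the standard conntrack and limit match modules.

```shell
# Added example: emit an iptables ruleset for the firewall and ICMP advice.
# Review the printed commands, then pipe them to sh to apply. The policies
# are set LAST so that an admin applying this over SSH is not cut off.

# hardening_rules "IP [IP ...]" -> prints one iptables command per line
hardening_rules() {
    cat <<'EOF'
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # SSH only from the known administrator addresses
    for ip in $1; do
        echo "iptables -A INPUT -p tcp -s $ip --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # ICMP: keep Destination Unreachable (3) and Source Quench (4) as the text
    # recommends (modern hosts ignore Source Quench, RFC 6633) plus Time
    # Exceeded (11) for traceroute; rate-limit echo-request so ping still works
    # for diagnostics but sweeps and floods are throttled; drop and log the rest.
    cat <<'EOF'
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT-DROP: "
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}

# Constructed administrator addresses (RFC 5737 documentation range).
hardening_rules "203.0.113.10 203.0.113.11"
```

IPv6 needs the equivalent rules through ip6tables, and there ICMPv6 must be allowed more liberally because neighbour discovery depends on it.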

 

Logging and Auditing

Keeping detailed logging and auditing enabled on your servers is crucial. These logs can later be used to detect attempted intrusions. Also, in case of an intrusion, they help you gauge the extent of the breach and offer insight for a blameless postmortem of the incident. Syslog writes all messages to the /var/log directory by default.
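As an added example (not from the original post) of the kind of intrusion attempt these logs let you detect, this shell function counts repeated SSH password failures per source address in syslog-format auth messages (`/var/log/auth.log` or `/var/log/secure`). The log lines are constructed, with addresses from the RFC 5737 documentation ranges.

```shell
# Added example: find sources of repeated SSH password failures in an auth log.
# Works on /var/log/auth.log, /var/log/secure, or `journalctl -o short` output,
# all of which carry sshd's "Failed password for ... from <ip> port <n>" lines.

# ssh_failure_sources LOGFILE THRESHOLD -> prints "<count> <ip>" for every
# source with at least THRESHOLD "Failed password" events, most frequent first
ssh_failure_sources() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") fails[$(i + 1)]++   # address follows "from"
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' "$1" | sort -rn
}

# Constructed sample auth log; a successful key login and a sudo entry are
# included to show that only password failures are counted.
SAMPLE_AUTH_LOG=$(mktemp)
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Mar  3 10:01:02 web1 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:04 web1 sshd[812]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 10:01:09 web1 sshd[815]: Accepted publickey for alice from 198.51.100.4 port 40112 ssh2: ED25519 SHA256:PLACEHOLDER
Mar  3 10:02:11 web1 sshd[820]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:03:00 web1 sshd[822]: Failed password for bob from 198.51.100.9 port 42000 ssh2
Mar  3 10:03:30 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
EOF

# Three failures from 203.0.113.7 are reported; the single failure from
# 198.51.100.9 stays below the threshold.
ssh_failure_sources "$SAMPLE_AUTH_LOG" 3
```

The same one-liner, run on a schedule or fed by a log shipper, is the minimal alert the section above argues for; addresses it reports are candidates for the SSH allowlist rules described earlier.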
