X
X
X
X

So sichern Sie Linux-Server

StartseiteArtikelCybersicherheitSo sichern Sie Linux-Server

Just because you don’t have anything of value on your server, doesn’t mean that malicious actors won’t target it. You may be thinking that since your server isn’t even running a website, let alone store customer data, you don’t need to take security seriously.

Nothing could be farther from the truth. Cybercriminals today prefer going after the low hanging fruit. They constantly scan for servers with potentially weak security. Once they identify such a target, they can usually execute a brute-force attack to infiltrate it.

As the owner of a public-facing server, the onus of security rests on your shoulders. Most of our servers are unmanaged, which means that securing the server is your responsibility. In the following guide, we will share tips and insights on how you can start securing your server today.


Contents

  1. What is server security?
  2. Why would anyone want to hack into my server anyway?
  3. How to secure a Linux server
    1. Use SSH keys
    2. Disable password authentication
    3. Set up hosts.allow and hosts.deny
    4. Ensure only necessary ports are open
    5. Install fail2ban and make sure it’s active for SSH
    6. Ensure public directories have bare-minimum permissions
    7. Limit who can use sudo
    8. Install security updates automatically
  4. Linux security tools you should know of
  5. FAQs

What is server security?

Server security includes the processes and tools used to protect a server from unauthorised access. Severs are prime targets for attackers because they lie at the heart of an organizational network. They also often contain sensitive data, like PII, application logs, or source code.

If you’ve hosted a website, it’s running on a server. If you’ve purchased some storage space from a cloud provider, it’s running on a server. If you’re about to build your company’s infrastructure online, you’ll probably need a lot of servers, and subsequently proper cloud server security.

The point is, most service delivery on the internet happens through servers, which makes it imperative that we secure them. This is especially true for Linux servers, because people often assume that they are inherently secure.

While it’s true that Linux offers much more ways to secure servers than its counterparts, the security isn’t built in. Administrators must explicitly perform security measures to secure Linux servers. The absence of security often indicates to an attacker that the server administrator is possibly inexperienced and hence, an easy target.


Why would anyone want to hack into my server anyway?

Did you know that billions of cyberattack requests originate each day? Take a look at this live threat attack map. What you need to understand is that hackers don’t sit on their computers with their morning coffee deciding who to target for the day, they wouldn’t be very successful then.

Instead, they create millions of bots that constantly automatically scan all public IP addresses on the internet, every second of every day. In fact, any new device that starts up with a public IP on the internet is scanned for weaknesses within 30 to 60 SECONDS of it going live. Yes, that was not a typo, it’s a scary fact.

That means before you’ve even logged into your server for the first time, there have already been thousands of break-in attempts on it. We often see in excess of 10,000 failed login attempts PER DAY on some of our client machines before they get locked down.

Cybercriminals target all types of servers. Enterprise servers, shared hosting servers, AWS instances, and even your personal server with no meaningful data on it. They randomly send out requests across the internet, hoping for any form of response.

Usually, if a server responds, it indicates weak security. This is the attacker’s cue to launch a brute-force attack, i.e. make thousands of attempts to guess the server’s username-password combo. Once they gain entry, they use the server as a staging point to launch their campaigns.

These may be junk-mail/spam floods or Denial of Service (DoS) attacks. Running botnets or Malware responders, or setting up Phishing sites. They could even set up bitcoin mining applications that run in the background, and consume all your server’s resources.

So, not only will any sensitive data be exposed forever, your server will also become an anonymous staging point for criminal activity, which would be virtually impossible to trace back to the original attackers.

Why you should take cyber security seriously

Are you taking cyber security seriously? Let’s look at some more reasons why it should always be your top-most priority:

  • Prevent financial loss, which may arise due to stolen intellectual property, service disruption, and any fines you may have to pay to regulatory bodies.
  • Prevent reputation loss, which your business will endure if it’s breached. Your customers will be hesitant to place their trust in you.
  • Prevent downtime, which is an inevitable outcome after a successful cyberattack.
  • Prevent sensitive data exposure.
  • Prevent your websites from slowing down. This may happen if adversaries hijack your CPU and RAM to run malicious applications, which are often resource intensive.
  • Establish yourself as trustworthy by implementing security measures and marketing your enhanced security posture.

How to secure a Linux server?

One of the advantages of using Linux is that it offers so many easy-to-use features to secure a server. Let’s look at how do you go about securing a server:

Use SSH keys

SSH, or secure shell, is a protocol used to authenticate and communicate with servers. There are multiple ways to use SSH to log in to a server. The easiest method is using password-based authentication, but it’s not considered secure.

A much safer alternative is using SSH key pairs. An SSH key pair consists of cryptographically secure keys, which ensure that only authorized clients, with the right keys, get to access the server. Each pair consists of a public key, which is configured at the server, and a private key, which is secretively stored by the client.

To create a SSH pair, follow these steps:

  1. Log in to your Linux server and type ssh-keygen.
  2. Press Enter when asked to specify the directory.
  3. If you want to protect the key with a passphrase, specify it in the next step. Otherwise hit Enter.

That’s it! This should create public and private key files in the user home directory (/home/~/.ssh). For root the default folder is /root/.ssh/id_rsa.

The files will typically be called id_rsa.pub and id_rsa. The .pub file is the public key. This can be copied into ~/.ssh/authorized_keys to allow any holder of both keys to access the server, WITHOUT a password. The advantage of this is that removing the key also removes access.

Disable password authentication

It’s recommended to disable password authentication on your server, and always use SSH keys to log in. Here’s how to do so:

  1. Open the file /etc/ssh/sshd_config in your favourite editor.
  2. Find the line in the file #PasswordAuthentication no, then remove the # from the beginning, and change yes to no
  3. Save the file and then depending on your Linux flavour, run the appropriate command to restart the SSH service:
    • For CentOS 7 and 8: sudo systemctl restart sshd
    • For Debian 11: sudo systemctl restart ssh
    • For Ubuntu 20: sudo systemctl restart ssh

Set up hosts.allow and hosts.deny

The /etc/hosts.allow and /etc/hosts.deny files give users the ability to define rules that only allow access to trusted clients. Once you create the files and add entries to them, the network daemon will consult them every time it gets a new request.

As the name indicates, allowed clients should be defined in the /etc/hosts.allow file, and if there are any blacklisted clients, they should be defined in the /etc/hosts.deny file. As a standard practice, you should reject all access by default, and only allow approved, known hosts. Here’s how to configure this:

  1. Create and open the /etc/hosts.deny file and put the following line inside it:
    ALL: ALL
  2. Create and open the /etc/hosts.allow and specify a list of known hosts. For example:
    ALL: LOCAL @test_netgroup

The above rule will only allow access from ALL hosts inside the local domain, and ALL members of the test_netgroup netgroup.

Ensure only necessary ports are open

Once you have all your software installed and running, make sure you have researched which ports each application runs on. Run the command netstat -punta to see which ports and applications are running.

Ensure that each open port is actually needed by the system or your application.
Ignore any ports running on the IP address 127.0.0.1, as this is an internal IP. Focus on ports running on IP 0.0.0.0 (Any IP) or the PUBLIC IP of your server. Shut down any-and-all applications that are not absolutely necessary.

Install fail2ban and make sure it’s active for SSH

The Fail2Ban SSH Module checks your log files for failed login attempts (for SSH). After a predefined number of failed login attempts, it blocks the IP address of the client trying to log in.

However, you should only install this if you do NOT have cPanel installed. cPanel uses CSF/LFD (Login Failure Daemon) to essentially do the same as fail2ban. In Ubuntu, fail2ban is usually activated by default for SSH. On CentOS, you usually have to activate it.

However, if for some reason fail2ban isn’t installed/enabled on your system, follow these steps to do so:

On CentOS 7/8:

sudo yum install epel-release
sudo yum install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

On Ubuntu 20 and Debian 11:

sudo apt update
sudo apt install fail2ban

Ensure public directories have bare-minimum permissions

Permissions are often misunderstood and overrated as a security measure. Setting the correct permissions can keep a rogue application in check, or minimise the damage caused by a compromised account.

Set User and Group permissions on files AND directories, with no global permissions. If global permissions can’t be avoided, only use read-only.

Limit who can use sudo

sudo gives a user the ability to execute commands on other accounts, including root. Ensure that only authorised accounts have the permission to use sudo. To do this, you will need to create a sudousers group, and add all the required users to it:

  1. Create a new group:
    sudo groupadd sudousers
  2. Add all the relevant users to the group:
    sudo usermod -a -G sudousers myuser1
    sudo usermod -a -G sudousers myuser2

    Do this for all the users that require sudo rights.
  3. Before we make changes to the sudoers file, let’s create a backup:
    sudo cp --archive /etc/sudoers /etc/sudoers-bak
  4. Open to edit the sudoers file: sudo visudo
  5. Add the following line (if not already there):
    %sudousers ALL=(ALL:ALL) ALL

Install security updates automatically

It’s imperative to install critical security updates on your server, as soon as they are released. Most-if-not-all security updates are patches for known vulnerabilities and bugs, which can be exploited by malicious actors.

Ideally, you should be able to automatically install security updates from the official vendors. It may not be prudent to install ALL updates, as some may break the operating system. However, critical security updates shouldn’t be avoided or delayed at any cost.

Debian and Ubuntu both have built-in features that support automatic security update installation. We recommend enabling it. For CentOS, you can use the package DNF Automatic to set up automatic updates.


Linux security tools you should know of

Let’s finish this section off by looking at some security tools for Linux, across different categories:

Anti-virus / Anti-malware

Our favourite antivirus / anti-malware software for Linux is Sourcefire’s ClamAV. This is a free, open-source package designed to detect trojans, viruses, malware and other malicious threats. Included in the software are a multi-threaded scanning daemon, command line utilities for on-demand file scanning, and an intelligent tool for automatic signature updates.

Intrusion Detection Software (IDS)

Snort is a free, open-source tool that helps in the detection of intruders and also highlights malicious attacks against the system. In effect, Snort is merely a packet filter. But the true value of this tool lies in its signature-based detection of attacks, by analysing packets that Wireshark or tcpdump are incapable of analysing.

Canarytokens provide an early warning system, by mimicking devices, files or URLs that are attractive to attackers snooping around your system, and when engaged with you are automatically alerted.

Web server vulnerability testing

NIKTO is an open-source web server scanner that tests web servers for potentially dangerous CGI files. It also performs version-specific analysis, such as identifying outdated frameworks. One must note that every test or check report doesn’t necessarily point to a security problem, so keep an eye out for false positives.

Filesystem integrity and security

Chkrootkit is a free tool designed to check locally for signs of a rootkit infection on your Linux machine. The free software is a very popular choice, but Rootkit Hunter (rkhunter) is another, like-minded alternative.

Both these programs check your disk for any known malware and insecure setups. They can also optionally run on a schedule to warn you about any changes to specified directories or files. Another good program to watch your files for changes is Tripwire.

Firewalls and security

Last but not least, a good firewall can do a lot. If you do not want to learn iptables, the de-facto standard Linux firewall, you can manipulate it through various simplified front-ends. These include firewalld (CentOs 7 and later), CSF and UFW (more common on Debian variants such as Ubuntu).


Conclusion

We hope that by showing you how to secure a Linux server, we’ve made the internet a little more secure. These basic security tips help you lay a secure foundation, but it’s only a start. Server security is not a set-and-forget configuration, it takes constant work and updating.

Cybercriminals and their millions of automated bots don’t sleep. It’s up to you to advance and maintain your server security 24/7.

If you don’t have that kind of time, energy, or skills, then a managed server would would be the solution for you.

Stay informed on the latest security threats and news from reputable sites like The Hacker News and ZDNet. You can subscribe to their security newsletters or simply follow them on your preferred social media platform to get alerts and keep your systems SAFE.

Happy Hosting ????


Top