The best way to ensure that your Linux server is secure is to build it from scratch with a minimum amount of code that can be exploited by a hacker -- a custom compiled kernel and the bare minimum of packages needed for the server to do its intended job.

 

But what if you already have Linux servers running in your business? If that's the case then here are some simple steps you can take to improve security that take just a few minutes to implement:


Remove unnecessary software to minimize your attack surface - The more code your server is running, the more likely it is that a hacker will be able to find a vulnerability to exploit. Go through all the packages installed on your system and remove any that aren't necessary.

To list all installed packages: yum list installed or dpkg –l

To remove a package: yum remove somepackage or apt-get remove somepackage

Apply the latest security patches - Once a vulnerability in any software you're running has been discovered, your system is in danger until the vulnerability is patched.

To update your system with all patches that are available: yum update or apt-get update apt-get upgrade

You can automate this process to update daily or weekly using the cron scheduler by placing a suitable script in /etc/cron.daily/ or /etc/cron.weekly/

Avoid logging in as root - Use the sudo command instead to execute (and log) commands as root when necessary. Make sure that the accounts that need sudo privileges are listed in /etc/sudoers, which you can edit with visudo. You can give contractors and other users that may need it accounts with sudo privileges for certain commands, and delete the accounts or remove them from /etc/sudoers when they no longer need them.

You can disable root SSH login by opening the sshd_config file: vi /etc/ssh/sshd_config and then edit it by uncommenting or adding a line: PermitRootLogin no

It's also sensible to add, edit or uncomment a Protocol line: Protocol 2 to force the use of SSH protocol 2, rather than the less secure Protocol 1.

Restart the sshd service for this to take effect: /etc/init.d/sshd restart

Lock any user accounts which have no passwords -Accounts with no passwords are an unnecessary security risk. To find any accounts which have no password use the passwd command and look for any with the status NP (no password): passwd -Sa | grep NP

You can lock any accounts you find using passwd -l: passwd -l someuser

To unlock an account use: passwd -u

Lock user accounts after three failed login attempts -Restricting the number of login attempts before an account is disabled makes it hard for a hacker to guess a password successfully. You need to strike a balance between security and convenience, but genuine users are unlikely to mistype their password three times in a row.

To lock the account of user someuser after three attempts use the faillog command: faillog -m 3 -u someuser

You can use this command for all users using -a instead of -u someuser. However make sure that the root account can't be locked (using -m 0) to prevent being locked out of the root account by a deliberate denial of service attack on the root account.

Disable any services that you don't need to run - To discover what services are configured to start automatically, use the chkconfig command: chkconfig -list

Disable the following services if you don' specifically need them:

 

  • anacron
  • haldaemon
  • messagebus
  • apmd
  • hidd
  • microcode_ctl
  • autofs`
  • pcscd
  • avahi-daemon
  • isdn
  • readahead_early
  • bluetooth
  • kdump
  • readahead_later
  • cups
  • kudzu
  • firstboot
  • mcstrans
  • setroubleshoot
  • gpm
  • mdmonitor
  • xfs

To disable a service, use the service and chkconfig commands: service someservice stop chkconfig someservice off

You can use the netstat command to see what services are listening on any open ports: netstat -tulpn

Other measures that take longer or are more complex to implement:

Enforce complicated passwords: All account passwords should be long (more than eight characters) and made up of lower and upper case letters as well as digits and special characters. This makes them hard for a hacker to brute-force.

Disable IPv6: Unless you know that you need it, disabling IPv6 is a good idea as it is hard to monitor, making it attractive for hackers, and it's also hard to spot security vulnerabilities in the protocol.

Disable X Windows: Your server probably doesn't need a Windowing system installed. If not consider removing it completely.

Encrypt all confidential information: Consider encrypting both your stored data and data transmitted over the network, using tools like scp, sftp, GnuPG and OpenVPN.

Harden your kernel: Use a tool like grsecurity to provide additional security hardening to your system.

Protect your server against physical attacks: Configure your system so that it is only bootable from an internal hard drive to prevent an intruder starting your system from removable media. The BIOS and boot loader should then be protected with a strong password.

That's it for now. Happy hunting.

Paul Rubens has been covering IT security for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.