Linux Server Secure Guidelines
December 24, 2008 by: Allen Sanford

This article is not meant to be an end-all, solve-all solution for “Securing Your Linux Server” or, as some would say, “Hardening Their Linux Server”. The article is meant to be more along the lines of a good set of guidelines. We will cover the 101s of Linux server lockdown as well as a few advanced tricks that I have come up with through my own experiences. Of course I don’t have all the answers, but I know that someone out there will get some useful information from this, so enjoy, and remember to share your knowledge because someone else has already shared their knowledge with you!
The 101s
In this section I am just going to highlight the common knowledge stuff. If you are looking for more detail on specific things you can do to harden a given service, that is covered in the Advanced Tips section. In the Tips section I will either lay it out step by step or direct you to another article which clearly details what you can do to harden that service.
Upgrade your system, applications, and the kernel and do it religiously
Hands down, most systems are compromised due to a lack of diligence when it comes to keeping servers up to date. Most Linux distros these days come with some type of package management solution and a way to automate the process of updating the system. If they provide it, use it, is my motto.
Shadow passwords (system level) and encrypt passwords on the web
Securing your passwords is essential. I can’t count how many times I have seen people storing passwords in plain text and thought to myself, are these people for real? Think about this for a second: if I can just read your password, what stops me from using it? I won’t troll here long, but please encrypt those passwords.
Use smart passwords
I know I said I would not troll long on the password subject, but come on. The first thing we do when logging into a server is plug a password in somewhere: ssh, telnet, smtp, or some custom application you have written to access the server. The list goes on and on. Guess what, guys: the first thing a hacker or cracker is going to try is plugging a password into those same programs.
Use secure shell (ssh)
OK, you should be shot if you are still using telnet. Some of you are saying, “but my host provider does not provide ssh”. Guess what, time to get a new service provider. SSH2 is the only way to go as far as remote access goes. It can be used as a poor man’s VPN solution, for SFTP, and you can even set up a SOCKS proxy with it. This is a must, I repeat, this is a must if you need remote access to your server.
Restrict access to services
Firewalls are your best friend. There are about two dozen firewall apps out there to choose from; you just need to figure out what works best for you. I do recommend installing a hardware firewall if you can, but if you can’t, at least use a software firewall. Other apps you can use here are iptables, denyhosts, fail2ban, and I am sure you can think of some I can’t.
Turn off or remove unneeded services
If you are not using a service or don’t know what a service is for, shut it down. Not only will you be closing security holes, but you will be freeing up resources as well. At the very least you should restrict access to just the ports you need open for your server. This usually means port 80 for Apache, your custom SSH port, and maybe SMTP or your DB port (MySQL, SQL, Oracle, whatever DB you use), although I don’t recommend this.
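A default-deny inbound ruleset that opens only the ports named above, as an added example (not the author's configuration). The SSH port 2222 is a hypothetical stand-in for "your custom SSH port", and the function name is an assumption; the DB port is deliberately left closed.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset that drops all inbound
# traffic except loopback, replies to our own connections, and listed ports.
# Usage: ruleset <ssh_port> [other_tcp_port ...]
ruleset() {
    for p in "$@"; do
        # Only accept decimal ports in 1..65535; refuse anything else
        # rather than writing it into a firewall rule.
        case "$p" in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    [ "$#" -ge 1 ] || { echo "need at least the SSH port" >&2; return 1; }
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# 2222 is a hypothetical custom SSH port; 80 is Apache, as in the text.
# To check the syntax without loading it: ruleset 2222 80 | iptables-restore --test
ruleset 2222 80
```

Load it from a console session or with a scheduled rollback the first time, so a wrong SSH port does not lock you out.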
Automate the restriction of services to “bad guys” or at the least install an intrusion detection software
If you don’t know how to write a shell script and set up cron jobs, now is the time to learn. First, it is not that hard to learn, and second, they can save loads of time, and as we all know time is a resource we don’t have enough of. When it comes to managing and maintaining a Linux server, you are going to repeat tasks over and over, so why not have a shell script run at regular intervals to do the repeat work for you? You can use denyhosts in conjunction with an automated shell script to create iptables rules based on the denyhosts entries and just drop those services for offending IPs. At the very least you should install something like tripwire so you know what is happening to your server while you sleep.
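One way to write the denyhosts-to-iptables script described above, as an added example rather than the author's own script. It assumes DenyHosts is configured with BLOCK_SERVICE = sshd (entries of the form `sshd: <ip>` in hosts.deny); the chain name, the SSH_PORT variable and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the author's script): build iptables DROP rules from
# DenyHosts entries. Assumes BLOCK_SERVICE = sshd, i.e. "sshd: <ip>" lines.
SSH_PORT="${SSH_PORT:-22}"   # assumption: set this to your custom SSH port
CHAIN="DENYHOSTS"            # hypothetical dedicated chain, rebuilt on each run

# Constructed sample of a hosts.deny file, used when no real file is piped in.
sample_hosts_deny() {
    cat <<'EOF'
# DenyHosts: Wed Dec 24 03:12:01 2008 | sshd: 203.0.113.7
sshd: 203.0.113.7
sshd: 198.51.100.23
sshd: 203.0.113.7
sshd: 999.1.1.1
sshd: bad.example.net
sshd: 2001:db8::1
EOF
}

# Read hosts.deny on stdin; print each valid IPv4 address once. Anything else
# (comments, hostnames, IPv6, malformed octets) is skipped so that file
# contents never reach a root command unchecked.
denied_ips() {
    awk '{
        sub(/#.*/, ""); sub(/^[ \t]+/, "")
        if (split($0, f, /[: \t]+/) < 2 || tolower(f[1]) != "sshd") next
        if (split(f[2], o, /\./) != 4) next
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
        if (!seen[f[2]]++) print f[2]
    }'
}

# Print the iptables commands (dry run). Review, then pipe to sh as root.
emit_rules() {
    case "$SSH_PORT" in ''|*[!0-9]*) echo "bad SSH_PORT" >&2; return 1;; esac
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    denied_ips | while read -r ip; do
        echo "iptables -A $CHAIN -s $ip -p tcp --dport $SSH_PORT -j DROP"
    done
    echo "iptables -C INPUT -j $CHAIN 2>/dev/null || iptables -I INPUT -j $CHAIN"
}

sample_hosts_deny | emit_rules   # real use: emit_rules < /etc/hosts.deny
```

Because the chain is flushed and rebuilt on every run, the script can be scheduled from cron at a regular interval without piling up duplicate rules.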
Treat your server like it is a money tree
You should not need an explanation here. Your server is making you money, right? Even the weekend hobbyist can make money off of Google AdSense. You should treat your server with the same respect that you would any other resource in your company or hobby. The more care you give it, the better it will perform, so do yourself a favor and watch it closely and protect it at all times.
Applications, Scripts, and Commands
You need to take some time right now and familiarize yourself with the following apps, scripts, and commands. I can already hear some of you saying, OK, another list that does not include blank. Tell you what, I will listen to your pleas: send me an email (webmaster[at]blogternals[dot]com) with a subject of “Linux Server Secure Guidelines”, plead your case, and I will include your script in the list. Some of you think I am kidding, but I will even give you credit for your contribution if you take the time to compose that email.
Anyway without further delay:
awk - is a general purpose programming language that is designed for processing text-based data, either in files or data streams.
bash - is a free software Unix shell written for the GNU Project.
crontab - is a daemon for automating tasks.
dig - DNS lookup utility.
denyhosts - is a Python based security tool for SSH servers. It is intended to prevent brute force attacks on SSH servers by monitoring the log files.
free - Display amount of free and used memory in the system.
grep - print lines matching a pattern.
iptables - is a user space application program that allows a system administrator to configure the tables provided by Xtables and the chains and rules it stores.
logwatch - utility for off site monitoring log files.
nmap - Network exploration tool and security / port scanner.
ps - report a snapshot of the current processes.
ssh - OpenSSH SSH client (remote login program)
Advanced Tips and Tricks
The same offer applies here: if you don’t see it, send me an email and I’ll put it here, or you could sign up for an account here, write the article, and I will publish it. (webmaster[at]webternals[dot]com)
- Securing SSH
- Securing Apache – (Coming Soon)
- Securing MySQL











