Importance of Linux Server Hardening in this Age
Linux was almost unknown to most people a decade ago, while Windows was ubiquitous and highly popular. The main reason was the lack of a familiar interface for customers who wanted to use Linux, even though Linux has many advantages over Windows servers. Windows license fees, server infections and the hardship of cleaning them up are the main reasons people have started to turn away from Windows. Moreover, Linux is now part of the curriculum in most countries. Most hosting businesses have moved to Linux-based hosting because it costs less and the documentation for Linux setups is freely available, and Linux is the default choice for almost all new hosting owners. Linux server hardening is therefore a very important topic, especially in the age of remote working amid the COVID-19 pandemic.
Linux Hardening Tips and Checklist
Let's discuss a checklist and tips for securing a Linux server. For reference, we are using a CentOS-based server. I suggest that everyone hardening a new server give the customer a detailed report so they can save it in a text file for future reference. Here is the list:
- Documentation – Document every change you make so that the customer knows exactly what was done and, if you encounter an issue in the future, you can revisit the changes and revert them without help from an admin.
- OS update – A newly provisioned server will usually not have the latest updates, because the image it was built from may be a bit old, so update the OS packages using yum update.
- Remove unwanted packages – List the packages installed on the server and remove any that are not needed; for example, you do not need packages like xinetd, ypserv, tftp-server, telnet-server, rsh-server, etc. We have created a list at this link that you can refer to.
- Remove unwanted users – Check /etc/passwd for users and remove any that are unwanted.
- Listening ports – Check all listening ports and remove or block unwanted ports and their services. If a service is not needed, remove the entire package.
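The package and listening-port review above can be scripted so it is repeatable and its output can go straight into the change documentation. The script below is an added example (not from the original post or from Nixtree): it compares an installed-package list against the unwanted packages named above and flags any non-loopback TCP listener whose port is not on an allowlist. Both inputs are constructed samples so it runs offline; on a real host feed it the output of `rpm -qa --qf '%{NAME}\n'` and `ss -tlnpH` instead. The allowlist of ports is an assumption for the sample host.

```shell
#!/bin/sh
# Added example: audit installed packages and listening TCP ports.
# Inputs below are CONSTRUCTED samples; replace them with real command
# output (rpm -qa --qf '%{NAME}\n' and ss -tlnpH) on an actual server.

# Packages the checklist names as not needed on a hardened server.
UNWANTED_PACKAGES="xinetd ypserv tftp-server telnet-server rsh-server"

# Constructed sample of `rpm -qa --qf '%{NAME}\n'` output.
SAMPLE_PACKAGES="$(printf '%s\n' openssh-server telnet-server httpd xinetd bash)"

# Print each installed package that is on the unwanted list, one per line.
# $1 = newline-separated package names.
find_unwanted_packages() {
    pkgs="$1"
    for p in $UNWANTED_PACKAGES; do
        if printf '%s\n' "$pkgs" | grep -qx "$p"; then
            printf '%s\n' "$p"
        fi
    done
    return 0
}

# Constructed sample of `ss -tlnpH` output (TCP listeners, numeric, no header).
SAMPLE_SS="$(cat <<'EOF'
LISTEN 0      128          0.0.0.0:22          0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      128          0.0.0.0:80          0.0.0.0:*    users:(("httpd",pid=1021,fd=4))
LISTEN 0      64           0.0.0.0:23          0.0.0.0:*    users:(("xinetd",pid=901,fd=5))
LISTEN 0      128        127.0.0.1:3306        0.0.0.0:*    users:(("mysqld",pid=1100,fd=20))
EOF
)"

# Ports this (assumed) host is expected to expose, space-separated.
ALLOWED_PORTS="22 80"

# Print "port process" for every listener bound to a non-loopback address
# whose port is not in the allowlist. $1 = ss output, $2 = allowlist.
find_unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            # column 4 is "address:port"; the port is after the last colon
            n = split($4, parts, ":"); port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") next   # loopback only
            if (port in ok) next
            proc = "unknown"
            # pull the process name out of users:(("name",pid=...))
            if (match($0, /users:\(\("[^"]+"/)) {
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            }
            print port, proc
        }'
    return 0
}

# Run both checks on the samples.
echo "Unwanted packages installed:"
find_unwanted_packages "$SAMPLE_PACKAGES"
echo "Unexpected listeners (port process):"
find_unexpected_listeners "$SAMPLE_SS" "$ALLOWED_PORTS"
```

On the sample data the package check reports xinetd and telnet-server, and the listener check reports port 23 owned by xinetd; the MySQL listener on 127.0.0.1 is deliberately ignored because it is not reachable from the network. Each flagged port maps back to a package that should be removed (or a service that should be firewalled) per the checklist.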
- Disable SELinux – You may be surprised to see this, but in my experience handling SELinux and its settings is difficult for a layman or for anyone who needs simpler solutions. I normally suggest and set up either CSF/APF + BFD or AtomicCorp's ASL, based on the client's confirmation.
- Strong password policy – Make sure your server has a strong password policy. cPanel now lets you set the required password strength; on non-panel servers you can use pam_cracklib.so to enforce a password policy.
- Password aging and restricting reuse of previous passwords for Linux users – Use the chage command to make an existing password expire in x days. To restrict reuse of previous passwords, configure it through pam_unix.so.
- UID 0 should be set only for the root user; no other user should have UID 0.
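The three account items above (unwanted users, password aging and reuse, and no second UID 0 account) can be checked from /etc/passwd and the PAM configuration. The script below is an added example, not from the original post: it reads a passwd-format file, reports any non-root account with UID 0, lists the regular accounts that have a real login shell so they can be reviewed, builds the chage command for password aging, and reads the remember= value from a pam_unix.so line. The passwd file and the PAM excerpt are constructed samples; on a real host point it at /etc/passwd and /etc/pam.d/system-auth. The usernames and the 90-day/7-day defaults are assumptions.

```shell
#!/bin/sh
# Added example: review local accounts and password policy settings.
# The passwd file and PAM excerpt are CONSTRUCTED samples.

SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
sysadmin:x:1000:1000::/home/sysadmin:/bin/bash
tomcat:x:53:53:Apache Tomcat:/usr/share/tomcat:/sbin/nologin
maint:x:0:0:old maintenance login:/home/maint:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
EOF

# Any account other than root with UID 0 is a second root account.
# $1 = path to a passwd-format file. Prints offending usernames.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts that can actually log in: UID >= 1000 (regular users on CentOS)
# with a real shell. These are the ones to review and remove if unneeded.
find_login_users() {
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Build the chage invocation that makes a password expire after DAYS days
# (-M) and warns WARN days beforehand (-W). It is printed, not executed, so
# it can be reviewed and recorded in the change documentation first.
chage_command() {
    user="$1"; days="${2:-90}"; warn="${3:-7}"
    printf 'chage -M %s -W %s %s\n' "$days" "$warn" "$user"
}

# Constructed excerpt of /etc/pam.d/system-auth. Reuse of previous passwords
# is restricted by the remember=N option on the pam_unix.so password line.
SAMPLE_PAM="$(cat <<'EOF'
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=12
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password    required      pam_deny.so
EOF
)"

# Print the number of remembered passwords, or 0 if reuse is not restricted.
# $1 = contents of the PAM file.
pam_remember_count() {
    printf '%s\n' "$1" | awk '
        $1 == "password" && $3 == "pam_unix.so" {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^remember=/) { sub(/^remember=/, "", $i); print $i; found = 1 }
        }
        END { if (!found) print 0 }'
}

echo "Non-root accounts with UID 0:"
find_extra_uid0 "$SAMPLE_PASSWD"
echo "Login-capable regular accounts to review:"
find_login_users "$SAMPLE_PASSWD"
echo "Aging command for each of them (90 days, warn at 7):"
for u in $(find_login_users "$SAMPLE_PASSWD"); do chage_command "$u"; done
echo "Previous passwords remembered by pam_unix: $(pam_remember_count "$SAMPLE_PAM")"
```

On the sample, the maint account is flagged as a second UID 0 login, sysadmin and alice are listed for review, and the PAM excerpt reports that the last 5 passwords are remembered. The operator entry is not flagged: its GID is 0 but its UID is 11, and group membership does not confer root's privileges the way UID 0 does.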
- SSH service – SSH is the main route attackers try, because those who are not well versed in server management usually ignore SSH-level security; they do not realise how much an attacker can do once they get in via SSH as root. So you need to do the following:
  - Disable direct root access via SSH.
  - Disable password-based authentication for the SSH service.
  - Change the default SSH port from 22 to something unique like 3617, 5638, etc.
  - Make sure the SSH protocol is set to "2".
  - Allow only the needed users using the "AllowUsers" option.
  - Disable X11Forwarding in the SSH configuration.
  - Set up 2-factor authentication using google-authenticator.
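The six sshd_config settings in the list above are easy to verify mechanically before and after a change. The script below is an added example, not from the original post: it reads an sshd_config file, resolves each option the way sshd does (the first non-comment occurrence wins) and prints one finding per checklist item that is not met. The configuration it checks is a constructed sample with deliberately weak settings; on a real host pass /etc/ssh/sshd_config, and run `sshd -t` after editing so a syntax error cannot lock you out of the server. The usernames in AllowUsers are assumptions.

```shell
#!/bin/sh
# Added example: audit an sshd_config file against the SSH checklist.
# The config below is a CONSTRUCTED sample with weak settings.

SAMPLE_SSHD="$(mktemp)"
cat > "$SAMPLE_SSHD" <<'EOF'
# constructed sample sshd_config
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
X11Forwarding yes
AllowUsers sysadmin alice
EOF

# Effective value of an sshd option. sshd applies the first occurrence of a
# keyword, so we stop at the first non-comment match; commented-out lines
# start with "#" and never equal the keyword. Prints nothing if unset.
# $1 = option name, $2 = path to sshd_config.
sshd_opt() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# Print one finding per unmet checklist item. $1 = path to sshd_config.
# Always returns 0 so it can be used inside scripts running under set -e.
audit_sshd_config() {
    f="$1"
    [ "$(sshd_opt PermitRootLogin "$f")" = "no" ] \
        || echo "PermitRootLogin should be no (direct root login is allowed)"
    [ "$(sshd_opt PasswordAuthentication "$f")" = "no" ] \
        || echo "PasswordAuthentication should be no (use key-based auth)"
    port="$(sshd_opt Port "$f")"
    [ -n "$port" ] && [ "$port" != "22" ] \
        || echo "Port is still 22"
    [ "$(sshd_opt Protocol "$f")" = "2" ] \
        || echo "Protocol should be 2"
    [ -n "$(sshd_opt AllowUsers "$f")" ] \
        || echo "AllowUsers is not set (every account may try to log in)"
    [ "$(sshd_opt X11Forwarding "$f")" = "no" ] \
        || echo "X11Forwarding should be no"
    return 0
}

echo "Findings for $SAMPLE_SSHD:"
audit_sshd_config "$SAMPLE_SSHD"
```

On the sample this reports four findings (root login, password authentication, port 22 and X11 forwarding); Protocol 2 and AllowUsers pass. The commented `#PasswordAuthentication no` line is correctly ignored, which is a common source of confusion when a setting appears to be present but is not in effect. Google-authenticator is not covered here because it is installed as a PAM module rather than set in sshd_config alone.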
We hope we have covered all the important security and hardening tips in the list above. If you have a tip that you think should be included, please drop a comment. Nixtree is more than happy to receive suggestions and comments, as they help us improve and help you better.