How to build a secure Linux server?


Linux servers are used for a variety of purposes, including file servers for storing and managing files, web servers for hosting Internet sites, mail servers for handling e-mail, and many more. Home and private servers are much easier to use and maintain because they are not connected to the Internet, but if your server is connected to the World Wide Web, you need to follow certain security rules and tips to maintain and protect it. Those who are new to Linux and want to manage their own dedicated server should consider a few essential points, which we address in this article.

Install the things you need

If you are planning to set up a server, you may be thinking: "I have 40 GB of storage space, so I can install any software and service I want." Theoretically, you are the owner of the server, and thanks to the open source software of the Linux operating system, you can install anything you want. But you should not forget that even the most impenetrable servers may be attacked by exploiting vulnerable and unpatched components running on that server.

To have a secure server, the first rule is to keep your server as lean and simple as possible. Only install the packages you really need. If unwanted packages are already installed on your server, remove them. The fewer software packages you have, the less likely you are to encounter bugs and security holes. Before installing any software and related packages (like ownCloud), you should read the documentation associated with that package and install only the items you need.

Do the things you need to do

The second rule for setting up and maintaining a Linux server is to run only the services you need. Many distributions and packages may run certain services on different ports at startup, which can pose security risks. So open the terminal and run the following command:

netstat -npl

The output of this command shows you which services are running on which ports. If you come across a service that should not be running, stop it. You should also check which services are enabled to start at system startup. You can do this by running the following command:

systemctl list-unit-files --type=service | grep enabled

The output depends on the system. If you encounter any unwanted service, you can disable it with the powerful systemctl command:

systemctl disable service_name

Restrict server access

Just as you only give your home keys to people you know, you should also keep access to your server out of the reach of strangers. In short, you must restrict access to your server. Note that doing this alone will not block malware from infiltrating your server, but it adds to the security layers of your server and makes it more difficult to penetrate.

Never log in to the server with a Root account

Using the administrator account, root, to log in to the server via ssh is not a good idea at all. So it is best to disable root access to the server via ssh. But before doing this, you need to create an account with which you can log in to the server via ssh and perform administrative tasks. Remember that you can always switch to the root user after logging in to the server if you need to.

There are different ways to add a new user to different Linux distributions. For example, the Red Hat / CentOS distribution uses the useradd command and the Ubuntu / Debian distribution uses the adduser command.

Use the following command to create a new user in Red Hat / CentOS (swapnil is our default username):

useradd swapnil

Then define a password for this user using the following command:

passwd swapnil

After entering this command you will be asked to enter a new password for this user. Now you need to give this user the ability to use sudo. To do this, run the following command:

EDITOR=nano visudo

Then look for this line as shown below

# %wheel ALL=(ALL) ALL

Take the line out of comment mode. The # symbol at the beginning of each line indicates the comment (description) of that line, and by removing this symbol, the line also leaves the comment mode and becomes a command. After doing this, your line will look like this:

%wheel ALL=(ALL) ALL

Now save the file and exit it. If this user does not belong to the wheel group you can easily add it to this group using the following command:

usermod -aG wheel swapnil

Use this command on Ubuntu systems:

adduser swapnil

Answer the questions the system asks you, including creating a new password for this user. After creating this user, use the following command to grant sudo powers to him:

gpasswd -a swapnil sudo

Open another new terminal window and try to log in to the server with this new user and execute management commands via sudo. If this is done correctly, follow the next steps.

Disable login with root user

After going through the previous steps, now it is time to disable root access. With this, no one can log in as a root user via ssh or any other method. To do this, open the sshd configuration file:

nano /etc/ssh/sshd_config

Then find the following line and take it out of comment mode:

#PermitRootLogin no

Now save the file and exit it, then restart the service using the following command:

service ssh restart

Or:

systemctl restart sshd

Note: At this stage you should not exit the server yet. First you need to test whether you can successfully log in to the server via ssh using the account you have already created. Open a new window from the terminal and log in to the server using the account you created earlier, if all goes well you can now log out of the root account safely.

Change the port

The second change we want to make to the sshd configuration file is to change the default port. This mostly adds a layer of security by obscuring the port number. Suppose a security company uses several vehicles of the same shape to move an important person. In this case, the attacker cannot identify which of these vehicles the person is riding in. Changing the default port likewise makes it more difficult for a hacker to find the ssh service.

Open the sshd_config file (this time via the sudo command, as you can no longer log in to the server using the root account):

sudo nano /etc/ssh/sshd_config

Then find this line:

#Port 22

Take the line out of comment mode and select another port number for it. Before choosing a new number, make sure that this port is not used by another service on your server. You can use the Wikipedia article on common port numbers to see which ports are already assigned and avoid them. For example, you can use port 1977:

Port 1977

Then save the file and exit it and restart the sshd service once. Check your settings again before leaving the server by opening another terminal window and logging in using the following template:

ssh -p {port_number} {username}@server_IP

Example:

ssh -p 1977 swapnil@server_IP

If you can log in to the server successfully, everything is set up correctly.

Login without the need for a password

You can log in over ssh more easily and quickly by removing the need to enter a password. You can also add another layer of security by completely disabling password authentication. Remember that once this is enabled, you can only connect to your server from the system on which you created the ssh keys.

To get started, first create the ssh key in your local system using the following command:

ssh-keygen -t rsa

After running this command, you will be asked a few questions. You can leave the location of the key at its default and set a passphrase that is difficult to guess. Next you need to copy the public key to the server so that the two systems (local and server) can authenticate each other with it.

cat ~/.ssh/id_rsa.pub | ssh -p 1977 swapnil@remote-server "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Now try to access the server using another terminal window. If everything is done correctly, you will no longer be asked to enter a password.

This step is more about convenience than about security. But in general, by completely disabling password authentication, you can also increase the security of your server. Open the sshd_config file and find this commented line:

#PasswordAuthentication yes

Then take it out of comment mode and change its value from yes to no, now save the file and exit it. Then restart the sshd service. Once again, keep your connection to the server in the current window. Open a new terminal and log in to the server (make sure this is done without asking for a password).

The disadvantage of these settings is that now you can only connect to the server through the system in which you created the ssh keys. Therefore, if you use several different computers to access the server, you should not use this method.
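
Before restarting sshd, it helps to confirm that the three edits made in this article (PermitRootLogin, Port, PasswordAuthentication) are really in effect. The following is an added example, not part of the original article: audit_sshd_config and the cfg_* sample files are constructed for illustration, and the check covers only the global part of a single file (it stops at the first Match block and does not follow Include lines).

```shell
#!/bin/sh
# Added example: audit an sshd_config for the three settings changed above.
# Reads the file named in $1, or stdin when no argument is given.
audit_sshd_config() {
    awk '
        function show(v) { return (v == "") ? "unset (sshd default applies)" : v }
        function fail(m) { print "FAIL " m; bad = 1 }
        /^[ \t]*#/ || NF == 0 { next }             # commented lines have no effect
        { key = tolower($1); val = tolower($2) }   # keywords are case-insensitive
        key == "match" { exit }                    # conditional blocks: not covered
        key == "port"  { ports[++n] = val; next }  # Port may appear several times
        !(key in first) { first[key] = val }       # sshd keeps the first value read
        END {
            if (first["permitrootlogin"] != "no")
                fail("PermitRootLogin is " show(first["permitrootlogin"]))
            if (first["passwordauthentication"] != "no")
                fail("PasswordAuthentication is " show(first["passwordauthentication"]))
            if (n == 0) fail("Port is unset, sshd listens on 22")
            for (i = 1; i <= n; i++)
                if (ports[i] == "22") fail("Port 22 is still open")
            exit bad + 0
        }' "${1:--}"
}

# Constructed samples: the lines as found, the lines after this article,
# and a file where the new setting was appended below an older active one.
cfg_shipped()   { printf '%s\n' '#Port 22' '#PermitRootLogin no' '#PasswordAuthentication yes'; }
cfg_hardened()  { printf '%s\n' 'Port 1977' 'PermitRootLogin no' 'PasswordAuthentication no'; }
cfg_duplicate() { printf '%s\n' 'Port 1977' 'PermitRootLogin no' \
                      'PasswordAuthentication yes' 'PasswordAuthentication no'; }

for cfg in cfg_shipped cfg_hardened cfg_duplicate; do
    echo "== $cfg"
    "$cfg" | audit_sshd_config || true    # non-zero status means findings
done
```

On a live server, sshd -t checks the file for syntax errors before you restart the service, and sshd -T (run as root) prints the settings sshd will actually use.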

Conclusion

The above is a set of general considerations that new users can follow to make their personal server more secure. But you have to keep in mind that attackers are always one step ahead of us. They check all available holes to infiltrate your server. So it is best to always have a backup copy of your server content so that if it is lost for any reason (including cyber attacks) you can replace it quickly. Experts recommend that you always back up your content before and after making changes to your server. This way, if for any reason your server does not work properly and has a problem, you can use the backup to return to the previous step.
