25 Hardening Security Tips for Linux Servers
Given the ease of executing this security essential, there’s no reason to avoid or procrastinate. The next principle is that you split bigger areas into smaller ones. If we look at that building again, we have split it into multiple floors. Maybe you visitor is only allowed on floor 4, in the blue zone. If we translate this to Linux security, this principle would apply to memory usage.
- They are formed by professionals reaching an agreement and share consensus-based tips with others in and outside the field.
- Make sure to change the default password of the admin page or disable it if it’s possible.
- Gus Khawaja is a security consultant and author at Pluralsight.
Pick a password that is different than any of the other passwords that you use for your system. Drive encryption will render any disk that is stolen useless by a would-be data thief. An encrypted drive is unreadable by anyone who doesn’t have the encryption password or key.
Log Configuration
This protocol has known vulnerabilities and must not be used. A good way to monitor log activity is to use third-party log monitoring software, such as LogWatch, for log analysis and notifications. Notifications and daily digests can be sent to administrators via email.
- Pick a password that is different than any of the other passwords that you use for your system.
- Notifications and daily digests can be sent to administrators via email.
- The pam_unix module parameter remember can be used to configure the number of previous passwords that cannot be reused.
- By securing a Linux Box you are automatically reducing the attack surface for a Hacker.
- This is because there will be fewer applications to exploit.
- When in doubt, opt for a local device to reduce vulnerability in the event of a cyber attack.
Disabling boot from external devices can only safeguard you from unauthorized access. Users who have access to the system and a malicious intent can still copy sensitive files to their USB and thunderbolt sticks. Worse still, they can install malware, viruses, or backdoors on your servers. Once access to USB and Thunderbolt devices is disabled, a user cannot harm the system in these ways. Approaching system hardening with a four-level approach is an effective way to secure your system in multiple areas. Locking down the BIOS and separating partitions sets a secure foundation at the machine level.
Check the installed packages
As more companies adopt Linux, the frequency of Linux attacks is also increasing. Contrary to popular belief, Linux is not inherently safe and should be hardened to safeguard your instances. The tips and methods discussed in this article are not exhaustive but they do cover hardening from a wide perspective. The importance of a well-managed backup can’t be overstated.
- Your customer’s data will be secure, there will be no downtime, services will run 24/7 and you will maintain client trust.
- Configure the BIOS to disable booting from CD/DVD, External Devices, Floppy Drive in BIOS.
- If you find an unnecessary service or server application listening for inbound connections, disable the port or remove the application.
- It requires serious effort to improve Linux security and apply system hardening measures correctly.
- The attackers are smart and the scripts they use often take care of the default settings of Fail2Ban like tools.
As a result, many firms disregard hardening work because of the resources that must be used while accepting the risk of production outages. Prior to implementation, the effects of any hardening activity in a Linux server should be assessed rigorously. Unfortunately, this testing process is highly time-consuming and difficult, especially in an organizational environment with so many interconnections. In addition, the user would not experience any downtime when hardening, thanks to automation. The most secure process would be to disable all root access.
Hardening Arch Linux
This way, you can easily see if you need to change any parameter to enhance the security of the SSH server. To take SSH security to the next level, you may also enable two-factor authentication. In this approach, you receive a one-time password on your mobile linux hardening and security lessons phone, email or through a third-party aunthentication app. Before you go for this approach, make sure that you have added your own public key to the server and it works. You may also add selected users to a new group and allow only this group to access SSH.