{"id":1869,"date":"2016-09-05T11:33:16","date_gmt":"2016-09-05T16:33:16","guid":{"rendered":"http:\/\/swildow.darktech.org\/wp\/?p=1869"},"modified":"2016-09-05T11:33:16","modified_gmt":"2016-09-05T16:33:16","slug":"securing-your-linux-server-in-8-steps","status":"publish","type":"post","link":"https:\/\/www.wildow.com\/blog\/?p=1869","title":{"rendered":"Securing your Linux Server in 8 Steps"},"content":{"rendered":"<header class=\"postheader_magnum\">\n<h1 id=\"header\" class=\"posttitle_magnum\"><a title=\"https:\/\/chrisreinking.com\/securing-your-linux-server-in-8-steps\/#header\" href=\"https:\/\/chrisreinking.com\/securing-your-linux-server-in-8-steps\/#header\" target=\"_blank\">Securing your Linux Server in 8 Steps<\/a><\/h1>\n<\/header>\n<div class=\"postcontent_magnum\">\n<p>Before I get going with too many tutorials, it might be a good idea to just step back and talk about the very first thing you should be doing from the start: securing your server!<\/p>\n<p>Luckily this doesn&#8217;t need to take a long time &#8211; we can secure things pretty quickly. Let&#8217;s get started!<\/p>\n<p><strong>STEP 1 &#8211; Update your server<\/strong><\/p>\n<p>Depending on your Linux distribution, your install ISO\/DVD could be months or even years old! Running updates on your server immediately will help get any vulnerable packages updated. We can do this in two lines:<\/p>\n<blockquote><p>sudo apt-get update<br \/>\nsudo apt-get upgrade<\/p><\/blockquote>\n<p><strong>STEP 2 &#8211; Disable root access via SSH<\/strong><\/p>\n<p>If you&#8217;ve ever watched your SSH logs after starting up a server, you&#8217;ll notice one thing very quickly: a lot of people are trying to access your server. 
The other thing you&#8217;ll notice is that the large majority of them are trying to log in as root.<\/p>\n<p>Let&#8217;s disable root login by editing the sshd_config file. Before you do, make sure you already have a regular account with sudo rights and that you can log in with it; otherwise you will lock yourself out of administering the box.<\/p>\n<blockquote><p>sudo nano \/etc\/ssh\/sshd_config<\/p><\/blockquote>\n<p>Find the PermitRootLogin line and change it to &#8220;no&#8221; (sshd uses the first value it finds for a keyword, so edit the existing line rather than adding a second one at the bottom of the file):<br \/>\n<code>PermitRootLogin no<\/code><\/p>\n<p><strong>STEP 3 &#8211; Change your SSH port<\/strong><\/p>\n<p>After Step 2, you&#8217;ll notice your logs are still full of login attempts. Even though they can&#8217;t get in as root, they&#8217;ll keep trying. Moving the OpenSSH server to a different port gets you out of the path of the bots that only probe port 22; it does not hide the service from anyone who runs a port scan, so treat it as noise reduction rather than protection. Open the sshd_config file once more and edit the &#8220;Port&#8221; line to use an atypical number. For example:<br \/>\n<code>Port 5901<\/code><\/p>\n<p>Two caveats on the choice of port: 5901 happens to be the default VNC display port, so scanners do probe it, and ports above 1023 can be bound by any unprivileged local user, so on a shared machine a low port is the safer choice. Check the configuration file for syntax errors, then restart your SSH server to pick up the changes from Steps 2 and 3. Keep your current session open and confirm from a second terminal that you can log in on the new port before you close it.<\/p>\n<blockquote><p>sudo sshd -t<br \/>\nsudo service ssh restart<\/p><\/blockquote>\n<p><strong>STEP 3.5 &#8211; Use SSH Key-based Logins<\/strong><\/p>\n<p>This is the step that actually stops password guessing, so do it on every server you can, not only public-facing production ones: Steps 2 and 3 only reduce the noise in your logs, and a scanner that finds the new port is right back to guessing passwords. Once your key works, set <code>PasswordAuthentication no<\/code> in sshd_config and restart the service again so the password path is closed entirely. If you need help setting up key-based logins, <a href=\"https:\/\/help.ubuntu.com\/community\/SSH\/OpenSSH\/Keys\">check out this article<\/a> from Ubuntu.<\/p>\n<p><strong>STEP 4 &#8211; Enable your firewall<\/strong><\/p>\n<p>Most Linux distributions come with iptables by default. Iptables is a very powerful firewall but has quite a steep learning curve for those of us coming from a Windows Server background (don&#8217;t hate!). While I plan on creating an iptables tutorial in the future, a much easier frontend for iptables is UFW.<\/p>\n<blockquote><p>sudo apt-get install ufw<\/p><\/blockquote>\n<p>UFW&#8217;s syntax is very simple. 
The command is simply &#8220;ufw allow&#8221; followed by a port number (these commands need root, so run them with sudo like the others). For example, this would open up traffic for an http server:<\/p>\n<blockquote><p>sudo ufw allow 80<\/p><\/blockquote>\n<p>For popular protocols, you can use the service name to do the same thing; UFW looks the name up in \/etc\/services:<\/p>\n<blockquote><p>sudo ufw allow http<\/p><\/blockquote>\n<p>Make sure to allow the custom port number you gave your SSH server, otherwise you&#8217;ll lock yourself out! Note that <code>ufw allow ssh<\/code> opens port 22, not the port you chose in Step 3, because the name comes from \/etc\/services, so spell the port out. The <code>limit<\/code> form is worth using here: it allows the port but rate-limits new connections from a single address.<\/p>\n<blockquote><p>sudo ufw allow 5901\/tcp<br \/>\nsudo ufw limit 5901\/tcp<\/p><\/blockquote>\n<p>After you have all the rules added, make sure incoming traffic is denied by default and enable the firewall:<\/p>\n<blockquote><p>sudo ufw default deny incoming<br \/>\nsudo ufw enable<\/p><\/blockquote>\n<p>If you ever need to see what rules are currently set, just run:<\/p>\n<blockquote><p>sudo ufw status verbose<\/p><\/blockquote>\n<p><strong>STEP 5 &#8211; Check for open ports<\/strong><\/p>\n<p>For some reason, I always seem to end up with services running that I have no idea how they ended up on my system. Maybe another package listed them as a dependency. Maybe it just came with the default install. Regardless, if a service is listening on a port that is reachable from outside, it leaves the door open for possible exploit.<\/p>\n<p>We can see what ports currently have services listening on them by running a quick command (netstat is deprecated on newer distributions; <code>sudo ss -tulpn<\/code> prints the same information):<\/p>\n<blockquote><p>sudo netstat -tulpn<\/p><\/blockquote>\n<p>Anything listening on 0.0.0.0:xxxx or :::xxxx (every IPv4 or IPv6 address) may be a problem, whereas 127.0.0.1:xxxx is only reachable from the machine itself. To fix, make sure your firewall is not allowing traffic to those ports through, or reconfigure the service to bind to 127.0.0.1 if only local clients need it. Even better, if you don&#8217;t need the service at all, stop and disable it with <code>sudo systemctl disable --now &lt;service&gt;<\/code> or uninstall the offending package with <code>sudo apt-get remove &lt;package&gt;<\/code>.<\/p>\n<p><strong>STEP 6 &#8211; Install Fail2Ban<\/strong><\/p>\n<p>Fail2Ban is a program that monitors the authentication logs of various programs. When too many failed attempts from one address are detected within a time window, it blocks that source IP address with a firewall rule for a set ban time. 
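Before installing it, one cross-check that ties Steps 2 through 5 together. This is an added example, not code from the original post: given a constructed sshd_config, constructed `sudo ufw status` output and constructed `sudo ss -tulpn` output (netstat -tulpn rows are accepted as well), it reports whether the SSH port actually has a firewall rule before you run `ufw enable`, and which wildcard listeners are reachable through the firewall versus blocked by it. Two assumptions are built in and marked in the code: sshd's first-match rule for repeated keywords, and that Match blocks are ignored.

```python
"""Cross-check of Steps 2 to 5: does the SSH port in sshd_config match what
the firewall allows, and which listening sockets are actually reachable?
Added example, not from the original post. All three inputs are constructed
samples in the formats of /etc/ssh/sshd_config, `sudo ufw status` and
`sudo ss -tulpn` (netstat -tulpn rows are accepted too)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sshd_config. sshd keeps the FIRST value it sees for a keyword,
# so the trailing "Port 22" is silently ignored (a common mistake when
# appending settings to the bottom of the file). Match blocks are not handled.
SSHD_CONFIG = """\
# constructed sample
Port 5901
PermitRootLogin no
PasswordAuthentication no
# appended later; sshd ignores it because the first Port line wins
Port 22
"""

# Constructed `sudo ufw status` output: the admin ran `ufw allow ssh`, which
# opened 22/tcp from /etc/services, not the custom port.
UFW_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
"""

# Constructed `sudo ss -tulpn` output.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q  Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0       127.0.0.53%lo:53   0.0.0.0:*  users:(("systemd-resolve",pid=412,fd=12))
tcp   LISTEN 0      128           0.0.0.0:5901 0.0.0.0:*  users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      128              [::]:5901    [::]:*  users:(("sshd",pid=801,fd=4))
tcp   LISTEN 0      80            0.0.0.0:3306 0.0.0.0:*  users:(("mysqld",pid=900,fd=20))
tcp   LISTEN 0      511         127.0.0.1:6379 0.0.0.0:*  users:(("redis-server",pid=950,fd=6))
tcp   LISTEN 0      511           0.0.0.0:80   0.0.0.0:*  users:(("nginx",pid=1001,fd=6))
"""

WILDCARDS = {"0.0.0.0", "[::]", "::", "*"}   # "all interfaces" as ss/netstat print it


def sshd_directives(text: str) -> Dict[str, str]:
    """keyword (lower-cased) -> first value, mirroring sshd's first-match rule."""
    first: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Port 5901" or "Port=5901"
        if len(parts) == 2:
            first.setdefault(parts[0].lower(), parts[1].strip())
    return first


def ufw_allowed_ports(status: str) -> Set[int]:
    """Numeric ports that have an ALLOW rule in `ufw status` output."""
    ports: Set[int] = set()
    for line in status.splitlines():
        m = re.match(r"^(\d+)(?:/(?:tcp|udp))?(?:\s+\(v6\))?\s+ALLOW\b", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def wildcard_listeners(text: str) -> List[Tuple[str, int, str]]:
    """(proto, port, process) for each socket bound to every interface."""
    seen: Dict[Tuple[str, int], str] = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].rstrip("6") not in ("tcp", "udp"):
            continue                                   # header or unrelated row
        local = next((t for t in parts[1:] if re.match(r"^.+:\d+$", t)), None)
        if local is None:
            continue
        addr, _, port = local.rpartition(":")
        if addr not in WILDCARDS:
            continue
        # ss prints users:(("name",pid=..)), netstat prints pid/name
        m = re.search(r'\("([^"]+)"', line) or re.search(r"\d+/([\w.-]+)", line)
        seen.setdefault((parts[0].rstrip("6"), int(port)), m.group(1) if m else "?")
    return [(proto, port, proc) for (proto, port), proc in seen.items()]


def audit(sshd_cfg: str, ufw_status: str, listeners: str) -> Dict[str, object]:
    """Findings to review before `ufw enable` and `service ssh restart`."""
    cfg = sshd_directives(sshd_cfg)
    port = int(cfg.get("port", "22"))
    allowed = ufw_allowed_ports(ufw_status)
    findings: List[str] = []
    # absent keywords are treated as the permissive "yes" to stay conservative
    if cfg.get("permitrootlogin", "yes") not in ("no", "prohibit-password", "without-password"):
        findings.append("root login over SSH is still permitted")
    if cfg.get("passwordauthentication", "yes") != "no":
        findings.append("password authentication is still enabled")
    if port not in allowed:
        findings.append(f"SSH port {port} has no ALLOW rule: enabling ufw would lock you out")
    exposed, blocked = [], []
    for entry in wildcard_listeners(listeners):
        (exposed if entry[1] in allowed else blocked).append(entry)
    return {"ssh_port": port, "ssh_port_allowed": port in allowed,
            "findings": findings, "exposed": exposed, "blocked": blocked}


if __name__ == "__main__":
    for key, value in audit(SSHD_CONFIG, UFW_STATUS, SS_OUTPUT).items():
        print(f"{key}: {value}")
```

With the sample inputs the report flags exactly the mistake the text warns about: sshd is on 5901 but only 22 is allowed, so `ufw enable` would cut off your session, and of the four wildcard listeners only nginx on 80 is actually reachable through the firewall. Swap in real output from your own host to audit it.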
First, we&#8217;ll need to install it:<\/p>\n<blockquote><p>sudo apt-get install fail2ban<\/p><\/blockquote>\n<p>To configure it, don&#8217;t edit jail.conf directly: it is replaced when the package is upgraded and your changes would be lost. Put your overrides in jail.local, which is read after jail.conf. Enable the jail for the services you want watched (for example, SSH) and then restart the service. The jail is named <code>[ssh]<\/code> in older Fail2Ban releases and <code>[sshd]<\/code> from 0.9 onwards, so check which name your jail.conf uses. Keep comments on their own lines: Fail2Ban only recognises inline comments that start with <code>;<\/code>, so a trailing <code>#comment<\/code> after a value becomes part of the value.<\/p>\n<blockquote><p>sudo nano \/etc\/fail2ban\/jail.local<\/p><\/blockquote>\n<ol class=\"linenums\">\n<li class=\"L0\"><code># service name: [ssh] on older releases, [sshd] on 0.9 and later<\/code><\/li>\n<li class=\"L1\"><code>[ssh]<\/code><\/li>\n<li class=\"L2\"><code><\/code><\/li>\n<li class=\"L3\"><code># set this to true to enable the jail<\/code><\/li>\n<li class=\"L4\"><code>enabled = true<\/code><\/li>\n<li class=\"L5\"><code># change this to the port you set in step 3<\/code><\/li>\n<li class=\"L6\"><code>port = 5901<\/code><\/li>\n<li class=\"L7\"><code>filter = sshd<\/code><\/li>\n<li class=\"L8\"><code>logpath = \/var\/log\/auth.log<\/code><\/li>\n<li class=\"L9\"><code># ban after this many failures within findtime (default 600 seconds)<\/code><\/li>\n<li class=\"L0\"><code>maxretry = 3<\/code><\/li>\n<\/ol>\n<blockquote><p>sudo service fail2ban restart<\/p><\/blockquote>\n<p>After the restart, <code>sudo fail2ban-client status<\/code> lists the active jails, and <code>sudo fail2ban-client status ssh<\/code> (or sshd) shows what that jail has banned so far.<\/p>\n<p><strong>STEP 7 &#8211; Disable responding to pings<\/strong><\/p>\n<p>Some scanners sweep a network with ICMP echo requests before probing ports, so ignoring pings cuts down that noise. It will not hide the server from scanners that probe TCP ports directly, and it breaks uptime monitors and troubleshooting that rely on ping, so this really only makes sense for servers that you aren&#8217;t driving the public to. 
To prevent ping responses:<\/p>\n<blockquote><p>sudo nano \/etc\/sysctl.conf<\/p><\/blockquote>\n<p>Insert the following into the file (this covers IPv4 only; IPv6 echo requests are controlled separately):<br \/>\n<code>net.ipv4.icmp_echo_ignore_all = 1<\/code><\/p>\n<p>Save the file and apply the settings without a reboot:<\/p>\n<blockquote><p>sudo sysctl -p<\/p><\/blockquote>\n<p><strong>STEP 8 &#8211; Read your logs<\/strong><\/p>\n<p>This shouldn&#8217;t come as any surprise, but actually reading the logs gives you a much better idea of what threats you are facing. For SSH, <code>grep 'Failed password' \/var\/log\/auth.log<\/code> shows the guessing attempts and which usernames are being tried, and \/var\/log\/fail2ban.log shows what Step 6 has banned. If you&#8217;re getting a lot of invalid attempts coming in from IPs in a particular country and you have no legitimate users there, a geoip firewall tool can block that country. Things like that will help you adapt to threats as they come up.<\/p>\n<p><strong>Wrap Up<\/strong><\/p>\n<p>If you&#8217;ve done the above steps, then you are off to a good start. Some of you will say &#8220;Chris, this is hardly enough and dangerous to run a server if this is all you do.&#8221; Well, you&#8217;re right &#8211; these guidelines are really meant as a starting point. There are plenty of other things we can do, but a lot of the securing process depends on the server&#8217;s role and location (internal vs external facing). 
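Since Steps 6 and 8 both come down to counting failed logins per source address in auth.log, here is an added example of that logic. It is not code from the original post or from Fail2Ban: the log lines are constructed (documentation IP ranges), the failure regex is a simplified stand-in for Fail2Ban's sshd filter, `maxretry = 3` mirrors the jail above while `findtime` and `bantime` use Fail2Ban's 600 second defaults, and the year is assumed to be 2016 because syslog timestamps carry none. The slow guesser in the sample shows why `findtime` matters: three attempts 15 minutes apart never trigger a ban at the default window.

```python
"""Sliding-window banning of the kind Fail2Ban does in Step 6, run over
auth.log lines, plus the per-source tally you'd read by hand in Step 8.
Added example, not from the original post or from Fail2Ban itself: the log
lines are constructed, the failure regex is a simplified stand-in for
Fail2Ban's sshd filter, and maxretry = 3 mirrors the jail in the text while
findtime and bantime use Fail2Ban's 600 s defaults."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed /var/log/auth.log excerpt: one fast brute force (203.0.113.7),
# one successful key login, and one slow guesser (198.51.100.9) that spaces
# attempts 15 minutes apart to stay under the default findtime.
AUTH_LOG = """\
Sep  5 11:30:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep  5 11:30:03 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Sep  5 11:30:05 web1 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 51041 ssh2
Sep  5 11:30:06 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51050 ssh2
Sep  5 11:31:00 web1 sshd[2210]: Accepted publickey for chris from 198.51.100.20 port 40010 ssh2
Sep  5 11:40:00 web1 sshd[2300]: Failed password for invalid user test from 198.51.100.9 port 40100 ssh2
Sep  5 11:55:00 web1 sshd[2310]: Failed password for invalid user test from 198.51.100.9 port 40101 ssh2
Sep  5 12:10:00 web1 sshd[2320]: Failed password for invalid user test from 198.51.100.9 port 40102 ssh2
"""

# Simplified stand-in for Fail2Ban's sshd filter: captures user and source IP.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)")


def parse_ts(line: str, year: int) -> datetime:
    """syslog timestamps carry no year, so the caller supplies one (assumed 2016 here)."""
    return datetime.strptime(f"{year} {SYSLOG_TS.match(line).group(1)}", "%Y %b %d %H:%M:%S")


def scan(log: str, maxretry: int = 3, findtime: int = 600, bantime: int = 600,
         year: int = 2016) -> Tuple[List[Tuple[str, datetime]], Dict[str, int]]:
    """Return (bans, failures-per-ip). A ban fires when an address accumulates
    maxretry failures inside a findtime-second window; while banned, further
    lines from it are skipped, as they would be once iptables drops the packets."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned_until: Dict[str, datetime] = {}
    bans: List[Tuple[str, datetime]] = []
    totals: Dict[str, int] = defaultdict(int)
    for line in log.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        ts, ip = parse_ts(line, year), m.group(2)
        totals[ip] += 1
        if ip in banned_until and ts < banned_until[ip]:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]) > timedelta(seconds=findtime):   # drop stale failures
            window.popleft()
        if len(window) >= maxretry:
            bans.append((ip, ts))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans, dict(totals)


def top_sources(totals: Dict[str, int]) -> List[Tuple[str, int]]:
    """Step 8 view: noisiest source addresses first."""
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    bans, totals = scan(AUTH_LOG)
    for ip, when in bans:
        print(f"ban {ip} at {when:%H:%M:%S}")
    for ip, n in top_sources(totals):
        print(f"{n:4d} failures from {ip}")
```

Run as is, it bans 203.0.113.7 on its third failure and lists both sources by volume; 198.51.100.9 stays unbanned. Calling `scan(AUTH_LOG, findtime=3600)` widens the window enough to catch the slow source too, which is the trade-off you are making when you tune `findtime` in jail.local.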
While <a href=\"https:\/\/www.thefanclub.co.za\/how-to\/how-secure-ubuntu-1204-lts-server-part-1-basics\">this article<\/a> may go a bit overboard, I would definitely recommend looking over some of the other things you can do to secure your server.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Securing your Linux Server in 8 Steps Before I get going with too many tutorials, it might be a good idea to just step back and talk about the very first thing you should be doing from the start: securing &#8230; <a class=\"more-link\" href=\"https:\/\/www.wildow.com\/blog\/?p=1869\">Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"class_list":["post-1869","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1869","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1869"}],"version-history":[{"count":1,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1869\/revisions"}],"predecessor-version":[{"id":1870,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1869\/revisions\/1870"}],"wp:attachment":[{"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1869"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2F
categories&post=1869"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1869"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}