Welcome to Our Community

While Linux.org has been around for a while, we recently changed management and had to purge most of the content (including users). If you signed up before April 23rd please sign up again. Thanks!

What are some tips/tricks for securing your Linux server?

Discussion in 'Linux Security' started by Rob, Apr 25, 2017.

  1. Rob

    Rob Administrator
    Staff Member

    Joined:
    Oct 27, 2011
    Messages:
    145
    Likes Received:
    394
    There are a number of steps taken to secure a Linux server on the Internet these days.. what are some of the things you do?

    Some things I recommend as soon as the network comes up on your machine:
    - Disable PasswordAuthentication and just use ssh-keys
    - Keep up with security updates for your distribution
    - Install software such as CSF/LFD to ban IPs of failed logins and lock things down


     
    KarlLinux likes this.
  2. Cybercraft

    Cybercraft New Member

    Joined:
    Apr 25, 2017
    Messages:
    11
    Likes Received:
    14
    • Search services run on lvl 3 and disable it with chkconfig and remove unwanted package
    • Disable unwanted network service with netstat
    • Deny cron job in your /etc/cron.deny
    • Disable root login + use ssh-only authentication and use SSH 2 protocol version (like Rob suggestion)
    • Create no-usb in modprobe.b/no-usb and add following line -> install usb-storage /bin/true
    • Check sestatus and activate SELinux =>
      setenforce enforcing (ubuntu based distro don't work with SELinux in my memory)
     
    KarlLinux likes this.
  3. KarlLinux

    KarlLinux New Member

    Joined:
    May 2, 2017
    Messages:
    17
    Likes Received:
    5
    Assuming this ignores plugged in USB devices? Or am I way out there?
     
  4. Cybercraft

    Cybercraft New Member

    Joined:
    Apr 25, 2017
    Messages:
    11
    Likes Received:
    14
    Yes, this one is optionnal.... I'm not in trust with dedicated from datacenter ^^
     
    KarlLinux likes this.
  5. Scotsgeek

    Scotsgeek Moderator
    Staff Member

    Joined:
    Apr 24, 2017
    Messages:
    7
    Likes Received:
    11
    Also, change your default ssh port of 22 to some other higher number. Most of the ports from 1 to 49151 are preassigned, or reserved, but: "The range 49152–65535 (215+214 to 216−1) contains dynamic or private ports that cannot be registered with IANA". They are free to use as an alternative port.

    Black Hat hackers are constantly scanning Port 22 to find an IP address and attempt to break in. By blocking Port 22 and using a higher number, they will ignore the IP address
     
    Cybercraft likes this.
  6. MattsBmann

    MattsBmann New Member

    Joined:
    May 18, 2017
    Messages:
    1
    Likes Received:
    0
    I can recommend you an IT course. Specially on Linux Security. There you can learn everything about Linux at different levels.
     
  7. ArcheyScrot

    ArcheyScrot New Member

    Joined:
    May 28, 2017
    Messages:
    4
    Likes Received:
    2
    OpenSCAP. It contains benchmarks and mitigation scripts for standardized baselines across different industries.

    To name some important ones:
    • -PCI-DSS Compliance Standards
    • -DISA Secure Technical Implementation Guidelines (STIG)
    • -United States Government Configuration Baseline (USGCB)

    Security controls and hardening rules are often updated by the community upstream.
     
    Rob likes this.

Share This Page