Linux-based operating systems are usually more secure compared to any other OS family – thanks to its inbuilt security model. However, the default security configuration may not always be ideal. Ultimately, it is the duty of the server administrator to fine tune the default security configuration and customize it according to his/her own requirements.
Linux provides a great deal of configuration options for hardening the security of your server. Discussed below are 7 proven hardening tips that can go a long way to make your Linux server impenetrable for the hackers.
- Disable Root Login:
First of all never ever login as the ‘root’ user. That can be a recipe for disaster because brute-force attacks often target the ‘root’ user. Rather disable the ‘root’ user and create a ‘sudo’ user to execute root level commands. ‘Sudo’ is a special user with the privilege to run certain administrative commands, without having to login as the root user. It adds an additional layer of security to your server system. So create a ‘sudo’ user, provide it the necessary permissions and then disable root login to prevent the possibility of brute-force hacking attempts.
- Change Default SSH Port Number
SSH hack is quite common these days. An easy mitigation step to is to change the default SSH port number. It’s a great way to confuse the hackers and prevent malicious scripts from directly connecting to the default port. So change the default SSH port number at the earliest.
To change the port number, simply open the SSH configuration file residing under /etc/ssh/sshd_conf) and choose a different port number. Furthermore don’t forget to make sure that no other service is using this particular port number.
- Remove Unwanted Modules
Linux distributions are bundled with lots of modules, packages and services. In order to minimize the threat surface, it is highly recommended to keep only those that you are likely to use. Due to a security flaw present in one module, the security of other modules might get compromised. Thus making your server vulnerable to security breaches. So avoid installing all unwanted modules, unused packages and unnecessary services to protect your server from potential security risks. Also make sure to audit your active server modules from time to time to find out any adverse activities.
- Use GnuPG Encryption:
When it comes to data security, data in transit over a network is often a soft target for the hackers. To minimize the risk of data theft, it’s important to encrypt data transmissions using passwords, keys and certificates. GnuPG encryption could probably be a very effective way to fight against data hacks while in transit.
GnuPG is a versatile key-based authentication management system that can keep your data under a protective wrapper during transition. It uses a ‘public key’ to encrypt the data. Without the corresponding ‘private key’, it won’t be possible to decrypt the data. So only the intended recipient who has the decryption key will be able to access the data.
- Have a Strong Password Policy:
Weak passwords are one of the most common threat surfaces when it comes to server security. So don’t forget to implement a strong password policy. Here are a few recommendations that can improve the overall security of your server –
- Enforce ‘password length’ parameter for higher security from brute force attacks. Also do not allow user accounts to have empty password.
- Enable password aging to force the users in changing old passwords at regular intervals.
- Restrict the re-use of previous passwords, while making sure that the passwords are changed at frequent intervals.
- Use ‘faillog’ command to set login failure limit to 3. It would automatically block logging attempt after 3 unsuccessful attempts.
- Don’t Use FTP, Instead Switch Over to sFTP
FTP or ‘File Transfer Protocol’ is an outdated service. Even if you are using ‘FTP over TLS’ (FTPS), it’s far from being safe as the entire transmission made between the host and the user is sent in plain text. This makes it possible for an eavesdropper to listen in and retrieve your confidential information including login details. So stop using FTP today and look for other viable alternatives.
Compared to FTP, a far better option is to use Secure FTP, or simply SFTP. Unlike FTP, the SFTP protocol is packet-based instead of text-based. SFTP has the ability to encrypt data fully while in transition. It performs all operations over an encrypted SSH connection, so it’s a far better approach for securing your data while in transfer.
- Disable Unused Network Ports/Services:
Finally enable only those network ports that are used by the OS and its components, while disabling all the remaining ones. Run a port scan using ‘netstat’ command for finding out non-functional yet open ports and associated services. You may also setup ‘iptables’ rules to close all open ports. Similarly ‘chkconfig’ command can be used to disable all unwanted network services. Disabling unused network ports/services can go a long way to keep your server out of the hackers’ reach.
A secure server is the foundation of a reliable website/application. Today, server security is not a privilege, but rather a mandate. So it’s important to secure your Linux server from the ground up before it gets too late.
While securing a Linux server is no doubt a challenging task, you can rely upon the best practices discussed in this article to prevent common security vulnerabilities. In-case you don’t have the technical expertise to implement the above mentioned suggestions, you can always count on GetMyAdmin to get the job done. Our comprehensive Linux Server Hardening service can ensure you a fully secure server environment. So bid adieu to all your anxiety with respect to security breaches by enrolling for our server hardening service today.