Before delving into the specifics, it’s important to emphasize that hardening and securing a Linux server are not just advisable – they’re imperative.
In this comprehensive guide, I leverage my extensive experience with Linux servers to cover every essential aspect of server security and hardening.
It’s a collection of all the security and hardening measures I apply, with a link to a detailed guide for each.
Work through them one by one and your server will be far harder to compromise; no checklist makes a server unhackable, as the first tip explains.
You’ll find the best practices and practical tips to ensure your server is protected from potential threats.
Now, for the first tip, it’s not about a specific system adjustment or change, but about how you think about server security.
Whether you’re a server administrator or a security professional, understanding the right mindset for server security is crucial.
Let’s be clear about what’s possible and what’s not in server security.
Technically, an unhackable server is possible if it’s never turned on and stays disconnected.
However, this isn’t practical for servers that need to be publicly accessible, like those hosting WordPress websites or online stores.
New vulnerabilities, including ones nobody has disclosed yet, appear daily.
Don’t fall into the trap of believing that your servers are invincible, or that hiring a top-notch security expert eliminates all risk.
Real security means assuming a breach is possible and being prepared to detect it and recover from it at any time.
Choosing the right server provider is crucial, and security should be a top consideration.
Think about it: if your provider doesn’t protect its network from DDoS attacks and one hits you, you’re left with few options.
You administer the operating system, but the network and hardware underneath it are in the provider’s hands.
One option is Hetzner, where I host all my servers.
I’ve never encountered any security issues with this provider.
They put a lot of effort into securing their infrastructure, and, being based in Germany, they deliver the quality Germany is known for.
If you’re interested in trying out Hetzner and you’re a new customer, use my referral link to receive 20€ in free credits to get started.
Before you start using and managing your server, there are some essential practices that ensure you’re managing it safely.
They should be implemented on every newly deployed server before anything else: strong passwords, a non-root user with sudo privileges, SSH key authentication instead of passwords, the first round of updates, a basic firewall, and an SSH client config file for quick access.
Make them your first task after the server comes up.
Using strong passwords is a well-known practice, and there isn’t much to add.
When accessing your server for the first time, you are probably using the root user and a password, which is not recommended.
The root user has total control over the entire server and password authentication leaves your server vulnerable to brute force attacks.
Adding a non-root user with sudo privileges and using SSH key authentication ensures safer administration and protects your server against brute force attacks.
It is crucial to regularly update your server to ensure it is patched with the latest security updates.
Setting up a basic firewall is a must at the beginning, with only SSH traffic allowed. Then you have time to plan for a more advanced setup.
Lastly, an SSH client config file (~/.ssh/config on your workstation) is not a security measure in itself, but it gives you quick, consistent access to the server when troubleshooting, and it keeps the key, user and port you chose from being mistyped.
Read: I’ve written a detailed guide covering all the essential security practices you should implement on every newly deployed server.
Securing your Linux server requires secure user management.
It’s important to restrict user access to their own data, secure login credentials, and employ secure methods for server access.
Furthermore, knowing the risks of using the root user and mastering the use of sudo to grant necessary privileges is vital.
Understanding how to manage the sudoers file is also crucial.
Read: Discover my comprehensive guide on securely managing users on Linux servers.
SSH (Secure Shell) is secure by design, but using it with the default settings isn’t enough.
In my guide about essential security practices, we touched upon the necessary tweaks for SSH to enhance security, which include disabling root access and password authentication.
However, there are additional settings to tweak to secure SSH beyond those basics.
This includes changing the SSH port, implementing access control, disabling unnecessary features, restricting which users may log in over SSH, and more. Two caveats: a non-default port only cuts the log noise from automated scanners and does nothing against a targeted attacker, and you must open the new port in the firewall before restarting sshd, or you will lock yourself out.
Read: I’ve written a detailed guide on securing SSH beyond the basics.
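As an added example that is not the author’s script, here is how the essential practices above and the SSH hardening in this section look as one first-login bootstrap for a fresh Ubuntu or Debian host: create the sudo user with a key, open the SSH port in UFW, write an sshd drop-in with the basics (no root, no passwords) and the extras (user allow-list, no forwarding, tight retry limits), and audit the configuration sshd actually ends up with. The user name `deploy`, the port `2222` and the drop-in path are assumptions; `ROOT` lets the file-writing functions target a scratch directory for testing.

```shell
#!/bin/sh
# Added example (not the author's script): first-login hardening of a fresh Ubuntu/Debian host.
# Assumes OpenSSH with "Include /etc/ssh/sshd_config.d/*.conf" at the top of sshd_config
# (Ubuntu 22.04+, Debian 12), ufw installed, and root privileges for the apply step.
# ROOT lets the file-writing functions target a scratch tree instead of the live system.
set -eu
ROOT="${ROOT:-}"

# sshd keeps the FIRST value it sees for a keyword and reads drop-ins in lexical order.
# Ubuntu cloud images ship 50-cloud-init.conf with "PasswordAuthentication yes", so the
# hardening file must sort BEFORE it: 00-, not 99-.
SSHD_DROPIN="/etc/ssh/sshd_config.d/00-hardening.conf"

write_sshd_dropin() {                 # $1 = admin user allowed in, $2 = SSH port
  mkdir -p "$ROOT$(dirname "$SSHD_DROPIN")"
  cat > "$ROOT$SSHD_DROPIN" <<EOF
# written by the bootstrap script; overrides distro defaults and 50-cloud-init.conf
Port $2
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
AuthenticationMethods publickey
AllowUsers $1
MaxAuthTries 3
LoginGraceTime 30
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no
ClientAliveInterval 300
ClientAliveCountMax 2
EOF
}

# Audit what sshd ACTUALLY uses after merging every file: pipe `sshd -T` output in.
# Prints each weak setting and returns non-zero if there is any.
audit_sshd() {
  awk '
    $1 == "permitrootlogin"              && $2 != "no" { bad++; print "weak: " $0 }
    $1 == "passwordauthentication"       && $2 != "no" { bad++; print "weak: " $0 }
    $1 == "kbdinteractiveauthentication" && $2 != "no" { bad++; print "weak: " $0 }
    $1 == "permitemptypasswords"         && $2 != "no" { bad++; print "weak: " $0 }
    $1 == "x11forwarding"                && $2 != "no" { bad++; print "weak: " $0 }
    $1 == "maxauthtries"                 && $2 + 0 > 3 { bad++; print "weak: " $0 }
    END { exit (bad > 0) }'
}

provision() {                          # provision ADMIN PORT "PUBKEY"  (run as root)
  admin="$1"; port="$2"; pubkey="$3"
  adduser --disabled-password --gecos "" "$admin"
  usermod -aG sudo "$admin"
  install -d -m 700 -o "$admin" -g "$admin" "/home/$admin/.ssh"
  printf '%s\n' "$pubkey" > "/home/$admin/.ssh/authorized_keys"
  chown "$admin:$admin" "/home/$admin/.ssh/authorized_keys"
  chmod 600 "/home/$admin/.ssh/authorized_keys"
  # Firewall FIRST: default deny, rate-limited SSH on the new port. Restarting sshd before
  # this, or forgetting the provider's cloud firewall, locks you out.
  ufw default deny incoming
  ufw default allow outgoing
  ufw limit "$port/tcp" comment 'SSH (rate limited)'
  ufw --force enable
  write_sshd_dropin "$admin" "$port"
  sshd -t                              # syntax check; a typo here would leave you without SSH
  systemctl daemon-reload
  systemctl restart ssh.socket 2>/dev/null || true   # socket-activated sshd (Ubuntu 22.10+) binds the port itself
  systemctl restart ssh
  ss -tlnp | grep -q ":$port " || echo "WARNING: nothing listening on $port; check ListenStream in ssh.socket"
  sshd -T | audit_sshd && echo "sshd hardening verified; test a NEW login before closing this session"
}

if [ "${1:-}" = "apply" ]; then
  provision "$2" "$3" "$4"
fi
```

Run it as root with `sh bootstrap.sh apply deploy 2222 "ssh-ed25519 AAAA... you@laptop"` and keep the first session open until `ssh -p 2222 deploy@host` works from a second terminal. Two things bite in practice: sshd takes the first value it sees for each keyword, so a drop-in named `99-…` loses to Ubuntu’s `50-cloud-init.conf` and passwords stay enabled; and where sshd is socket-activated, a `Port` line takes effect only after the socket unit is restarted, so confirm with `ss -tlnp` that sshd listens on the new port and, if it does not, set `ListenStream=` in an override for `ssh.socket`.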
Fail2Ban is a security tool that helps protect your server from unauthorized access attempts and brute force attacks by monitoring logs for suspicious activities and blocking the IP addresses of attackers.
This will allow your server to harden itself against these access attempts without intervention from you.
Securing SSH by disabling password authentication and allowing only keys removes the payoff of brute force, which reduces the need for Fail2ban.
I still recommend installing it as an additional layer: it stops persistent attackers from filling your logs and tying up sshd’s unauthenticated connection slots, and it covers other services that expose a login.
Read: Explore my detailed guide on installing and configuring Fail2ban.
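To make findtime, maxretry and bantime concrete, here is an added example (not the author’s configuration) that replays the logic of Fail2ban’s sshd jail over a handful of constructed auth.log lines and writes the jail.local that configures the real service. The log lines and the `198.51.100.1/32` management address are made up for illustration; `ROOT` redirects the file write for testing.

```shell
#!/bin/sh
# Added example (not the author's): what a Fail2ban sshd jail does, replayed over sample log
# lines, plus the jail.local that configures the real thing. The log lines are CONSTRUCTED
# (TEST-NET addresses); ROOT redirects file writes to a scratch tree.
set -eu
ROOT="${ROOT:-}"

SAMPLE_AUTH_LOG='Jan 12 10:00:01 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 50012 ssh2
Jan 12 10:00:03 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 50012 ssh2
Jan 12 10:00:04 web1 sshd[4025]: Failed publickey for deploy from 198.51.100.9 port 51000 ssh2: ED25519 SHA256:abc
Jan 12 10:00:05 web1 sshd[4030]: Accepted publickey for deploy from 198.51.100.9 port 51000 ssh2: ED25519 SHA256:def
Jan 12 10:00:06 web1 sshd[4021]: Failed password for root from 203.0.113.5 port 50012 ssh2
Jan 12 10:00:08 web1 sshd[4031]: Failed password for root from 203.0.113.5 port 50013 ssh2
Jan 12 10:00:09 web1 sshd[4032]: Failed password for root from 203.0.113.5 port 50014 ssh2
Jan 12 10:30:00 web1 sshd[4100]: Failed password for git from 192.0.2.77 port 40000 ssh2
Jan 12 10:45:00 web1 sshd[4101]: Failed password for git from 192.0.2.77 port 40001 ssh2
Jan 12 11:00:00 web1 sshd[4102]: Failed password for git from 192.0.2.77 port 40002 ssh2
Jan 12 11:15:00 web1 sshd[4103]: Failed password for git from 192.0.2.77 port 40003 ssh2
Jan 12 11:30:00 web1 sshd[4104]: Failed password for git from 192.0.2.77 port 40004 ssh2'

# banned_ips MAXRETRY FINDTIME_SECONDS  (log on stdin) -> IPs with >= MAXRETRY failures inside a
# sliding FINDTIME window. Like the stock sshd filter in normal mode, only failed passwords
# count: a rejected public key is not a failure, since clients legitimately offer several keys.
# Timestamps are reduced to seconds of the day (the sample is a single day).
banned_ips() {
  awk -v maxretry="$1" -v findtime="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
      split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      n[ip]++; ts[ip, n[ip]] = now
      while (head[ip] < n[ip] && ts[ip, head[ip] + 1] <= now - findtime) head[ip]++
      if (n[ip] - head[ip] >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# jail.local overrides jail.conf, which package upgrades overwrite. backend=systemd reads the
# journal directly, so it also works on hosts without rsyslog and /var/log/auth.log.
write_jail_local()   {                 # $1 = CIDR that must never be banned (your management IP)
  mkdir -p "$ROOT/etc/fail2ban"
  cat > "$ROOT/etc/fail2ban/jail.local" <<EOF
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 $1
bantime  = 3600
findtime = 600
maxretry = 5
backend  = systemd

[sshd]
enabled = true
port    = ssh
EOF
}

# Demo: with the defaults above only the fast password sprayer (203.0.113.5) gets banned;
# the slow one (192.0.2.77) never has 5 failures inside 10 minutes.
printf '%s\n' "$SAMPLE_AUTH_LOG" | banned_ips 5 600

if [ "${1:-}" = "apply" ]; then
  write_jail_local "$2"
  systemctl restart fail2ban
  fail2ban-client status sshd         # current bans for the jail
fi
```

Run with `apply <your-ip>/32` as root. `port = ssh` resolves to 22; if you moved SSH, put the number there. `fail2ban-client status sshd` shows current bans and `fail2ban-client set sshd unbanip <ip>` releases one. Note how the slow attacker in the sample stays under the radar with the defaults: lengthening `findtime` catches it, at the price of banning a legitimate user who fat-fingers a password a few times an hour, which is what `ignoreip` is for.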
It is crucial to regularly update your servers because many hacks happen when servers aren’t patched with the latest security updates.
Not taking patching seriously is like leaving your front door wide open and being shocked when someone walks in uninvited.
You should know how to update manually, how to set up automatic security updates, and, on Ubuntu, how to enable the Canonical Livepatch Service to patch the running kernel without a reboot.
Manual updating is for everything that isn’t a security patch: I don’t recommend automating those, because a feature update can break a service, and you want to be at the keyboard when it does.
I use Unattended Upgrades for automatic security updates along with the Canonical Livepatch Service for kernel patches.
Read: I’ve written a detailed guide on automating security updates for a Linux server, as well as enabling the Canonical Livepatch Service.
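An added example, not the author’s configuration, of what that setup looks like on Ubuntu: unattended-upgrades restricted to the security pocket with automatic reboots off, Livepatch enabled through the Ubuntu Pro client (the token is a placeholder you get from your own Ubuntu Pro account), and a check for a pending reboot that Livepatch cannot avoid. `ROOT` redirects the writes for testing.

```shell
#!/bin/sh
# Added example (not the author's configuration): security-only unattended upgrades on Ubuntu,
# Livepatch through the Ubuntu Pro client, and a pending-reboot check. The Pro token is a
# placeholder from your own account; ROOT redirects file writes to a scratch tree for testing.
set -eu
ROOT="${ROOT:-}"
APT_D="/etc/apt/apt.conf.d"

# Daily metadata refresh and unattended run (what `dpkg-reconfigure unattended-upgrades` writes).
write_auto_upgrades() {
  mkdir -p "$ROOT$APT_D"
  cat > "$ROOT$APT_D/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF
}

# Local policy in a file that sorts after the packaged 50unattended-upgrades, so package
# upgrades never clobber it. #clear drops the packaged origin list; only the security pockets
# (and ESM, if attached) are re-added, so feature upgrades remain a manual job.
write_unattended_policy() {
  mkdir -p "$ROOT$APT_D"
  cat > "$ROOT$APT_D/52unattended-upgrades-local" <<'EOF'
#clear Unattended-Upgrade::Allowed-Origins;
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
};
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Never reboot behind your back: check needs_reboot and schedule the reboot yourself.
Unattended-Upgrade::Automatic-Reboot "false";
EOF
}

# Livepatch patches the running kernel, but a new kernel image still needs a reboot. Ubuntu
# flags that in /run/reboot-required and lists the packages in /run/reboot-required.pkgs.
needs_reboot() {
  [ -f "$ROOT/run/reboot-required" ] || return 1
  echo "reboot pending for:" $(cat "$ROOT/run/reboot-required.pkgs" 2>/dev/null)
}

if [ "${1:-}" = "apply" ]; then
  apt-get install -y unattended-upgrades
  write_auto_upgrades
  write_unattended_policy
  unattended-upgrade --dry-run --debug       # shows which origins matched and what would install
  pro attach "$2"                            # $2 = Ubuntu Pro token (placeholder)
  pro enable livepatch
  canonical-livepatch status
  needs_reboot || echo "no reboot pending"
fi
```

`unattended-upgrade --dry-run --debug` shows which origins matched and what would be installed; `/var/log/unattended-upgrades/unattended-upgrades.log` records what actually was. Livepatch covers high and critical kernel CVEs on the running kernel, but a new kernel package still needs a reboot, which is what `needs_reboot` tells you.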
A firewall plays a key role in server security.
Think of it as your server’s bouncer – it filters incoming and outgoing traffic, allowing only authorized access to specific ports.
It is important to run two firewalls: one on the host (OS-level) and one at the provider (cloud-level).
The cloud firewall drops unwanted traffic before it ever reaches your machine, the host firewall still protects you if the cloud rules are misconfigured, and the two together give you room for a more advanced configuration later.
Read: I’ve written a detailed guide on setting up a firewall using UFW, which is the OS-level firewall, and I’ve written a detailed guide on setting up a cloud firewall, which is the cloud-level firewall.
Attackers craft TCP packets with bogus flag combinations, or with flags and sequence numbers that match no open connection, to probe a firewall or slip past it; the kernel’s connection tracker classifies such packets as INVALID.
UFW’s default rules already drop INVALID packets arriving at the server, but not every crafted packet ends up in that state, and there are situations where they still get through.
Two additional rules in UFW’s configuration files close the gap.
Read: Explore my tutorial on effectively blocking INVALID packets with UFW.
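The following is an added example, not the two rules from the author’s tutorial, showing one gap of that kind and how to verify the fix. A TCP packet that is neither a SYN nor part of a tracked connection is, with the kernel default `nf_conntrack_tcp_loose=1`, classified NEW rather than INVALID, so an ACK scan (`nmap -sA`) against an allowed port gets an RST back and learns that the port is reachable. The snippet adds a rule to `/etc/ufw/before.rules` that drops such packets, turns off loose pickup in `/etc/ufw/sysctl.conf`, and parses `iptables-save` output to confirm that both the stock INVALID drop and the new rule are loaded. The sample ruleset in the test is constructed and `ROOT` redirects writes.

```shell
#!/bin/sh
# Added example (not the two rules from the author's tutorial): close the "NEW but not SYN" gap.
# UFW's stock before.rules already drop INVALID packets on input. But with the kernel default
# net.netfilter.nf_conntrack_tcp_loose=1, a lone ACK with no tracked connection (nmap -sA, or
# anything arriving mid-stream) is NOT invalid: conntrack picks it up as NEW, it reaches the
# port rules, and an allowed port answers RST, telling the scanner the port is reachable.
# Fix both ways: drop NEW-without-SYN explicitly, and disable loose pickup so such packets
# become INVALID and hit the stock rule. ROOT redirects writes to a scratch tree for testing.
set -eu
ROOT="${ROOT:-}"

RULES_MARKER='# End required lines'
EXTRA_RULES='# drop TCP packets that claim a new connection without SYN (ACK scans, mid-stream pickup)
-A ufw-before-input -p tcp ! --syn -m conntrack --ctstate NEW -j DROP'

# Insert EXTRA_RULES once, directly after the marker line in before.rules (idempotent).
patch_before_rules() {
  f="$ROOT/etc/ufw/before.rules"
  grep -qF -- '! --syn -m conntrack --ctstate NEW -j DROP' "$f" && return 0
  awk -v marker="$RULES_MARKER" -v extra="$EXTRA_RULES" \
      '{ print } $0 == marker { print extra }' "$f" > "$f.tmp"
  mv "$f.tmp" "$f"
}

# /etc/ufw/sysctl.conf is applied by ufw itself after it loads nf_conntrack, so the key exists;
# a plain /etc/sysctl.d file can run before the module is loaded and silently do nothing.
set_tcp_loose_off() {
  f="$ROOT/etc/ufw/sysctl.conf"
  mkdir -p "$(dirname "$f")"
  grep -q '^net/netfilter/nf_conntrack_tcp_loose' "$f" 2>/dev/null && return 0
  printf '\n# non-SYN packets with no tracked connection are INVALID, not NEW\nnet/netfilter/nf_conntrack_tcp_loose=0\n' >> "$f"
}

# Pipe `iptables-save` in: true only if both the stock INVALID drop and the new rule are loaded.
# iptables-save rewrites "! --syn" as "! --tcp-flags FIN,SYN,RST,ACK SYN", hence the alternation.
verify_ruleset() {
  awk '
    /^-A ufw-before-input -m conntrack --ctstate INVALID -j DROP/ { inv = 1 }
    /^-A ufw-before-input -p tcp .*! --(syn|tcp-flags FIN,SYN,RST,ACK SYN) .*--ctstate NEW -j DROP/ { syn = 1 }
    END { exit !(inv && syn) }'
}

if [ "${1:-}" = "apply" ]; then
  patch_before_rules
  set_tcp_loose_off
  sysctl -w net.netfilter.nf_conntrack_tcp_loose=0    # take effect now; ufw re-applies it on start
  ufw reload                                           # re-reads before.rules
  iptables-save | verify_ruleset && echo "INVALID and NEW-without-SYN are both dropped"
fi
```

After `apply`, an ACK scan from outside (`nmap -sA -p 22,80,443 <host>`) should report every port as filtered instead of unfiltered, because the unsolicited ACKs are now dropped rather than answered. `verify_ruleset` reads the live ruleset, so it also catches the case where `ufw reload` rejected the edited file and kept the old rules.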
While the Linux kernel is fairly secure by default, there are steps we can take to make it even safer.
Kernel hardening reduces the exposure to certain network attacks and information leaks, making reconnaissance harder for an attacker.
It involves adjusting kernel parameters through sysctl, persisted in a file under /etc/sysctl.d so they survive a reboot.
Read: Explore my detailed guide on hardening the Linux kernel.
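As an added example (not the author’s parameter list), here is a sysctl drop-in with the network, kernel and filesystem settings most hardening guides agree on, each group with a one-line reason, plus a drift check that compares every expected value with what the running kernel reports. `ROOT` and `GETTER` exist only so the logic can be tested without touching a kernel; in production leave both unset.

```shell
#!/bin/sh
# Added example (not the author's list): a sysctl hardening drop-in plus a drift check.
# 99- sorts after the distribution defaults in /usr/lib/sysctl.d, so these values win.
# ROOT and GETTER exist only so the logic can be tested without a kernel; leave both unset
# in production (GETTER then defaults to `sysctl -n`).
set -eu
ROOT="${ROOT:-}"
GETTER="${GETTER:-sysctl -n}"
SYSCTL_CONF="/etc/sysctl.d/99-hardening.conf"

write_sysctl_hardening() {
  mkdir -p "$ROOT$(dirname "$SYSCTL_CONF")"
  cat > "$ROOT$SYSCTL_CONF" <<'EOF'
# network: a server is not a router; ignore redirects, source routes and spoofed sources
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# log packets with impossible source addresses; ignore broadcast pings and bogus ICMP errors
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# survive SYN floods; ignore RST in TIME_WAIT (RFC 1337)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_rfc1337 = 1
# kernel: less information and fewer tools for an attacker who already has a shell
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.yama.ptrace_scope = 1
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2
kernel.sysrq = 0
kernel.randomize_va_space = 2
# filesystem: classic /tmp symlink and hardlink tricks; no core dumps from setuid binaries
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
fs.protected_fifos = 2
fs.protected_regular = 2
fs.suid_dumpable = 0
EOF
}

# sysctl_drift CONF: compare each "key = value" in CONF with the live value and print every
# mismatch as "key live=X expected=Y"; returns 0 only when nothing drifted.
sysctl_drift() {
  drift=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while IFS='=' read -r key want; do
    key=$(printf '%s' "$key" | tr -d '[:space:]')
    want=$(printf '%s' "$want" | tr -d '[:space:]')
    live=$($GETTER "$key" 2>/dev/null) || live='<unset>'
    [ "$live" = "$want" ] || echo "$key live=$live expected=$want"
  done)
  [ -z "$drift" ] && return 0
  printf '%s\n' "$drift"
  return 1
}

if [ "${1:-}" = "apply" ]; then
  write_sysctl_hardening
  sysctl --system >/dev/null          # load every drop-in, including the new one
  sysctl_drift "$SYSCTL_CONF" && echo "all hardening values active"
fi
```

Two caveats before applying it blindly: `kernel.yama.ptrace_scope = 1` means `gdb -p` or `strace -p` on a process you did not start needs root, and `kernel.unprivileged_bpf_disabled = 1` cannot be switched back without a reboot. Run `sysctl_drift` again after the next reboot: a value that is right now but wrong then points at another drop-in or a service that sets it later.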
By default, any user on a Linux server can use commands like top, htop or ps to view all running processes, including those owned by other users.
While this can be useful in certain situations, it also exposes information to anyone with a shell: process names reveal what runs where, and command lines frequently contain passwords, tokens or paths passed as arguments.
That’s why, on a server with more than one human or application user, you should prevent users from seeing processes owned by others.
Read: Check out my tutorial on preventing users from seeing each other’s processes.
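An added example, not the author’s steps, of how that is done on a systemd-based Debian or Ubuntu host: the fstab entry that mounts /proc with hidepid, the exemption group that systemd-logind needs, and a check that the option is really in force. `ROOT` redirects the writes for testing.

```shell
#!/bin/sh
# Added example (not the author's): hide other users' processes with the hidepid mount option
# without breaking systemd-logind. ROOT redirects writes to a scratch tree for testing.
set -eu
ROOT="${ROOT:-}"

# hidepid=invisible (the numeric 2 on kernels before 5.8): /proc/<pid> of other users is not
# even listed. gid=proc exempts one group, which matters on Debian/Ubuntu because
# systemd-logind must still see every process or user sessions and polkit stop working.
FSTAB_LINE='proc /proc proc defaults,hidepid=invisible,gid=proc 0 0'

append_fstab_entry() {
  f="$ROOT/etc/fstab"
  mkdir -p "$(dirname "$f")"; touch "$f"
  grep -q 'hidepid=' "$f" && return 0          # already configured
  printf '%s\n' "$FSTAB_LINE" >> "$f"
}

write_logind_dropin() {
  d="$ROOT/etc/systemd/system/systemd-logind.service.d"
  mkdir -p "$d"
  printf '[Service]\nSupplementaryGroups=proc\n' > "$d/hidepid.conf"
}

# Pipe `findmnt -no OPTIONS /proc` in: true when hidepid is actually in force on the live mount.
hidepid_active() { tr ',' '\n' | grep -qxE 'hidepid=(2|invisible)'; }

if [ "${1:-}" = "apply" ]; then
  getent group proc >/dev/null || groupadd --system proc
  append_fstab_entry
  write_logind_dropin
  systemctl daemon-reload
  systemctl restart systemd-logind
  mount -o remount,hidepid=invisible,gid=proc /proc
  findmnt -no OPTIONS /proc | hidepid_active && echo "hidepid active: users now see only their own processes in top, htop and ps"
fi
```

After `apply`, `ps aux` as an unprivileged user lists only that user’s processes, while root and members of `proc` still see everything. Without the logind drop-in, `loginctl`, `systemctl --user` and polkit prompts break for normal users on Debian and Ubuntu, which is the usual reason people back the change out again.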
Linux servers are often thought to be safe from malware, but that’s not entirely true.
Commodity malware targets Linux servers less often, but files exchanged with Windows users and web applications such as WordPress, whose plugins and upload directories are a favourite entry point, open the door to it.
That’s why regularly scanning for malware is crucial.
I suggest always installing ClamAV (Clam AntiVirus) and Maldet (Linux Malware Detect) and using them together.
ClamAV is a free, powerful and efficient open-source scanner that detects, quarantines and removes various types of malware.
Maldet is similar but tailored to hosting environments.
It can use the ClamAV scan engine and includes a live monitoring feature that works with the Linux kernel’s inotify capability, detecting changed files and scanning them promptly.
With the ClamAV and Maldet combo, your Linux server is scanned both on a schedule and as files change, without you running scans manually.
Read: Explore my comprehensive guide to protecting Linux servers from malware using the ClamAV and Maldet combo.
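An added example (not the author’s setup) of the “no manual scans” part: a small wrapper that runs clamscan over the web and home directories nightly from a systemd timer and moves hits to a quarantine directory, a parser for clamscan’s `FOUND` lines, and the maldet inotify monitor for the same paths. The scan output is constructed (`Win.Test.EICAR_HDB-1` is ClamAV’s real signature name for the EICAR test file); the paths and the timer schedule are assumptions; `ROOT` redirects writes for testing.

```shell
#!/bin/sh
# Added example (not the author's setup): a nightly ClamAV scan of web and home directories
# with quarantine, driven by a systemd timer, plus a parser for clamscan's FOUND lines and the
# maldet inotify monitor. SAMPLE_SCAN is CONSTRUCTED output (Win.Test.EICAR_HDB-1 is the real
# ClamAV signature for the EICAR test file); paths are assumptions; ROOT redirects writes.
set -eu
ROOT="${ROOT:-}"
SCAN_PATHS="/var/www /home"
QUARANTINE="/var/quarantine"

# clamscan reports one "<path>: <signature> FOUND" line per hit (-i hides the OK lines).
# Emit "path<TAB>signature" so the result can feed a ticket, a webhook, or a daily diff.
parse_findings() {
  awk '/ FOUND$/ { sig = $(NF - 1); sub(/: [^:]* FOUND$/, ""); print $0 "\t" sig }'
}

SAMPLE_SCAN='/var/www/site/wp-content/uploads/2024/01/image.php: Win.Test.EICAR_HDB-1 FOUND
/var/www/site/wp-content/themes/twentytwentyfour/functions.php: OK

----------- SCAN SUMMARY -----------
Infected files: 1'

write_scan_units() {
  mkdir -p "$ROOT/usr/local/sbin" "$ROOT/etc/systemd/system"
  cat > "$ROOT/usr/local/sbin/clamscan-web" <<EOF
#!/bin/sh
# clamscan exit codes: 0 clean, 1 hits (already moved to quarantine), 2 scanner error
mkdir -p $QUARANTINE && chmod 700 $QUARANTINE
clamscan -r -i --move=$QUARANTINE --log=/var/log/clamscan-web.log $SCAN_PATHS
rc=\$?
[ \$rc -eq 1 ] && logger -p auth.alert -t clamscan-web "malware quarantined, see /var/log/clamscan-web.log"
exit \$rc
EOF
  chmod 755 "$ROOT/usr/local/sbin/clamscan-web"
  cat > "$ROOT/etc/systemd/system/clamscan-web.service" <<'EOF'
[Unit]
Description=Nightly ClamAV scan of web roots and home directories
[Service]
Type=oneshot
Nice=19
IOSchedulingClass=idle
ExecStart=/usr/local/sbin/clamscan-web
EOF
  cat > "$ROOT/etc/systemd/system/clamscan-web.timer" <<'EOF'
[Unit]
Description=Run clamscan-web nightly
[Timer]
OnCalendar=*-*-* 03:30:00
RandomizedDelaySec=30m
Persistent=true
[Install]
WantedBy=timers.target
EOF
}

if [ "${1:-}" = "apply" ]; then
  write_scan_units
  systemctl daemon-reload && systemctl enable --now clamscan-web.timer
  freshclam                      # first signature download; the clamav-freshclam service keeps them current
  maldet --monitor /var/www      # inotify watch; set scan_clamscan="1" in conf.maldet to use the ClamAV engine
fi
printf '%s\n' "$SAMPLE_SCAN" | parse_findings
```

Because the wrapper exits 1 when something was quarantined, the oneshot unit shows up in `systemctl --failed`, which is a cheap alarm on its own; add `SuccessExitStatus=1` to the service if you prefer to alert only through the `logger` line. To prove the pipeline end to end, put an EICAR test file under `/var/www` and run `/usr/local/sbin/clamscan-web`: it should land in `/var/quarantine` and the alert line should appear in the journal.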
Rootkits are a major concern.
They are sneaky malware that can infect your Linux server without being noticed, making them a nightmare for server administrators.
That’s why it’s crucial to understand how to prevent them from being planted on your server and how to detect them.
Read: Check out my tutorial on scanning for rootkits on a Linux server.
The final tip, although arguably not directly related to security, is crucial enough to be included in this guide.
From the start, I emphasized the importance of maintaining a prepared mindset for any situation.
Without backups, how can you be truly prepared? What if your server gets hacked? Would you prefer struggling to recover or swiftly setting up a new server and restoring your business from a backup? The latter is my choice.
I ensure my backups are stored in at least three remote locations to safeguard against hacks, server failures, or any unforeseen events, providing a reliable plan B to keep my business operational.
As for specific backup solutions, it depends on what you’re hosting. For a WordPress site, use a plugin and an automated bash script for both application-level and server-level backups.
Use WP-CLI for an additional backup, and send these three backups to three different locations.
While this may seem costly and time-consuming, the investment is worthwhile. If three locations are impractical, opt for at least one location.
Crucially, it’s not just about backing up your data – it’s about testing those backups. Ensure you have tested and functional backups, not just stored files.
Imagine your server is compromised or inaccessible, and you need to revive your business.
Test your backup, measure the time it takes to restore your business online, and have a plan in place for data restoration in case of emergencies.
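Here is an added example, not the author’s script, of the server-level half and of the testing step: archive a directory with a checksum, verify it, and then actually restore it into a scratch directory and compare byte for byte, timing the restore as suggested above. The site path, the database name and the three rclone remote names in the apply step are placeholders.

```shell
#!/bin/sh
# Added example (not the author's script): a server-level backup that proves it can be restored.
# Archive + checksum, verification, and a real test restore into a scratch directory compared
# file by file. Site path, database name and rclone remote names in the apply step are placeholders.
set -eu

backup_dir() {                 # backup_dir SRC DEST_DIR -> prints the archive path
  src="$1"; dest="$2"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$dest/$(basename "$src")-$stamp.tar.gz"
  mkdir -p "$dest"
  tar -C "$(dirname "$src")" -czf "$archive" "$(basename "$src")"
  # checksum with a relative name so it still verifies after being copied off-site
  (cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
  printf '%s\n' "$archive"
}

verify_backup() {              # verify_backup ARCHIVE -> 0 if checksum matches and the archive lists cleanly
  (cd "$(dirname "$1")" && sha256sum -c --quiet "$(basename "$1").sha256") && tar -tzf "$1" >/dev/null
}

# The step the text insists on: restore for real, compare with the original, report the time.
restore_test() {               # restore_test ARCHIVE ORIGINAL_DIR -> 0 only if every file came back identical
  scratch=$(mktemp -d); start=$(date +%s)
  tar -C "$scratch" -xzf "$1"
  if diff -r "$2" "$scratch/$(basename "$2")" >/dev/null; then ok=0; else ok=1; fi
  echo "restore took $(( $(date +%s) - start ))s, identical=$([ $ok -eq 0 ] && echo yes || echo no)"
  rm -rf "$scratch"
  return $ok
}

if [ "${1:-}" = "apply" ]; then
  dest=/var/backups/site
  archive=$(backup_dir /var/www/site "$dest")
  mysqldump --single-transaction wordpress | gzip > "$dest/wordpress-$(date -u +%Y%m%d).sql.gz"
  verify_backup "$archive"
  restore_test "$archive" /var/www/site
  # three copies, three places: one rclone remote per provider (names are placeholders)
  for remote in storagebox:backups b2:site-backups drive:backups; do
    rclone copy "$dest" "$remote/$(hostname)"
  done
fi
```

The restore test is the part worth scheduling, not just the backup: run it against the copy you pulled back from a remote, not the local archive, and against the database dump too (`gunzip -c dump.sql.gz | mysql scratch_db`), because a backup that has never been restored is a hope, not a plan.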
Great job reaching the end!
I hope this guide has been super helpful for you in securing your Linux server.
If you found value in this guide or have any questions or feedback, please don’t hesitate to share your thoughts in the comments section below.
Your input is greatly appreciated, and you can also contact me directly if you prefer.