Note: this tutorial was created using a Ubuntu server, but it should apply for other Linux distributions too, including your local web server.
1. Remove the Root SSH Access
One of the quickest ways to secure your Ubuntu server is to secure your SSH daemon by disabling your Root SSH access. By default, the OpenSSH server allows any incoming connection to log in as the root user. For example, running the following command in an insecure server will provide a login prompt: This can be an issue, as this leaves your server open and vulnerable to a password brute force attack. To fix this, log in to your Linux server and update your SSH daemon’s configuration file. Once you are inside your Linux server, edit the SSH config file: Search for the PermitRootLogin variable in GNU Nano by pressing Ctrl + W and typing PermitRootLogin. Change the value of PermitRootLogin from “yes” to “no,” then save the file by pressing Ctrl + o, then Ctrl + x. To apply the new setting, reload the server’s SSH daemon through systemctl:
2. Use a Public Keypair for SSH Access
Another quick way to secure your Linux server is to create a public keypair between your local and SSH user account. This approach skips the password login process and automatically authenticates you to your remote server. To create a public keypair, you need to first run the following command in your local machine: The keygen program will ask you for a number of details about the key you want to make. You can safely leave these options on default by pressing Enter three times. Export your new public keypair to your remote server by using the ssh-copy-id program. This is a simple utility that prepares both the local and remote machines for public key authentication over SSH. Log in to your remote machine by running the following command: It is also possible to further secure your Linux server by removing the login prompt in SSH. Open your daemon’s configuration file with the following command: Find the PasswordAuthentication variable and change its value from “yes” to “no.” Reload your SSH daemon by running the following command:
3. Harden the Firewall of Your Linux Server
Aside from restricting SSH access, you can also improve your Linux server’s security by configuring your firewall. By default, a new Linux machine will accept all incoming connections from any port. This can be an issue, as it leaves your server vulnerable to a port scanning attack. For example, a bad actor can scan your machine for any insecure ports and use that to find a suitable exploit. One way to fix this is by installing ufw, a simple firewall client that can control the ports and addresses that are available to the outside world. Run the following command to install ufw in Ubuntu: Set the default rules for ufw. These are the policies that your firewall will follow for any port that you do not customize. It is good practice to make sure that you are blocking all incoming connections: Configure your firewall for the services that you want to run in your machine. For example, running the following commands will allow you to log in through SSH and host a web server: Lastly, you need to enable your new firewall configuration by running sudo ufw enable. Further, you can check whether your firewall is online by running this command:
4. Create a New User for Every Service
By default, every file and program in a Linux system belongs to a particular user and group. To modify the system, you need to have the right permissions for the right folders. One way to increase the security of your Linux server is to create a new user account for every new service. This approach allows you to contain the privileges for each service to their own user account. To do this, run the following commands:
The -s flag sets the system shell for the new user account. In my case, my new account uses Bash for its shell. Both the -d and -m flags set the default user directory for the new account. The -G flag, on the other hand, adds the new account to any secondary groups that you specify. For example, adding the new account to the sudo group will allow it to run superuser commands. The passwd command allows you to set a new password for the new user account.
Once done, you can use your new user account by either logging off your current account or running su new-service.
5. Harden the Kernel of Your Server
The kernel is one of the most important parts of a Linux system and is the glue that links your machine’s hardware to your software. For example, compiling your own Linux kernel allows you to enable support for exotic hardware and features. Aside from that, the kernel also serves as the root process of the operating system. Securing the kernel is one of the most vital parts of securing your Linux server. One of the quickest ways to secure your kernel is through sysctl. This is a built-in utility that allows you to tweak the Linux kernel’s runtime options. However, it is important to note that sysctl will not cover the entire kernel hardening process, as securing the kernel will largely depend on what you need from it. Knowing that, you can run the following commands to prevent your kernel from reporting any diagnostics information: You can also run the following commands to tell your kernel to drop any fake connection requests made to your server: These commands, on the other hand, will force the kernel to validate each incoming connection to the machine: Lastly, the following set of commands will prevent any incoming connection to redirect the network traffic to a different gateway. Doing this will prevent your machine from falling foul to a man-in-the-middle attack. Tips: other than the above tips, you can also make use of these open-source tools to secure your Linux server. Image credit: Unsplash. All alterations and screenshots by Ramces Red. Aside from that, you could either physically access the machine and update “/etc/ssh/sshd_config” or access the root console from your VPS provider.
