How To Secure A Linux Server

An evolving how-to guide for securing a Linux server that, hopefully, also teaches you a little about security and why it matters.

Table of Contents

• Introduction
  • Guide Objective
  • Why Secure Your Server
  • Why Yet Another Guide
  • Other Guides
  • To Do / To Add
• Guide Overview
  • About This Guide
  • My Use-Case
  • Editing Configuration Files - For The Lazy
  • Contributing
• Before You Start
  • Identify Your Principles
  • Picking A Linux Distribution
  • Installing Linux
  • Pre/Post Installation Requirements
  • Other Important Notes
  • Using Ansible Playbooks to secure your Linux Server
• The SSH Server
  • Important Note Before You Make SSH Changes
  • SSH Public/Private Keys
  • Create SSH Group For AllowGroups
  • Secure /etc/ssh/sshd_config
  • Remove Short Diffie-Hellman Keys
  • 2FA/MFA for SSH
• The Basics
  • Limit Who Can Use sudo
  • Limit Who Can Use su
  • Run applications in a sandbox with FireJail
  • NTP Client
  • Securing /proc
  • Force Accounts To Use Secure Passwords
  • Automatic Security Updates and Alerts
  • More Secure Random Entropy Pool (WIP)
  • Add Panic/Secondary/Fake password Login Security System
• The Network
  • Firewall With UFW (Uncomplicated Firewall)
  • iptables Intrusion Detection And Prevention with PSAD
  • Application Intrusion Detection And Prevention With Fail2Ban
• The Auditing
  • File/Folder Integrity Monitoring With AIDE (WIP)
  • Anti-Virus Scanning With ClamAV (WIP)
  • Rootkit Detection With Rkhunter (WIP)
  • Rootkit Detection With chrootkit (WIP)
  • logwatch - system log analyzer and reporter
  • ss - Seeing Ports Your Server Is Listening On
  • Lynis - Linux Security Auditing
  • OSSEC - Host Intrusion Detection
• The Danger Zone
• The Miscellaneous
  • MSMTP (Simple Sendmail) with Google
  • Gmail and Exim4 As MTA With Implicit TLS
  • Separate iptables Log File
• Left Over
  • Contacting Me
  • Helpful Links
  • Acknowledgments
  • License and Copyright

(TOC made with nGitHubTOC)

Introduction

Guide Objective

This guides purpose is to teach you how to secure a Linux server.

There are a lot of things you can do to secure a Linux server and this guide will attempt to cover as many of them as possible. More topics/material will be added as I learn, or as folks contribute.

Ansible playbooks of this guide are available at How To Secure A Linux Server With Ansible by moltenbit.

(Table of Contents)

Why Secure Your Server

I assume you're using this guide because you, hopefully, already understand why good security is important. That is a heavy topic onto itself and breaking it down is out-of-scope for this guide. If you don't know the answer to that question, I advise you research it first.

At a high level, the second a device, like a server, is in the public domain -- i.e. visible to the outside world -- it becomes a target for bad-actors. An unsecured device is a playground for bad-actors who want access to your data, or to use your server as another node for their large-scale DDOS attacks.

What's worse is, without good security, you may never know if your server has been compromised. A bad-actor may have gained unauthorized access to your server and copied your data without changing anything, so you'd never know. Or your server may have been part of a DDOS attack, and you wouldn't know. Look at many of the large scale data breaches in the news -- the companies often did not discover the data leak or intrusion until long after the bad-actors were gone.

Contrary to popular belief, bad-actors don't always want to change something or lock you out of your data for money. Sometimes they just want the data on your server for their data warehouses (there is big money in big data) or to covertly use your server for their nefarious purposes.

(Table of Contents)

Why Yet Another Guide

This guide may appear duplicative/unnecessary because there are countless articles online that tell you how to secure Linux, but the information is spread across different articles, that cover different things, and in different ways. Who has time to scour through hundreds of articles?

As I was going through research for my Debian build, I kept notes. At the end I realized that, along with what I already knew, and what I was learning, I had the makings of a how-to guide. I figured I'd put it online to hopefully help others learn, and save time.

I've never found one guide that covers everything -- this guide is my attempt.

Many of the things covered in this guide may be rather basic/trivial, but most of us do not install Linux every day, and it is easy to forget those basic things.

(Table of Contents)

Other Guides

There are many guides provided by experts, industry leaders, and the distributions themselves. It is not practical, and sometimes against copyright, to include everything from those guides. I recommend you check them out before starting with this guide.

• The Center for Internet Security (CIS) provides benchmarks that are exhaustive, industry trusted, step-by-step instructions for securing many flavors of Linux. Check their About Us page for details. My recommendation is to go through this guide (the one you're reading here) first and THEN CIS's guide. That way their recommendations will trump anything in this guide.
• For distribution specific hardening/security guides, check your distributions documentation.
• https://security.utexas.edu/os-hardening-checklist/linux-7 - Red Hat Enterprise Linux 7 Hardening Checklist
• https://cloudpro.zone/index.php/2018/01/18/debian-9-3-server-setup-guide-part-1/ - # Debian 9.3 server setup guide
• https://blog.vigilcode.com/2011/04/ubuntu-server-initial-security-quick-secure-setup-part-i/ - Ubuntu Server Initial Security guide
• https://www.tldp.org/LDP/sag/html/index.html
• https://seifried.org/lasg/
• https://news.ycombinator.com/item?id=19178964
• https://wiki.archlinux.org/index.php/Security - many folks have also recommended this one
• https://securecompliance.co/linux-server-hardening-checklist/

(Table of Contents)

To Do / To Add

• Custom Jails for Fail2ban
• MAC (Mandatory Access Control) and Linux Security Modules (LSMs)
  • https://wiki.archlinux.org/index.php/security#Mandatory_access_control
  • Security-Enhanced Linux / SELinux
    • https://en.wikipedia.org/wiki/Security-Enhanced_Linux
    • https://linuxtechlab.com/beginners-guide-to-selinux/
    • https://linuxtechlab.com/replicate-selinux-policies-among-linux-machines/
    • https://teamignition.us/how-to-stop-being-a-scrub-and-learn-to-use-selinux.html
  • AppArmor
    • https://wiki.archlinux.org/index.php/AppArmor
    • https://security.stackexchange.com/questions/29378/comparison-between-apparmor-and-selinux
    • http://www.insanitybit.com/2012/06/01/why-i-like-apparmor-more-than-selinux-5/
• disk encryption
• Rkhunter and chrootkit
  • http://www.chkrootkit.org/
  • http://rkhunter.sourceforge.net/
  • https://www.cyberciti.biz/faq/howto-check-linux-rootkist-with-detectors-software/
  • https://www.tecmint.com/install-rootkit-hunter-scan-for-rootkits-backdoors-in-linux/
• shipping/backing up logs - https://news.ycombinator.com/item?id=19178681
• CIS-CAT - https://learn.cisecurity.org/cis-cat-landing-page
• debsums - https://blog.sleeplessbeastie.eu/2015/03/02/how-to-verify-installed-packages/

(Table of Contents)

Guide Overview

About This Guide

This guide...

• ...is a work in progress.
• ...is focused on at-home Linux servers. All of the concepts/recommendations here apply to larger/professional environments but those use-cases call for more advanced and specialized configurations that are out-of-scope for this guide.
• ...does not teach you about Linux, how to install Linux, or how to use it. Check https://linuxjourney.com/ if you're new to Linux.
• ...is meant to be Linux distribution agnostic.
• ...does not teach you everything you need to know about security nor does it get into all aspects of system/server security. For example, physical security is out of scope for this guide.
• ...does not talk about how programs/tools work, nor does it delve into their nook and crannies. Most of the programs/tools this guide references are very powerful and highly configurable. The goal is to cover the bare necessities -- enough to whet your appetite and make you hungry enough to want to go and learn more.
• ...aims to make it easy by providing code you can copy-and-paste. You might need to modify the commands before you paste so keep your favorite text editor handy.
• ...is organized in an order that makes logical sense to me -- i.e. securing SSH before installing a firewall. As such, this guide is intended to be followed in the order it is presented, but it is not necessary to do so. Just be careful if you do things in a different order -- some sections require previous sections to be completed.

(Table of Contents)

My Use-Case

There are many types of servers and different use-cases. While I want this guide to be as generic as possible, there will be some things that may not apply to all/other use-cases. Use your best judgement when going through this guide.

To help put context to many of the topics covered in this guide, my use-case/configuration is:

• A desktop class computer...
• With a single NIC...
• Connected to a consumer grade router...
• Getting a dynamic WAN IP provided by the ISP...
• With WAN+LAN on IPV4...
• And LAN using NAT...
• That I want to be able to SSH to remotely from unknown computers and unknown locations (i.e. a friend's house).

(Table of Contents)

Editing Configuration Files - For The Lazy

I am very lazy and do not like to edit files by hand if I don't need to. I also assume everyone else is just like me. :)

So, when and where possible, I have provided code snippets to quickly do what is needed, like add or change a line in a configuration file.

The code snippets use basic commands like echo, cat, sed, awk, and grep. How the code snippets work, like what each command/part does, is out of scope for this guide -- the man pages are your friend.

Note: The code snippets do not validate/verify the change went through -- i.e. the line was actually added or changed. I'll leave the verifying part in your capable hands. The steps in this guide do include taking backups of all files that will be changed.

Not all changes can be automated with code snippets. Those changes need good, old-fashioned, manual editing. For example, you can't just append a line to an INI type file. Use your favorite Linux text editor.

(Table of Contents)

Contributing

I wanted to put this guide on GitHub to make it easy to collaborate. The more folks that contribute, the better and more complete this guide will become.

To contribute you can fork and submit a pull request or submit a new issue.

(Table of Contents)

Before You Start

Identify Your Principles

Before you start you will want to identify what your Principles are. What is your threat model? Some things to think about:

• Why do you want to secure your server?
• How much security do you want or not want?
• How much convenience are you willing to compromise for security and vice-versa?
• What are the threats you want to protect against? What are the specifics to your situation? For example:
  • Is physical access to your server/network a possible attack vector?
  • Will you be opening ports on your router so you can access your server from outside your home?
  • Will you be hosting a file share on your server that will be mounted on a desktop class machine? What is the possibility of the desktop machine getting infected and, in turn, infecting the server?
• Do you have a means of recovering if your security implementation locks you out of your own server? For example, you disabled root login or password protected GRUB.

These are just a few things to think about. Before you start securing your server you will want to understand what you're trying to protect against and why so you know what you need to do.

(Table of Contents)

Picking A Linux Distribution

This guide is intended to be distribution agnostic so users can use any distribution they want. With that said, there are a few things to keep in mind:

You want a distribution that...

• ...is stable. Unless you like debugging issues at 2 AM, you don't want an unattended upgrade, or a manual package/system update, to render your server inoperable. But this also means you're okay with not running the latest, greatest, bleeding edge software.
• ...stays up-to-date with security patches. You can secure everything on your server, but if the core OS or applications you're running have known vulnerabilities, you'll never be safe.
• ...you're familiar with. If you don't know Linux, I would advise you play around with one before you try to secure it. You should be comfortable with it and know your way around, like how to install software, where configuration files are, etc...
• ...is well-supported. Even the most seasoned admin needs help every now and then. Having a place to go for help will save your