Shulou(Shulou.com)06/03 Report--

This article introduces the relevant knowledge of "what are the skills of Linux server security enhancement". In the operation of actual cases, many people will encounter such a dilemma, so let the editor lead you to learn how to deal with these situations. I hope you can read it carefully and be able to achieve something!

What are the skills of Linux server security enhancement? The Linux server strengthens the update server, creates new privileged users, uploads SSH keys, strengthens SSH, enables firewalls, installs Fail2ban, and removes useless network services.

1. Update the server

The first thing to do to secure the server is to update the local repository and upgrade the operating system and installed applications by applying the latest patches.

On Ubuntu and Debian:

$sudo apt update & & sudo apt upgrade-y

On Fedora, CentOS, or RHEL:

$sudo dnf upgrade

2. Create a new privileged user

Create a new user account. Instead of logging in to the server as root, create your own account (user), give it sudo permissions, and then use it to log in to your server.

First create a new user:

$adduser

Grant the new user account sudo permissions by appending the sudo group (- G) to the user's group membership:

$usermod-a-G sudo

3. Upload SSH key

You should log in to the new server using the SSH key. You can use the ssh-copy-id command to upload the pre-generated SSH key to your new server:

$ssh-copy-id @ ip_address

Now you can log in to the new server without entering a password.

4. Security enhanced SSH

Next, make the following three changes:

Disable SSH password authentication

Restrict root remote login

Restrict access to IPv4 or IPv6

Open / etc/ssh/sshd_config using the text editor of your choice and make sure the following lines:

PasswordAuthentication yes

PermitRootLogin yes

Change it to this:

PasswordAuthentication no

PermitRootLogin no

Next, restrict the SSH service to IPv4 or IPv6 by modifying the AddressFamily option. To change it to use only IPv4 (which should be fine for most people), make the following changes:

AddressFamily inet

Restart the SSH service to enable your changes. Note that it is a good idea to establish two active connections to the server before restarting the SSH service. With these additional connections, you can fix all problems in the event of an error in restarting the SSH service.

On Ubuntu:

$sudo service sshd restart

On Fedora or CentOS or any system that uses Systemd:

$sudo systemctl restart sshd

5. Enable the firewall

Now you need to install a firewall, enable it, and configure it to allow only the network traffic you specify to pass through. Simple UFW (on Ubuntu) is an easy-to-use iptables interface that greatly simplifies the firewall configuration process.

You can install UFW in the following ways:

$sudo apt install ufw

By default, UFW rejects all incoming connections and allows all outgoing connections. This means that any application on the server can access the Internet, but any content that attempts to access the server cannot be connected.

First, make sure you can log in by enabling access to SSH, HTTP, and HTTPS:

$sudo ufw allow ssh

$sudo ufw allow http

$sudo ufw allow https

Then enable UFW:

$sudo ufw enable

You can see which services are allowed and denied in the following ways:

$sudo ufw status

If you want to disable UFW, you can disable it by typing:

$sudo ufw disable

You can also use firewall-cmd (on RHEL/CentOS), which has been installed and integrated into some distributions.

6. Install Fail2ban

Fail2ban is an application that checks server logs for duplicates or automatic attacks. If any attacks are found, it changes the firewall to block the attacker's IP address permanently or for a specified period of time.

You can install Fail2ban by typing:

$sudo apt install fail2ban-y

Then copy the accompanying configuration file:

$sudo cp / etc/fail2ban/jail.conf / etc/fail2ban/jail.local

Restart Fail2ban:

$sudo service fail2ban restart

That's it. The software will constantly check the log files for attacks. After a while, the application will establish a considerable number of blocked IP address lists. You can view this list by querying the current status of the SSH service in the following ways:

$sudo fail2ban-client status ssh

7. Remove useless network services

Almost all Linux server operating systems have enabled some network-oriented services. You may want to keep most of them, however, there are some you may want to delete. You can use the ss command to view all running web services: (LCTT translation note: only a few should be retained, and all confirmed irrelevant and useless services should be disabled or deleted. )

$sudo ss-atpu

The output of ss depends on your operating system. The following is an example that shows that the SSH (sshd) and Ngnix (nginx) services are listening on the network and preparing to connect:

Tcp LISTEN 0128 *: http *: * users: ("nginx", pid=22563,fd=7)

Tcp LISTEN 0128 *: ssh *: * users: ("sshd", pid=685,fd=3)

The way you delete unused services varies depending on your operating system and the package manager it uses.

To delete unused services on Debian / Ubuntu:

$sudo apt purge

To delete unused services on Red Hat/CentOS:

$sudo yum remove

Run ss-atup again to verify that these unused services are not installed and running.

This is the end of the content of "what are the skills of Linux Server Security Enhancement". Thank you for reading. If you want to know more about the industry, you can follow the website, the editor will output more high-quality practical articles for you!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.