2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This introductory article will introduce you to the basic Linux server security knowledge. Although it is mainly for Debian/Ubuntu, you can apply everything described here to other Linux distributions. I also encourage you to study this material and expand it where applicable.
1. Update your server
The first thing to do to secure the server is to update the local repository and upgrade the operating system and installed applications by applying the latest patches.
On Ubuntu and Debian:
$ sudo apt update && sudo apt upgrade -y
On Fedora, CentOS, or RHEL:
$ sudo dnf upgrade
2. Create a new privileged user
Next, create a new user account. Never log in to the server as root, but create your own account (user), give it sudo permissions, and then use it to log in to your server.
First create a new user:
$ adduser <username>
Grant the new user account sudo permissions by appending the sudo group (-G) to the user's group membership:
$ usermod -a -G sudo <username>
3. Upload your SSH key
You should log in to the new server using the SSH key. You can use the ssh-copy-id command to upload the pre-generated SSH key to your new server:
$ ssh-copy-id <username>@ip_address
Now you can log in to the new server without entering a password.
4. Security enhanced SSH
Next, make the following three changes:
Disable SSH password authentication
Restrict root remote login
Restrict access to IPv4 or IPv6
Open /etc/ssh/sshd_config using the text editor of your choice and find the following lines:
PasswordAuthentication yes
PermitRootLogin yes
Change them to this:
PasswordAuthentication no
PermitRootLogin no
Next, restrict the SSH service to IPv4 or IPv6 by modifying the AddressFamily option. To change it to use only IPv4 (which should be fine for most people), make the following changes:
AddressFamily inet
Restart the SSH service to enable your changes. It is a good idea to open two active SSH connections to the server before restarting the service: if the restart fails, you can still use the existing sessions to fix the problem without locking yourself out.
On Ubuntu:
$ sudo service sshd restart
On Fedora or CentOS or any system that uses Systemd:
$ sudo systemctl restart sshd
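The three sshd_config changes above are easy to get subtly wrong by hand (a commented-out default left in place, a duplicate key further down that wins). The following script is an added example, not part of the original article: it applies the settings idempotently and checks the effective values before you restart sshd. It assumes a Debian/Ubuntu-style sshd_config without Match blocks.

```shell
#!/bin/sh
# Added example: apply and verify the step-4 sshd_config hardening.
# Assumption: no "Match" blocks, so the first uncommented key wins globally.

# set_sshd_option FILE KEY VALUE: rewrite every existing (commented or not)
# line for KEY as "KEY VALUE", or append the setting if KEY is absent.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        # Make sure the file ends with a newline before appending.
        [ -z "$(tail -c1 "$file")" ] || printf '\n' >> "$file"
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE: the three changes from step 4.
harden_sshd_config() {
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" AddressFamily inet
}

# check_sshd_config FILE: return 0 only if the effective (first uncommented)
# value of each key is the hardened one; anything else returns 1.
check_sshd_config() {
    for pair in "PasswordAuthentication no" "PermitRootLogin no" "AddressFamily inet"; do
        key=${pair% *}; want=${pair#* }
        got=$(grep -E "^[[:space:]]*${key}[[:space:]]" "$1" | head -n1 | awk '{print $2}')
        [ "$got" = "$want" ] || return 1
    done
    return 0
}

# On a real host (as root): back up, harden, let sshd validate the syntax,
# and only then restart:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config && sshd -t && systemctl restart sshd
```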
5. Enable the firewall
Now you need to install a firewall, enable it, and configure it to allow only the network traffic you specify. UFW (Uncomplicated Firewall, on Ubuntu) is an easy-to-use front end to iptables that greatly simplifies firewall configuration.
You can install UFW in the following ways:
$ sudo apt install ufw
By default, UFW denies all incoming connections and allows all outgoing connections. This means that any application on the server can reach the Internet, but nothing that tries to reach the server can connect unless you allow it.
First, make sure you can log in by enabling access to SSH, HTTP, and HTTPS:
$ sudo ufw allow ssh
$ sudo ufw allow http
$ sudo ufw allow https
Then enable UFW:
$ sudo ufw enable
You can see which services are allowed and denied in the following ways:
$ sudo ufw status
If you want to disable UFW, you can disable it by typing:
$ sudo ufw disable
You can also use firewall-cmd (the firewalld front end on RHEL/CentOS), which some distributions install and integrate by default.
6. Install Fail2ban
Fail2ban is an application that scans server logs for repeated or automated attacks, such as brute-force login attempts. When it finds one, it changes the firewall to block the attacker's IP address, either permanently or for a specified period of time.
You can install Fail2ban by typing:
$ sudo apt install fail2ban -y
Then copy the accompanying configuration file:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Restart Fail2ban:
$ sudo service fail2ban restart
That's it. The software will continuously check the log files for attacks. After a while, it will have built up a sizable list of blocked IP addresses. You can view this list by querying the current status of the SSH jail (named sshd in the default jail.conf):
$ sudo fail2ban-client status sshd
7. Remove useless network services
Almost all Linux server operating systems ship with some network-facing services enabled. You will probably want to keep most of them, but there are some you may want to remove. You can use the ss command to list all running network services. (LCTT translation note: only the few you need should be retained; every service confirmed to be irrelevant or unused should be disabled or removed.)
$ sudo ss -atpu
The output of ss depends on your operating system. The following example shows the SSH (sshd) and Nginx (nginx) services listening on the network and ready to accept connections:
tcp LISTEN 0 128 *:http *:* users:(("nginx",pid=22563,fd=7))
tcp LISTEN 0 128 *:ssh *:* users:(("sshd",pid=685,fd=3))
The way you delete unused services varies depending on your operating system and the package manager it uses.
To delete unused services on Debian / Ubuntu:
$ sudo apt purge <service_name>
To delete unused services on Red Hat/CentOS:
$ sudo yum remove <service_name>
Run ss -atpu again to verify that these unused services are no longer installed and running.
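Eyeballing the ss table works for one server; for a repeatable check it helps to compare the listening programs against an allow-list so that anything unexpected stands out. The script below is an added example, not part of the original article: it parses listener rows in the shape that ss -atpu prints and reports programs that are not on the list. The allow-list and the sample output are constructed for the example.

```shell
#!/bin/sh
# Added example: flag listening services that are not on an allow-list,
# using output shaped like `ss -atpu`. Allow-list and sample are constructed.

ALLOWED="sshd nginx"   # the services this (hypothetical) server should expose

# listening_programs INPUT: distinct program names of sockets in LISTEN state,
# taken from the users:(("name",pid=...,fd=...)) column. Rows without that
# column (ss run without root) are skipped rather than misparsed.
listening_programs() {
    awk '$2 == "LISTEN" {
            if (match($0, /users:\(\("[^"]+"/))
                print substr($0, RSTART + 9, RLENGTH - 10)
         }' "$1" | sort -u
}

# unexpected_listeners INPUT: print listening programs not in $ALLOWED,
# one per line; return 1 if any were found, 0 otherwise.
unexpected_listeners() {
    found=0
    for prog in $(listening_programs "$1"); do
        case " $ALLOWED " in
            *" $prog "*) ;;
            *) echo "$prog"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample in the layout of `ss -atpu`: two expected listeners, an
# established session, a UDP client socket, and a local-only mail listener.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port  Process
tcp   LISTEN 0      128    *:http            *:*   users:(("nginx",pid=22563,fd=7))
tcp   LISTEN 0      128    *:ssh             *:*   users:(("sshd",pid=685,fd=3))
tcp   ESTAB  0      0      10.0.0.5:ssh      10.0.0.9:51234 users:(("sshd",pid=9001,fd=4))
udp   UNCONN 0      0      0.0.0.0:bootpc    0.0.0.0:*      users:(("dhclient",pid=410,fd=6))
tcp   LISTEN 0      5      127.0.0.1:smtp    *:*   users:(("exim4",pid=777,fd=5))
EOF

# On a real host, replace the sample with: sudo ss -atpu > listeners.txt
unexpected_listeners "$SAMPLE" || echo "review the listeners above"
```

Only exim4 is reported; the established sshd session and the UDP client socket are not listeners and are ignored.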
Summary
This tutorial describes the minimum steps required to harden a Linux server. You should add further security layers depending on how the server is used, such as hardening the configuration of individual applications, running an intrusion detection system (IDS), and enabling stronger access control (for example, two-factor authentication).