security

Linux Server Security: Essential Hardening

Tejaswi Singh

Tejaswi Singh

5 min read
Linux Server Security: Essential Hardening

Securing a Linux server might sound daunting, but it's crucial for protecting your digital assets. This guide will walk you through essential security measures in simple, understandable terms.

Why Server Hardening Matters

Think of server hardening like securing your house - you want strong locks (user authentication), an alarm system (intrusion detection), and automatic lights (updates) to keep intruders away. These measures protect your server from unauthorized access and cyber attacks.

Creating a Secure User Account

Why Not Use Root?
Using the root account is like giving everyone a master key to your house. It's dangerous because root has unlimited power to change anything on your system.

Creating a Regular User

adduser demoUser

# Add user to the sudo group
usermod -aG sudo demoUser

# Verify the user got added to sudo group
groups demoUser

# To switch to demoUser
sudo -u demoUser -i

This creates a regular user named 'demoUser' with limited permissions, but can use 'sudo' for administrative tasks - similar to having a regular house key but keeping the master key locked away safely.

Automating System Updates

Why Automatic Updates Matter
Think of updates like security patches for your home's locks and windows. Without regular updates, your system becomes vulnerable to known security threats.Regular system updates are crucial for maintaining server security, but manually updating can be time-consuming and prone to human error. Let's set up automatic updates to ensure your server stays protected against known vulnerabilities.

Setting Up Unattended Upgrades

Install the unattended-upgrades package :-

sudo apt install unattended-upgrades

Navigate to the configuration directory :-

cd /etc/apt/apt.conf.d/

Enable automatic updates :-

sudo dpkg-reconfigure --priority=low unattended-upgrades

Understanding Key Configuration Files

20auto-upgrades Settings

This file controls the basic update behavior :-

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

Setting these to "1" enables daily package list updates and automatic upgrades.

50unattended-upgrades Optimization

Enable these crucial settings in /etc/apt/apt.conf.d/50unattended-upgrades :-

Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-WithUsers "true" #Optional;
Unattended-Upgrade::Automatic-Reboot-Time "03:00";

Why These Settings Matter

  • Remove-Unused-Kernel-Packages: Prevents disk space wastage from old kernels.
  • Maintains system cleanliness and reduces boot menu clutter.
  • Remove-New-Unused-Dependencies: Removes packages that were installed as dependencies but are no longer needed.
  • Remove-Unused-Dependencies: Keeps your system lean by removing obsolete packages.
  • Automatic-Reboot: Ensures kernel updates take effect.
  • Automatic-Reboot-WithUsers: Allows reboots even with active users.
  • Automatic-Reboot-Time: Schedules reboots for 3 AM to minimize disruption.

Best Practices

  • Monitor the update logs regularly at /var/log/unattended-upgrades.
  • Keep your package sources clean and reliable.
  • Test automatic updates on non-production systems first.
  • Set up monitoring to alert you of failed updates.
  • These automated updates provide a crucial security baseline while reducing administrative overhead. The careful timing of updates and reboots ensures your server stays secure with minimal service interruption.

Securing SSH Access: Implementing Key-Based Authentication

SSH (Secure Shell) is your server's front door. While password authentication is common, key-based authentication provides significantly stronger security. Let's set up this enhanced security measure step by step.

Understanding SSH Keys

SSH keys come in pairs: a public key (shared with servers) and a private key (kept secret on your computer). Think of the public key as a lock and the private key as your unique key - only they work together.

Generating SSH Keys

First, create a new ED25519 key pair, which offers superior security compared to traditional RSA keys:

ssh-keygen -t ed25519

When prompted :-

  • Press Enter to accept the default location (~/.ssh/id_ed25519)
  • Enter a strong passphrase for additional security.
  • Your keys will be generated in the .ssh directory.

Deploying Your Key

Copy your public key to the server :-

ssh-copy-id -i ~/.ssh/id_ed25519.pub username@server-ip

Enhancing SSH Security

Open a new terminal window while keeping your current SSH session active. This ensures you don't lock yourself out while making changes.

Modify the SSH daemon configuration:-

sudo nano /etc/ssh/sshd_config

Add these critical security settings:-

PermitRootLogin no
PasswordAuthentication no

By disabling password login and root access, you're essentially :-

  • Removing the traditional lock that thieves know how to pick.
  • Installing a modern security system that only responds to authorized key cards.

Applying Changes
Restart the SSH service to implement the new settings :-

sudo systemctl restart sshd

Testing the New Configuration
In your original terminal, log out :-

exit

Try logging in with your key :-

ssh username@server-ip

If everything is configured correctly, you'll log in using your SSH key. If you entered a passphrase during key generation, you'll need to enter it now.

Security Tips

  • Store your private key securely.
  • Use a strong passphrase for your key.
  • Keep backups of your keys in a secure location.
  • Never share your private key.
  • Consider using ssh-agent to manage your keys conveniently.
  • With these measures in place, your server is now protected by one of the strongest authentication methods available.

Protection Against Intruders

Understanding Fail2Ban

Fail2Ban acts like a security guard for your server. It watches for suspicious activity (like someone trying different keys in your lock) and temporarily blocks access from those IP addresses.

Installation and Initial Setup

First, install Fail2Ban using the package manager :-

sudo apt install fail2ban

After installation, verify that the service is running :-

sudo systemctl status fail2ban

If you see that it's not active, start the service :-

sudo systemctl start fail2ban

Configuration Setup

Fail2Ban uses configuration files to determine its behavior. While the default configuration file is /etc/fail2ban/jail.conf, it's best practice to create a separate jail.local file :-

cd /etc/fail2ban
sudo cp jail.conf jail.local

This approach ensures your custom settings remain intact even after system updates.

Essential Configuration Settings
Open the configuration file for editing:-

sudo nano jail.local

Key Settings to Modify :-
bantime: Set to 60 minutes (60m) - determines how long an IP address remains banned
ignoreip: Add your trusted IP addresses here to prevent accidental lockouts

bantime = 60m
ignoreip = 127.0.0.1/8 ::1 your-public-ip-address

Understanding the Configuration

Ban Time
The 60-minute ban duration provides a good balance between security and practicality. This means any IP address that triggers Fail2Ban's rules will be blocked from accessing your server for one hour.

IP Whitelist
The ignoreip setting creates a whitelist that includes:
Local loopback address (127.0.0.1/8)
IPv6 loopback (::1)
Your public IP address

Adding your public IP address of the machine that you use to ssh into your linux server is crucial to prevent accidentally locking yourself out of your own server.

After making these changes, restart and enable Fail2Ban to apply the new configuration:

sudo systemctl restart fail2ban
sudo systemctl enable fail2ban

When configured correctly, Fail2Ban could :-

  • Monitor login attempts.
  • Block IP addresses that show suspicious behavior.
  • Maintain a whitelist for trusted IP addresses.
  • Keeps logs of blocked attempts.
  • Regularly monitor system logs for unusual activity.
  • Keep your SSH keys secure and password-protected.
  • Maintain a list of authorized users and regularly review access.

 

Final Thoughts

Server security is an ongoing process, not a one-time setup. These measures provide a strong foundation, but staying informed about new security threats and regularly updating your security measures is essential.

Remember: The goal is to make your server secure enough that potential attackers will move on to easier targets, while keeping it usable for legitimate users.

Read more