Linux is an open-source operating system (OS) that's similar to UNIX but runs on a wide variety of hardware. It's a popular alternative to proprietary operating systems like Microsoft Windows and macOS. Despite Linux being a reliable system, some recommendations need to be followed to ensure your servers operate safely and effectively. Here are some basic practices for developers to follow for security in Linux instances.
Understanding Users and Groups in a Linux System
Linux controls access to the file system and to services through a hierarchy of users and groups.
Permissions on any file or application in Linux are of three types, each with a numeric value:
a) read - 4
b) write - 2
c) execute - 1
They are granted separately at three levels:
a) owner (user)
b) group
c) world (public)
A mode is written as three digits, one per level (user, group, public), each digit being the sum of the permissions granted at that level. For example, 755 gives the owner read, write and execute (4+2+1) and the group and world read and execute (4+1); 744 gives the owner full access and everyone else read only.
You can use these to give different levels of protection to your files and system. To do this we create users with passwords and give them key-based access to the server, using the following commands.
To create a user, type:
sudo useradd user1
Now set the password for the user:
sudo passwd user1
Log in to the user account on the server:
su user1
To create a key pair for the user, type:
ssh-keygen -t rsa
This creates a .ssh directory with a couple of files in the user's home directory.
To give the user key-based access, append the contents of .ssh/id_rsa.pub to .ssh/authorized_keys (the file sshd actually reads; note the trailing s):
cd .ssh
cat id_rsa.pub >> authorized_keys
To access the server you need to copy the contents of .ssh/id_rsa to a file on your local system with a .pem extension.
cat id_rsa
Copy the output to a local file and restrict it to your own user (chmod 600), since ssh refuses to use a private key that other users can read.
Connect to the server using the key:
ssh -i private_key.pem user1@yourserver
This connects to the server as user1.
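The key-installation step above, as an added example that is not part of the original article: a small POSIX shell function that writes the key into authorized_keys with the permissions sshd insists on. The function name install_key and its HOME_DIR PUBKEY_FILE arguments are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original article: install a public key the way
# sshd expects. The article appends id_rsa.pub to "authorized_key"; sshd reads
# ~/.ssh/authorized_keys, and with the default StrictModes it ignores the file
# when it or the .ssh directory is writable by anyone but the owner.
# Assumed interface: install_key HOME_DIR PUBKEY_FILE
install_key() {
    home="$1"
    key=$(head -n 1 "$2")          # one "type base64 [comment]" line
    ssh_dir="$home/.ssh"
    auth="$ssh_dir/authorized_keys"

    if ! printf '%s\n' "$key" | grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256) [A-Za-z0-9+/=]+'; then
        echo "install_key: $2 does not look like an OpenSSH public key" >&2
        return 1
    fi

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"           # owner-only directory
    touch "$auth"
    chmod 600 "$auth"              # owner-only file

    # append only if this exact key is not already present, so re-runs are harmless
    if ! grep -qxF "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
}

# number of keys installed for a home directory
key_count() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}
```

Run it as the target user (install_key "$HOME" /path/to/id_rsa.pub), or as root against /home/user1 followed by chown -R user1 /home/user1/.ssh.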
To create a group, issue the command:
sudo groupadd developers
To add the user to the group, issue:
sudo adduser user1 developers
To add a user to the sudoers list:
sudo usermod -aG sudo user1
Setting up a Security Firewall
Linux boxes come with several security tools, and you need to configure them to make your server more secure. The main one is a firewall, which blocks unwanted traffic to the server. iptables is the firewall for Linux boxes and is driven by the iptables command and its arguments.
We can add a few simple firewall rules to block the most common attacks and protect our VPS from script kiddies. We can't count on iptables alone to protect us from a full-scale DDoS or similar, but we can at least turn away the usual network-scanning bots that will eventually find our VPS and start looking for security holes. First, we block null packets.
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
We told the firewall to take all incoming TCP packets with no flags set (NONE) and DROP them. Null packets are, simply put, reconnaissance packets: scanners use them to probe how the VPS is configured and look for weaknesses. The next pattern to reject is a SYN flood.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
This rule drops packets that try to open a new connection without the SYN flag set. In a SYN flood the attackers open connections but never complete them; they just want to tie up our server's resources, so we won't accept such packets. Now we move on to one more common pattern, XMAS packets (every flag set), which are also reconnaissance packets.
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Now we can start adding selected services to our firewall filter. The first is the loopback (localhost) interface:
iptables -A INPUT -i lo -j ACCEPT
We tell iptables to append (-A) a rule to the INPUT chain that accepts (-j ACCEPT) any traffic arriving on the localhost interface (-i lo). Localhost is often used, e.g., by your website or mail server to talk to a locally installed database. That way our VPS can use the database while the database stays closed to attacks from the internet.
Now we can allow web server traffic:
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
We added the two ports (HTTP port 80 and HTTPS port 443) to the INPUT chain with the ACCEPT target, allowing traffic in on those ports. Now let's allow users to use our SMTP server:
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
If we can influence our users, they should use the secure version (port 465), but often we can't dictate the terms and clients will connect on port 25, from which passwords are much easier to sniff. Next we allow users to read email on the server:
iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
Those two rules allow POP3 traffic. Again, we could improve the security of our mail server by offering only the secure version (port 995). We also need to allow the IMAP mail protocol:
iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
We should also allow SSH traffic, so we can connect to the VPS remotely. The simple way to do it would be with this command:
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
We need to add one more rule that lets outgoing connections (e.g. ping from the VPS or software updates) receive their replies:
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
It allows any established or related connection, including those the VPS opened itself, to receive replies. Note the -I: the rule is inserted at the top of the INPUT chain so it is evaluated before the DROP rules. With everything set up we block everything else and allow all outgoing connections:
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
Recheck that all the rules are correct and in place:
iptables -L -n
Save the rules so they survive a reboot:
iptables-save | sudo tee /etc/sysconfig/iptables
service iptables restart
Another pattern that comes in handy is restricting a rule to a specific source address with -s. The following rule accepts SSH only from IPADDRESS; the same form with -j DROP blocks that address instead:
iptables -A INPUT -p tcp -s IPADDRESS -m tcp --dport 22 -j ACCEPT
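The complete ruleset built above, as an added example that is not part of the original article: a shell function that emits it in the format iptables-save produces, so the whole set can be loaded in one atomic iptables-restore instead of one iptables -A at a time. The function name firewall_rules, its ADMIN_IP argument, and the multiport grouping of the service ports are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original article: emit the article's ruleset in
# iptables-restore format so the whole set is loaded atomically and a typo
# partway through cannot leave a half-applied set. Two changes from the
# article: SSH is accepted only from ADMIN_IP, using the -s pattern above, and
# FORWARD defaults to DROP because a VPS does not route.
# Assumed interface: firewall_rules ADMIN_IP
firewall_rules() {
    admin_ip="$1"
    case "$admin_ip" in
        ""|*[!0-9./]*) echo "firewall_rules: bad address '$admin_ip'" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to connections we opened; first, like the article's -I rule
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# recon and flood patterns: null packets, non-SYN new connections, XMAS packets
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# public services on the article's ports: HTTP/HTTPS, SMTP, POP3, IMAP
-A INPUT -p tcp -m multiport --dports 80,443,25,465,110,995,143,993 -j ACCEPT
# management: SSH only from the admin address
-A INPUT -p tcp -s $admin_ip --dport 22 -j ACCEPT
COMMIT
EOF
}

# number of rules the generated set contains; compare with "iptables -S INPUT"
rule_count() {
    firewall_rules "$1" | grep -c '^-A '
}
```

Load it with firewall_rules 203.0.113.10 | sudo iptables-restore; iptables-restore --test parses the set without committing it, which is worth doing first from a session you can still reach the box from.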
SSH Security Rules
Configuring a secure SSH environment on the Linux box is the most crucial step in securing your server.
The configuration file for your SSH server is /etc/ssh/sshd_config.
Some of the important directives are listed below.
Port 22 - the port sshd listens on
PermitRootLogin - whether root may log in directly over SSH
PasswordAuthentication no - disables password logins, so only the key-based access set up above is accepted
Restart the SSH service after editing the file, and keep your current session open until you have confirmed that a new connection works.
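A check for the directives just listed, as an added example that is not part of the original article: sshd uses the first value it finds for a keyword, so a hardened line appended at the end of sshd_config silently loses to an earlier one, and this function reports the value that actually applies. The function names sshd_effective and sshd_check are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original article: report the value sshd will use
# for a directive. sshd takes the FIRST value it finds for a keyword, so a
# "PasswordAuthentication no" appended at the end of the file loses to an
# earlier "yes". Keywords are case-insensitive; lines after a "Match" block
# apply only to matching connections and are ignored here.
# Assumed interface: sshd_effective CONFIG_FILE KEYWORD
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }     # comments, blanks
        tolower($1) == "match"               { exit }     # stop at Match
        tolower($1) == key                   { print $2; found = 1; exit }
        END { if (!found) print "(default)" }
    ' "$1"
}

# verdict on the settings the article cares about; non-zero if any is not hardened
sshd_check() {
    cfg="$1"
    status=0
    [ "$(sshd_effective "$cfg" PermitRootLogin)" = "no" ] || { echo "PermitRootLogin is not 'no'"; status=1; }
    [ "$(sshd_effective "$cfg" PasswordAuthentication)" = "no" ] || { echo "PasswordAuthentication is not 'no'"; status=1; }
    echo "Port: $(sshd_effective "$cfg" Port)"
    return $status
}
```

Run sshd_check /etc/ssh/sshd_config before restarting the service.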
Creating Users with Limited Access
The PAM configuration for su can let one account switch to another without a password, for example letting the ubuntu user become the deployer account. Edit the file:
sudo nano /etc/pam.d/su
and add these two lines:
auth [success=ignore default=1] pam_succeed_if.so user = deployer
auth sufficient pam_succeed_if.so use_uid user = ubuntu
The first line applies the line that follows only when the target user is deployer (for any other target it is skipped); the second lets the switch succeed without a password when the calling user's UID (use_uid) is ubuntu.
Fail2Ban Service - Introduction and Installation
Fail2ban is an open-source intrusion prevention framework that protects servers from brute-force attacks. It monitors log files for suspicious activity and bans IP addresses that show malicious behavior.
Installation:
- Install Fail2ban:
- On Debian/Ubuntu:
sudo apt update
sudo apt install fail2ban
Start and Enable Fail2ban Service:
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
Configuration:
- Main configuration file:
- Location: /etc/fail2ban/jail.conf
- It contains the global settings and defaults. Package upgrades overwrite this file, so put your own changes in /etc/fail2ban/jail.local, which overrides it.
Check Fail2ban Status:
systemctl status fail2ban.service
sudo fail2ban-client status
This command shows the number of jails and the jail list:
Status
|- Number of jail: 9
`- Jail list: apache-auth, apache-badbots, apache-modsecurity, apache-nohome, apache-noscript, apache-overflows, apache-shellshock, php-url-fopen, sshd
To manually ban an IP address using Fail2ban, we can use the following command (the jail name is required):
sudo fail2ban-client set <jail> banip <ip>
For example, to ban the IP address 192.168.1.100 in the sshd jail, we would use:
sudo fail2ban-client set sshd banip 192.168.1.100
Unban an IP Address:
sudo fail2ban-client set <jail> unbanip <ip>
For example:
sudo fail2ban-client set sshd unbanip 192.168.1.100
Monitoring the Log File in Real-Time
sudo tail -f /var/log/fail2ban.log
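A way to make sense of what that log shows, as an added example that is not part of the original article: a shell function that summarises the Ban and Unban events fail2ban.actions writes, per jail and source address, so a burst of bans stands out. The function name ban_summary and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: summarise the Ban/Unban lines
# that "tail -f /var/log/fail2ban.log" shows, per jail and address. Input is
# read from stdin; the sample log below is constructed, not real traffic.
# Assumed interface: ban_summary < logfile
ban_summary() {
    awk '
        # fail2ban.actions lines look like:
        #   2024-05-01 10:00:01,123 fail2ban.actions [812]: NOTICE  [sshd] Ban 192.0.2.7
        $3 ~ /^fail2ban\.actions/ && ($7 == "Ban" || $7 == "Unban") {
            jail = substr($6, 2, length($6) - 2)      # strip the [ ]
            if ($7 == "Ban") bans[jail " " $8]++; else unbans[jail " " $8]++
        }
        END {
            for (k in bans) printf "%s bans=%d unbans=%d\n", k, bans[k], unbans[k]
        }
    ' | sort
}

# constructed sample log; the "Found" line is a filter match, not a ban
SAMPLE_LOG='2024-05-01 10:00:01,123 fail2ban.actions [812]: NOTICE  [sshd] Ban 192.0.2.7
2024-05-01 10:00:05,456 fail2ban.filter  [812]: INFO    [sshd] Found 192.0.2.9 - 2024-05-01 10:00:05
2024-05-01 10:01:00,789 fail2ban.actions [812]: NOTICE  [sshd] Ban 192.0.2.9
2024-05-01 10:10:01,000 fail2ban.actions [812]: NOTICE  [sshd] Unban 192.0.2.7
2024-05-01 10:12:00,000 fail2ban.actions [812]: NOTICE  [apache-auth] Ban 192.0.2.7
2024-05-01 11:00:01,000 fail2ban.actions [812]: NOTICE  [sshd] Ban 192.0.2.7'

# number of distinct (jail, address) pairs banned in the sample
sample_pairs() {
    printf '%s\n' "$SAMPLE_LOG" | ban_summary | wc -l | tr -d ' '
}
```

Against a live system, run sudo ban_summary < /var/log/fail2ban.log; an address that is banned repeatedly in the same jail is a candidate for a permanent rule in the firewall section above.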
Conclusion
Hardening your infrastructure and systems is a vital step but can be difficult to handle from scratch. Evon Technologies is a leading software development company in India which takes advantage of industry standards. Have questions related to Linux security? Write to us or call now to know more.