CALL US
Get Free Quote

Linux Security and Hardening; The Practical Security Guide

  • Hardening your infrastructure and systems is a vital step but can be difficult to handle from scratch. Read our expert's guide on Linux security and hardening, and how Linux system administrators can keep their servers safe and secure

Linux is an open-source operating system (OS) that's similar to UNIX but runs on a wide variety of hardware. It's a popular alternative to proprietary operating systems like Microsoft Windows and macOS. Despite Linux being a reliable system, some recommendations need to be followed to ensure your servers operate safely and effectively. Here are some basic practices for developers to follow for security in Linux instances.

 

Understanding Users and Groups in Linux System

To provide different levels of access to the file system and services on Linux it follows the hierarchy using users and groups.
The permissions to any file or application on Linux is basically of three types namely:
a) read - 4
b) write - 2
c) execute - 1
User group public
755
X - 744
This is also controlled by the 3 levels classified as
a) owner
b) group
c) world
You can use the above to provide different levels of security to your files and system. To do this we need to create users and passwords and provide key based access to the users to access the servers, which we would do by the commands followed.
To create a user type command
sudo useradd user1
We would now set the password for the user by using the command.
sudo passwd user1
Login to the user account on the server
su user1
To create the key for the user type
ssh-keygen -t rsa
This would create a directory .ssh and a couple of files in the home directory for the user.
To give the key based access to the user you need to copy the contents from the .ssh/id_rsa.pub to .ssh/authorized_key
cd .ssh
cat id_rsa.pub >>authorized_key
To access the server you need to copy the contents of the .ssh/id_rsa to a file on your local system with .pem extension.
cat id_rsa
Copy the output to a local file.
Connecting to the server using the key.
ssh -i private_key.pem user1@yourserver
This would connect to the server using user1.
To create a group you need to issue the command
sudo groupadd developers
To add the user to the group issue command
sudo adduser user1 developers

Adding a user to Sudoers List:
sudo usermod -aG sudo user1

 

Setting up Security Firewall

Linux boxes come with different security tools and you need to configure those to make your server more secure. The main tool that we use is a firewall which is used to block the unwanted traffic on the server. IPTables is the firewall for the Linux boxes and can be used with the command iptables along with the arguments.
We can then add a few simple firewall rules to block the most common attacks, to protect our VPS from script-kiddies. We can't really count on iptables alone to protect us from a full-scale DDOS or similar, but we can at least put off the usual network scanning bots that will eventually find our VPS and start looking for security holes to exploit. First, we start with blocking null packets.

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

We told the firewall to take all incoming packets with tcp flags NONE and just DROP them. Null packets are, simply said, recon packets. The attack patterns use these to try and see how we configured the VPS and find out weaknesses. The next pattern to reject is a syn-flood attack.

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Syn-flood attack means that the attackers open a new connection, but do not state what they want (ie. SYN, ACK, whatever). They just want to take up our servers' resources. We won't accept such packages. Now we move on to one more common pattern: XMAS packets, also a recon packet.

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Now we can start adding selected services to our firewall filter. The first such thing is a localhost interface:

iptables -A INPUT -i lo -j ACCEPT

We tell iptables to add (-A) a rule to the incoming (INPUT) filter table any trafic that comes to localhost interface (-i lo) and to accept (-j ACCEPT) it. Localhost is often used for, ie. your website or email server communicating with a database locally installed. That way our VPS can use the database, but the database is closed to exploits from the internet.

Now we can allow web server traffic:

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

We added the two ports (http port 80, and https port 443) to the ACCEPT chain - allowing traffic in on those ports. Now, let's allow users use our SMTP servers:

iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

Like stated before, if we can influence our users, we should rather use the secure version, but often we can't dictate the terms and the clients will connect using port 25, which is much easier to have passwords sniffed from. We now proceed to allow the users read email on their server:

iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT

Those two rules will allow POP3 traffic. Again, we could increase the security of our email server by just using the secure version of the service. Now we also need to allow IMAP mail protocol:

iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

We should also allow SSH traffic, so we can connect to the VPS remotely. The simple way to do it would be with this command:

iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

we need to add one more rule that will allow us to use outgoing connections (ie. ping from VPS or run software updates);

iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

It will allow any established outgoing connections to receive replies from the VPS on the other side of that connection. When we have it all set up, we will block everything else, and allow all outgoing connections.

iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP

Recheck if all the rules are correct and in place.
iptables -L -n

Save the rules.
iptables-save | sudo tee /etc/sysconfig/iptables

Service iptables restart

Another important command which generally comes in handy is to block specific IP’s
iptables -A INPUT -p tcp -s IPADDRESS -m tcp --dport 22 -j ACCEPT

 

SSH Security Rules

To configure a secure SSH environment on the linux box is the most crucial step to secure your server.
The configuration file for your ssh server is located in directory
/etc/ssh in sshd_config file.

Some of the important directives for the same are listed below.

Port 22

PermitRootLogin

PasswordAuthentication no

 

Creating Users with Limited Access

Nano /etc/pam.d/su
auth  [success=ignore default=1] pam_succeed_if.so user = deployer

auth  sufficient             pam_succeed_if.so use_uid user = ubuntu

 

Fail2Ban Service - Introduction and Installation

Fail2ban is an open-source intrusion prevention framework that protects servers from brute-force attacks. It monitors log files for suspicious activity and bans IP addresses that show malicious behavior.

Installation:

  1. Install Fail2ban:
    • On Debian/Ubuntu:

sudo apt update

sudo apt install fail2ban

Start and Enable Fail2ban Service:

sudo systemctl start fail2ban

sudo systemctl enable fail2ban

Configuration:

  1. Main Configuration File:
    • Location: /etc/fail2ban/jail.conf
    • It contains global settings and defaults. We can modify settings here.

Check Fail2ban Status:

systemctl status fail2ban.service

sudo fail2ban-client status ////// this command shows the number of jail and jail list

Status

|- Number of jail: 9

`- Jail list: apache-auth, apache-badbots, apache-modsecurity, apache-nohome, apache-noscript, apache-overflows, apache-shellshock, php-url-fopen, sshd

To manually ban an IP address using Fail2ban, we can use the following command:

sudo fail2ban-client set banip

For example, to ban the IP address 192.168.1.100 in the sshd jail, we would use:

sudo fail2ban-client set sshd banip 192.168.1.100

Unban an IP Address:

sudo fail2ban-client set unbanip
Monitoring the Log File in Real-Time

sudo tail -f /var/log/fail2ban.log


Conclusion

Hardening your infrastructure and systems is a vital step but can be difficult to handle from scratch. Evon Technologies is a leading software development company in India which takes advantage of industry standards. Have questions related to Linux security? Write to us at This email address is being protected from spambots. You need JavaScript enabled to view it. or call now to know more.

This email address is being protected from spambots. You need JavaScript enabled to view it.
Chatbot Examples: How 7 Industries Are Putting Cha...
Top 10 Digital Transformation Technologies

SEARCH BLOG

development Salesforce offshore software development CRM business offshore software development company C++ application outsourcing software apps web java Cloud computing mobile app development web development Big Data Analytics Big Data custom app development cloud mobile app development company J2ee website IT developers project management IT consulting and software development developer javascript Offshore development India Evon Technologies NodeJs Salesforce customization software development QA programming Automation Offshore development Salesforce Cloud Services Android development Salesforce consulting Product Development Web app development Web 3.0 Software development and testing testing consultant DevOps Joomla developers QA and Testing data business analysts Salesforce development risk management language data security startups offshore Salesforce Lightning digital marketing services mobile Salesforce CRM iOS apps Progressive Web Apps Offshore software development services digital marketing services india Social Media Marketing MVP Development Salesforce Mobile Development software development outsourcing consulting Agile Development Agile product Development Blockchain EmployeeEngagement Python Salesforce cloud enterprise project management methodology time tracking Staff Augmentation marketing automation companies Salesforce ISV partner Case Study WordPress Business continuity Resource Management Content Management System GDPR PHP development Big data and lead generation App Development Outsourcing Higher Productivity MVP software CMS Software project management methodologies Offshore development company Findnerd marketing automation

Our Team

We are a group of technology experts committed to designing, developing and delivering solutions for our clients, since the year 2006. Our team of 425+ stays ahead of the ever-evolving technology landscape it works in. Thus, we keep honing and expanding our expertise in order to cater to both startups as well as established enterprises. Know more about us here.

Certifications

  •   CMMI - Level 5
  •   ISO 27001 : 2022
  •   ISO 9001 : 2015

Get in Touch

  +91 97199 65550

  +44 203 372 4609

  +1 408 454 6110

 (HR) +91 8266041801

  evontech

 This email address is being protected from spambots. You need JavaScript enabled to view it.

  A- 5, IT Park, Dehradun, Uttarakhand, India, PIN - 248001.

follow us on

Subscribe to our Newsletter

We are proud to allocate our CSR funds to support the PM's Citizen Assistance and Relief in Emergency Situations Fund for the FY 2022-23.

PMCares logo
scroll up icon
×
We use cookies on our website to provide you with a more personalised digital experience and for analytics related to our website and other media. For more information, please review our Privacy Policy and Cookies Policy.