Keep in mind that these seven points make your Linux server more secure

Keep in mind that these seven points make your Linux server more secure

I run several Linux servers. I have one at home, serving as a file server, and three active servers used as my Site Server, email server, and cloud storage server. Although I am not worried about the server in my house, it is not in contact with the outside world, but the other three servers need to be carefully maintained and always need to be carefully maintained. Some new Linux users want to run their own servers. They must keep several things in mind. This is the focus of this article.

Figure 1: running services.

Install required services

If you want to run a server, you may think, "I have a 40 gb ssd storage system from Linode, so I can install any services I want to install ." Yes, you are the master of your website: you can install any software on the server. However, do not take it for granted. Even the most solid server will be hijacked by someone exploiting the loopholes of any unpatched or Vulnerable Software Component running on the server.

Therefore, the first rule is to streamline your server as much as possible. Only install the packages you actually need. If there are unnecessary packages, clear them. The fewer packages, the less likely the code is to be patched. Before installing any software and dependency packages (such as ownCloud), you should read the ownCloud instructions and install only the packages required by it.

Run the required services

The second rule is to run only the services needed. Many distributions or packages may enable certain services and run on different ports. This may bring security risks. Open the terminal and run the following command:

netstat -npl

The output result shows which services are running on which ports. If you find any service that should not run, stop it. You should also pay close attention to the services that have been enabled and run when the system is started. You only need to run the following command on the system that runs systemd to check this aspect:

systemctl list-unit-files --type=service | grep enabled

Depending on the system, you will get the output result shown in 1. If you find any unnecessary service, you can use the powerful systemct1 command to disable it:

systemctl disable service_name

Restrict access to the server

Just like you don't give your keys to people you know, or give the server access permissions to people you know. Once this rule is clarified, access to the server can be restricted. Keep this in mind: this will not eliminate the idea of destroying the bad guys on your server. However, its role is to add more layers of security to your server. Prevention is just a hacker.

Do not log on as the root user

It is not a good practice to access the server through ssh as a Super User. We will disable ssh access to the server as the root user. Before doing so, create a user with sudo permissions so that you can access the server through ssh, the Administrator task has been executed. Once you log on to the server, you can always switch the user to the root user, if necessary. If you already have a user on the system, skip a few steps. Otherwise, follow me.

Different releases use different methods to add new users. Red Hat/CentOS uses useradd and Ubuntu/Debian uses user adduser.

Create a user on Fedora/CentOS:

useradd swapnil

Then, create a password for the user:

passwd swapnil

It requires you to provide a new password for the user. Now you need to grant sudo permission to this user. Run the following command:

EDITOR=nano visudo

Find the following line (see Figure 2 ):

# %wheel ALL=(ALL) ALL

Figure 2: grant sudo permissions to users.

Remove the comment of the line (# The symbol means that the line is commented; remove the comment as long as it is removed), it looks like this:

%wheel ALL=(ALL) ALL

Now, save and close the file. If the user does not belong to the wheel group, you only need to run the following command to easily add it to the group:

# usermod -aG wheel swapnil

On Ubuntu, you can add new users and run the following command:

adduser swapnil

Answer some questions raised by the system, including creating a password for the user. Once the creation is complete, grant the sudo permission to the user:

gpasswd -a swapnil sudo

Open another terminal window, try to log on to the server as the user you just created, and execute some administrator tasks with sudo permissions. If everything is normal, go to the next step.

Disable Root User Logon

We want to disable root user logon, which means no one can log on to the server through ssh or as the root user. To do this, open the sshd configuration file:

nano /etc/ssh/sshd_conf

Next, find the comment line that displays the following content:

#PermitRootLogin no

Then save and close the file and restart the service:

service ssh restart

Or

systemctl restart sshd

Important: do not quit the server. You need to test whether the user you just created can successfully access the server through ssh. Open another instance of the terminal and use ssh to access the server as the user created previously. You do not want to be completely locked out of the server. If everything works properly, you can log out of the server as the root user.

For more details, please continue to read the highlights on the next page:

1 2 Next Page