25 ways to make your Linux server as safe as a bucket

Source: Internet
Author: User

1. Security of physical systems





Configure the BIOS to disable booting from CD/DVD, external devices and floppy drives. Next, set a BIOS password and enable GRUB password protection to restrict physical access to the system.





2. Disk partitioning





It is important to use separate partitions, which gives better data safety if a disaster happens. Splitting the disk into partitions lets data be grouped and isolated. When an accident occurs, only the data on the affected partition is damaged, and the data on the other partitions survives. Make sure you have the following separate partitions, and install third-party applications on a separate file system under /opt.





/


/boot


/usr


/var


/home


/tmp


/opt







3. Minimum package installation, minimum vulnerability





Do you really need every service installed? It is recommended that you do not install unneeded packages, to avoid the vulnerabilities they bring. This minimizes risk, because a vulnerability in one service can lead to the compromise of other services. Find and remove or stop unused services to reduce the system's exposure. Use the 'chkconfig' command to list all services that are running at runlevel 3.

# /sbin/chkconfig --list | grep '3:on'





When you find that an unwanted service is running, use the following command to stop the service.





# chkconfig ServiceName off





Use a package manager such as yum (RPM-based systems) or apt-get to list all installed packages, and remove the unneeded ones with the commands below.

# yum -y remove package-name


# sudo apt-get remove package-name





4. Check the network listening port





With the help of the 'netstat' networking command, you can see all open ports and the programs associated with them. Use the 'chkconfig' command mentioned above to turn off unwanted network services.

# netstat -tulpn





5. Use SSH (Secure Shell)



The Telnet and rlogin protocols send data in plain text rather than in an encrypted form, which is a security weakness. SSH is a secure protocol that encrypts the communication between the client and the server.

Never log in directly as root unless necessary. Use sudo to execute commands. sudo is configured in the /etc/sudoers file, which can be edited with the 'visudo' tool, which opens the configuration file in the vi editor.

It is also recommended that you change the default SSH port, 22, to a higher port number. Open the main SSH configuration file and make the following modifications to restrict user access.





# vi /etc/ssh/sshd_config

Disable root login

PermitRootLogin no

Allow only specific users

AllowUsers username

Use SSH protocol version 2





Protocol 2
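A way to check that a server's sshd_config really ends up with the three settings above. This is an added example, not part of the original article; the function names sshd_effective and audit_sshd and the sample file are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit the three sshd_config
# settings recommended above. sshd uses the FIRST value it finds for a
# keyword and keywords are case-insensitive, so a later "PermitRootLogin no"
# does not override an earlier "yes". Parsing stops at the first Match block.

sshd_effective() {  # usage: sshd_effective FILE KEYWORD
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, blank lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/); if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n + 1)
            sub(/^[ \t=]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "match") exit
            if (key == want) { print val; exit }
        }' "$1"
}

audit_sshd() {  # usage: audit_sshd FILE; returns 1 if any check fails
    rc=0
    v=$(sshd_effective "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    if [ "$v" = "no" ]; then echo "OK   PermitRootLogin no"
    else echo "FAIL PermitRootLogin is '${v:-unset}'"; rc=1; fi

    v=$(sshd_effective "$1" AllowUsers)
    if [ -n "$v" ]; then echo "OK   AllowUsers $v"
    else echo "FAIL AllowUsers is not set"; rc=1; fi

    v=$(sshd_effective "$1" Protocol)
    if [ "$v" = "2" ]; then echo "OK   Protocol 2"
    else echo "FAIL Protocol is '${v:-unset}'"; rc=1; fi
    return "$rc"
}

# Constructed sample: the first PermitRootLogin line wins, so the audit fails.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
permitrootlogin yes
PermitRootLogin no
AllowUsers alice
Protocol 2
EOF
audit_sshd "$sample" || true
rm -f "$sample"
```

Run audit_sshd against /etc/ssh/sshd_config after editing it, and restart sshd only once every line reports OK.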





6. Ensure the system is up to date





Always ensure that the system contains the latest version of patches, security fixes, and available kernels.





# yum update

# yum check-update





7. Lock down cron jobs

Cron has a built-in feature that lets you define who may and who may not run jobs. This is controlled through two files, /etc/cron.allow and /etc/cron.deny. To lock a user out of cron, simply add the user name to cron.deny; to allow a user to run cron, add the name to cron.allow. If you want to prevent all users from using cron, add "ALL" as a line in cron.deny.

# echo ALL >> /etc/cron.deny





8. Disable USB storage detection

In many cases we want to restrict users from using USB sticks, to protect the system and prevent data leaks. Create a file '/etc/modprobe.d/no-usb' and add the following line to prevent USB storage from being detected.

install usb-storage /bin/true





9. Enable SELinux

SELinux (Security-Enhanced Linux) is a mandatory access control security mechanism provided by the Linux kernel. Disabling SELinux removes that security mechanism from the system. Think carefully before disabling it; if your system is attached to the network and reachable from the public Internet, think about it even more.

SELinux offers three basic operating modes:

Enforcing: This is the default mode, which enables and enforces the SELinux security policy.

Permissive: In this mode, SELinux does not enforce the security policy; it only warns and logs. This mode is useful when troubleshooting SELinux-related issues.

Disabled: SELinux is turned off.





You can use the 'system-config-selinux', 'getenforce' or 'sestatus' commands to view the current SELinux status.

# sestatus

If it is in disabled mode, enable SELinux with the following command

# setenforce enforcing





10. Remove KDE or GNOME desktops

There is no need to run X Window desktops such as KDE or GNOME on a dedicated LAMP server. You can remove or disable them to improve system security and performance. Open /etc/inittab and change the run level to 3 to disable the desktop. If you want to remove it from the system completely, use the following command:

# yum groupremove "X Window System"





11. Disable IPv6

If the IPv6 protocol is not in use, it should be disabled, because most applications and policies do not use IPv6 and the server does not currently require it. You can turn it off by adding the following lines to your network configuration file.

# vi /etc/sysconfig/network

NETWORKING_IPV6=no

IPV6INIT=no





12. Restrict users from using old passwords





This is useful if you do not want users to keep reusing old passwords. The old password file is located at /etc/security/opasswd. You can use a PAM module to implement this.

Open the '/etc/pam.d/system-auth' file on RHEL/CentOS/Fedora.

# vi /etc/pam.d/system-auth

Open the '/etc/pam.d/common-password' file on Ubuntu/Debian/Linux Mint.

# vi /etc/pam.d/common-password





Add the following line to the ' auth ' block.





auth sufficient pam_unix.so likeauth nullok

Add the following line to the 'password' block to prevent users from reusing their last 5 passwords.

password sufficient pam_unix.so nullok use_authtok md5 shadow remember=5





The server records only the last 5 passwords. If you try to use any of the last 5 old passwords you have used, you will see the following error message.





Password has been already used. Choose another.





13. How to check user password expiration

In Linux, users' passwords are stored in the '/etc/shadow' file in an encrypted form. To check a user's password expiration, use the 'chage' command. It displays the date the password was last changed and the details of the password aging period. These details are the basis on which the system decides whether a user must change the password.





To view aging information for any existing user, such as expiration date and length, use the following command.





# chage -l username





To modify the password aging of any user, use the following command.





# chage -M 60 username

# chage -M 60 -m 7 -W 7 userName

Parameters

-M Set the maximum number of days

-m Set the minimum number of days

-W Set the number of days of warning





14. Manually lock or unlock user accounts





The lock and unlock features are very useful: instead of removing an account from the system, you can lock it for a week or a month. You can use the following command to lock a specific user.

# passwd -l accountName

Tip: The locked user is still available to the root user only. The lock is implemented by replacing the encrypted password with a (!) string. If someone tries to access the system with this account, they will get an error similar to the one below.

# su - accountName

This account is currently not available.

To unlock a locked account, use the following command. It removes the (!) string and restores the encrypted password.

# passwd -u accountName





15. Enforce stronger passwords

A significant number of users choose weak passwords, which can be compromised through dictionary or brute-force attacks. The 'pam_cracklib' module is available in the PAM stack and forces users to set a complex password. Open the following file in an editor.

# vi /etc/pam.d/system-auth

Add one line to the file, using the credit parameters (lcredit, ucredit, dcredit and ocredit for lowercase letters, uppercase letters, digits and other characters respectively).





/lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1
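What the credit values on that line require of a new password, as an added example that is not part of the original article. The functions count, need and check_credits are names made up for the illustration, and the model covers only minlen and the four credits, not the module's dictionary checks.

```shell
#!/bin/sh
# Added example (not from the original article): a simplified model of the
# pam_cracklib line above. A negative credit is a required minimum count for
# that character class. The real module also runs dictionary and similarity
# checks, which are not modelled here.

count() {  # usage: count STRING TR_FLAG SET -> characters left after tr
    printf '%s' "$1" | LC_ALL=C tr "$2" "$3" | wc -c | tr -d ' '
}

need() {  # usage: need LABEL HAVE MIN; records a failure in $rc
    [ "$2" -ge "$3" ] && return 0
    echo "$1: have $2, need at least $3"
    rc=1
}

check_credits() {  # usage: check_credits PASSWORD; returns 1 if a rule is unmet
    rc=0
    need length    "${#1}"                          8   # minlen=8
    need lowercase "$(count "$1" -cd 'a-z')"        1   # lcredit=-1
    need uppercase "$(count "$1" -cd 'A-Z')"        2   # ucredit=-2
    need digits    "$(count "$1" -cd '0-9')"        2   # dcredit=-2
    need other     "$(count "$1" -d 'a-zA-Z0-9')"   1   # ocredit=-1
    return "$rc"
}

# Constructed candidates, not real passwords.
for pw in 'password' 'Passw0rd!' 'PAssw0rd9!'; do
    if check_credits "$pw" >/dev/null; then echo "accept $pw"
    else echo "reject $pw"; fi
done
```

Only the third candidate passes: the second one looks complex but has a single uppercase letter and a single digit, and the line above demands two of each.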





16. Enable iptables (firewall)

It is highly recommended that you enable the Linux firewall to prevent unauthorized access to your servers. Use iptables rules to filter inbound, outbound and forwarded packets. We can allow or deny specific UDP/TCP ports for given source and destination addresses.





17. Disable Ctrl+Alt+Delete reboot

In most Linux distributions, pressing 'Ctrl-Alt-Delete' reboots the system. On a production server this is not a good idea, because someone may trigger it by mistake.

This behavior is defined in the '/etc/inittab' file; if you open it, you will see a paragraph similar to the one below. The line must be commented out, as shown, because this key sequence would otherwise reboot the system.

# Trap CTRL-ALT-DELETE

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now





18. Check for accounts with empty passwords

Any account with an empty password is open to access by any unauthorized user on the web, which is a security threat to the Linux server. So, make sure that all users have a complex password and that no privileged users exist. Accounts with empty passwords are a security risk and can be compromised easily. You can use the following command to check whether any account has an empty password.

# cat /etc/shadow | awk -F: '($2 == "") {print $1}'
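The same /etc/shadow fields also hold the aging data from tip 13 and the (!) lock marker from tip 14, so one pass over the file can report all three. The script below is an added example, not part of the original article; shadow_audit and empty_password_users are names made up for the illustration and the sample entries are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): read a shadow-format file
# and report, per account, the password state and days until it expires.

shadow_audit() {  # usage: shadow_audit FILE [TODAY_AS_DAYS_SINCE_1970]
    today=${2:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            if ($2 == "")              state = "EMPTY"    # tip 18: no password
            else if ($2 ~ /^!+[^!*]/)  state = "LOCKED"   # tip 14: "!" before the hash
            else if ($2 ~ /^[!*]+$/)   state = "NOLOGIN"  # no usable hash stored
            else                       state = "SET"
            # Tip 13: field 3 is the last change (days since 1970-01-01) and
            # field 5 the maximum age that chage -M sets. Assumption: an empty
            # field or 99999 means the password never expires.
            if ($3 == "" || $5 == "" || $5 + 0 >= 99999) left = "never"
            else left = ($3 + $5) - today
            print $1, state, left
        }' "$1"
}

empty_password_users() {  # usage: empty_password_users FILE
    shadow_audit "$1" | awk '$2 == "EMPTY" { print $1 }'
}

# Constructed sample; the hashes are placeholders, not real password hashes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:$6$salt$placeholderhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$salt$placeholderhash:19000:0:60:7:::
bob::19000:0:99999:7:::
carol:!$6$salt$placeholderhash:19000:0:99999:7:::
EOF
shadow_audit "$sample" 19050   # alice has 10 days left; bob is EMPTY
rm -f "$sample"
```

Run as root against /etc/shadow, empty_password_users gives the same list as the awk one-liner above, and a negative number in the last column means the password has already expired.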





19. Display an SSH banner before login

It is a good idea to display a legal or security warning banner at SSH authentication time. To set up such an SSH banner, see the following article.





20. Monitor user activity

If you have a lot of users, it is important to collect information about each user's activity and the processes they consume. You can analyze it later, or when dealing with performance or security issues. But how can we monitor and collect user activity information?





There are two very useful tools, ' psacct ' and ' acct ', that can be used to monitor the behavior and processes of users in the system. These tools run in the background of the system and keep track of every user's behavior and services such as Apache, MySQL, SSH, FTP, etc.





21. Review logs regularly

Moving logs to a dedicated log server prevents intruders from easily modifying local logs. The following are the common default Linux log files and what they are used for:

/var/log/message – Records the system log or the current activity log.

/var/log/auth.log – Authentication log.

/var/log/kern.log – Kernel log.

/var/log/cron.log – Crond log (cron jobs).

/var/log/maillog – Mail server log.

/var/log/boot.log – System boot log.

/var/log/mysqld.log – MySQL database server log.

/var/log/secure – Authentication log.

/var/log/utmp or /var/log/wtmp – Login log.

/var/log/yum.log – Yum log.





22. Important File Backup





In a production environment, for disaster recovery, it is necessary to back up important files and keep them in a secure remote tape vault, remote site, or offsite hard drive.





23. NIC bonding

There are two types of mode in NIC bonding, which must be specified on the bonding interface.

mode=0 – Round Robin

mode=1 – Active and Backup

NIC bonding helps us avoid a single point of failure. In NIC bonding, we bond two or more network adapters together into a single virtual interface, to which we assign the IP address used to talk to other servers. The network stays available when one NIC is down or unavailable for any other reason.





24. Keep /boot read-only

The Linux kernel and all of its related files are stored under /boot, which is readable and writable by default. Making it read-only reduces the risk of unauthorized modification of critical boot files.

# vi /etc/fstab

Add the following line at the end of the file and save

LABEL=/boot /boot ext2 defaults,ro 1 2





If you need to upgrade the kernel in the future, you need to go back to read and write mode.





25. Ignore ICMP and broadcast requests

Add the following lines to /etc/sysctl.conf to ignore ping and broadcast requests.

Ignore ICMP requests:

net.ipv4.icmp_echo_ignore_all = 1

Ignore broadcast requests:

net.ipv4.icmp_echo_ignore_broadcasts = 1

Run the following command to load the new settings

# sysctl -p





If you think the above security tips are useful, or if there is anything else you would like to add, please write in the comments box below; TecMint is always willing to hear your comments, suggestions and discussion.
