How Do You Secure or Harden a Linux Server?

Problem scenario
You need to make a Linux server very secure. How do you harden a Linux server?

Answer

  1. You may need to reformat the server. Back up the data first. When you reinstall Linux, use full-disk encryption and mount the boot partition read-only.
  2. Enforce complex passwords that must be changed every 30 to 90 days. Use John the Ripper (www.openwall.com/john) to verify that your passwords are strong.
  3. In sshd_config, set "PermitRootLogin no" so that root cannot log in over SSH.
  4. Don't start Docker containers with sudo. Look into this one: could you remove root from the "docker" group? Or could you do some configuration to prevent "sudo" or the root user from starting Docker containers?
  5. Use a microservices architecture to the extent possible. If a single-purpose container or single-purpose VM is compromised, the other services and their data keep their integrity. From a pragmatic perspective, the data on a single compromised container or VM may not be useful to the attacker. If you are using Docker, see this posting.
  6. Keep the Linux kernel up-to-date.
  7. Use AppArmor or SELinux.
  8. Have backups. Security is the Confidentiality, Integrity and Availability triad, so backups that you have tested by restoring them are essential to hardening a Linux server.
  9. Use a host-based IDS (Intrusion Detection System).
  10. Have a network-based IDS (Intrusion Detection System).
  11. Have a firewall on the OS.
  12. Look for files with no owner from time to time:

No-owner Files
Files not owned by any user or group can pose a security problem. Find the files that do not belong to a valid user and a valid group with the following command (the parentheses must be escaped so the shell passes them to find):
find /dir -xdev \( -nouser -o -nogroup \) -print
You need to investigate each reported file and either assign it to an appropriate user and group or remove it.

https://www.cyberciti.biz/tips/linux-security.html (#26)
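Item 8 above asks for backups that have actually been tested by restoring them. The following script is an added example, not code from the original post or from the cited site: it archives a directory with tar, records a SHA-256 manifest of every file, restores the archive to a scratch directory and verifies the restored tree against that manifest. It assumes GNU coreutils and findutils (sha256sum, sort -z, xargs -r) as found on Linux; every path is an argument, nothing is hard-coded.

```shell
#!/bin/sh
# Added example (not code from the original post): back up a directory to a
# tar archive, then prove the backup is usable by restoring it somewhere else
# and comparing a SHA-256 checksum of every file. Paths are all arguments;
# keep the .sha256 manifest somewhere the archive's own storage cannot alter it.
# Assumes GNU coreutils/findutils (Linux).

# Print "checksum  ./relative/path" for every regular file under $1, sorted.
manifest_of() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum )
}

# Archive directory $1 into $2 and write the manifest to $2.sha256.
backup_dir() {
    src="$1"; archive="$2"
    tar -C "$src" -cf "$archive" . || return 1
    manifest_of "$src" > "$archive.sha256"
}

# Check that directory $2 contains exactly the files recorded for archive $1.
# Exit status is non-zero if any file is missing or its contents differ.
verify_restore() {
    manifest="$1.sha256"; dest="$2"
    # make the manifest path absolute, because we cd into the restore dir
    case "$manifest" in /*) ;; *) manifest="$PWD/$manifest" ;; esac
    ( cd "$dest" && sha256sum -c --quiet "$manifest" )
}

# Restore archive $1 into directory $2 and verify it. This is the "tested
# by restoring" part: run it on a schedule, not only once.
restore_and_verify() {
    archive="$1"; dest="$2"
    mkdir -p "$dest" && tar -C "$dest" -xf "$archive" || return 1
    verify_restore "$archive" "$dest"
}

# Usage: ./backup-check.sh /etc /var/backups/etc.tar /tmp/etc-restore-test
if [ $# -eq 3 ]; then
    backup_dir "$1" "$2" && restore_and_verify "$2" "$3" && echo "backup of $1 verified"
fi
```

The manifest is written at backup time, so a restore that silently lost or corrupted a file (a bad tape, a truncated upload, bit rot on the backup volume) fails verification instead of being discovered during a real recovery.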

13. Use TCP Wrappers

"… TCPWrappers a host-based networking ACL system to filter network access to Internet. " (This excerpt was taken from https://www.cyberciti.biz/tips/linux-security.html.)

TCP Wrappers is probably not necessary on a modern version of RHEL, but according to this site it still appears to be used on Ubuntu.

14. Check the configuration of /etc/sysctl.conf. This important file sets kernel parameters. To harden it, see https://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/.

15. Restrict core dumps through the configuration files that govern them. (This was influenced by #15 of this external page.) To do this, see these postings:

16. Tighten the permissions of cron-related files. To do this, see #14 of this external page.
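Items 3, 12, 14, 15 and 16 are all checks against configuration files, and they are easy to get subtly wrong (sshd honours the first PermitRootLogin it reads, sysctl the last assignment, and the parentheses in the find command need escaping). The script below is an added example, not code from the original post or the cited site: a small set of audit functions, one per item, each taking the file or directory to inspect as an argument so it can be run against a staging copy as well as the live system. It assumes a Linux box with GNU stat and awk; the core-dump check looks for the usual "* hard core 0" line in /etc/security/limits.conf and the fs.suid_dumpable sysctl, and the cron check expects mode 0600 on files and 0700 on directories owned by root (CRON_OWNER is an assumed override for testing on copies owned by another user).

```shell
#!/bin/sh
# Added example (not from the original post): audit helpers for the checks in
# items 3, 12, 14, 15 and 16. Live-system paths are used only when no argument
# is given. Assumes Linux with GNU stat and awk.

# Item 3: sshd uses the FIRST PermitRootLogin value it reads, and directives
# inside a "Match" block apply only to matching connections, so only the
# global section is considered and parsing stops at the first Match line.
# An absent directive is a failure: the compiled-in default is not "no".
sshd_root_login_disabled() {
    cfg="${1:-/etc/ssh/sshd_config}"
    val=$(awk '{ gsub(/=/, " ") }      # "Key=value" form is also accepted by sshd
               tolower($1) == "match" { exit }
               tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$cfg")
    [ "$val" = "no" ]
}

# Item 14: sysctl.conf, where the LAST assignment of a key wins. Arguments:
# the config file, then "key=value" pairs that must hold. Prints each mismatch
# and returns non-zero if any key is missing or has the wrong value.
sysctl_conf_has() {
    cfg="$1"; shift
    rc=0
    for want in "$@"; do
        key=${want%%=*}; exp=${want#*=}
        got=$(awk -F= -v k="$key" '
            /^[[:space:]]*[#;]/ { next }                      # comment lines
            { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
            $1 == k { v = $2 }                                # later lines override
            END { print v }' "$cfg")
        if [ "$got" != "$exp" ]; then
            echo "sysctl: $key is '${got:-unset}', expected '$exp'"
            rc=1
        fi
    done
    return $rc
}

# Item 15: core dumps. "* hard core 0" (or the "-" type) in limits.conf stops
# dumps for every user via PAM; pair it with fs.suid_dumpable=0 in sysctl.
core_dumps_disabled() {
    limits="${1:-/etc/security/limits.conf}"
    awk '!/^[[:space:]]*#/ && $1 == "*" && ($2 == "hard" || $2 == "-") &&
             $3 == "core" && $4 == "0" { found = 1 }
         END { exit !found }' "$limits"
}

# Item 16: cron files must belong to root and not be group/world readable:
# mode 0600 for files such as /etc/crontab, 0700 for /etc/cron.d and friends.
# CRON_OWNER (assumed override) lets a staging copy owned by someone else pass.
cron_perms_ok() {
    owner_want="${CRON_OWNER:-root}"
    rc=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        if [ -d "$f" ]; then mode_want=700; else mode_want=600; fi
        mode=$(stat -c '%a' "$f")       # GNU stat: octal mode
        owner=$(stat -c '%U' "$f")      # GNU stat: owner name
        if [ "$owner" != "$owner_want" ] || [ "$mode" != "$mode_want" ]; then
            echo "cron: $f is $owner mode $mode, expected $owner_want mode $mode_want"
            rc=1
        fi
    done
    return $rc
}

# Item 12: the parentheses must be escaped, otherwise the shell treats them
# as a subshell and find never sees the grouping. -xdev stays on one filesystem.
unowned_files() {
    find "${1:-/}" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
}

# Run everything against the live system: ./audit.sh audit
if [ "${1:-}" = "audit" ]; then
    if sshd_root_login_disabled; then echo "sshd: PermitRootLogin no"; else echo "sshd: PermitRootLogin is NOT no"; fi
    sysctl_conf_has /etc/sysctl.conf fs.suid_dumpable=0 kernel.randomize_va_space=2 && echo "sysctl: ok"
    if core_dumps_disabled; then echo "core dumps: disabled"; else echo "core dumps: NOT disabled"; fi
    cron_perms_ok /etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily \
        /etc/cron.weekly /etc/cron.monthly && echo "cron: ok"
    unowned_files / | sed 's/^/unowned: /'
fi
```

Each function returns a plain exit status, so the same checks can be dropped into a cron job or a CI step for a golden image and alert on the first failure rather than on a report nobody reads.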

17. Install a file-shredding utility. Overwriting sensitive files with it before deleting them helps preserve confidentiality.

18. You may want to look into a Lojack-type recovery mechanism for the server.

19. You may want to read Bruce Schneier's blog.
