Important Security Information for Your Linux Server (Part 2 of 2)

This series of articles explains some important security recommendations and security measures that can help increase the security level of your Linux server.

This article provides specific security recommendations to configure your Linux server securely and to ensure its safe operation.

By default, the root user is created as the first user on every Linux system. The root user has the highest rights. With the root user, you have access to all commands and files and full read, write and executable permissions. If this user account is used improperly or inappropriately, it may have a significant impact on your server. Therefore, you should only use this user account to configure the server after its creation. 

As the root username is used as the default username for the root user, root is often a target for attacks. For this reason, it is recommended to you set up another user account. Then you can deactivate the SSH root login. When setting up the user account, make sure that it can obtain root user rights by entering the sudo command. Alternatively, you can deactivate password authentication for the root user in the /etc/ssh/sshd_config file using the PermitRootLogin prohibit-password entry. In this case, the root user can only log on to the server using SSH public-key authentication.

Further information can be found in the following article:

Deactivating the SSH root login

By default, port 22 is used to establish an SSH connection. This port is automatically configured during the installation of your operating system.

To reduce the number of brute force attacks, you can configure another port for SSH access. 

Further information can be found in the following article:

Changing the SSH port

To monitor remote activity, you should set up an email notification to report SSH logins. This email notification can be used to determine if an unauthorized access to the server occurs. A simple shell script that automatically sends an email notification to you each time you successfully log on to your server remotely is sufficient.

Fail2Ban is software that scans log files such as /var/log/pwdfail or /var/log/apache/error_log and temporarily bans IP addresses that make too many failed login attempts. Run this way, Fail2Ban can detect and repel brute force attacks. 

You can download Fail2Ban here.

An intrusion detection system is a system which is used to detect attacks on servers or networks at an early stage. Known intrusion detection systems are Tripwire, Aide and Psad.

Nmap is open-source software that allows you to perform security checks. With it, you can determine which hosts are available on the network. In addition, you can use Nmap to identify a host's open ports and the services that respond to these open ports. 

More information about Nmap can be found on the following page:

http://nmap.org

To harden the operating system of your server against attacks in an optimal way, we recommend you to consult the hardening guides, which are offered by the distribution providers.

CentOS 7

https://wiki.centos.org/HowTos/OS_Protection

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/index

Ubuntu

https://ubuntu.com/security?_ga=2.263273356.1615448989.1569829053-453270342.1569829053

Debian

https://www.debian.org/doc/manuals/securing-debian-howto/

If you suspect that your server is compromised despite all security measures, you should check the running processes. To check your server for suspicious processes, proceed as follows:

Ubuntu

• Log on to the server as an administrator.

• To display a list of running processes, enter the following command:

  root@localhost:~# ps aux

  Alternatively, you can redirect the running processes to a file using the following command:

  ps aux > processes.txt
  less processes.txt

CentOS 7

• Log on to the server as an administrator.

• To display a list of running processes, enter the following command:

  root@localhost:~# ps aux

  Alternatively, you can redirect the running processes to a file using the following command:

  ps aux > processes.txt
  less processes.txt

Pay attention to programs that are located in unusual directories. Examples:

/usr/local/bin
/var/www
/tmp

If you see a process that you cannot identify, we recommend that you first investigate whether the process may be running by default by your operating system or by an installed application. 

In addition, scan your server for malware and viruses using a malware scanner and an anti-virus program.

Protect or rename subdirectories of applications

Hackers often scan for certain subdirectories of applications, such as /phpmyadmin. When they find such a directory, they try out all the security holes to get access. If you cannot protect these subdirectories, you should rename them.

If you do not need these applications, you should uninstall them for security reasons.

Back up your databases

If you are using a database such as MySQL or MariaDB, you should make sure to back it up. Some important safety measures are listed below:

• Make sure that the local "root" user must authenticate.

• Use the strongest available hashing algorithms for authentication.

• Check, if your backup strategy is properly implemented and test the database recovery. A normal file backup may be insufficient. Instead, create a database export with tools like mysqldump or pg_dump.

You can find the first article of this article series here:

Important Security Information for Your Linux Server (Part 1 of 2)