Important Security Information for Your Linux Server (Part 2 of 2)

This series of articles explains some important security recommendations and security measures that can help increase the security level of your Linux server.

This article provides specific security recommendations to configure your Linux server securely and to ensure its safe operation.

Please Note

These security recommendations apply only to servers with root access.

Deactivate the SSH Root Login

By default, the root user is created as the first user on every Linux system. The root user has the highest rights: with it, you have access to all commands and files, with full read, write and execute permissions. If this user account is used improperly or inappropriately, it may have a significant impact on your server. Therefore, you should only use this user account to configure the server directly after it has been created.

Because root is the default username for this account, it is a frequent target of attacks. For this reason, it is recommended that you set up another user account and then deactivate the SSH root login. When setting up the user account, make sure that it can obtain root privileges with the sudo command. Alternatively, you can deactivate password authentication for the root user by setting PermitRootLogin prohibit-password in the /etc/ssh/sshd_config file. In this case, the root user can only log on to the server using SSH public-key authentication.

Further information can be found in the following article:

Deactivating the SSH root login

Change the SSH Port

By default, port 22 is used to establish an SSH connection. This port is automatically configured during the installation of your operating system.

To reduce the number of brute force attacks, you can configure another port for SSH access.

Please Note

Before changing the port, make sure that the applications and services installed on the server can be configured without the default port 22. Otherwise, changing the default port may cause these applications and services to stop working.

Further information can be found in the following article:

Changing the SSH port
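The two sshd_config changes described above (PermitRootLogin prohibit-password and a non-default port) applied by a small script, as an added example that is not part of this article; it assumes GNU sed and that the directives are top-level (lines inside a Match block would be rewritten as well).

```shell
#!/bin/bash
# Apply the article's sshd_config changes to a given config file.
# Added example, not the article's own code; assumes GNU sed.
set -eu

# set_sshd_option <config file> <Directive> <value>
# Rewrites every existing line for the directive, whether active or commented
# out ("#Port 22"), so the setting ends up exactly once; appends it when absent.
set_sshd_option() {
    local cfg="$1" key="$2" val="$3"
    if grep -Eiq "^[[:space:]]*#?${key}([[:space:]]|$)" "$cfg"; then
        sed -E -i "s|^[[:space:]]*#?${key}([[:space:]].*)?$|${key} ${val}|I" "$cfg"
    else
        printf '%s %s\n' "$key" "$val" >> "$cfg"
    fi
}

# get_sshd_option <config file> <Directive> -> effective value
# (sshd uses the first uncommented occurrence of a directive)
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd <config file> <new port>
harden_sshd() {
    set_sshd_option "$1" PermitRootLogin prohibit-password   # root: key-based login only
    set_sshd_option "$1" Port "$2"
}

# Demonstration on a constructed copy of the stock defaults. On a real server
# run harden_sshd on /etc/ssh/sshd_config, check the result with "sshd -t" and
# reload sshd from an existing session; keep that session open until a login
# on the new port works, so a mistake cannot lock you out.
demo=$(mktemp)
printf '#Port 22\n#PermitRootLogin yes\nX11Forwarding no\n' > "$demo"
harden_sshd "$demo" 2222
cat "$demo"
rm -f "$demo"
```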

Set up an Email Notification to Report SSH Logins

To monitor remote activity, you should set up an email notification that reports SSH logins. This notification helps you determine whether unauthorized access to the server has occurred. A simple shell script that automatically sends you an email each time someone successfully logs on to your server remotely is sufficient.

Please Note

The script described here will not send an email if a user establishes an SSH connection using a program such as WinSCP that does not perform a full login!

The following example describes how to create a script to report SSH logins.

  • Open the editor.

  • Add the script in the following format:

    #!/bin/bash
    # Run by /etc/profile on every login: reports who logged in and when

    echo "Login to $(hostname) on $(date +%Y-%m-%d) at $(date +%H:%M)"
    echo "User: $USER"
    echo
    # Lists all users currently logged in (requires the finger package)
    finger

  • Save the script in the /opt directory with the file name shell-login.sh

  • To run the script, add the following line to the /etc/profile file:
    /opt/shell-login.sh | mailx -s "SSH log-in to YOUR HOSTNAME" e-mail_address@example.com

  • Assign the script 755 permission:
    chmod 755 /opt/shell-login.sh

Protect the SSH Login from Brute Force Attacks with fail2ban

Fail2Ban is software that scans log files such as /var/log/pwdfail or /var/log/apache/error_log and temporarily bans IP addresses that make too many failed login attempts. Configured this way, Fail2Ban can detect and repel brute force attacks.

You can download Fail2Ban here.

Install an Intrusion Detection System

An intrusion detection system (IDS) detects attacks on servers or networks at an early stage. Well-known intrusion detection systems are Tripwire, AIDE and psad.

Check Your Server for Open Ports with Nmap

Nmap is open-source software for performing security checks. With it, you can determine which hosts are reachable on the network. In addition, you can use Nmap to identify a host's open ports and the services listening on them.

More information about Nmap can be found on the following page:

http://nmap.org
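A port check goes beyond listing open ports when you compare the result with the ports you intend to expose. The following added example (not part of this article or of Nmap) parses Nmap's grepable output and reports every open port that is not on an allowlist; the scan text it contains is constructed sample data.

```shell
#!/bin/bash
# Compare a grepable Nmap scan (-oG) of your own server with the ports you
# intend to expose. Added example; the scan below is a constructed sample.
set -eu

# Constructed sample of `nmap -p- -oG - <your server>` output (not a real scan)
SAMPLE_SCAN='# Nmap 7.80 scan initiated (constructed sample)
Host: 192.0.2.10 ()	Status: Up
Host: 192.0.2.10 ()	Ports: 2222/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///, 25/filtered/tcp//smtp///	Ignored State: closed (65530)
# Nmap done (constructed sample)'

# open_ports: stdin = -oG output -> one "port/proto" line per open port.
# Each entry in the Ports: field reads port/state/proto/owner/service/rpc/version/
open_ports() {
    awk -F'Ports: ' '/Ports: / {
        n = split($2, entry, /, */)
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")
            if (f[2] == "open") print f[1] "/" f[3]
        }
    }'
}

# unexpected_ports "<allowlist>": stdin = -oG output -> open ports that are not
# in the space-separated allowlist, e.g. "2222/tcp 80/tcp 443/tcp"
unexpected_ports() {
    local allowed=" $1 " port
    open_ports | while read -r port; do
        case "$allowed" in
            *" $port "*) ;;          # expected, nothing to report
            *) echo "$port" ;;       # not on the list: find the owner with ss -tlnp
        esac
    done
}

# Typical use on a real server:
#   nmap -p- -oG - 203.0.113.5 | unexpected_ports "22/tcp 80/tcp 443/tcp"
printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports "2222/tcp 80/tcp 443/tcp"
```

In the constructed sample only 3306/tcp is reported, i.e. a database port that should normally not be reachable from the network at all.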

Consult Additional Hardening Guides

To harden your server's operating system against attacks as thoroughly as possible, we recommend that you consult the hardening guides offered by the distribution providers.

CentOS 7

https://wiki.centos.org/HowTos/OS_Protection

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/index

Ubuntu

https://ubuntu.com/security?_ga=2.263273356.1615448989.1569829053-453270342.1569829053

Debian

https://www.debian.org/doc/manuals/securing-debian-howto/

Check Suspicious Processes

If you suspect that your server is compromised despite all security measures, you should check the running processes. To check your server for suspicious processes, proceed as follows:

Ubuntu

  • Log on to the server as an administrator.

  • To display a list of running processes, enter the following command:
    root@localhost:~# ps aux
    Alternatively, you can redirect the list of running processes to a file and page through it with the following commands:
    ps aux > processes.txt
    less processes.txt

CentOS 7

  • Log on to the server as an administrator.

  • To display a list of running processes, enter the following command:
    root@localhost:~# ps aux
    Alternatively, you can redirect the list of running processes to a file and page through it with the following commands:
    ps aux > processes.txt
    less processes.txt

Pay attention to programs that are located in unusual directories. Examples:

/usr/local/bin
/var/www
/tmp

If you see a process that you cannot identify, we recommend that you first investigate whether it is started by default by your operating system or by an installed application.
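Reviewing ps aux by hand does not scale to hundreds of processes. The following added example (not part of this article) resolves each process's executable via /proc and flags those located in the directories listed above, or whose binary has since been deleted from disk; the process lines it runs on are a constructed sample.

```shell
#!/bin/bash
# Flag running processes whose executable lives in an unusual directory or no
# longer exists on disk. Added example; the sample lines are constructed.
set -eu

# Directories where service binaries do not normally belong. /usr/local/bin is
# on the article's list; drop it if you deliberately install software there.
UNUSUAL_DIRS="/tmp /var/tmp /dev/shm /var/www /usr/local/bin"

# list_process_exes: prints "pid user exe" for every live process by resolving
# /proc/<pid>/exe (run as root, otherwise other users' links are unreadable)
list_process_exes() {
    local d pid user exe
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        exe=$(readlink "$d/exe" 2>/dev/null) || continue   # kernel threads have no exe
        user=$(stat -c %U "$d" 2>/dev/null) || user='?'
        printf '%s %s %s\n' "$pid" "$user" "$exe"
    done
}

# flag_unusual: stdin = "pid user exe" lines -> lines worth a closer look, with a reason
flag_unusual() {
    local pid user exe dir reason
    while read -r pid user exe; do
        reason=""
        for dir in $UNUSUAL_DIRS; do
            case "$exe" in "$dir"/*) reason="unusual directory" ;; esac
        done
        # A running binary that was deleted from disk is a classic hiding trick,
        # but also occurs right after package upgrades: confirm before acting.
        case "$exe" in *" (deleted)") reason="${reason:+$reason, }binary deleted from disk" ;; esac
        if [ -n "$reason" ]; then printf '%s %s %s  [%s]\n' "$pid" "$user" "$exe" "$reason"; fi
    done
}

# Constructed sample (not real processes). On a real server run:
#   list_process_exes | flag_unusual
SAMPLE_PROCESSES='1 root /usr/lib/systemd/systemd
812 www-data /usr/sbin/apache2
1337 www-data /var/www/html/.cache/kworker
2048 nobody /tmp/.x/updater (deleted)
3001 root /usr/sbin/cron (deleted)'
printf '%s\n' "$SAMPLE_PROCESSES" | flag_unusual
```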

In addition, scan your server for malware and viruses using a malware scanner and an anti-virus program.

Security Tips for Applications and Databases

Protect or rename subdirectories of applications

Hackers often scan for certain application subdirectories, such as /phpmyadmin. When they find such a directory, they try every known vulnerability to gain access. If you cannot protect these subdirectories, you should rename them.

If you do not need these applications, you should uninstall them for security reasons.

Back up your databases

If you are using a database such as MySQL or MariaDB, you should make sure to back it up. Some important security measures are listed below:

  • Make sure that the local "root" user must authenticate.

  • Use the strongest available hashing algorithms for authentication.

  • Check whether your backup strategy is properly implemented and test the database recovery. A normal file backup may be insufficient. Instead, create a database export with tools such as mysqldump or pg_dump.
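The database export recommended above, as an added example that is not part of this article: it dumps a MySQL/MariaDB database with mysqldump, keeps the file only if the dump is complete, and prunes old copies. It assumes mysqldump reads its credentials from a protected ~/.my.cnf so that no password appears on the command line.

```shell
#!/bin/bash
# Export a MySQL/MariaDB database and refuse to keep an incomplete dump, so the
# backup you test recovery from is one you can trust. Added example; assumes
# credentials in ~/.my.cnf (mode 600).
set -eu

# verify_dump <file.sql.gz>: mysqldump writes "-- Dump completed on <time>" as
# its last line; a dump cut short by a full disk or a lost connection lacks it.
verify_dump() {
    local last
    last=$(gzip -dc "$1" | tail -n 1)
    case "$last" in
        "-- Dump completed"*) return 0 ;;
        *) echo "incomplete dump: $1" >&2; return 1 ;;
    esac
}

# dump_database <db name> <backup dir> -> path of the verified, compressed dump
dump_database() {
    local db="$1" dir="$2" out
    out="$dir/$db-$(date +%Y%m%d-%H%M%S).sql.gz"
    umask 077                                   # dumps contain your data: owner-only
    # A failing mysqldump still leaves gzip with exit status 0, which is why the
    # completion marker is checked instead of relying on the pipeline status.
    mysqldump --single-transaction --routines --triggers --events "$db" | gzip > "$out"
    if ! verify_dump "$out"; then rm -f "$out"; return 1; fi
    echo "$out"
}

# prune_old_dumps <db name> <backup dir> [days, default 14]
prune_old_dumps() {
    find "$2" -name "$1-*.sql.gz" -mtime +"${3:-14}" -delete
}

# Recovery test (run regularly against a scratch database, never production):
#   gzip -dc /var/backups/mysql/shop-20240101-020000.sql.gz | mysql shop_restore_test
```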

More articles from this series

You can find the first article of this article series here:

Important Security Information for Your Linux Server (Part 1 of 2)