### Micro.Blog (Patrick H. Mullins)
==============================================================================================
Date: 2019-09-23 @ 06:18 AM EST by PHM / Linux Server Security 101

Disclaimer: This is meant to serve as a primer and as an introduction to basic Linux server security. This guide focuses on Debian/Ubuntu; however, everything presented can be applied to other distributions as well. You are encouraged to research the material presented here and to extend it where applicable.

1. Update Your Server

The first thing you should do in order to secure your server is to update the local repositories and upgrade the operating system and installed applications by applying the latest patches.

  $ sudo apt update && sudo apt upgrade -y

2. Create a new privileged user account

Next, we need to create a new user account. You should never log into your server as root. Instead, you should create your own account, give it sudo rights, and then use it to log into your server.

Let's start out by creating a new user (this and the next command need root privileges, so run them from your initial root session or prefix them with sudo):

  $ adduser username

Now let's give your new user account sudo rights:

  $ usermod -a -G sudo username

3. Upload your SSH key

You'll want to use an SSH key to log into your new server. You can upload your pre-generated public SSH key to your new server using the `ssh-copy-id` command.

  $ ssh-copy-id username@ip_address

Now you can log on to your new server without having to type in a password.

4. Secure SSH

Next, we need to make some changes to the SSH service. You need to make three changes: disable SSH password authentication, stop root from logging in remotely, and restrict the service to either IPv4 or IPv6.

Open /etc/ssh/sshd_config using nano or vi (on a fresh install these lines are usually present but commented out with a leading #, so uncomment them as well) and make sure that

  PasswordAuthentication yes
  PermitRootLogin yes

is changed to look like this:

  PasswordAuthentication no
  PermitRootLogin no

Next, we need to restrict the SSH service to either IPv4 or IPv6 by modifying the AddressFamily option. To change it to only use IPv4 (which should be fine for most folks) make the following change:

  AddressFamily inet

Now we need to restart the SSH service to enable our changes. Note that it's a good idea to have two active SSH connections to your server before restarting the SSH service. If the restart goes wrong, the extra connection lets you fix the configuration instead of being locked out.

  $ sudo service sshd restart
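Editing sshd_config by hand works, but a script that makes the same three changes is repeatable and lets you check the file with sshd itself before restarting. The following POSIX shell script is an added example, not code from the original post: the function names (set_sshd_option, get_sshd_option, apply_ssh_hardening, check_sshd_config) are mine, and the file it edits is whatever path you pass in.

```sh
#!/bin/sh
# Idempotently set sshd_config directives, then ask sshd to validate the file.
# Added example; works with GNU and BSD sed. Keyword matching is case-sensitive here,
# so use the spelling sshd_config(5) uses.

# set_sshd_option FILE KEY VALUE
# Rewrites every active or commented-out line for KEY (a fresh sshd_config ships
# "#PasswordAuthentication yes" and "#PermitRootLogin prohibit-password"), or
# appends the directive if the file has no line for it at all.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        sed -i.bak -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$/$key $value/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY
# Prints the value sshd would take from this file: the first active line wins.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# apply_ssh_hardening FILE: the three changes described in the post.
apply_ssh_hardening() {
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" AddressFamily inet
}

# check_sshd_config FILE: have sshd parse the file (needs root to read host keys)
# before you restart the service, so a typo cannot lock you out.
check_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not found; skipping syntax check" >&2
    fi
}

# Usage on a real host:  sudo sh harden_ssh.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    apply_ssh_hardening "$1" && check_sshd_config "$1" && echo "config OK, now restart the SSH service"
fi
```

One caveat: newer Debian/Ubuntu releases put `Include /etc/ssh/sshd_config.d/*.conf` at the top of sshd_config, and because sshd honours the first occurrence of a directive, a drop-in file there (cloud images often ship one that sets PasswordAuthentication) silently overrides your edit. `sudo sshd -T | grep -i passwordauthentication` prints the value sshd actually uses, which is the one worth checking after the restart.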

5. Enable Firewall

Now we need to install a firewall, enable it, and configure it to only allow the network traffic that we designate. UFW, or Uncomplicated Firewall, is an easy-to-use front end to iptables that greatly simplifies configuring a firewall.

You can install UFW using the following:

  $ sudo apt install ufw

By default, UFW denies all incoming connections and allows all outgoing connections. This means any application on your server can reach the Internet, while nobody from outside can connect to your server until you allow it.

First, let's make sure that we can still log in by allowing SSH (plus HTTP and HTTPS for web traffic) before the firewall is switched on.

  $ sudo ufw allow ssh
  $ sudo ufw allow http
  $ sudo ufw allow https

Now we need to enable UFW.

  $ sudo ufw enable

You can see which services are allowed or denied as follows:

  $ sudo ufw status

If you ever want to disable UFW you can do so by typing in the following:

  $ sudo ufw disable

6. Install Fail2Ban

Fail2Ban is an application that scans server logs for repeated or automated attacks, such as brute-force login attempts. If any are found, it alters the firewall to block the attacker's IP address either permanently or for a specified amount of time.

You can install Fail2Ban by typing in the following:

  $ sudo apt install fail2ban -y

Next we need to copy the included configuration file. Fail2Ban reads jail.local on top of jail.conf, and jail.conf is overwritten on package upgrades, so local changes belong in jail.local.

  $ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now we need to restart Fail2Ban.

  $ sudo service fail2ban restart

That's all there is to it. The software will now continuously examine the log files looking for attacks. After a while it will build up quite a list of banned IP addresses. You can view this list by requesting the current status of the sshd jail (the jail is named sshd, after the daemon, not ssh):

  $ sudo fail2ban-client status sshd

7. Remove Unused Network-Facing Services

You can see all TCP and UDP sockets, along with the process that owns each one, by using the ss command.

  $ sudo ss -atpu

The output from ss will differ depending on your operating system. This is an example of what you might see. It shows that the SSH (sshd) and NGINX (nginx) services are listening and ready for connections.

  tcp LISTEN 0 128 *:http *:* users:(("nginx",pid=22563,fd=7))
  tcp LISTEN 0 128 *:ssh *:* users:(("sshd",pid=685,fd=3))

How you go about removing an unused service will be different depending on your operating system and the package manager it uses.

To remove an unused service on Debian/Ubuntu:

  $ sudo apt purge service_name

To remove an unused service on Red Hat/CentOS:

  $ sudo yum remove service_name

Run ss -atpu again to verify that the unused services are no longer installed and listening.
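Reading the full ss output by eye gets tedious on a busy host, and it is easy to miss a newly installed daemon that started listening. The script below is an added example, not part of the original post: it reduces `ss -atpu` output to one "proto port process" line per listening socket and flags any socket whose owning process is not on an allowlist you pass in. The sample ss output embedded in it is constructed for the demo, not captured from a real server, and the function names are mine.

```sh
#!/bin/sh
# Inventory listening sockets from `ss -atpu` and flag unexpected ones. Added example.

# Constructed sample of `ss -atpu` output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
tcp   LISTEN 0      128    *:http              *:*                 users:(("nginx",pid=22563,fd=7))
tcp   LISTEN 0      128    *:ssh               *:*                 users:(("sshd",pid=685,fd=3))
tcp   LISTEN 0      128    0.0.0.0:6379        0.0.0.0:*           users:(("redis-server",pid=1234,fd=6))
tcp   ESTAB  0      0      10.0.0.5:ssh        203.0.113.7:51234   users:(("sshd",pid=900,fd=4))
udp   UNCONN 0      0      0.0.0.0:bootpc      0.0.0.0:*           users:(("dhclient",pid=400,fd=6))'

# listening_sockets: reads ss output on stdin and prints "proto port process" for each
# listening socket. TCP listeners are in state LISTEN; a bound UDP socket shows as UNCONN.
# Established connections and the header line are skipped.
listening_sockets() {
    awk '
        ($1 == "tcp" && $2 == "LISTEN") || ($1 == "udp" && $2 == "UNCONN") {
            port = $5; sub(/.*:/, "", port)     # text after the last ":" of Local Address:Port
            proc = "-"                          # "-" when ss could not see the owner (run it with sudo)
            if (match($0, /users:\(\("[^"]+"/)) {
                split(substr($0, RSTART, RLENGTH), part, "\"")
                proc = part[2]
            }
            print $1, port, proc
        }'
}

# unexpected_sockets NAME...: reads ss output on stdin and prints the listening sockets
# whose owning process is not one of the NAMEs you expect on this server.
unexpected_sockets() {
    allowed=" $* "
    listening_sockets | while read -r proto port proc; do
        case "$allowed" in
            *" $proc "*) ;;
            *) printf '%s %s %s\n' "$proto" "$port" "$proc" ;;
        esac
    done
}

# Demo on the constructed sample. On a live host run:
#   sudo ss -atpu | unexpected_sockets sshd nginx
printf '%s\n' "$SAMPLE_SS" | unexpected_sockets sshd nginx
```

On the sample this prints the Redis listener on port 6379 and the DHCP client socket; the first is the kind of thing that deserves either removal or a firewall rule, the second is expected on a DHCP-configured host and simply gets added to the allowlist. Run it from cron and diff the output against yesterday's to notice when something new starts listening.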

Final Thoughts

This tutorial represents the bare minimum needed to harden a Linux server. Additional security layers can and should be enabled depending on how the server is used. These layers include things like hardening individual application configurations, intrusion detection software, and stronger access control such as two-factor authentication.