If you have servers connected to the internet, you likely have valuable data stored on them that needs to be protected from bad actors.
Linux server hardening is a set of measures used to reduce the attack surface and improve the security of your servers. Hardening can be done on different levels, from the physical level, by restricting the access of unauthorized people, to the application level, by removing unwanted software listening on incoming connections.
We’ll cover 10 necessary practices for hardening your Linux servers and substantially reducing the attack surface. We’ll also include tips on logging, auditing, and compliance best practices. All of these help with early detection in the event that your servers are compromised.
Our list starts with some common tips and progresses to advanced and lesser-known suggestions. Let’s begin.
1. Use Secure Shell Protocol
Secure Shell Protocol (or SSH) enables you to make a secure connection to your network services over an unsecured network. Here are some helpful tips for implementing SSH:
- Each server should be configured to use SSH for logging in remotely. Other protocols, such as Telnet and rlogin, transfer the password in plain text, leaving a gaping hole for punk-in-the-path (previously known as man-in-the-middle) attacks.
- Configure IPTables to restrict SSH access from known IPs only.
- Use SSH version 2 because of its security enhancements over SSH version 1.
- Consider disabling SSH altogether if it’s not needed.
- Key-based authentication should be used instead of password-based authentication.
- Client keys should be encrypted to prevent their use in case they are stolen.
- While configuring the server, root login should also be disabled and only users with the appropriately configured access level should be allowed to login. Users can use sudo to perform tasks requiring elevated privileges.
2. Close Open Ports
Tools like netstat will help you check which software is listening for incoming connections. If you find an unnecessary service or server application listening for inbound connections, disable the port or remove the application.
Vulnerabilities in such applications can be exploited by attackers, hence closing down unnecessary open ports can quickly reduce the attack surface.
To take it down one step further, block the unused ports to avoid any new service binding to them.
3. Enable Firewall
Using Linux iptables to keep a tab on incoming, outgoing, and forwarded practices can help you secure your servers. You can configure “allow” and “deny” rules to accept or send traffic from specific IP addresses. This restricts the unchecked traffic movement on your servers.
However, just securing the perimeter via a firewall is not enough. In the cloud, the VMs should be configured to run in a Zero Trust network, as opposed to on-premise VMs, which are in a demilitarized zone. Any communication between VMs is considered relatively secure.
4. Disable USB and Thunderbolt Devices
Allowing booting from unauthorized external devices can allow attackers to bypass the security of your system by booting the operating system from their external device.
To preempt this kind of access, lock down booting from external USBs, CDs, and disks from BIOS. As an added step, putting password protection on BIOS will make it so that boot settings can only be changed by authorized users.
While you’re at it, enabling UEFI Secure Boot will further ensure only trusted binaries are loaded during boot.
Disabling boot from external devices can only safeguard you from unauthorized access. Users who have access to the system and a malicious intent can still copy sensitive files to their USB and thunderbolt sticks. Worse still, they can install malware, viruses, or backdoors on your servers. Once access to USB and Thunderbolt devices is disabled, a user cannot harm the system in these ways.
Finally, consider encrypting your full disk to avoid data loss in case of theft of machines or drives themselves.
5. Turn On SELinux
Security-Enhanced Linux, or SELinux for short, is a built-in access control mechanism. For systems connected to the internet and accessed by public users, disabling SELInux can be catastrophic for your servers.
SELinux operates in the following three modes:
- Disabled: SELinux is completely off. You should avoid this mode at all times.
- Permissive: In this mode SELinux doesn’t enforce any policy, but logs and audits all actions. This can be used while configuring the machine and installing the services to ensure all services are running, but you should switch to Enforcing as soon as configuration is done.
- Enforcing: This mode is most secure and enforces all policies. This is the default mode of SELinux and is also the recommended mode.
6. Strong Password Policies
Using easy-to-crack passwords or continuing to use passwords that have been exposed in data breaches can weaken the security of even the most sophisticated systems. Here are a few password best practices:
- Disable accounts with empty passwords and ask users to set passwords for their accounts. Also disable the root account. Use of sudo should be promoted as it provides better auditing and control.
- Encourage stronger passwords and harder to guess passwords by requiring them to follow certain guidelines.
7. Purge Unnecessary Packages
Operating systems often come preloaded with software and services that run constantly in the background without notice. To enhance the security of your servers, list all packages and software installed on your servers using your package managers (apt, yum, dpkg).
Security vulnerabilities in such software can lead to compromised servers, so make it a practice to uninstall unnecessary programs.
8. Keep Kernel and Packages Updated
With such a large and active open-source community around Linux, security issues within the kernel and packages are fixed quickly. These fixes are available in the form of updated packages or patches in the Linux kernel.
Keep your kernel and packages updated with the latest security updates to avoid exploitation of known vulnerabilities.
9. Disable ICMP
Internet Control Message Protocol (ICMP) allows internet hosts to notify other hosts about errors and helps system administrators in troubleshooting. However, ICMP can also be exploited by adversaries to gain information about attacked networks.
When ICMP is enabled, malicious attacks including network discovery, covert communication channels, and network traffic redirections can be executed. Below are a few examples of types of attacks that can be unleashed when ICMP is enabled.
- Ping sweep: Attackers use this to identify all hosts on a network.
- Ping flood: Attackers can send ICMP messages in rapid succession, causing exhaustion of both incoming and outgoing bandwidth.
Keep in mind that completely disabling ICMP can hamper diagnostics, reliability, and network performance. Therefore, it’s best to disable only certain types of ICMP messages to secure network devices. You should still have Type 3 (Destination Unreachable) and Type 4 (Source Quench) enabled to avoid any network performance drop.
10. Logging and Auditing
Keeping detailed logging and auditing enabled for your servers is crucial. These logs can later be used to detect any attempted intrusions. Also, in case of intrusion, these logs will help you gauge the extent of the breach and offer insight for a blameless postmortem of the incident. Syslog logs all the messages in /var/log directory by default.
Here are some additional tips for improving the security of your servers.
Turn Off IPv6
If your network applications are not using IPv6 protocol, disable it to decrease the attack surface. You can do this by editing the /etc/sysconfig/network file.
Separate Disk Partitions
Using the same partition for OS, user files, and software is a disaster waiting to happen. If there is an intrusion, all of your data will be at risk. Keeping partitions separated and grouped can help decrease the radius of any attack. A sample partition scheme is given below.
You should also ensure all third party applications are installed on a separate partition, /opt for example.
The importance of a well-managed backup can’t be overstated. An offsite backup of your server can help you quickly recover any lost machines due to intrusion or attack.
To this end, you should set up encrypted backups to external storage systems, such as NAS or through cloud backup services.
Automated Threat and Compliance Monitoring Tools
So far, the tips we’ve covered for hardening your Linux servers are meant to reduce the attack surface. But don’t mistake a hardened Linux instance for a fully secured machine. Doing so may invite lawsuits due to data theft or loss.
Hardening your Linux instances is just the first step. The second step is investing in a security solution that protects the application workloads at runtime, such as Intezer Protect. These tools constantly monitor your entire infrastructure, identifying and stopping malicious or unauthorized code as it attempts to execute. Additionally, Intezer Protect provides info on vulnerabilities and misconfigs in runtime to prevent attacks.
Most runtime solutions are not designed for the world of cloud and Linux environments. They are usually a migrated Windows endpoint solution, creating high CPU issues and slowing down production environments. Traditional Windows EDRs also tend to have low detection rates of Linux threats. Intezer Protect is the fastest to identify attacks in Linux and containerized environments and is also perfect for highly scalable cloud environments, averaging only 0.5% CPU.
As more companies adopt Linux, the frequency of Linux attacks is also increasing. These increased threats make hardening a worthwhile task. Contrary to popular belief, Linux is not inherently safe and should be hardened to safeguard your instances. The tips and methods discussed in this article are not exhaustive but they do cover hardening from a wide perspective.
Hardening your Linux instances doesn’t mean that you’re safe from every malicious attack, though, it just reduces the attack surface. For Defense in depth security through runtime protection and visibility get started with Intezer Protect for free.