Hardening your Linux server's security: a step-by-step guide

As a system administrator, it's your responsibility to ensure the security of your Linux servers. With hackers and cyber criminals constantly finding new ways to target servers, it's important to take proactive measures to protect your systems. In this article, we'll provide a step-by-step guide for hardening the security of your Linux server. We'll cover a range of topics, including:

Configuring firewall rules
Setting up two-factor authentication
Implementing strong password policies
Keeping your server up to date with security updates and patches

By following the steps outlined in this article, you'll be able to significantly improve the security of your Linux server, and reduce the risk of potential threats. So, let's get started! The first step in securing your Linux server is to set up a firewall. A firewall is a security system that controls incoming and outgoing network traffic based on predetermined rules. It acts as a barrier between your server and the internet, helping to protect your system from unauthorized access and potential threats. In the next section, we'll explain how to set up firewall rules using iptables, a common tool for managing firewall rules on Linux systems.

Configuring firewall rules

Firewall rules are an essential part of securing a Linux server. They allow you to control which network traffic is allowed to enter and leave your system, helping to protect it from unauthorized access and potential threats. In this section, we'll explain how to configure firewall rules using ufw, a user-friendly firewall application for Linux systems. Installing ufw Before you can use ufw, you'll need to make sure it's installed on your system. If it's not already installed, you can install it using your package manager. For example, on Ubuntu, you can use apt-get to install ufw:

sudo apt-get update 
sudo apt-get install ufw

On other distributions, you may need to use a different package manager. For example, on CentOS, you can use yum to install ufw:

sudo yum update 
sudo yum install ufw

Once ufw is installed, you can start creating firewall rules.

Creating firewall rules There are several different types of firewall rules you can create with ufw, depending on your specific security needs. Here are a few examples of common firewall rules that you might consider implementing on your Linux server:

Allow incoming traffic on specific ports: If you need to allow incoming traffic on certain ports (for example, to allow incoming SSH connections), you can use the allow action and specify the protocol (TCP or UDP) and the port number. For example, the following rule will allow incoming SSH connections (on port 22):
```
  ufw allow 22/tcp
```
Allow incoming traffic from specific IP ranges: If you want to allow incoming traffic from a specific range of IP addresses, you can use the allow action and specify the IP range. For example, the following rule will allow incoming traffic from the IP range 10.0.0.0/24:
```
  ufw allow from 10.0.0.0/24
```
Allow outgoing traffic to specific destinations: If you want to allow outgoing traffic to specific destinations, you can use the allow action and specify the destination IP or hostname. For example, the following rule will allow all outgoing traffic to the IP address 10.0.0.1:
```
  ufw allow out to 10.0.0.1
```
Block incoming traffic from specific IP addresses: If you want to block incoming traffic from specific IP addresses, you can use the deny action and specify the source IP. For example, the following rule will block all incoming traffic from the IP address 10.0.0.1:
```
  ufw deny from 10.0.0.1
```

These are just a few examples of the types of rules you can create with ufw. You can use these examples as a starting point and create more complex rules that meet the specific security needs of your system. Once you've configured your firewall rules, it's important to regularly review and update them to ensure that your server remains secure. Enabling and disabling ufw Once you've created your firewall rules, you'll need to enable ufw to start enforcing them. You can do this with the ufw enable command:

ufw enable

To disable ufw, you can use the ufw disable command:

ufw disable

keep in mind that if you disable ufw, all firewall rules will be disabled, and your server will be vulnerable to potential threats. It's important to only disable ufw when you need to make temporary changes to your firewall rules, and to re-enable it as soon as possible. That's it! You've now learned how to configure firewall rules using ufw. In the next section, we'll explain how to set up two-factor authentication to further improve the security of your Linux server.

Best practices for server security when setting up the firewall

When setting up the firewall on your Linux server, there are a few best practices you should follow to ensure maximum security. Here are a few tips to keep in mind:

Only allow traffic on the ports you need: One of the most important security measures you can take is to only allow traffic on the ports that are absolutely necessary for your server. This helps to reduce the attack surface of your server, making it less vulnerable to potential threats.
Use a default-deny policy: A default-deny policy means that all traffic is denied, unless specifically allowed by a firewall rule. This is a more secure approach than a default-allow policy, where all traffic is allowed unless specifically denied by a firewall rule.
Block traffic from known malicious IP addresses: If you know of specific IP addresses that are known to be used by hackers or other malicious actors, you should consider blocking traffic from those IP addresses. You can use the deny action in ufw to block traffic from specific IP addresses.
Regularly review and update your firewall rules: As your server evolves and your needs change, it's important to regularly review and update your firewall rules. Make sure to remove any unnecessary rules, and add new ones as needed.

By following these best practices, you can help to ensure that your server is as secure as possible, and reduce the risk of potential threats. Here are a few additional best practices for server security when setting up the firewall:

Use strong passwords: When setting up your firewall, make sure to use strong, unique passwords for any accounts that have access to the firewall configuration. This helps to prevent unauthorized access to your firewall, and helps to ensure that your server remains secure.
Enable logging: Enabling logging can be helpful for detecting and debugging potential security issues. ufw allows you to enable logging by using the ufw logging on command. Once logging is enabled, ufw will log all firewall activity to the /var/log/ufw.log file.
Use secure protocols: Whenever possible, use secure protocols (such as HTTPS or SFTP) to communicate with your server. This helps to prevent interception of data by unauthorized parties.
Stay up to date: Make sure to keep your firewall software and operating system up to date with the latest security patches and updates. This helps to ensure that your server is protected against the latest threats.

By following these additional best practices, you can further improve the security of your Linux server when setting up the firewall.

Setting up two-factor authentication

Two-factor authentication (2FA) is a security measure that requires users to provide an additional layer of authentication when logging into a system. With 2FA, users are required to enter a one-time password (OTP) in addition to their regular password. This helps to prevent unauthorized access to your server, even if an attacker has obtained your password. In this section, we'll explain how to set up 2FA on your Linux server using google-authenticator. Installing google-authenticator

To set up 2FA on your Linux server, you'll need to install the google-authenticator package. This package provides a command-line tool that you can use to set up 2FA for your server. You can install google-authenticator using your package manager. For example, on Ubuntu, you can use apt-get to install the package:

sudo apt-get update sudo apt-get install libpam-google-authenticator

On other distributions, you may need to use a different package manager. For example, on CentOS, you can use yum to install the package:

sudo yum update sudo yum install google-authenticator

Once google-authenticator is installed, you can start setting up 2FA for your server. Setting up 2FA for an individual user To set up 2FA for an individual user, you'll need to run the google-authenticator command as that user. This will guide you through the process of setting up 2FA for that user's account. Here's an example of how to set up 2FA for the user1 account:

Run the google-authenticator command as the user you want to set up 2FA for. For example, if you want to set up 2FA for the user1 account, you would run the following command:
```
 google-authenticator
```
Follow the prompts to set up 2FA for the user's account. The google-authenticator command will ask you a series of questions, including:

Whether you want to enable 2FA for the user's account
Whether you want to use a time-based OTP (TOTP) or a counter-based OTP (HOTP)
Whether you want to allow multiple uses of the same OTP

Make sure to answer these questions carefully, as they will affect the security of the user's account.

Once you've answered the questions, google-authenticator will generate a secret key and display a QR code. The secret key is a unique string that is used to generate the OTPs, and the QR code can be used to easily set up 2FA on a smartphone or other device. Make sure to save the secret key and QR code in a secure location.
To complete the setup process, you'll need to update the sshd configuration to require 2FA for the user's account. To do this, edit the /etc/ssh/sshd_config file and add the following line:
```
 ChallengeResponseAuthentication yes
```

This will enable 2FA for the user's account. Make sure to restart the sshd service to apply the changes:

systemctl restart sshd

That's it! You've now set up 2FA for the user's account. The user will need to provide an OTP in addition to their regular password when logging into the server. Setting up 2FA for all users If you want to set up 2FA for all users on your server, you'll need to follow a similar process, but with a few additional steps. Here's an example of how to set up 2FA for all users on a Ubuntu server:

Install the libpam-google-authenticator package:

 sudo apt-get update sudo apt-get install libpam-google-authenticator

Edit the /etc/pam.d/sshd file and add the following line at the end:
```
 auth required pam_google_authenticator.so
```

This will enable 2FA for all users on the server.

Edit the /etc/ssh/sshd_config file and add the following line:
```
 ChallengeResponseAuthentication yes
```

This will require all users to provide an OTP in addition to their regular password when logging into the server.

Restart the sshd service to apply the changes:
```
 systemctl restart sshd
```

That's it! You've now set up 2FA for all users on your server. All users will need to provide an OTP in addition to their regular password when logging into the server. Enabling 2FA for a specific group of users If you only want to enable 2FA for a specific group of users, you can use PAM configuration files to specify which users should be required to use 2FA. Here's an example of how to enable 2FA for the admin group on a Ubuntu server:

Create a new PAM configuration file for the admin group. To do this, create a new file called /etc/pam.d/sshd-admin and add the following line:
```
 auth required pam_google_authenticator.so
```

This will enable 2FA for the admin group.

Edit the /etc/ssh/sshd_config file and add the following line:
```
 Match Group admin ChallengeResponseAuthentication yes
```

This will require all users in the admin group to provide an OTP in addition to their regular password when logging into the server.

Restart the sshd service to apply the changes:
```
 systemctl restart sshd
```

That's it! You've now set up 2FA for the admin group on your server. All users in the admin group will be required to provide an OTP in addition to their regular password when logging into the server. By setting up 2FA on your Linux server, you can significantly improve the security of your system, and reduce the risk of unauthorized access. Implementing 2FA with OTP in Details Once you've set up 2FA on your Linux server, users will be required to provide an OTP in addition to their regular password when logging in. Here's an example of how this works:

The user initiates an SSH connection to the server using their regular username and password.
The server prompts the user for an OTP. This can be done using a variety of methods, such as displaying a prompt on the command line or sending an SMS message to the user's smartphone.
The user enters the OTP and submits it to the server.
The server verifies the OTP and, if it is correct, allows the user to log in. If the OTP is incorrect, the server denies the login request.

This process adds a layer of security to the login process and helps to prevent unauthorized access to the server, even if an attacker has obtained the user's password. There are a few different ways that OTPs can be generated and delivered to users. Some common methods include:

Time-based OTP (TOTP): TOTP is a common method for generating OTPs. With TOTP, the OTP is generated based on the current time and a secret key. The secret key is shared between the server and the user's device and is used to generate the OTP. TOTP is typically used with smartphone apps, such as Google Authenticator or Authy, which can generate OTPs based on the secret key.
Counter-based OTP (HOTP): HOTP is another method for generating OTPs. With HOTP, the OTP is generated based on a counter value and a secret key. The counter value is incremented each time an OTP is generated, and the secret key is used to generate the OTP. HOTP is typically used with hardware tokens, such as security keys or smart cards, which can generate OTPs based on the counter value and secret key.
SMS-based OTP: SMS-based OTP is a method for delivering OTPs via text message. With this method, the server sends an OTP to the user's smartphone via SMS, and the user enters the OTP to log in. This can be a convenient method for users who don't have a smartphone app or hardware token, but it is generally less secure than TOTP or HOTP, as SMS messages can be intercepted by third parties.

By implementing 2FA with OTP, you can significantly improve the security of your Linux server and reduce the risk of unauthorized access. It's important to choose the OTP generation and delivery method that is most appropriate for your needs, and to carefully manage the secret keys and counter values used to generate the OTPs. In addition to choosing the right OTP generation and delivery method, there are a few other best practices you should follow when implementing 2FA with OTP:

Use unique secret keys: Make sure to use unique secret keys for each user's account. This helps to ensure that OTPs can't be easily intercepted or guessed by attackers.
Enable OTP rate limiting: OTP rate limiting is a feature that limits the number of OTP attempts that a user can make within a certain period. By enabling OTP rate limiting, you can help prevent brute force attacks, in which an attacker tries to guess the OTP by making repeated login attempts.
Use secure communication channels: Whenever possible, use secure communication channels (such as HTTPS or SFTP) to transmit OTPs between the server and the user's device. This helps to prevent interception of the OTP by unauthorized parties.

By following these best practices, you can further improve the security of your Linux server when implementing 2FA with OTP. In the next section, we'll explain how to implement strong password policies to further improve the security of your server.

Implementing strong password policies

Strong password policies are an essential component of server security. By requiring users to create and use strong passwords, you can help to prevent unauthorized access to your server, even if an attacker has obtained a user's password. In this section, we'll explain the importance of strong passwords for Linux server security, provide tips for creating and managing strong passwords, and describe tools and techniques for enforcing password policies on Linux servers. Importance of strong passwords for Linux server security Strong passwords are an important defense against unauthorized access to your server. By requiring users to create and use strong passwords, you can help to prevent attackers from guessing or cracking the passwords and gaining access to the system. To be effective, passwords should be long, complex, and unique. Long passwords are more difficult for attackers to guess or crack, and complex passwords are more resistant to dictionary attacks and other common cracking techniques. Unique passwords are also important, as using the same password for multiple accounts makes it easier for attackers to gain access to multiple systems. By implementing strong password policies, you can significantly improve the security of your Linux server and reduce the risk of unauthorized access. Tips for creating and managing strong passwords Here are a few tips for creating and managing strong passwords:

Use a password manager: A password manager is a tool that helps you to generate and store strong, unique passwords for all of your accounts. Password managers typically use cryptographic techniques to securely store your passwords, and can also generate random, complex passwords for you.
Use a combination of upper and lower case letters, numbers, and special characters: By using a combination of different types of characters in your passwords, you can make them more difficult to guess or crack.
Use long passwords: Longer passwords are generally more secure than shorter ones, as they are more difficult for attackers to guess or crack. Aim for passwords that are at least 12 characters long.
Don't use dictionary words or personal information: Avoid using dictionary words or personal information (such as your name or birthdate) in your passwords. These types of passwords are easy for attackers to guess or crack.
Use different passwords for different accounts: Don't use the same password for multiple accounts.

If an attacker obtains one of your passwords, they will be able to gain access to all of your accounts if you use the same password for all of them. By using unique passwords for each account, you can reduce the risk of unauthorized access. Tools and techniques for enforcing password policies on Linux servers There are a few tools and techniques that you can use to enforce strong password policies on your Linux server:

pam_pwquality: pam_pwquality is a PAM module that can be used to enforce password policy rules on a Linux system. With pam_pwquality, you can specify a variety of password policy rules, such as minimum password length, required character types, and password aging rules. To use pam_pwquality, you'll need to install the libpam-pwquality package and configure the pam_pwquality module in the /etc/pam.d/common-password file.
pam_cracklib: pam_cracklib is another PAM module that can be used to enforce password policy rules on a Linux system. Like pam_pwquality, pam_cracklib allows you to specify a variety of password policy rules, such as minimum password length and required character types. To use pam_cracklib, you'll need to install the libpam-cracklib package and configure the pam_cracklib module in the /etc/pam.d/common-password file.
/etc/login.defs: The /etc/login.defs file is a system-wide configuration file that can be used to enforce password policy rules on a Linux system. With /etc/login.defs, you can specify a variety of password policy rules, such as minimum password length, password aging rules, and required character types.

By using these tools and techniques, you can effectively enforce strong password policies on your Linux server, and help to prevent unauthorized access to the system. One of the most commonly used tools for enforcing password policies on Linux servers is pam_pwquality. In this example, we'll show you how to use pam_pwquality to enforce a password policy on a Ubuntu server. To use pam_pwquality, you'll need to install the libpam-pwquality package and configure the pam_pwquality module in the /etc/pam.d/common-password file. Here's an example of how to do this:

Install the libpam-pwquality package:

 sudo apt-get update 
 sudo apt-get install libpam-pwquality

Edit the /etc/pam.d/common-password file and add the following line:

password required pam_pwquality.so

This will enable the pam_pwquality module for all applications that use the common-password file.

You can also specify additional pam_pwquality options in the /etc/security/pwquality.conf file. Here are a few examples of options that you can use to enforce a password policy:
- Require passwords to be at least 12 characters long: minlen = 12
- Require passwords to contain at least one uppercase letter, one lowercase letter, and one digit: dcredit = -1 ucredit = -1 lcredit = -1
- Set the maximum password age to 90 days: maxage = 90

These options will require passwords to be at least 12 characters long, contain at least one uppercase letter, one lowercase letter, and one digit, and have a maximum age of 90 days. The minlen option sets the minimum password length, the dcredit, ucredit, and lcredit options require passwords to contain at least one uppercase letter, one lowercase letter, and one digit, and the maxage option sets the maximum password age to 90 days. By configuring the pam_pwquality module and specifying these options, you can effectively enforce a strong password policy on your Ubuntu server. Users will be required to create passwords that meet these criteria to set or change their passwords. It's important to regularly review and update your password policy to ensure that it remains effective in protecting your server. As new security threats emerge, you may need to adjust your password policy to address these threats. For example, you may need to increase the minimum password length or require the use of more complex passwords to better protect your server. By implementing a strong password policy and regularly reviewing and updating it, you can help to ensure that your Linux server is secure and protected from unauthorized access.

Keeping your Linux server up to date

One of the most important things you can do to maintain the security of your Linux server is to keep it up to date. This means regularly installing security updates and patches to fix vulnerabilities and prevent exploits. In this section, we'll explain the importance of security updates and patches, describe how to check for and apply updates on your Linux server, and provide best practices for maintaining regular updates and patches. Importance of security updates and patches Security updates and patches are an essential part of maintaining the security of your Linux server. These updates fix vulnerabilities and exploits that can be exploited by attackers to gain unauthorized access to your system. By installing security updates and patches as soon as they are available, you can help protect your server from these vulnerabilities and prevent unauthorized access. Failing to install security updates and patches can leave your server vulnerable to attacks, and can increase the risk of data loss or compromise. It's important to regularly check for and install security updates and patches on your Linux server to ensure that it is secure and protected from potential vulnerabilities. How to check for and apply updates on your Linux server There are a few different ways to check for and apply updates on your Linux server, depending on the distribution you are using. On Ubuntu: You can use the apt-get tool to check for and apply updates on Ubuntu. Here's an example of how to do this:

Update the package list
```
  sudo apt-get update
```
Upgrade installed packages to the latest version
```
  sudo apt-get upgrade
```

The apt-get update command updates the package list and the apt-get upgrade command upgrades the installed packages to the latest version. On CentOS: You can use the yum tool to check for and apply updates on CentOS. Here's an example of how to do this:

Update the package list

  sudo yum check-update
  sudo yum update

Upgrade installed packages to the latest version
```
  sudo yum upgrade
```

The yum check-update command updates the package list and the yum upgrade command upgrades the installed packages to the latest version.

Best practices for maintaining regular updates and patches

Here are a few best practices for maintaining regular updates and patches on your Linux server:

Set up automatic updates: Many Linux distributions offer automatic update features that can help to ensure that your server is always up to date. On Ubuntu, for example, you can use the unattended-upgrades package to automatically install security updates and patches.
Monitor for new updates and patches: Regularly check for new updates and patches, and install them as soon as they are available. This will help to ensure that your server is always protected against the latest vulnerabilities.
Test updates and patches before deploying: Before installing updates and patches, it's a good idea to test them in a staging environment to ensure that they don't cause any issues with your server.
Keep a backup of your server: Before installing updates and patches, it's a good idea to keep a backup of your server in case something goes wrong. This will allow you to easily restore your server if there are any issues with the updates or patches.

By following these best practices, you can help to ensure that your Linux server is always up to date and protected against vulnerabilities. Enabling automatic updates To help ensure that your Linux server is always up to date, you can set up automatic updates. This will allow the system to automatically check for and install updates and patches as they become available, without requiring you to manually check and install them. Here are a few examples of how to enable automatic updates on different Linux distributions: On Ubuntu: You can use the unattended-upgrades package to enable automatic updates on Ubuntu. To install and configure unattended-upgrades, follow these steps:

Install the unattended-upgrades package:

sudo apt-get update sudo apt-get install unattended-upgrades
Configure the unattended-upgrades package by editing the /etc/apt/apt.conf.d/50unattended-upgrades file. For example, you can enable automatic installation of security updates by adding the following line:
```
 Unattended-Upgrade::Automatic-Reboot "true"; Unattended-Upgrade::Automatic-Reboot-Time "03:00";
```
This will enable automatic reboots (if necessary) at 3:00 AM.
You can also specify which types of updates you want to install automatically. For example, to enable automatic installation of security updates, you can add the following line:
```
 Unattended-Upgrade::Origins-Pattern { "origin=Debian,codename=${distro_codename},label=Debian-Security"; };
```
This will enable automatic installation of security updates from the Debian-Security repository.

By configuring unattended-upgrades, you can enable automatic updates on Ubuntu, which will help to ensure that your server is always up to date and protected against vulnerabilities. On CentOS: You can use the yum-cron package to enable automatic updates on CentOS. To install and configure yum-cron, follow these steps:

Install the yum-cron package:

 sudo yum update 
 sudo yum install yum-cron

Enable the yum-cron service by running the following command:
```
 sudo systemctl enable yum-cron
```
Start the yum-cron service by running the following command:
```
 sudo systemctl start yum-cron
```
You can configure the yum-cron service by editing the /etc/yum/yum-cron.conf file. For example, you can enable automatic installation of updates by setting the apply_updates option to yes:
```
 apply_updates = yes
```
You can also specify the types of updates you want to install automatically by setting the update_cmd option. For example, to enable automatic installation of security updates, you can set the update_cmd option to security:
```
 update_cmd = security
```

By configuring yum-cron, you can enable automatic updates on CentOS, which will help to ensure that your server is always up to date and protected against vulnerabilities.

Conclusion

In this article, we've covered several steps you can take to harden the security of your Linux server. We've explained how to:

Configure firewall rules using ufw
Set up two-factor authentication
Implement strong password policies
Keep your Linux server up to date with security updates and patches

By following these steps and implementing these security measures, you can help to ensure that your Linux server is secure and protected against unauthorized access.

Here are a few additional resources and tools that you may find useful for improving the security of your Linux server:

Hardening CentOS 7 - A tutorial on how to harden CentOS 7 for production
Linux Server Hardening Tips - A list of tips for hardening Linux servers
Security Measures for Linux Servers - A guide to security measures for Linux servers

By staying up to date with the latest security best practices and tools, you can help to ensure that your Linux server is secure and protected against potential vulnerabilities and threats.