dotlinux guide

How to Harden Your Linux Server Against Cyber Threats

Linux servers power critical infrastructure, from web applications and databases to cloud environments and IoT networks. Their open-source nature, flexibility, and stability make them a top choice for organizations worldwide—but this popularity also makes them prime targets for cyber threats. Malicious actors exploit vulnerabilities in misconfigured systems, outdated software, weak access controls, and unpatched services to gain unauthorized access, steal data, or disrupt operations. Server hardening is the process of securing a server by reducing its attack surface, minimizing vulnerabilities, and enforcing strict security policies. It is not a one-time task but an ongoing practice that adapts to evolving threats. This blog will guide you through the fundamental concepts, step-by-step implementation, common practices, and best practices for hardening your Linux server, equipping you with the tools to defend against cyber threats effectively.


Understanding Linux Server Hardening

What is Server Hardening?

Server hardening is the process of configuring a server to reduce its exposure to attack: removing unnecessary components, enforcing strict access controls, and keeping software patched against known vulnerabilities. The goal is a least-privilege environment in which only essential services and users have access, so that a single compromised account or service does limited damage.

Why Harden a Linux Server?

  • Prevent Unauthorized Access: Linux servers often store sensitive data (e.g., user credentials, financial records) or run critical services (e.g., web servers, databases). Hardening closes common entry points such as password brute-forcing and exposed management services. Application-layer flaws such as SQL injection live in the application code itself; hardening limits what an attacker gains after exploiting one (a web server that is not running as root, a database that only listens on localhost) but does not fix the bug.
  • Compliance: Regulations like GDPR, HIPAA, and PCI-DSS require organizations to secure systems handling sensitive data. Hardening helps meet these compliance standards.
  • Reduce Attack Surface: By disabling unused services and ports, you minimize the number of potential targets for attackers.
  • Protect Against Zero-Day Exploits: No system is 100% secure, but layered controls (firewalls, intrusion detection, restrictive mount options, non-root service accounts) limit what an exploit for an unpatched vulnerability can reach and make it more likely to be noticed.

Key Security Principles

  • Defense in Depth: Use multiple layers of security (e.g., firewall + IDS + file permissions) so that if one layer fails, others still protect the system.
  • Least Privilege: Users and processes should only have the minimum permissions required to perform their tasks (e.g., a web server shouldn’t run as root).
  • Regular Patching: Update the OS and software to fix known vulnerabilities.
  • Secure Configuration: Avoid default settings (e.g., default passwords, open ports) that are often exploited.
  • Audit & Monitor: Continuously log and analyze system activity to detect and respond to threats early.

Step-by-Step Linux Server Hardening Process

1. Initial Setup & System Updates

Start with a minimal installation (e.g., using “Minimal” ISO for RHEL/CentOS or “Server” edition for Ubuntu) to avoid unnecessary packages. Then, update the system to patch vulnerabilities:

For Debian/Ubuntu:

# Update package lists and upgrade installed packages
sudo apt update && sudo apt upgrade -y

# Remove unused packages
sudo apt autoremove -y && sudo apt autoclean

For RHEL/CentOS/Rocky Linux:

# Update all packages
sudo dnf update -y

# Clean up old packages
sudo dnf autoremove -y && sudo dnf clean all

Why? Outdated software is a top attack vector, and apt and dnf pull the distribution's security patches. Note that a kernel update only takes effect after a reboot: check for /var/run/reboot-required (Debian/Ubuntu) or run needs-restarting -r (RHEL family, from dnf-utils) after upgrading, and schedule the reboot.

2. User Account Security

Weak user accounts are a common entry point. Secure them with:

a. Disable Root SSH Access

Never allow direct root login with a password over SSH. Current OpenSSH releases default to PermitRootLogin prohibit-password (root may log in with a key only); setting it to no removes root login entirely, so administrators log in as themselves and escalate with sudo, which leaves an audit trail. Edit /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config

Set:

PermitRootLogin no

Two caveats: sshd honors the first occurrence of a directive and ignores later ones, and distributions such as Ubuntu include /etc/ssh/sshd_config.d/*.conf at the top of the file, so a drop-in there wins over your edit. Check the effective value with sshd -T (as root) and validate the syntax with sshd -t before restarting; a typo can leave sshd unable to start. Then restart the service, keeping your current session open and confirming that a new login works from a second terminal:

sudo systemctl restart ssh   # Debian/Ubuntu (sshd also works as an alias)
sudo systemctl restart sshd  # RHEL/CentOS/Rocky Linux

b. Enforce Strong Passwords

Use pam_pwquality to enforce password complexity:

# Install on Debian/Ubuntu
sudo apt install libpam-pwquality -y

# Install on RHEL/CentOS
sudo dnf install pam-pwquality -y

Edit /etc/security/pwquality.conf (on Debian/Ubuntu the package enables itself in the PAM stack through pam-auth-update; on the RHEL family pam_pwquality is already part of the default authselect profile):

minlen = 12          # Minimum password length
dcredit = -1         # Require at least 1 digit
ucredit = -1         # Require at least 1 uppercase letter
lcredit = -1         # Require at least 1 lowercase letter
ocredit = -1         # Require at least 1 special character
maxrepeat = 3        # Reject more than 3 identical consecutive characters (e.g., "aaaa")

These rules apply when a password is set or changed; existing weak passwords are not rechecked, and root is only warned rather than blocked unless enforce_for_root is also set.

c. Use SSH Key Authentication

Passwords are vulnerable to brute-force attacks. Use SSH keys instead:

  1. Generate a key pair on your local machine. Ed25519 keys are short, fast, and avoid the parameter and padding pitfalls of RSA; RSA of at least 3072 bits is still acceptable where a client lacks Ed25519 support:
    ssh-keygen -t ed25519 -C "your_username@workstation"
  2. Copy the public key to the server (this appends it to ~/.ssh/authorized_keys in your account there):
    ssh-copy-id -i ~/.ssh/id_ed25519.pub your_username@server_ip
  3. Confirm that key login works from a second terminal, then disable password authentication in /etc/ssh/sshd_config:
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    ChallengeResponseAuthentication no
    (KbdInteractiveAuthentication is the OpenSSH 8.7+ name; ChallengeResponseAuthentication is the older alias, kept here for older releases. Both must be off, otherwise PAM can still prompt for a password.)
  4. Restart SSH as in step 2a and test again before closing your existing session:
    ssh your_username@server_ip  # Should log in without a password prompt

d. Limit Sudo Access

Only grant sudo privileges to trusted users, and prefer membership in the sudo group (Debian/Ubuntu) or wheel group (RHEL family) over per-user entries; where possible, restrict an entry to the specific commands a role needs instead of ALL. Always edit the sudoers file with visudo, which checks the syntax before saving (a broken sudoers file locks everyone out of sudo):

sudo visudo

Add:

your_username ALL=(ALL:ALL) NOPASSWD:ALL  # Not recommended; use with caution
# OR (better)
your_username ALL=(ALL:ALL) ALL  # Requires password for sudo

3. Network Security

Control inbound/outbound traffic and secure network services.

a. Configure a Firewall

Use ufw (Uncomplicated Firewall) for simplicity (Debian/Ubuntu) or firewalld (RHEL/CentOS).

For ufw (Debian/Ubuntu):

# Install ufw (usually pre-installed)
sudo apt install ufw -y

# Allow essential ports (adjust as needed)
sudo ufw allow 22/tcp  # SSH
sudo ufw allow 80/tcp  # HTTP (if running a web server)
sudo ufw allow 443/tcp # HTTPS

# Deny all other incoming traffic
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Enable the firewall
sudo ufw enable

# Verify status
sudo ufw status verbose

For firewalld (RHEL/CentOS):

# Start and enable firewalld
sudo systemctl start firewalld
sudo systemctl enable firewalld

# Allow ports
sudo firewall-cmd --add-port=22/tcp --permanent
sudo firewall-cmd --add-port=443/tcp --permanent

# Reload to apply changes
sudo firewall-cmd --reload

# Verify
sudo firewall-cmd --list-all

b. Close Unused Ports

Identify and disable unnecessary open ports with ss (netstat is deprecated on most distributions):

sudo ss -tulnp  # List all listening TCP/UDP ports with the owning process

A service bound to 127.0.0.1 or ::1 is reachable only from the host itself; the ones to worry about are bound to 0.0.0.0, * or [::]. If a port (e.g., 111 for rpcbind) is unused, stop and disable the service. Many such daemons are socket-activated, so disable the .socket unit as well or systemd starts the daemon again on the next incoming connection:

sudo systemctl disable --now rpcbind.socket rpcbind.service
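The check described above can be scripted so it is repeatable after every change. The following is an added example, not code from the original guide: it reads ss -tuln output, ignores loopback-only sockets, and flags anything reachable from the network that is not on an allowlist of expected ports. The sample output embedded in it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original guide): flag listening sockets that are
# reachable from the network and not on an allowlist of expected ports.
# Input: the output of `ss -tuln` (or `ss -tulnp`) on stdin. Sockets bound to
# loopback are skipped because other hosts cannot reach them.

# unexpected_listeners "PORT PORT ..." < ss-output
# Prints "proto port address" for every non-loopback listener whose port is
# not in the space-separated allowlist. Returns 0 when nothing is flagged.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "tcp" && $1 != "udp" { next }          # skip the header line
        {
            # local address is field 5; the port follows the last colon
            m = split($5, parts, ":"); port = parts[m]
            addr = substr($5, 1, length($5) - length(port) - 1)
            sub(/%.*/, "", addr)                      # strip a scope id such as %lo
            if (addr ~ /^127\./ || addr == "[::1]") next
            if (!(port in ok)) { print $1, port, addr; flagged = 1 }
        }
        END { if (flagged) exit 1 }'
}

# Constructed sample of `ss -tuln` output (these are not real sockets)
SAMPLE_SS='Netid State  Recv-Q Send-Q    Local Address:Port Peer Address:Port
tcp   LISTEN 0      128             0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511             0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      128           127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      4096            0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      128                [::]:22           [::]:*
udp   UNCONN 0      0               0.0.0.0:111       0.0.0.0:*
udp   UNCONN 0      0         127.0.0.53%lo:53        0.0.0.0:*'

# Demo run: 22, 80 and 443 are expected; 111 (rpcbind) is not, and the
# loopback-only MySQL and resolver sockets are correctly left alone.
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 80 443" || echo "review the listeners above"
```

On a live host run sudo ss -tulnp | unexpected_listeners "22 443" and use the process column of ss to find the unit to disable; the parser ignores the extra columns that -p adds.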

c. Secure SSH Further

  • Change the default SSH port (22) to a non-standard port (e.g., 2222). This is not a security control by itself (attackers scan all ports), but it cuts the log noise from mass scanners and makes commodity brute-force tooling miss you. Ports above 1024 can be bound by unprivileged processes, so pick one no local user could hijack, and on RHEL with SELinux enforcing you must also register the port (semanage port -a -t ssh_port_t -p tcp 2222, from policycoreutils-python-utils) or sshd will refuse to start:
    sudo nano /etc/ssh/sshd_config
    Set:
    Port 2222
    Allow the new port in the firewall first, restart sshd, confirm a login on port 2222 works, and only then remove the old rule:
    sudo ufw allow 2222/tcp && sudo ufw delete allow 22/tcp  # For ufw
  • Limit SSH access by user and source address (edit /etc/ssh/sshd_config). The pattern is user@host, where host may be an address, a CIDR range or a wildcard pattern; once AllowUsers is present, every user not listed is denied, so list every account that needs SSH:
    AllowUsers your_username@192.168.1.0/24
    This allows your_username only from the 192.168.1.x subnet.
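Sections 2a, 2c and 3c all edit /etc/ssh/sshd_config, and the most common way those edits fail silently is precedence: sshd applies the first occurrence of a directive, ignores later ones, and treats everything after a Match line as conditional. The following is an added example, not code from the original guide, that audits a config file under those rules. The two sample files it builds are constructed for illustration; on a real host, sudo sshd -T remains the authoritative view because it also resolves Include drop-ins, which this script only reports.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an sshd_config for the
# settings this guide changes, using sshd's own precedence rules: the FIRST
# occurrence of a keyword wins and later ones are ignored, and everything after
# a "Match" line is conditional. An "Include" line (Ubuntu ships one at the top
# of the file for /etc/ssh/sshd_config.d/*.conf) is reported but not followed,
# so on a live host confirm with `sudo sshd -T`, which prints the effective
# configuration.

# sshd_effective FILE KEYWORD
# Print the effective value of KEYWORD (case-insensitive, "Key value" or
# "Key=value"), or nothing if it is unset and the compiled-in default applies.
sshd_effective() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                          # drop comments
        NF == 0 { next }                            # and blank lines
        tolower($1) == "match" { exit }             # conditional section begins
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, kv, /[ \t=]+/)
            if (tolower(kv[1]) == tolower(key)) { print kv[2]; exit }
        }' "$1"
}

# check_setting FILE KEYWORD DEFAULT ALLOWED_REGEX
# Compare the effective value (or DEFAULT when unset) against what we accept.
check_setting() {
    v=$(sshd_effective "$1" "$2")
    [ -n "$v" ] || v=$3
    if printf '%s' "$v" | grep -Eiq "^($4)$"; then
        printf 'OK   %-32s %s\n' "$2" "$v"
    else
        printf 'WEAK %-32s %s\n' "$2" "$v"
        return 1
    fi
}

# audit_sshd FILE  -- returns 0 when every check passes, 1 otherwise.
# The DEFAULT values are those of current OpenSSH releases.
audit_sshd() {
    rc=0
    check_setting "$1" PermitRootLogin prohibit-password 'no|prohibit-password' || rc=1
    check_setting "$1" PasswordAuthentication yes no || rc=1
    check_setting "$1" KbdInteractiveAuthentication yes no || rc=1
    check_setting "$1" ChallengeResponseAuthentication yes no || rc=1
    check_setting "$1" PubkeyAuthentication yes yes || rc=1
    grep -Ei '^[[:space:]]*include[[:space:]=]' "$1" |
        sed 's/^[[:space:]]*/NOTE drop-ins may override the values above: /'
    return $rc
}

# Constructed sample 1: a distro-style file where the admin appended hardened
# values at the bottom. They land after a Match block and after earlier
# definitions, so sshd ignores them and the host still accepts root passwords.
SAMPLE_WEAK=$(mktemp)
cat > "$SAMPLE_WEAK" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes

Match User backup
    PasswordAuthentication no

PermitRootLogin no
PasswordAuthentication no
EOF

# Constructed sample 2: the same settings placed where they take effect.
SAMPLE_GOOD=$(mktemp)
cat > "$SAMPLE_GOOD" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
trap 'rm -f "$SAMPLE_WEAK" "$SAMPLE_GOOD"' EXIT

echo "== sample 1 (looks hardened, is not) =="
if ! audit_sshd "$SAMPLE_WEAK"; then echo "result: weak"; fi
echo "== sample 2 =="
if audit_sshd "$SAMPLE_GOOD"; then echo "result: hardened"; fi
```

Run it against a copy of your real file before restarting sshd; anything reported as WEAK is what the host will actually enforce, regardless of what the bottom of the file says.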

4. File System Security

Restrict file/directory permissions and protect critical system files.

a. Set Strict File Permissions

  • Keep the distribution's permissions on the account database: /etc/passwd is world-readable by design, while /etc/shadow must not be. Debian/Ubuntu ship it as 640 root:shadow (helpers such as unix_chkpwd run with group shadow) and the RHEL family as 000 root:root; both are correct for their system, and root bypasses the mode bits anyway:
    sudo chmod 644 /etc/passwd
    sudo chmod 640 /etc/shadow  # Debian/Ubuntu; the RHEL family uses 000
  • For user home directories and SSH material on the server (sshd's StrictModes refuses to use keys whose directory or file is writable by others):
    chmod 700 ~/  # Only the user can enter and list the directory
    chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys  # Public keys that grant login; private keys stay on the client, also mode 600

b. Use Immutable Files

chattr +i marks a file immutable: it cannot be written, renamed, deleted or hard-linked, even by root, until the flag is removed. This protects against accidental edits and against malware running without CAP_LINUX_IMMUTABLE, but a root-level attacker can simply run chattr -i, so treat it as a guard rail rather than a control. Choose the files carefully: an immutable /etc/passwd or /etc/shadow breaks passwd, useradd and any package that creates a service account, so remove the flag before account changes or upgrades and put it back afterwards. Check current flags with lsattr.

sudo chattr +i /etc/passwd  # Make /etc/passwd immutable
sudo chattr +i /etc/shadow

To modify later, remove the immutable flag:

sudo chattr -i /etc/passwd

c. Mount Filesystems with Security Options

Edit /etc/fstab to add noexec (no program may be executed from the filesystem), nosuid (set-user-ID and set-group-ID bits are ignored) and nodev (device nodes are not honored) on filesystems that should never contain programs or devices: /tmp, /var/tmp, /dev/shm and usually /home (nosuid,nodev there; noexec on /home breaks users who run their own scripts):

sudo nano /etc/fstab

Example entry for /tmp:

tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0

If /tmp is already a tmpfs mount, remount to apply the new options. If it is currently just a directory on the root filesystem, remount changes nothing: mount the new entry with mount /tmp (after moving its contents aside) or reboot. Verify the result with findmnt /tmp rather than trusting fstab:

sudo mount -o remount /tmp

Expect some breakage from noexec on /tmp: dpkg and rpm maintainer scripts, pip and some installers execute helpers there, so test a package upgrade afterward and remount without noexec for the duration of an upgrade if it fails.
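What /etc/fstab requests and what the kernel is enforcing can differ (a remount that did not apply, a unit file that mounts /tmp with different options), so the check belongs on /proc/mounts. The following is an added example, not code from the original guide, and the policy it encodes (all three flags on /tmp, /var/tmp and /dev/shm; nosuid,nodev on /home) is an assumption you should adjust; the /proc/mounts excerpt it reads is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): check that the filesystems this
# section hardens actually carry nosuid/nodev/noexec, reading /proc/mounts
# format ("device mountpoint fstype options dump pass"). fstab says what you
# asked for; /proc/mounts says what the kernel is doing, which is what matters.

# check_mount_opts MOUNTS_FILE   (pass /proc/mounts on a live host)
# Policy (assumed here, adjust to taste): /tmp, /var/tmp and /dev/shm get all
# three flags; /home gets nosuid,nodev but not noexec so users can run scripts.
# Prints one line per mount point; returns 1 if any required option is missing.
check_mount_opts() {
    rc=0
    for rule in /tmp:nosuid,nodev,noexec /var/tmp:nosuid,nodev,noexec \
                /dev/shm:nosuid,nodev,noexec /home:nosuid,nodev; do
        mp=${rule%%:*}
        want=${rule#*:}
        # last matching line wins if the same path was mounted more than once
        opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$1" | tail -n 1)
        if [ -z "$opts" ]; then
            printf 'NOTE %-9s not a separate mount; it inherits the options of its parent\n' "$mp"
            continue
        fi
        missing=""
        for o in $(printf '%s' "$want" | tr ',' ' '); do
            case ",$opts," in
                *",$o,"*) ;;
                *) missing="$missing $o" ;;
            esac
        done
        if [ -n "$missing" ]; then
            printf 'FAIL %-9s missing:%s\n' "$mp" "$missing"
            rc=1
        else
            printf 'OK   %-9s %s\n' "$mp" "$opts"
        fi
    done
    return $rc
}

# Constructed sample in /proc/mounts format (not a real host): /tmp is done
# right, /dev/shm is missing noexec, /home has no hardening at all and
# /var/tmp is not a separate mount.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
EOF
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT

check_mount_opts "$SAMPLE_MOUNTS" || echo "some mounts need attention"
```

A NOTE line is worth acting on too: a /var/tmp that lives on the root filesystem gets whatever options / has, which is normally none of these.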

5. Service Hardening

Disable unused services and secure running ones.

a. List & Disable Unused Services

# List enabled services (systemd)
sudo systemctl list-unit-files --type=service --state=enabled

# Disable example: avahi-daemon (mDNS network discovery, rarely needed on a server).
# Disable the socket unit too, otherwise systemd starts the daemon again on demand
sudo systemctl disable --now avahi-daemon.socket avahi-daemon.service

b. Harden Web Servers (e.g., Nginx/Apache)

If running a web server, secure it with:

  • HTTPS: Use Let’s Encrypt for free SSL/TLS certificates:
    sudo apt install certbot python3-certbot-nginx -y  # For Nginx
    sudo certbot --nginx -d yourdomain.com
  • Security Headers: Add to the server block in Nginx (/etc/nginx/sites-available/default). Use the always parameter so the headers are also sent on error responses, and note that an add_header in a nested location block replaces, rather than extends, the headers inherited from the server block:
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    X-XSS-Protection is deprecated: current browsers ignore it and its filter caused information leaks in older ones, so omit it (or set it to 0) and rely on a Content-Security-Policy header instead.
  • Disable Directory Listing: In Nginx this is the default; make sure no location block turns it on:
    autoindex off;

6. Logging & Monitoring

Track system activity to detect breaches early.

a. Enable Centralized Logging

Use rsyslog (the default on most distributions, though some recent releases such as Debian 12 keep logs only in the systemd journal until you install it) to forward logs to a central server. Edit /etc/rsyslog.conf or add a file under /etc/rsyslog.d/:

*.* @@central-log-server-ip:514  # Forward all logs over TCP (a single @ means UDP, which silently drops messages under load)

Plain syslog forwarding is unauthenticated and unencrypted, so anyone on the path can read or spoof entries; use rsyslog's TLS transport (the gtls network stream driver) or RELP on anything but an isolated management network. The point of shipping logs off-box is that an intruder who gains root can erase local logs but not the copies already sent.

b. Install Fail2ban (Brute-Force Protection)

fail2ban blocks IPs with repeated failed login attempts (e.g., SSH, FTP).

Installation:

# Debian/Ubuntu
sudo apt install fail2ban -y

# RHEL/CentOS
sudo dnf install fail2ban -y

Configuration: jail.conf is overwritten on package upgrades, so do not edit it or copy it wholesale; create /etc/fail2ban/jail.local containing only your overrides:

sudo nano /etc/fail2ban/jail.local

Set:

[sshd]
enabled = true
port = ssh  # Change this if you moved SSH off port 22, or the wrong port gets blocked
filter = sshd
logpath = /var/log/auth.log  # Debian/Ubuntu
# logpath = /var/log/secure  # RHEL/CentOS
maxretry = 3  # Ban after 3 failed attempts
bantime = 3600  # Ban for 1 hour (3600 seconds)

maxretry only counts failures that fall within the findtime window (10 minutes by default), so three slow attempts an hour apart are not banned; lengthen findtime if that matters to you. On systems where sshd logs only to the systemd journal (Debian 12 and later without rsyslog), drop the logpath line and set backend = systemd instead.

Restart fail2ban:

sudo systemctl restart fail2ban
sudo systemctl enable fail2ban
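To see what the maxretry and findtime settings above actually do, here is the core of the sshd jail's logic reimplemented in a few lines of awk and run over sample log lines. This is an added example, not fail2ban's own code or code from the original guide; the auth.log excerpt is constructed with documentation addresses (203.0.113.0/24 and 198.51.100.0/24), and the script assumes all lines fall on one calendar day because syslog timestamps carry no year.

```shell
#!/bin/sh
# Added example (not from the original guide, and not fail2ban's own code): a
# stripped-down version of what the sshd jail does, run over sample auth.log
# lines. It shows why maxretry alone is not the whole story: failures only
# count together when they fall inside the findtime window.

# brute_force_sources MAXRETRY FINDTIME_SECONDS < auth.log
# Prints "IP hits" for each source whose "Failed password" lines reach MAXRETRY
# within any FINDTIME-second window. Assumes the lines fall on one calendar day
# (syslog timestamps carry no year, so this is a simplification).
brute_force_sources() {
    awk -v maxretry="$1" -v findtime="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            split($3, t, ":")                 # "HH:MM:SS" -> seconds since midnight
            now = t[1] * 3600 + t[2] * 60 + t[3]
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            n[ip]++
            ts[ip, n[ip]] = now
            hits = 0                          # failures from ip inside the trailing window
            for (j = 1; j <= n[ip]; j++) if (now - ts[ip, j] <= findtime) hits++
            if (hits >= maxretry && !(ip in banned)) { banned[ip] = hits; order[++k] = ip }
        }
        END { for (j = 1; j <= k; j++) print order[j], banned[order[j]] }'
}

# Constructed auth.log excerpt (documentation addresses, not real traffic):
# 203.0.113.7 fails three times in four seconds; 198.51.100.20 fails three
# times over forty minutes; 203.0.113.9 probes a user but never sends a password.
SAMPLE_AUTH='Jan 12 10:00:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Jan 12 10:00:03 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Jan 12 10:00:05 srv sshd[2103]: Failed password for root from 203.0.113.7 port 41030 ssh2
Jan 12 10:00:09 srv sshd[2105]: Accepted publickey for deploy from 198.51.100.20 port 50114 ssh2
Jan 12 10:02:11 srv sshd[2110]: Failed password for deploy from 198.51.100.20 port 50120 ssh2
Jan 12 10:21:40 srv sshd[2140]: Failed password for deploy from 198.51.100.20 port 50130 ssh2
Jan 12 10:40:02 srv sshd[2160]: Failed password for deploy from 198.51.100.20 port 50140 ssh2
Jan 12 10:41:00 srv sshd[2170]: Invalid user oracle from 203.0.113.9 port 33000'

echo "maxretry=3 findtime=600 (the jail settings from this section):"
printf '%s\n' "$SAMPLE_AUTH" | brute_force_sources 3 600
echo "maxretry=3 findtime=3600 (an hour-long window also catches the slow attacker):"
printf '%s\n' "$SAMPLE_AUTH" | brute_force_sources 3 3600
```

The real sshd filter also matches Invalid user and authentication-failure lines, so the probe from 203.0.113.9 would count there; this version deliberately matches only Failed password so the window arithmetic is easy to follow. Use fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf to see what the real filter matches on your host.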

c. Monitor Logs with logwatch

logwatch summarizes daily logs and emails reports:

# Install
sudo apt install logwatch -y  # Debian/Ubuntu
# OR
sudo dnf install logwatch -y  # RHEL/CentOS

# Configure (edit /etc/logwatch/conf/logwatch.conf)
sudo nano /etc/logwatch/conf/logwatch.conf

Set Output = mail and MailTo = admin@yourdomain.com. Delivery needs a working sendmail-compatible MTA on the host, so send yourself a test message first; a report that never arrives looks exactly like a quiet server.

7. Additional Security Layers

Add extra protection with tools and encryption.

a. Intrusion Detection/Prevention (IDS/IPS)

Use OSSEC (host-based IDS) or Snort (network-based IDS).

OSSEC Example:

# Install OSSEC (simplified)
curl -LO https://github.com/ossec/ossec-hids/archive/refs/tags/3.7.0.tar.gz
tar -xvf 3.7.0.tar.gz
cd ossec-hids-3.7.0
sudo ./install.sh

Follow the prompts to configure email alerts, log analysis and file-integrity monitoring. Because install.sh builds from source and runs as root, compare the archive against the checksum the project publishes before running it, and install the build dependencies first (a C compiler, make, and the zlib and PCRE2 development headers).

b. Malware Scanning

Use ClamAV for signature-based scanning. It catches commodity malware and infected uploads, not a targeted intruder, so it complements rather than replaces the integrity monitoring above:

# Install
sudo apt install clamav clamav-daemon -y  # Debian/Ubuntu (on the RHEL family the packages come from EPEL)
sudo freshclam  # Update virus definitions; stop clamav-freshclam first if it is running, or it holds the lock
sudo clamscan -r /home  # Scan /home directory recursively

c. Full Disk Encryption

Encrypt the server's disk during installation (recommended) or use cryptsetup/LUKS on an existing system (advanced). Full disk encryption protects data at rest, for example on a decommissioned or stolen drive; it does nothing for a running server, whose volumes are unlocked. Decide up front how the key is supplied after an unattended reboot (a passphrase at the console, a TPM-sealed key, or network-bound unlocking), otherwise the first power cut becomes an outage.

Common Practices for Linux Server Security

  • Regular Updates: Run apt update && apt upgrade or dnf update at least weekly, and automate security updates so they do not wait for you: unattended-upgrades on Debian/Ubuntu, dnf-automatic on the RHEL family.
  • Backup Data: Use rsync, borgbackup, or cloud services (e.g., AWS S3) to back up critical data. Test restores regularly, and keep at least one copy somewhere a compromised server cannot delete it.
  • Disable IPv6 (only if unused): A stack nobody uses is attack surface, but a stack nobody firewalled is worse. If you keep IPv6, make sure your firewall rules cover it (ufw does when IPV6=yes in /etc/default/ufw, which is the default; firewalld handles both families). If you do disable it, put the settings in a file under /etc/sysctl.d/ (e.g., 99-disable-ipv6.conf) rather than /etc/sysctl.conf:
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    Apply with sudo sysctl --system, which loads every sysctl.d file (sysctl -p reads only /etc/sysctl.conf).
  • Avoid Unnecessary Software: Only install packages required for the server's purpose (e.g., don't install a GUI on a headless server).

Best Practices for Ongoing Security

  • Penetration Testing: Hire third parties or use tools like nmap, nikto, or OpenVAS to simulate attacks.
  • 2FA for SSH: Add a time-based one-time code as a second factor with the Google Authenticator PAM module:
    sudo apt install libpam-google-authenticator -y
    google-authenticator  # Run as the user being protected; follow prompts to set up
    Edit /etc/pam.d/sshd and add auth required pam_google_authenticator.so (comment out the @include common-auth line on Debian/Ubuntu if you do not want a password prompted as well). Then, in /etc/ssh/sshd_config, set KbdInteractiveAuthentication yes (ChallengeResponseAuthentication yes on older OpenSSH) and AuthenticationMethods publickey,keyboard-interactive so that a key and a code are both required. With keyboard-interactive disabled as in section 2c, PAM never runs and the module is silently bypassed, so re-test from a second terminal while keeping a session open.
  • Network Segmentation: Isolate the server from untrusted networks using VLANs or subnets.
  • Security Headers: For web servers, use headers like Content-Security-Policy and Strict-Transport-Security (HSTS).
  • Incident Response Plan: Define steps to take if a breach occurs (e.g., isolate the server, notify stakeholders, restore from backups).

Conclusion

Linux server hardening is a critical, ongoing process that requires a proactive approach. By following the steps outlined—securing user accounts, configuring firewalls, updating software, and monitoring logs—you can significantly reduce your server’s vulnerability to cyber threats. Remember: no single tool or step guarantees security; instead, adopt a defense-in-depth strategy with multiple layers of protection. Stay informed about new vulnerabilities (e.g., via CVE Details) and regularly audit your server’s security posture. With diligence, you can keep your Linux server secure against evolving threats.
