Does your business use Linux? If so, you’re not alone: countless other companies around the world rely on it daily too. One of the biggest benefits of using Linux is that Linux servers are open source, which makes them some of the most flexible and cost-effective servers available. Linux allows you to share resources and take part in its user community, which is particularly helpful for smaller businesses. It’s no surprise that Linux is a common choice for entrepreneurs launching new enterprises. However, as Linux is open source, it has its fair share of security flaws that you need to consider. Securing your Linux server is vital to defend your business from various threats and to safeguard your customers’ data.
But how can you do that? In this guide to securing your Linux server, we’ll explore everything you need to know to get started.
Keep Your Linux Server Up to Date
The most important step in securing your Linux server is updating it often, so you can take advantage of the latest security revisions. Updating your server is a must to protect it from evolving cybersecurity threats.
Some Linux servers may update automatically, but you can still do it manually if you would prefer (or if you don’t know whether your server has automatic updates). You can implement manual updates in two ways:
Using Update Manager
Linux’s Update Manager will search for the latest updates and automatically let you know when one is available. As Linux distros have a graphical user interface (GUI), you can update your server in a fast, easy way.
Using Linux Terminal
The Linux terminal is the primary tool for inputting commands and updating your Linux server manually. To do this, access the Linux server at a local repository and apply the most up-to-date patches.
If you’re using Ubuntu or Debian, enter this command:
$ sudo apt update && sudo apt upgrade -y
But if you’re using Fedora, RHEL, or CentOS, this command should do the trick instead:
$ sudo dnf upgrade
An updated Linux server will be compatible with the latest security methods and tools, so you can explore various cybersecurity options. However, you may not be able to enable current Linux updates or distributions in older Windows or Mac systems. With that in mind, you should only set up a new Linux system on a computer that is relatively new.
Create a Privileged Account to Avoid Mistakes
When administrators log into a Linux server, they tend to avoid the root access terminal for a good reason: inputting a single command incorrectly, even with a minor typo, can cause problems. You could accidentally ruin your server and the data stored on it if you’re not sure what to do.
That’s why only team members with a clear understanding of Linux servers and how to perform key functions should be designated as root users.
Fortunately, you can create a user account that has superuser do (sudo) privileges, which allows seasoned users to leverage root commands without putting them into the root terminal. As a result, you can decrease the risk of causing unintentional damage to the server and data considerably.
How do you set up a privileged user account? It’s pretty simple. Follow these steps to get started:
- Enter
$ adduser <username>
to make a new user - Input this code to allocate sudo rights to the new user:
$ usermod -a -G sudo <username>
You have now set up a new user for your server and given them administrator permissions. If you want to, you can use that same profile for implementing all upgrades and other commands as needed.
Set up Secure SSH Keys and Passwords
Businesses typically rely on SSH keys and passwords to secure their Linux servers. If you have created a new user profile with sudo privileges, using SSH keys and strong passwords is a must. This prevents just anyone from using that profile and making unauthorized changes to your server configuration.
However, it’s no good using just any password for your Linux server (or any other platform, for that matter): you need one that offers reliable protection and keeps unwelcome users out. Fortunately, Linux makes this process quick and easy. You can use the terminal to create and tweak system passwords whenever you like.
When creating passwords, variety is one of the most important points to bear in mind. Use uppercase and lowercase letters, numbers, and symbols to make your password difficult to guess. Use between 12 and 16 characters.
Creating complex passwords will make it more difficult for hackers to break them, even with brute-force attacks. Even the most experienced intruders will struggle to guess your passwords, which can help to keep them out of your server.
If you’re concerned about remembering your Linux server passwords, you may find a password manager helpful. These can store your passwords securely, so you don’t need to write them down or leave reminders next to your computer.
Setting Up Your SSH Key
SSH server keys enable you to access your Linux server safely with no need for a password. They can be particularly helpful if you struggle to remember passwords or you would prefer not to use a password manager instead.
When starting to use an SSH key, you don’t need to create one entirely by yourself: you can generate a fresh key in the Linux terminal, then upload it to your Linux server. Use this command: $ ssh-copy-id <username>@ip_address
However, making your SSH key secure requires a little more work. You need to:
- Turn off SSH password authentication.
- Disable remote root access to stop users from signing into your server from an external system.
- Disable IPv4 and IPv6 access
Each of the steps above is easy to complete. Use a text editor to open /etc /ssh / sshd_config, then check out the following:
- PasswordAuthentication yes
- PermitRootLogin yes
Now, change both of these lines to show “no” instead of “yes” at the end. That’s straightforward with your text editor.
With that done, you need to switch the SSH service to either IPv4 or IPv6. Use your text editor to change the AddressFamily line so it uses IPv4 only, which is good enough for most business owners. The line should read:
- AddressFamily inet
For the changes to come into effect, restart your SSH service — that means you won’t need to tweak the modifications again after that. The command differs depending on which type of Linux server you use.
For Fedora, CentOS, or any Systemd option, use $ sudo systemctl restart sshd
For Ubuntu, use $ sudo service sshd restart
Finally, you have uploaded your SSH key and can sign into your server with no need to enter a password. However, it’s generally best to use passwords and SSH keys to safeguard your Linux server. This will give your server more comprehensive protection against various threats.
Reduce Unnecessary Services for Added Security
Multiple network-facing services are included with all Linux servers. You should keep the majority of these, but you can remove the rest to reduce the number of vulnerabilities in your network. Enabling services that you hardly ever use will give potential attackers another possible (and unnecessary) doorway into your server.
To begin, check out the list of network services that your Linux runs via the following command: $ sudo ss -atpu
Different operating systems create different outputs, but regardless, you should remove any services that you don’t use and never will. Enter the following commands (one for different server types) to remove them:
- CentOS and Red Hat:
$ sudo yum remove <service_name>
- Ubuntu and Debian:
$ sudo apt purge <service_name>
When you complete this step, rerun the SS -atup command to confirm that those services have been removed from your Linux server successfully.
Set Up a Reliable Firewall
Installing a firewall is one of the most popular and simple ways to protect a server or database. They can help to keep various types of threats, such as malware, at bay. If you don’t already have a firewall installed to safeguard your Linux server, you can choose from an extensive range of open-source options.
However, not all firewalls are identical. Some enable outgoing traffic and stop incoming traffic, which allows you to use the internet without letting apps connect to your server. Some firewalls, though, provide moderate access or permit certain users only to access the server.
In most cases, the Uncomplicated Firewall, or UFW, is a reliable option. You can set up UFW to only accept approved traffic, which is helpful if you’re looking to create a personalized configuration.
Use this code to install UFW: $ sudo apt install ufw
When you have installed UFW with that code, it will block all incoming network traffic but allow outgoing traffic. Next, you need to make sure that you can sign in properly through SSH, HTTP, and HTTPs. Here are the codes you need:
- SSH:
$ sudo ufw allow ssh
- HTTP:
$ sudo ufw allow http
- HTTPS:
$ sudo ufw allow https
When these settings are in place, use this code to enable UFW: $ sudo ufw enable
. You can use $ sudo ufw disable
to deactivate the firewall if necessary.
Additionally, your firewall should have web server access to regularly update its security and implement the latest features.
Depending on your distribution, firewall-cmd may already be installed, but UFW is a solid firewall offering comprehensive protection regardless.
Try Fail2ban for Added Security
If you have reason to believe your business may be targeted by hackers or cybercriminals, you can use Fail2ban to check your server for repeated or automated attacks.
This server log application will automatically adjust your firewall to block an attacker’s IP address if it identifies any signs of an attack. Those blocks can stay in place permanently or for a period of your choosing.
Use this command to install Fail2ban:
$ sudo apt install fail2ban -y
Enter the following configuration file code:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Finally, restart the application to start running it:
$ sudo service fail2ban restart
Fail2ban should be in action once you enter the above code. You can rely on this application to flag attempted logins from remote servers, and you can tweak your configuration file or server as required. Using Fail2ban can make it harder for unauthorized users to gain access.
Once it’s running, Fail2ban will continuously check log files for warning signs of an attack. It will create a roster of IP addresses that it has blocked after a short while, but if you want to unblock one for any reason, enter the following code to view Fail2ban’s present status:
$ sudo fail2ban-client status ssh
Improve Your Server Security with 2FA
Two-factor authentication (2FA) is a widely used security measure. When 2FA is enabled, you need to verify your identity in one more than one way before you can access the server. Various organizations use 2FA to protect accounts, such as banks. You may need to submit your password and answer a question (such as your mother’s maiden name) before you can access your account. That offers extra security and makes it more difficult for others to access personal data.
If you want to implement 2FA on your server, you can do it fairly easily. All you need to do is install an authentication package, which requires any users trying to access your Linux server to verify their identity with some other means alongside a password.
The extra security authentication required could be a QR code, for example, displayed on a different device to the one being used. Make sure you check out a number of 2FA packages before you uninstall one. Look at the different options available and choose one that has a solid reputation for improving security.
Use Packages from Third Parties Sparingly
As Linux is open source, it imposes no restriction on the number of third-party packages you can add. Some of these may be helpful or just fun, but some will include security issues that could cause concern.
Take care to use server packages that you know you will use often, but only if they pose no apparent security risks. Look into the different packages available to find out if other users have experienced any security problems. That’s a simple way to discover how trustworthy a package is.
Conclusion
Keeping your Linux server secure isn’t a one-off step: it’s a continuous process that requires vigilance combined with trusted tools and techniques.
Follow the steps above to get the best results, and stay aware of the latest security innovations and cybersecurity threats to maintain a robust configuration.