Securing Your Linux Dedicated Server
When it comes to security for a Linux server, think layers! There are a number of options you have when it comes to adding extra security measures to your server; we have outlined some of them for you here.
Restrict/Disable root access
It is recommended that root access is restricted to the local console of your server only or disabled altogether. There may be occasions when remote access is needed in an emergency; however, this should be restricted to only a trusted member of your organization using sudo. sudo also provides audit information, allowing you to see which user has installed something on your server or has executed a program.
It can also be helpful to provide root access information to your hosting provider in the event your administrator is unavailable or you have managed services attached to your account where the help of your host is needed. If your host does not have this access, they would not be in a position to assist you should the need arise.
The minimum standard for passwords is 8 characters or longer. Utilizing long passwords that contain upper and lower case letters, numbers and non-alpha-numeric characters should be your only consideration. Simple alpha-numeric passwords should never be used.
Example: ¾ç õÀ` Ȑ#-°ḠÍ Ǥ *ẙ×á¬ ǒ´¡gbù Ⱬåì also utilizes spaces and foreign language characters.
Additionally, password ageing that requires users to change their passwords regularly, and locking of user accounts after a certain number of failed login attempts, should be employed. It is also important that a secure record of passwords is kept, ensuring that old passwords are not recycled and that current passwords are accessible if they are not easily remembered, as in the example above. Updating your system to use the SHA-512 hash algorithm instead of MD5 is also highly suggested and easily done with a simple command:
authconfig --passalgo=sha512 --update
Although MD5 hashes have been used successfully in the past, they are subject to more hacking attempts than the evolved SHA family.
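Changing the algorithm only affects passwords set afterwards; accounts keep their old MD5 hash until the password is next changed. The following check is an added example, not part of the original article: it reads shadow-format lines and reports accounts that still carry an MD5 hash (scheme id 1 rather than 6) or whose maximum password age is above a chosen limit. The sample entries and the 90-day limit are constructed for illustration.

```shell
#!/bin/sh
# Shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
# Constructed entries; the hash strings are placeholders, not real hashes.
sample_shadow() {
cat <<'EOF'
alice:$6$constructed$AAAAAAAAAAAA:19000:0:90:7:::
bob:$1$constructed$BBBBBBBBBBBB:15000:0:99999:7:::
carol:$6$constructed$CCCCCCCCCCCC:19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
dave:!!:18000:0:99999:7:::
EOF
}

# audit_shadow MAX_DAYS: read shadow-format lines on stdin, print findings.
audit_shadow() {
    awk -F: -v limit="$1" '
        $2 == ""     { print $1 ": empty password field"; next }
        $2 ~ /^[*!]/ { next }    # locked or no-login account: no hash to check
        {
            split($2, part, "[$]")    # "$6$salt$hash" -> part[2] is "6"
            if (part[2] == "1")
                print $1 ": MD5 hash, stays until the password is changed"
            else if (part[2] != "6")
                print $1 ": not SHA-512 (scheme id \"" part[2] "\")"
            if ($5 == "" || $5 + 0 > limit + 0)
                print $1 ": maximum password age exceeds " limit " days"
        }'
}

sample_shadow | audit_shadow 90
```

On a real server the input would be /etc/shadow, read as root, in place of the constructed sample.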
Encrypt data communication with the server
Whenever you communicate with your server, the data being transmitted can be monitored. Utilizing specific tools can minimize the risk of your data being intercepted.
Start with the tools that should be avoided: FTP (File Transfer Protocol), Telnet, and Rsh. These three should be denied access from the start, since their traffic is sent in cleartext, not encrypted, and may be intercepted by anyone on the same network using a packet sniffer. There are much more secure ways of accessing your server. Additionally, IPv6, if not being used, should be disabled. IPv6 can be used to send bad traffic to your server. Since it is relatively new, there are not many tools available to automatically check this type of traffic. Unless your server admin is monitoring this traffic regularly, it is currently a best practice to disable it altogether.
Tools that should be used, or at least considered, include VPN, PGP/GPG Keys, SFTP and SSH, to name a few.
Virtual Private Networks are a first step in securing connections to your server. They allow you to create your own private network over a public network, such as the internet. If you prefer to use an open source VPN, you might look at OpenVPN. Conversely, if you prefer an industry-trusted product, you might be interested in Barracuda’s Virtual SSL VPN.
Despite the name ‘Pretty Good Privacy’, PGP and its open source counterpart GPG or GnuPG offer you a way to encrypt and decrypt data communication with your Linux server. There are also two-factor authentication programs that can be used, such as Wikid.
SFTP (Secure File Transfer Protocol)
While this may sound just like FTP, notice the S for Secure. SFTP is an encrypted session and therefore no passwords will be sent to the server in cleartext form. FileZilla, another open source project, will allow SFTP connections as well as other types of connections if they are needed. FileZilla is available for download for end users using Windows, Linux or Mac OS X. Fugu is another SFTP program that can be downloaded, yet it is only available for end users running Mac OS X. Fugu also allows you to transfer files using Secure Copy (SCP) and create SSH tunnels. One other popular Mac OS X SFTP program is Cyberduck.
SSH (Secure Shell)
SSH is considered to be the secure alternative to Telnet. Allowing you to log into your server remotely and/or transfer files through an encrypted tunnel, SSH is one of the most-used, critical pieces of software.
Securing SSH Logins
If your server has more than one IP, bind sshd to one of those IPs and don’t use it for anything else. Doing this will add an extra layer of security. To accomplish this, you will need to edit /etc/ssh/sshd_config. Once you have this file open, you’ll want to scroll down to the section that looks like this:
#Protocol 2, 1
- Step 1 is to uncomment the port number and change the value to anything other than Port 22. Selecting a port number above the 40k range is preferred. When changing any port number, you must ensure that this new port is opened on the firewall, otherwise, you will no longer be able to connect using this new port.
- Step 2, change the protocol to only 2 instead of 2, 1.
- Step 3 is to change the listen address entry accordingly.
- Step 4 is to disable the root login. Locate #PermitRootLogin yes and change it to PermitRootLogin no (without the ‘#’, so as to uncomment the line).
- Step 5, restart sshd and verify that everything is functioning as it should be.
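The steps above can be verified before sshd is restarted. The following check is an added example, not part of the original article: it reads an sshd_config and prints one line for each of steps 1 to 4 that has not been applied. The two sample configs are constructed, port 42022 and address 192.0.2.10 are placeholders, and the value assumed for a missing keyword is the commented default shown in the article.

```shell
#!/bin/sh
# Constructed sample: the stock settings, all commented out (defaults apply).
default_config() {
cat <<'EOF'
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#PermitRootLogin yes
EOF
}

# Constructed sample after steps 1-4. Port 42022 and 192.0.2.10 are placeholders.
hardened_config() {
cat <<'EOF'
Port 42022
Protocol 2
ListenAddress 192.0.2.10
PermitRootLogin no
EOF
}

# effective KEY DEFAULT: first uncommented value of KEY read from stdin
# (sshd keeps the first occurrence; keywords are case-insensitive).
effective() {
    awk -v key="$1" -v def="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }'
}

# audit_sshd: reads a config on stdin, prints one line per step not applied.
audit_sshd() {
    cfg=$(cat)
    val() { printf '%s\n' "$cfg" | effective "$1" "$2"; }
    [ "$(val Port 22)" != 22 ]            || echo "step 1: Port is still 22"
    [ "$(val Protocol 2,1)" = 2 ]         || echo "step 2: Protocol still allows 1"
    case "$(val ListenAddress 0.0.0.0)" in
        0.0.0.0|::) echo "step 3: ListenAddress covers every address" ;;
    esac
    [ "$(val PermitRootLogin yes)" = no ] || echo "step 4: PermitRootLogin is not no"
    return 0
}

default_config | audit_sshd
```

For step 5, `sshd -t` checks the edited file for syntax errors before the restart, and keeping the current session open until a new login on the new port succeeds avoids a lockout. OpenSSH releases from 7.4 on no longer include SSH protocol 1 on the server side, so the Protocol line matters only on older systems.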
Remove unnecessary software
Disable all unnecessary services and daemons (services that run in the background). You need to remove all unwanted services from the system start-up. Type the following command to list all services which are started at boot time in run level #3:
# chkconfig --list | grep '3:on'
To disable a service:
# service serviceName stop
# chkconfig serviceName off
Strengthen your iptables ruleset
The default ruleset in CentOS is not quite secure enough. It has open ports and allows traffic that isn’t necessary. With a few simple commands you can close ports and stop network services that are not required for your server to function properly.
Linux Security Extensions
Apache mod_ssl is a module that adds another strong level of encryption to your server through the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
Install a brute force detection module. Brute force is a method of defeating a cryptographic scheme by trying a large number of possibilities using a single computer or distributed network. To prevent brute force attacks against SSH, consider using a program such as DenyHosts.
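The signal such a tool acts on is a run of failed SSH logins from one source. The following counter is an added example, not DenyHosts code and not part of the original article: it tallies "Failed password" lines per source address and prints the sources at or above a threshold. The log lines are constructed and use documentation address ranges.

```shell
#!/bin/sh
# Constructed /var/log/secure-style lines (documentation IP ranges).
sample_log() {
cat <<'EOF'
Mar  3 04:11:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 04:11:03 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 04:11:06 host sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 51141 ssh2
Mar  3 04:12:40 host sshd[2110]: Failed password for alice from 198.51.100.20 port 40022 ssh2
Mar  3 04:12:52 host sshd[2110]: Accepted password for alice from 198.51.100.20 port 40022 ssh2
Mar  3 04:13:00 host CROND[2120]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# offenders THRESHOLD: read log lines on stdin, print "count ip" for every
# source with at least THRESHOLD failed password attempts, busiest first.
offenders() {
    awk -v min="$1" '
        / sshd\[[0-9]+\]: Failed password for / {
            # The user name is supplied by the client, so take the address
            # after the LAST "from" rather than the first one on the line.
            for (i = NF; i > 1; i--)
                if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -rn
}

sample_log | offenders 3
```

The single failure from 198.51.100.20 is followed by a successful login and stays under the threshold, which is how a legitimate user who mistyped a password avoids being blocked.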
mod_evasive is a module that will provide evasive action should an HTTP DoS, DDoS and/or brute force attack occur. It is easily configured and can send abuse reports via email and store them in syslog files. It does not block legitimate traffic, only scripted attacks.
Applying security patches is an important part of maintaining Linux servers. Linux provides all necessary tools to keep your system updated, and also allows for easy upgrades between versions. All security updates should be reviewed and applied as soon as possible. CentOS can be configured to send email notifications for updates as well as setting up cron jobs to automatically apply all security updates.
Linux Kernel Security is equally important. The kernel allows communication between the hardware and software on the server as well as managing the system’s resources. Programs that help secure your server’s kernel include: SELinux (included with CentOS), AppArmor, and grsecurity. Each offers its own features, and they differ in user comfort levels, with grsecurity being the easiest to use for new users, AppArmor for new to advanced users, and SELinux for advanced users. Having a written policy in place to administer these updates will help keep your kernel up to date and ensure all updates are tested prior to being installed.
Lunarpages Dedicated Managed Hosting Intense and Ultra addon options include Ksplice Uptrack. Ksplice Uptrack is a service that allows our clients to apply 100% of the kernel security updates for Linux without having to reboot their server. To date, over 2 million updates have been applied to production servers using Ksplice Uptrack, all the while avoiding down time and offering peace of mind that the server is continuously updated.
Checking your system logs
Built in to your policies should be a routine to check the system logs on your server. This task can be done manually or it can be automated, which can save a lot of time on your part. If syslogd (system logging daemon) and klogd (kernel logging daemon), the standard logging utilities built into Linux servers, are not granular enough, syslog-ng (new generation) should be reviewed.
If you prefer to use system log analytic software, a couple choices you have are:
Splunk – a program that allows you to view, search, and analyze your logs in one location using a simple GUI. Since all of your data is indexed in one place, you can troubleshoot and investigate any issues that arise as well as document your server’s compliance within minutes.
Sentry Tools – a collection of security services that scan, audit and report on a continuous basis.
Other periodic checks to perform
Mailers similar to FormMail are used by hackers to send out spam email and relay messages, which can be a security risk for you.
A rootkit is a malicious, stealth software program that can be installed after a hacker has gained access to your server’s root or admin. Once installed a rootkit can wreak havoc on your server. You can check your system with chkrootkit or rkhunter. If you choose Lunarpages’ Managed Hosting Intense option, rootkit checks are included.
Hackers will sometimes upload a PHP shell on to your server for easy access later on.
One final yet critical step you should consider is taking regular backups of your server. Have you ever lost a file that you have spent a lot of time creating? Imagine losing everything on your server. In the event that you experience a system failure as a result of a hardware issue or the root being exploited, having a backup will make recreating your server that much easier. Lunarpages offers backup services utilizing R1Soft Backup software through our Dedicated Managed Hosting options.
Employing these measures can greatly reduce your risk of being compromised on any level. These are but a few examples that should be considered; ones that we feel are the more important ones. If securing your Linux server seems overwhelming, Lunarpages does offer Managed Hosting Services and we can assist you with your security.