Linux Security Checklist for Servers
CybersecuritySecuring a Linux server involves a multi-layered approach to mitigate risks and vulnerabilities. Here’s a comprehensive guide on hardening Linux servers, focusing on various aspects of system security.
1. Initial Setup and Configuration
1.1. Minimal Installation:
- Install only the necessary packages to reduce potential attack vectors. Avoid installing unnecessary software.
1.2. Secure Boot Settings:
- Configure BIOS/UEFI to boot only from the intended hard disk.
- Disable booting from external media.
1.3. Update System Regularly:
- Keep the system and installed packages up-to-date using a package manager (
apt
,yum
,dnf
, etc.). - Configure automatic security updates.
2. User and Authentication Management
2.1. Remove Unnecessary User Accounts:
- Disable or remove default accounts that are not required.
- Ensure no user has a UID of 0 other than root.
2.2. Strong Password Policies:
- Enforce password complexity (use
pam_pwquality
or similar). - Set password aging policies to require regular changes.
- Use
chage
to configure password expiration and warning days.
2.3. Disable Root Login:
- Use
PermitRootLogin no
in/etc/ssh/sshd_config
to disable direct root SSH login. - Encourage the use of
sudo
for administrative tasks.
2.4. Implement Multi-Factor Authentication (MFA):
- Use tools like
Google Authenticator
orDuo Security
to add an extra layer of security.
3. Filesystem Security
3.1. Filesystem Configuration:
- Use filesystems with journaling (e.g., ext4).
- Separate system and user data into different partitions.
- Use
noexec
,nosuid
, andnodev
mount options where applicable.
3.2. File Permissions and Ownership:
- Regularly check and correct file permissions using tools like
find
andchmod
. - Use
chown
to ensure files are owned by the correct users and groups.
3.3. Protect Sensitive Files:
- Restrict access to
/etc/shadow
and other sensitive files. - Ensure only root has write access to important configuration files.
4. Network Configuration and Security
4.1. Disable Unused Network Services:
- List all listening services using
netstat
orss
. - Disable and remove services that are not needed.
4.2. Use a Firewall:
- Configure
iptables
,nftables
, orfirewalld
to control incoming and outgoing traffic. - Implement a default deny policy for incoming traffic and allow only necessary services.
4.3. Intrusion Detection System (IDS):
- Deploy tools like
Snort
orSuricata
to monitor network traffic for suspicious activity.
4.4. Secure SSH:
- Change the default SSH port from 22 to something less common.
- Use key-based authentication instead of passwords.
- Disable SSH protocol 1 by ensuring
Protocol 2
is set in/etc/ssh/sshd_config
. - Limit user access to SSH by configuring
AllowUsers
orAllowGroups
.
5. System Auditing and Monitoring
5.1. Enable and Configure Logging:
- Use
rsyslog
orsyslog-ng
for system logging. - Ensure logs are stored securely and reviewed regularly.
- Forward logs to a remote logging server.
5.2. Use Auditd:
- Install and configure
auditd
to track system calls and monitor key files and directories. - Customize audit rules in
/etc/audit/audit.rules
.
5.3. File Integrity Monitoring:
- Use tools like
AIDE
(Advanced Intrusion Detection Environment) orTripwire
to monitor file integrity.
6. Application Security
6.1. Secure Web Server:
- Use a reverse proxy like
Nginx
to add a layer of security. - Disable unnecessary modules and features.
- Use HTTPS to encrypt traffic between the client and server.
6.2. Secure Database Server:
- Disable remote root access.
- Use strong passwords for database users.
- Restrict database access to specific IP addresses.
6.3. Apply Security Updates:
- Regularly update all installed applications and services to patch vulnerabilities.
7. Data Encryption and Protection
7.1. Encrypt Sensitive Data:
- Use
LUKS
for full disk encryption. - Encrypt sensitive files and backups using
GnuPG
or similar tools.
7.2. Secure Communication:
- Use
OpenSSL
to create and manage SSL/TLS certificates. - Ensure all data in transit is encrypted.
8. Backup and Recovery
8.1. Regular Backups:
- Implement regular backup procedures.
- Test backups to ensure data can be restored successfully.
8.2. Store Backups Securely:
- Encrypt backup files.
- Store backups off-site or in a secure, isolated location.
9. Kernel and Module Security
9.1. Harden Kernel Parameters:
- Configure
/etc/sysctl.conf
to harden the kernel settings. - Disable packet forwarding, IP source routing, and ICMP redirects.
9.2. Use Kernel Security Modules:
- Enable and configure SELinux or AppArmor to enforce security policies.
- Review and apply appropriate security policies for your environment.
10. Physical Security
10.1. Server Room Security:
- Ensure physical access to servers is restricted to authorized personnel only.
- Use locks, surveillance, and access control systems.
10.2. Hardware Security:
- Disable unused physical ports (USB, FireWire) in BIOS/UEFI.
- Use hardware-based security modules like TPM (Trusted Platform Module) if available.
Conclusion
Securing a Linux server is an ongoing process that requires regular updates, monitoring, and audits. By following this comprehensive checklist, you can significantly enhance the security posture of your Linux servers, protecting them from potential threats and vulnerabilities. Implementing these practices will help create a robust security environment that can withstand various attack vectors.