How to Secure Your Linux Server: A Detailed Guide

If you’re one of the millions of business owners that uses Linux, you already know that Linux servers are cost-effective, versatile, and supremely flexible due to their open-source nature. Linux provides community cooperation and shared resources, especially for small business owners, making it a primary and popular choice for lots of enterprising entrepreneurs.

That all said, Linux being open source also means that it has security risks and vulnerabilities. You need to know how to secure your Linux server both to protect your business and the data of your customers as you expand your brand. Let’s take a closer look at how you can secure a Linux server in a variety of different ways.

Why Security in Linux is Important

Linux security is important because Linux is so popular with web servers, attackers write custom scripts targeting the operating system to scan for known vulnerabilities and exploit them. For example, web server response headers return critical information about the host, including the server operating system, unless administrators follow the OWASP suggestion to hide this information.

With the Linux distribution and version in hand, attackers can then launch targeted attacks against a web server. If the Linux version has known vulnerabilities, an attacker can either download pre-made scripts or craft an exploit of their own. In other words, a combination of returning information about the Linux version running on the server and running outdated software leaves the web server open to exploits. Kernel vulnerabilities are serious threats to the stability of the web, and they can have critical consequences. Vulnerabilities such as Dirty Cow and SACK Panic gave attackers elevated privileges or a denial-of-service (DoS), and these issues were just two examples that could lead to critical data breaches or downtime.

Kernel vulnerabilities aren’t the only source of vulnerabilities. Third-party applications also introduce vulnerabilities and give attackers the opportunity to steal data. Heartbleed was discovered in 2014 and continues to be a problem for older unpatched Linux-based servers allowing threat actors to steal data in a buffer underflow exploit. The vulnerability was found in several older versions of OpenSSL, commonly used as an encryption library on Linux servers.

How to Secure Linux Servers?

With numerous vulnerabilities open to attackers, it’s critical for administrators to be aware of their attack surface and the risks involved with default settings on Linux and any third-party applications that could cause issues. You can’t decrease risk by 100%, but you can take the right precautions and perform hardening on the operating system regardless of the distribution installed.

Here are a few tips for hardening security in Linux:

• Install only necessary packages. It’s tempting to install every package you think might be useful in the future, but the more packages you install on a server, the more risk you add. For example, if you don’t need to host DNS, then you shouldn’t install DNS packages or leave its service ports open (53).
  
• Use an alternative to root. Although root is a target for any threat actor, it’s especially risky on public-facing servers. Instead of leaving the root user active, you can create a new user and elevate its privileges on the server. After elevating privileges, you can reduce them on root or disable the account.
  
• Enforce password security. Password length and complexity defend against brute-force dictionary attacks. Passwords for critical accounts should be at least 12 characters and rotated frequently. Many administrators know the importance of password complexity, but they don’t have a rotation schedule. Passwords should be rotated frequently to reduce the window an attacker has to compromise a system should your password get leaked or brute-forced.
  
• Secure SSH. Gaining access to SSH could give an attacker full control over the server, so securing it should be a priority. You can make several changes on the server to ensure that SSH is secure.

Update Your Linux Server

Before you do anything else, you should make sure your Linux server is up-to-date and as modern as possible. Regularly updating your Linux server is key to maintaining good digital defenses and strong server security – note that this tip is also true for any cyber security element, like a firewall, antivirus software, and so on.

Your Linux server might update automatically. But if you aren’t sure whether this is the case, or you want to update your Linux server manually, you have two options:

Use the Update Manager in Linux, which searches for updates and notifies you if any are available automatically. All Linux distributors or distros have a GUI or graphical user interface that enables you to update your Linux server quickly and easily

•    Use the Linux terminal, which is the main terminal through which you can enter commands and manually update your system

Want to follow the second route? You can do that by accessing the Linux server at local repositories, then applying the latest patches.

• On Debian and Ubuntu, use the following patch in the command line: $ sudo apt update && sudo apt upgrade -y

• On RHEL, CentOS, or Fedora, use the following patch: $ sudo dnf upgrade

Once your Linux server is updated, it will be responsive to all the modern cybersecurity techniques and tools you want to use. It’ll also be inherently a little more secure against discovered security threats, like malware intrusions or “back doors.”

Note that some Windows or Mac computers may not allow new Linux distributions or updates to functionality because of their age. Therefore, make sure you only install a new Linux system on a relatively new or modern PC.

Make a Privileged User Account for Modifications

Most business owners and administrators avoid using the root access terminal when logging into their Linux servers. That’s because the root login terminal, while powerful, is also risky if you don’t know what you’re doing; just entering one wrong command or a typo can destroy or decimate your server and its data. Thus, any root users need to know what they’re doing and how to do things like open ports, etc.

That’s why it’s much smarter to make a user account with Sudo privileges. Such privileged accounts enable users like you to use root commands without actually implementing those commands into the root terminal, thereby reducing the above-mentioned risk.

Fortunately, creating a new privileged user account for higher Linux server security is fairly straightforward.

•   First, create a new user by typing – $ adduser <username>

• Next, give that user sudo rights by entering the following code – $ usermod -a -G sudo <username>

Once this is done, you’ll have created a new user profile on your Linux server, but that profile will have system administrators privileges and permissions. You can go forward using that profile for all your other digital upgrades and any other commands or controls you want to implement. Think of it as giving yourself the keys to the digital kingdom.

Implement a Password or SSH Key

Passwords and SSH keys are also popular ways to secure a Linux server. This is an important step after setting up a new account with privileges and administrative access; otherwise, anyone can access that profile and make changes to your server without your agreement.

A password is a strong security measure for both Linux servers and all other digital platforms, like firewalls, databases, etc. Luckily, Linux makes it easy for you to set up and/or edit a system password using the terminal. Just choose a password that you like, then enter it.

A word of advice: try to make a strong Linux password that can’t easily be guessed. A good rule of thumb is to make a password that includes at least one uppercase and lowercase letter each, one number, and one symbol at minimum, with a minimum number of characters, like 12. That way, even a brute force attack will have a hard time getting through your password defense, and people won’t be able to guess your password even if they know something about you.

Have trouble remembering passwords? Use a password manager or simply write the password down in a secure area that only you can access, like inside your safe.

Install a Linux Firewall

Firewalls are tried-and-true methods of protecting databases and servers alike from all kinds of cyber hazards, like malware attacks. Therefore, you should always ensure your Linux server has a firewall installed. Fortunately, there are lots of open source firewalls you can install and implement depending on your preferences.

Note that there are some differences between different firewalls, however. For instance, some firewalls allow outgoing traffic but prevent any incoming traffic from affecting your server whatsoever. That prevents apps from reaching your server but still lets you access the Internet. Other firewalls may allow limited access or enable some server use from select individuals.

Use the Security Keys for identification

Using Security Keys has two main advantages.

1. You can access your terminal without entering a password.
2. You can disable password logging completely so that no password is required to connect to the server.

This feature protects against certain possible attacks, such as brute force attacks.

Conclusion

This is all for this fundamental tutorial on how to secure a Linux server. I remind you that there is no perfect system, in this tutorial we have applied a basic security scheme at the operating system level, but to ensure the integrity of your system you must also properly secure the applications that run on it.

I hope it has been useful to you.