Important Security Information for Your Linux Server (Part 2 of 2)
Please use the “Print” function at the bottom of the page to create a PDF.
For Cloud Servers, VPS, Virtual Server, Dedicated Servers and Server Power Deals
This series of articles explains some important security recommendations and security measures that can help increase the security level of your Linux server.
This article provides specific security recommendations to configure your Linux server securely and to ensure its safe operation.
Please Note
These security recommendations apply only to servers with root access.
Deactivate the SSH Root Login
By default, the root user is created as the first user on every Linux system. The root user has the highest rights. With the root user, you have access to all commands and files and full read, write and executable permissions. If this user account is used improperly or inappropriately, it may have a significant impact on your server. Therefore, you should only use this user account to configure the server after its creation.
As the root username is used as the default username for the root user, root is often a target for attacks. For this reason, it is recommended to you set up another user account. Then you can deactivate the SSH root login. When setting up the user account, make sure that it can obtain root user rights by entering the sudo command. Alternatively, you can deactivate password authentication for the root user in the /etc/ssh/sshd_config file using the PermitRootLogin prohibit-password entry. In this case, the root user can only log on to the server using SSH public-key authentication.
Further information can be found in the following article:
Change the SSH Port
By default, port 22 is used to establish an SSH connection. This port is automatically configured during the installation of your operating system.
To reduce the number of brute force attacks, you can configure another port for SSH access.
Please Note
Before changing the port, make sure that the applications and services installed on the server can be configured without the default port 22. Otherwise, changing the default port may cause these applications and services to stop working.
Further information can be found in the following article:
Set up an Email Notification to Report SSH Logins
To monitor remote activity, you should set up an email notification to report SSH logins. This email notification can be used to determine if an unauthorized access to the server occurs. A simple shell script that automatically sends an email notification to you each time you successfully log on to your server remotely is sufficient.
Please Note
The script described here will not send an email if a user establishes an SSH connection using a program such as WinSCP that does not perform a full login!
Protect the SSH Login from Brute Force Attacks with fail2ban
Fail2Ban is software that scans log files such as /var/log/pwdfail or /var/log/apache/error_log and temporarily bans IP addresses that make too many failed login attempts. Run this way, Fail2Ban can detect and repel brute force attacks.
You can download Fail2Ban here.
Install an Intrusion Detection System
An intrusion detection system is a system which is used to detect attacks on servers or networks at an early stage. Known intrusion detection systems are Tripwire, Aide and Psad.
Check Your Server for Open Ports with Nmap
Nmap is open-source software that allows you to perform security checks. With it, you can determine which hosts are available on the network. In addition, you can use Nmap to identify a host's open ports and the services that respond to these open ports.
More information about Nmap can be found on the following page:
Consult Additional Hardening Guides
To harden the operating system of your server against attacks in an optimal way, we recommend you to consult the hardening guides, which are offered by the distribution providers.
CentOS 7
https://wiki.centos.org/HowTos/OS_Protection
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/index
Ubuntu
https://ubuntu.com/security?_ga=2.263273356.1615448989.1569829053-453270342.1569829053
Debian
Check Suspicious Processes
If you suspect that your server is compromised despite all security measures, you should check the running processes. To check your server for suspicious processes, proceed as follows:
Ubuntu
Log on to the server as an administrator.
To display a list of running processes, enter the following command:
root@localhost:~# ps aux
Alternatively, you can redirect the running processes to a file using the following command:
ps aux > processes.txt
less processes.txt
CentOS 7
Log on to the server as an administrator.
To display a list of running processes, enter the following command:
root@localhost:~# ps aux
Alternatively, you can redirect the running processes to a file using the following command:
ps aux > processes.txt
less processes.txt
Pay attention to programs that are located in unusual directories. Examples:
/usr/local/bin
/var/www
/tmp
If you see a process that you cannot identify, we recommend that you first investigate whether the process may be running by default by your operating system or by an installed application.
In addition, scan your server for malware and viruses using a malware scanner and an anti-virus program.
Security Tips for Applications and Databases
Protect or rename subdirectories of applications
Hackers often scan for certain subdirectories of applications, such as /phpmyadmin. When they find such a directory, they try out all the security holes to get access. If you cannot protect these subdirectories, you should rename them.
If you do not need these applications, you should uninstall them for security reasons.
Back up your databases
If you are using a database such as MySQL or MariaDB, you should make sure to back it up. Some important safety measures are listed below:
Make sure that the local "root" user must authenticate.
Use the strongest available hashing algorithms for authentication.
Check, if your backup strategy is properly implemented and test the database recovery. A normal file backup may be insufficient. Instead, create a database export with tools like mysqldump or pg_dump.
More articles from this series
You can find the first article of this article series here:
Important Security Information for Your Linux Server (Part 1 of 2)
Content
- Deactivate the SSH Root Login
- Change the SSH Port
- Set up an Email Notification to Report SSH Logins
- Protect the SSH Login from Brute Force Attacks with fail2ban
- Install an Intrusion Detection System
- Check Your Server for Open Ports with Nmap
- Consult Additional Hardening Guides
- Check Suspicious Processes
- Security Tips for Applications and Databases
- More articles from this series
- To top