9 Useful Tips For Linux Server Security

No serious system can ignore server security, especially in the public cloud. No doubt there are tons of tips and tutorials available on the Internet. Let's focus on the fundamental and general best practices first.
A List Of Security Improvements I Enforce After OS Provisioning.

Here we use Ubuntu 16.04 as the example.

1. Keep Kernel Up-To-Date.

Certainly no blind updates for production environments. But for newly installed servers, it's usually harmless and brings a higher level of security.

One common suggestion is disabling unused services. But I choose to trust my distro provider. Generally speaking, I believe they are likely to make the right choices about what is installed and enabled by default.

# Refresh the package lists, then upgrade everything installed (kernel included)
apt-get -y update && apt-get -y dist-upgrade

2. Reset Root Password And Install Basic Packages

We need this to access the VM's web console when ssh doesn't work, e.g. when problematic iptables rules lock you out, the OS runs into a kernel panic, or a reboot mysteriously gets stuck.

root_pwd="DevOpsDennyChangeMe1"
echo "root:$root_pwd" | chpasswd

  • Basic packages I use heavily
apt-get install -y wget curl

# vim for quick editing
apt-get install -y vim

# tmux is useful to persist sessions
apt-get install -y tmux

# lsof for checking tcp ports
apt-get install -y lsof

  • Install docker daemon, if necessary
wget -qO- https://get.docker.com/ | sh

  • Change hostname
echo "my-hostname" > /etc/hostname
hostname -F /etc/hostname

3. Generate SSH Key Pair.

Never never share the same ssh key pair across servers!

exec ssh-agent bash

# Generate a new key pair
ssh-keygen

# Load key pair
ssh-add

4. Hardening SSHD.

Only allow ssh login by key file, so attackers can't break in simply by guessing your password. Use a listening port other than 22, which avoids a lot of the noise from automated ssh login attempts.

  • Inject my ssh key
mkdir -p /root/.ssh/
echo "ssh-rsa AAA... denny@dennyzhang.com" \
   >> /root/.ssh/authorized_keys

  • Disable ssh by password
# Disable ssh by password
sed -i 's/^#PasswordAuthentication yes/PasswordAuthentication no/g' \
      /etc/ssh/sshd_config
sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' \
     /etc/ssh/sshd_config
grep PasswordAuthentication /etc/ssh/sshd_config

# Use another ssh port (remember to open it in the firewall, see step 5)
sshd_port="2702"
sed -i "s/^Port 22/Port $sshd_port/g" /etc/ssh/sshd_config
grep "^Port " /etc/ssh/sshd_config

# Restart sshd to take effect
service ssh restart
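The sed one-liners above assume the exact default lines are present. As an added example (my own code, not part of the original post; the function names and the sample config are mine), here is an idempotent way to set the same two options, plus a validation step with `sshd -t` so a broken config never takes down the daemon you are logged in through:

```shell
#!/usr/bin/env bash
# Added example: edit sshd_config idempotently and validate it before
# restarting, so a typo in the config cannot lock you out. The function
# names here are my own, not from the post.
set -eu

# sshd_set_option FILE KEY VALUE
# Rewrites an existing "Key ..." line (commented out or not) to the wanted
# value, or appends the key when the file does not mention it at all.
sshd_set_option() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# sshd_get_option FILE KEY
# Prints the value sshd would use: the first uncommented occurrence.
sshd_get_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd_config FILE PORT
# The two settings from step 4: key-only login and a non-default port.
harden_sshd_config() {
    local file="$1" port="$2"
    sshd_set_option "$file" PasswordAuthentication no
    sshd_set_option "$file" Port "$port"
}

# apply_sshd_config FILE
# Only restart the daemon if sshd accepts the new file. On failure the
# running sshd (old config) stays up and the caller gets a non-zero exit,
# so the session you are logged in through is never cut off.
apply_sshd_config() {
    local file="$1"
    if sshd -t -f "$file"; then
        service ssh restart
    else
        echo "refusing to restart sshd: $file failed 'sshd -t'" >&2
        return 1
    fi
}

# Typical use on the live system (as root):
#   harden_sshd_config /etc/ssh/sshd_config 2702 && apply_sshd_config /etc/ssh/sshd_config
```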

5. Restrict Malicious Access By Firewall.

This might be the most important security improvement you should make.

# Have a clean start with iptables and ufw
iptables -F; iptables -X
echo 'y' | ufw reset
ufw default deny incoming
ufw default deny routed

# Allow traffic of safe ports
ufw allow 22/tcp
ufw allow 80,443/tcp

# Allow the custom sshd port from step 4
ufw allow 2702/tcp

# Allow traffic in on a given network interface
ufw allow in on docker0

# Allow traffic from a trusted ip
ufw allow from 52.74.151.55

# Enable only after the allow rules are in place, so the default-deny
# policy never blocks a new ssh session on the custom port
echo 'y' | ufw enable

6. Add Timestamp To Command History.

It allows us to review which commands have been issued, and when.

echo export HISTTIMEFORMAT=\"%h %d %H:%M:%S \" >> /root/.bashrc

7. Pay Close Attention to /var/log.

Use logwatch to automate the check and analysis. It's a useful Perl script that parses your logs and generates daily reports on your system's log activity. Major log files:

  • /var/log/kern.log
  • /var/log/syslog
  • /var/log/ufw.log
  • /var/log/auth.log
  • /var/log/dpkg.log
  • /var/log/aptitude
  • /var/log/boot.log
  • /var/log/cron.log
  • /var/log/mail.log

apt-get install -y logwatch

# Full check. Takes several minutes
logwatch --range ALL

# Only check log of Today
logwatch --range Today

# Check log for last week
logwatch --range "between -7 days and -1 days"

8. Run 3rd-Party Security Check Tools.

Not everyone can or will be a security expert, so it's better to rely on reliable and versatile tools. lynis is quite handy and straightforward: it's just a single shell script.

apt-get install -y lynis

# Run lynis to check security issues
lynis -c

9. Properly Back Up Unrecoverable Data.

Always have a plan B. As a last resort, make sure it's feasible to do a quick system restore on new servers.

Special thanks to this reddit discussion.

More Reading: Detect Suspicious Linux Processes


Blog URL: https://www.dennyzhang.com/linux_security