DEV Community

Cover image for Securing Linux Servers for DevOps And Admins
Milan Leon
Milan Leon

Posted on

Securing Linux Servers for DevOps And Admins

This knowledge helped me personally in some situations that happened to me, where clients were practically helpless when the system infrastructure was compromised.
I truly hope that some of these tips help you.

So let's begin with securing Linux servers.

It's always recommended to have an incident response plan in case of a security breach.
Additionally, you should have regular security audits to identify and fix any vulnerabilities.

1. Keep the Operating System and software up to date: Make sure to install all security updates and patches as soon as they become available.

As a Linux admin, it is crucial to keep the operating system and all software up to date.
This ensures all security vulnerabilities that have been discovered and patched by the software vendors are addressed on my server.
To do this, we can use package managers such as apt or yum to update the operating system and installed software.
Also, we'll configure the system to automatically check for and install updates regularly.
Additionally, I make sure to research and apply any important security patches that may not be included in the standard package updates.
By keeping the operating system and software up to date, I am proactively addressing known security issues and reducing the potential attack surface on my server.

# update the package list
sudo apt update

# upgrade all installed packages
sudo apt upgrade -y

# install security updates
sudo apt dist-upgrade -y

# install any important security patches
sudo apt install --only-upgrade <package_name>

# configure automatic updates
sudo apt install -y unattended-upgrades
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

This script first updates the package list, then upgrades all installed packages, and finally installs security updates. It also installs any important security patches for specific packages that may not be included in the standard package updates. Finally, it configures automatic updates using the package unattended upgrades. The last command is optional, depending on your needs.

You can also use yum instead of apt on other distributions.

Please note that this is just an example and you should test it on your local environment before using it in production. I will repeat this after each script.

2. Use strong and unique passwords for all user accounts and make sure to change them regularly.

Next... it is essential to use strong and unique passwords for all user accounts. This helps to prevent unauthorized access to the server, whether by brute force attacks or by someone guessing a weak password. I use a password manager to generate strong and unique passwords for each account and make sure to change them regularly. I also encourage my users to use strong and unique passwords for their accounts and to change them frequently. Additionally, I can use PAM modules such as pam_cracklib or pam_pwquality to enforce password policies such as minimum length, complexity, and expiration.

Here is an example script that can be used to set and enforce strong and unique passwords on a Linux server:

# Install pam_cracklib
sudo apt install libpam-cracklib

# Configure pam_cracklib
sudo nano /etc/pam.d/common-password

# Add the following line to the file
password required pam_cracklib.so retry=3 minlen=15 difok=5

# Change all user's passwords to strong and unique password
for user in $(cut -f1 -d: /etc/passwd); do
echo "$user:new_password" | chpasswd
done

# Schedule password expiration
sudo nano /etc/login.defs

# Change the following line
PASS_MAX_DAYS 90

This script first installs pam_cracklib, a PAM module that enforces password policies such as minimum length, complexity and expiration. Then it configures the pam_cracklib module, by adding the password required pam_cracklib.so retry=3 minlen=15 difok=5 line to the /etc/pam.d/common-password file, which sets the minimum length of the password to 15 and requires at least 5 different characters. Then, it changes all user's passwords to strong and unique passwords, this could be changed to a specific user or group. Lastly, it schedules password expiration, by changing the PASS_MAX_DAYS value in the /etc/login.defs file to 90 days.

This is just an example and you should test it on your local environment before using it in production.
Also, you can use other PAM modules such as pam_pwquality for more advanced password policies.

3. Use a firewall to block unwanted incoming and outgoing traffic.

Ok let's move on to check firewalls.. It is very important to use a firewall to protect my server from unwanted incoming and outgoing traffic. I use a firewall software such as iptables or firewalld, to configure rules that allow or block traffic based on various criteria such as IP addresses, ports, and protocols. I also make sure that the firewall is configured to deny all incoming traffic by default, only allowing traffic that is explicitly allowed. Additionally, I regularly check the firewall logs for any suspicious activity and adjust the rules accordingly.
Using a firewall helps me to protect my server from various types of cyber-attacks such as DDoS, port scanning, and malware injection.

Here is an example script that can be used to set up and configure a firewall on a Linux server using iptables:

# Install iptables
sudo apt install iptables

# Flush all existing rules
sudo iptables -F

# Set default policy to drop all incoming traffic
sudo iptables -P INPUT DROP

# Allow incoming traffic on port 22 (SSH)
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow incoming traffic on port 80 (HTTP)
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow incoming traffic on port 443 (HTTPS)
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Save iptables rules
sudo sh -c "iptables-save > /etc/iptables.rules"

# Configure iptables to start at boot
sudo nano /etc/network/interfaces

# Add the following line
pre-up iptables-restore < /etc/iptables.rules

This script first installs iptables, a firewall software for Linux. Then it flushes all existing rules and sets the default policy to drop all incoming traffic. It then allows incoming traffic on port 22 (SSH), 80 (HTTP) and 443 (HTTPS) using the -A INPUT -p tcp --dport [port number] -j ACCEPT command. Then it saves the iptables rules to /etc/iptables.rules, and configures iptables to start at boot by adding the pre-up iptables-restore < /etc/iptables.rules line to the /etc/network/interfaces file.

You can also use firewalld instead of iptables on other distributions.
Also, you can check this link on Linode documentation for firewall

You should adjust the ports and protocols as per your needs and also, you should regularly check the firewall logs for any suspicious activity and adjust the rules accordingly.

4. Limit access to the server to only necessary personnel and use secure authentication methods such as public-key authentication.

Now let's see SSH. As you may know, it is important to limit access to the server to only necessary personnel. This helps to prevent unauthorized access to the server and reduce the potential attack surface. I use secure authentication methods such as public-key authentication for SSH instead of using passwords. This provides an additional layer of security since a password can be guessed or cracked, but a private key must be physically possessed. I also make sure to disable or remove any unnecessary accounts and remove any unnecessary services or protocols that are not needed. Additionally, I can use access control mechanisms such as SELinux or AppArmor to restrict the access to the resources and files by the users and applications.

This is a script that can be used to limit access to a Linux server and use secure authentication methods:

# Disable password-based authentication
sudo nano /etc/ssh/sshd_config
# Change the following line
PasswordAuthentication no

# Configure public-key authentication
sudo mkdir /home/username/.ssh
sudo nano /home/username/.ssh/authorized_keys
# Add the public key of the user

# install SELinux
sudo apt-get install selinux-basics

# configure SELinux
sudo nano /etc/selinux/config
# Change the following line
SELINUX=enforcing

# configure AppArmor
sudo apt-get install apparmor-utils
sudo nano /etc/apparmor.d/usr.sbin.sshd

This script first disables password-based authentication and enables public-key authentication for SSH by changing the PasswordAuthentication option in /etc/ssh/sshd_config to no, and adding the public key of the user to /home/username/.ssh/authorized_keys.
Then, it installs SELinux, a security extension for Linux that can be used to restrict the access to the resources and files by the users and applications.
It configures SELinux, by changing the SELINUX option in /etc/selinux/config to enforcing. Then, it installs and configures AppArmor, another security extension for Linux that can be used to restrict the access to the resources and files by the users and applications.

Also, you should make sure to disable or remove any unnecessary accounts, remove any unnecessary services or protocols that are not needed, and limit access to the server to only necessary personnel.
Test it on your specific local before using it in production.

5. Use intrusion detection systems (IDS) and security information and event management (SIEM) tools: Use intrusion detection systems and SIEM tools to monitor and detect suspicious activity on your server.

I use IDS software such as Snort or Suricata to monitor network traffic and detect any malicious activity. Additionally, I use SIEM tools such as ELK stack or Splunk, to collect and analyze log data from various sources such as firewall logs, system logs, and application logs. This allows me to detect any suspicious activity or patterns of behavior that could indicate a security breach. I also configure the tools to send me alerts in case of any suspicious activity.

By following these best practices and regularly checking my server's security status, I can help to protect my Linux server from various types of cyber-attacks, and be prepared to respond quickly in case of a security breach.

Set up and configure IDS and SIEM tools on a Linux server:

# Install Snort
sudo apt-get install snort

# Configure Snort
sudo nano /etc/snort/snort.conf

# Add the following line to the file
include $RULE_PATH/local.rules

# Create a local.rules file
sudo nano /etc/snort/rules/local.rules

# Add the necessary rules to the file

# Install ELK stack
sudo apt-get install elasticsearch logstash kibana

# Configure ELK stack
sudo nano /etc/logstash/conf.d/logstash.conf

# Add the necessary input, filter and output configurations

# Start ELK stack
sudo service elasticsearch start
sudo service logstash start
sudo service kibana start

This script first installs Snort, an open-source IDS software, and configures it by adding the necessary rules to the /etc/snort/rules/local.rules file. Then it installs the ELK stack (Elasticsearch, Logstash, and Kibana), open-source SIEM tools, and configures it by adding the necessary input, filter, and output configurations to the /etc/logstash/conf.d/logstash.conf file. Lastly, it starts the ELK stack services.

You can use other IDS software such as Suricata and other SIEM tools such as Splunk.
It is important to configure the tools to send you alerts in case of any suspicious activity and regularly checking your server's security status.

6. Secure remote access to the Linux server by using secure protocols such as SSH and VPN, and disabling unnecessary services and ports.

Ok so now as an admin I ensure that remote access to the server is secure.
I use secure protocols such as SSH for remote access and VPN for remote networks connection.
I also make sure to disable or remove any unnecessary services or ports that may be open on the server, as these can be potential attack vectors.
To further secure remote access, I can implement measures such as two-factor authentication, IP whitelisting, and regular monitoring of authentication logs.
I also make sure to use strong and unique credentials for all remote access accounts, and change them regularly.

Secure remote access to a Linux server:

# Install OpenVPN
sudo apt-get install openvpn

# Configure OpenVPN
sudo nano /etc/openvpn/server.conf

# Add the necessary configurations

# Enable SSH
sudo systemctl enable ssh
sudo systemctl start ssh

# Disable unnecessary services and ports
sudo systemctl disable <service_name>
sudo ufw deny <port_number>

# Enable two-factor authentication
sudo apt-get install libpam-google-authenticator

# Configure IP whitelisting
sudo ufw allow from <ip_address>

# Monitor authentication logs
sudo nano /etc/rsyslog.conf
# Add the following line
auth,authpriv.* /var/log/auth.log

This script first installs OpenVPN, a secure protocol for remote networks connection and configures it by adding the necessary configurations to the /etc/openvpn/server.conf file.
Then it enables SSH, a secure protocol for remote access, and disables unnecessary services and ports by running the sudo systemctl disable <service_name> and sudo ufw deny <port_number> commands.
It enables two-factor authentication by installing the libpam-google-authenticator package, configures IP whitelisting by allowing connections from specific IP addresses using sudo ufw allow from <ip_address>. Lastly, it monitors authentication logs by adding the auth,authpriv.* /var/log/auth.log line to /etc/rsyslog.conf file.

You should make sure to use strong and unique credentials for all remote access accounts and change them regularly.

securing linux servers

7. Securely configure services: Configure services such as web servers, databases, and SSH securely to prevent unauthorized access.

Then I have to make sure to configure services such as web servers, databases, and SSH securely to prevent unauthorized access. I use best practices such as using non-root user accounts to run services, limiting the listening interfaces and ports, and configuring access controls. I also make sure to use the latest versions of the software and configure them with the latest security settings. Additionally, I regularly check the service logs for any suspicious activity and take appropriate action if necessary.

Securing Linux servers configuration of services:

# Create non-root user account for service
sudo adduser <username>

# Grant permissions to the user account
sudo usermod -aG <group_name> <username>

# Configure service to run as non-root user
sudo nano /etc/<service_name>/<service_name>.conf

# Change the user and group options to the non-root user account created above

# Limit listening interfaces and ports
sudo nano /etc/<service_name>/<service_name>.conf

# Add the following line
ListenAddress <IP_address>

# Configure access controls
sudo nano /etc/<service_name>/<service_name>.conf

# Add the necessary access controls

# Check service logs for suspicious activity
sudo tail -f /var/log/<service_name>/<service_name>.log

This script creates a non-root user account for a service, grants the necessary permissions to the user account, configures the service to run as the non-root user account, limits the listening interfaces and ports by adding the ListenAddress <IP_address> line to the configuration file, configures access controls by adding the necessary access controls to the configuration file, and checks the service logs for suspicious activity by running the sudo tail -f /var/log/<service_name>/<service_name>.log command.

You should make sure to use the latest versions of the software and configure them with the latest security settings, and regularly check the service logs for any suspicious activity and take appropriate action if necessary.

8. Use file integrity monitoring to detect any changes to important system files and configuration files.

In addition to Grafana and Prometheus as essential monitoring software in DevOps, I have to use some others to monitor other things on the server.
I use file integrity monitoring to detect any changes to important system files and configuration files. This helps me to detect any unauthorized modifications to the server such as by malware or a malicious actor.
I use tools such as Tripwire, AIDE, or OSSEC to monitor the file system and alert me of any changes.

These are some of the key security best practices that I follow as a Linux server administrator.
Continuously monitoring and updating these practices help me to keep my server secure and protect it from potential cyber threats.

continue on my website https://milanmaximo.com/securing-linux-servers-for-devops-and-admins/

Top comments (0)