In spite of the fact that Linux viewed as secure, it is advisable to follow some of the business best strategy to secure your server. For instance, you need to update the software applications regularly, use strong passwords and install a strong firewall to safeguard your system from hackers.
There are a few quick steps you can take to ensure your platform is more secure.
-
Secure Shared Memory
One of the main things you ought to do is secure the shared memory used on the system. In case you’re not aware a shared memory is utilized in an attack against a running service. Along these lines you will need to secure that portion of system memory. You can do this by modifying the /etc/fstab file.
First you must open the file for editing by issuing the command:
Sudo nano /etc/fstab
Next, add this line in the bottom of that file:
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
Save and close the file. In order for changes to take effect you must reboot the server.
-
Enable SSH Login for Specific Users
Secure Shell (SSH) is the tool you’ll use to log into your remote Linux servers. Despite the fact that SSH is genuinely secure, as a matter of course, you can make it considerably more along these lines, by enabling SSH login only for specific users. Suppose you need to just permit SSH entry for the user Neil, from IP address 192.168.1.162. Here’s how you would do this.
- Open a terminal window.
- Open the SSH config. file for editing with the command sudo nano/etc/ssh/sshd_config.
- At the bottom of the file, add the line AllowUsers [email protected].
- Save and close the file & Restart sshd with the command sudo service ssh restart.
Secure Shell will now only allow user Neil, from IP address 192.168.1.162. If another user attempts to SSH into the server, it will prompt for a password, but the password won’t get accepted.
You can have wild cards, where in the users from a particular IP address gets access. To allow all users on your local network you will have to add the following line:
AllowUsers *@192.168.1.*
Then restart the ssh server, and you’re good to go.
-
Add a Security Login Banner
Adding a security login banner may appear as though it would have zero impact on your serve, but if an unwanted user gains access to your server, and in the event, they see you’ve set up a login banner warning them of consequences. This is an easy step and shouldn’t be over looked. Here’s how you can manage this.
Create your new banner by following these steps.
- Open a terminal window.
- Issue the command sudo nano/etc/issue.net.
- Edit the file to add a suitable warning.
- Save and close the file.
Next, disable the banner message from Message of The Day (motd). Open a terminal and issue this command:
Sudo nano/etc/pam.d/sshd
With this file open for editing, comment on the following two lines by adding a # to the beginning of each line:
session optional pam_motd.so
motd=/run/motd.dynamic
session optional pam_motd.so noupdate
Now open /etc/ssh/sshd_config in your text editor and comment:
Banner /etc/issue.net
Save and close that file. Restart the ssh server with the command:
sudo service ssh restart
Anytime someone logs into your server they will see your added banner to warn them you’re watching.
-
Restrict SU Access
Linux users get to use the su command to change different user. When done, they gain privileges granted to other users. To avoid this, you’ll want to disable access to the su command.
First thing to do is to create a new admin group on the server with the command:
sudo groupadd admin
Next, add users to this group. Say you want to add Neil to the group. The command is:
sudo usermod -a -G admin Neil
Next, we grant access to su command to the admin group with command:
sudo dpkg-statoverride –update –add root admin 4750 /bin/su
-
Install fail2ban
It is an intrusion prevention system that monitors log files and searches for patterns that relates to failed login attempt. If too many incorrect logins are detected it will block access from that IP address.
To Conclude:
The above-mentioned tips are best practices for hardening your Ubuntu and provide an upgrade to your server’s security.