That’s a nice new Linux server you got there… it would be a shame if something were to happen to it. It might run okay out of the box, but before you put it in production, there are 10 steps you need to take to make sure it’s configured securely.
1. User Configuration
● To change the root password: log in as root, run passwd, enter the new password, then enter it again to confirm
● Setting up a password policy is fairly complex; full details are here, but essentially:
+ Install pam_cracklib
+ Edit the /etc/pam.d/common-password (Debian, Ubuntu, Mint) or /etc/pam.d/system-auth (RHEL, Fedora, CentOS) file
+ Modify the various attributes in that file for length, complexity, history
+ Edit the /etc/login.defs file and modify the attributes there for expiration settings
● To create a new user: run useradd [username] as root, then run passwd [username] to set the password for that account.
● To give a user sudo access: run visudo as root, find “root ALL=(ALL) ALL” in the sudoers file, add a new line next to it and add “[username] ALL=(ALL) ALL”. Save and close.
● To disable root: run sudo passwd -l root
UpGuard.com | @UpGuard
2. Network Configuration
● To set the hostname and gateway: edit the /etc/sysconfig/network file
● To set the IP, netmask and broadcast: edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file (Must restart the network service for changes to take effect)
● To set DNS servers: edit /etc/resolv.conf
● To disable IPv6: edit /etc/sysctl.conf and add “net.ipv6.conf.all.disable_ipv6 = 1”
3. Package Management
● To list current packages: run yum list installed or dpkg -l
● To install a package: run yum install [package name] or apt-get install [package name]
● To remove a package: run yum remove [package name] or apt-get remove [package name]
4. Update Installation and Configuration
● To update everything: run yum update or apt-get upgrade
● To set up automatic updates: install and use yum-cron or unattended-upgrades (apt)
5. NTP and Time Drift
● To sync with an NTP server: edit the /etc/ntp.conf file
6. Firewalls and iptables
● To show your iptables: run iptables --list
● To delete an existing entry: run iptables --delete [chain] [rule number]
● To insert a new entry: run iptables --insert [chain] [rule number]
● Full details can be found here: http://linux.die.net/man/8/iptables
7. Securing SSH
● To disable ssh access for root: edit /etc/ssh/sshd_config, find “#PermitRootLogin no” and remove the comment “#” symbol so the directive takes effect. Restart ssh.
● To restrict ssh by IP: edit the sshd_config file and modify the AllowUsers directive like so: AllowUsers user1@10.10.10.1 user2@10.10.10.2 etc.
● Moving from password authentication to certificate-based authentication is fairly involved, requiring the generation of a key pair and several configuration changes. See a detailed guide for your distribution.
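An added example, not from the original slides, that checks the two sshd_config settings above in a file's global section. The function names and sample config are constructed, and it assumes repeated AllowUsers lines accumulate while single-valued keywords take their first uncommented value.

```shell
#!/bin/sh
# Effective value of a single-valued keyword in the global section:
# commented lines are ignored, keywords are case-insensitive, the first
# uncommented occurrence wins, and parsing stops at the first Match block.
sshd_first() {  # usage: sshd_first KEYWORD FILE
    awk -v key="$1" 'BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); exit }' "$2"
}

# Every AllowUsers entry in the global section, one per line.
# Assumption: repeated AllowUsers lines accumulate, so all are collected.
sshd_allow_users() {  # usage: sshd_allow_users FILE
    awk '/^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Returns 0 only if root login is off and every AllowUsers entry is host-bound.
audit_sshd() {  # usage: audit_sshd FILE
    rc=0
    root=$(sshd_first PermitRootLogin "$1")
    if [ "$root" = "no" ]; then echo "PASS PermitRootLogin no"
    else echo "FAIL PermitRootLogin is '${root:-unset}'"; rc=1; fi
    users=$(sshd_allow_users "$1")
    [ -n "$users" ] || { echo "FAIL no AllowUsers directive"; rc=1; }
    while read -r entry; do
        [ -n "$entry" ] || continue
        case $entry in
            *@*) echo "PASS AllowUsers $entry" ;;
            *)   echo "FAIL AllowUsers $entry has no @host part"; rc=1 ;;
        esac
    done <<EOF
$users
EOF
    return $rc
}

# Constructed sample: the shipped comment is still in place and a later
# "no" sits below an earlier "yes", so root login stays enabled.
sample_config() {
    printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' \
        'PermitRootLogin no' 'AllowUsers user1@10.10.10.1 user2'
}

tmp=$(mktemp) && sample_config > "$tmp" && audit_sshd "$tmp" || echo "=> not compliant"
rm -f "$tmp"
```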
8. Systemctl and Service Configuration
● To list all services and their status: run systemctl list-unit-files --type=service or chkconfig --list
● To prevent a service from automatically starting: run systemctl disable [service] or chkconfig [service] off
● To set a service to start automatically: run systemctl enable [service] or chkconfig [service] on
9. SELinux and Further Hardening
● To see if SELinux is running (RHEL, CentOS, Fedora): run getenforce or sestatus
● To enable, disable or modify SELinux, edit the /etc/selinux/config file
● Try AppArmor as an SELinux alternative
10. Logging
● Logs are usually stored in /var/log
● Check the documentation and configuration files of your applications to see what log levels they allow and set the one that is appropriate for your needs.
● Consider a centralized syslog server if your environment warrants one
Want more tips?
Visit UpGuard.com for more technical and how-to articles.