Securing Linux Servers
It is important when installing and maintaining a Linux server to perform initial and maintenance security checks on the server. Below is a checklist of basic tasks that should be performed on each server on initial setup and monthly to ensure continued security of the server. Please note that adding additional services like MySQL or Apache requires additional tasks to be performed routinely.
Choosing a Distro - Linux servers come in many flavors (distributions) and you should choose one that you are familiar with and that suits your needs. When choosing a distribution, note where your current distribution lies in its life cycle. Distributions typically state how long they will provide updates for their product; if you plan on using the server for longer than the time listed, schedule time to upgrade the system before the cutoff date or look for a distribution with a longer life cycle. Larger, more popular distributions are also recommended, as distros with small developer lists and user bases are more likely to end prematurely due to lack of funding or interest.
Installing Linux - When installing Linux in a production environment, it is recommended that you only install the services and applications required to accomplish the task the server needs to provide. Choose a custom installation if possible, as “default installs” may install many extra programs and services that will not be used. Every unused application or service is additional attack surface, and a vulnerability in one of them can expose the whole server. ‘Server’ or ‘Minimal’ installs may be available depending on the distro and should be leveraged for maximum benefit.
Software Update - One of the most important steps after installing a new Linux server is to bring your server up to date by performing a software update. The software update process differs between Linux distributions, so acquaint yourself with the update program that your particular distro uses. For reference, ‘apt’ and ‘yum’ are two popular package managers commonly used among current distributions. If the distribution you are installing from isn’t up to date, check that your firewall is set properly before updating, so that access to your server’s services is blocked while the updates are being installed. Regularly schedule a time to run software updates on the system.
Firewall - Ensure that your server’s firewall is turned on and that only the services and ports necessary are allowed for inbound and outbound traffic. Check this often and close ports that are no longer needed. If possible, limit access to services by subnet or IP.
SELinux - If not installed by your distro by default, install SELinux and set it to ‘enforcing’ mode. You can disable individual policies as needed for your system, but do not disable SELinux completely or set it to permissive mode to bypass its rulesets.
Restricting Services by Subnet/IP - If possible through service configuration, limit access to your services by subnet or IP address.
Limit sudo use - Sudo is convenient, but requiring a direct root login can make it more difficult for someone to gain full access to the system.
Set Administrator password to something difficult - For auditing and security purposes it is best to set the user and root passwords to something using upper and lower case characters, numbers, special characters and a length greater than 8 characters. Do not use the same password for multiple users (including root), and refrain from using words that can be found in a dictionary.
Set Password Expiration - To ensure the continued security of the server over time, set passwords to expire after a year to force users to set new passwords.
Disable/Remove Guest Accounts - Always ensure that all "guest" accounts (if any) are disabled or removed.
Service Accounts - Check the shadow and passwd files to verify that accounts created for services cannot be used to log in to the system.
Minimal Services - Make sure that only the services you need are running on each server, and check that only the services you want are scheduled to start at server reboot.
Patch 3rd party software - Make sure that all 3rd party software installed on the system is patched regularly.
Logging - Turn on logging for services and applications. Review logs at least monthly for unauthorized activity. Many distributions have log-watching programs available that email log summaries daily to the administrator.
Unused Accounts - Verify that all unused accounts have either been removed or disabled.
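The following audit script is an added example, not part of the original checklist; it applies the Service Accounts and Set Password Expiration items to passwd(5)/shadow(5)-formatted files. The sample passwd and shadow files it creates are constructed (the hashes are placeholders); on a real host you would pass /etc/passwd and /etc/shadow, which requires root to read.

```shell
#!/bin/sh
# Added example: audit passwd(5)/shadow(5) data for service accounts that can
# still log in and for passwords that never expire. Sample files below are
# constructed; on a real host pass /etc/passwd and /etc/shadow (root only).

# Service accounts (UID below 1000, not root) that still have a login shell.
# A locked shadow entry alone does not stop key-based SSH login, so the shell
# is what matters here.
service_accounts_with_shell() {
    awk -F: '$3 < 1000 && $3 != 0 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Accounts whose shadow entry holds a usable hash (not locked with "!" or "*").
accounts_with_usable_password() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 }' "$1"
}

# Accounts with a usable password whose max age (field 5) is unset or > 365 days.
accounts_without_yearly_expiry() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 > 365) { print $1 }' "$1"
}

# Worst case: service accounts with both a login shell and a usable password.
# Arguments: $1 = passwd file, $2 = shadow file (read first to build the set).
login_capable_service_accounts() {
    awk -F: 'NR == FNR { if ($2 != "" && $2 !~ /^[!*]/) usable[$1] = 1; next }
             $3 < 1000 && $3 != 0 && $7 !~ /(nologin|false)$/ && ($1 in usable) { print $1 }' "$2" "$1"
}

# Constructed sample data (hashes are placeholders, not real password hashes).
SAMPLE_PASSWD=$(mktemp) ; SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$PLACEHOLDERHASH1:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:$6$PLACEHOLDERHASH2:19000:0:99999:7:::
backup:!:19000:0:99999:7:::
alice:$6$PLACEHOLDERHASH3:19000:0:365:7:::
EOF

echo "service accounts with a login shell: $(service_accounts_with_shell "$SAMPLE_PASSWD" | tr '\n' ' ')"
echo "service accounts able to log in:     $(login_capable_service_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" | tr '\n' ' ')"
echo "passwords without a yearly expiry:   $(accounts_without_yearly_expiry "$SAMPLE_SHADOW" | tr '\n' ' ')"
```

On the sample data, backup is reported for its shell even though its password is locked, while www-data is the one account that fails both checks.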