Linux Server Security Checklist

Had this sitting around in my Google Docs for some time. Good idea to share these Linux security tips to help others secure their boxes. So here it is peeps.

Linux security – paranoid check-list

  1. For direct access to your box, only use ssh. SSH is the most secure standard for both authentication (both host and user) and data protection (everything strongly encrypted, end-to-end).
  2. Enable key-pairs as the only way to access your box. Don’t allow passworded logins. Most passwords are too short and sit (even if in hashed form) on many databases: your bank, your favorite retailer etc. My guide on SSH setup will guide you through this by setting in sshd_config.
    PasswordAuthentication no
  3. Run ssh on a high port. The reason is that a lot of security scanners will only scan the standard known-service ports or the lower range (1-1024 are privileged ports that only superuser can bind/listen to, so they are more attractive to hackers) So running on 43256 (there are 2^16 =~ 65k ports) is much safer.
  4. In the firewall rules, limit access to your (and your customers) IP blocks, i.e. instead of 0.0.0.0/0 (all the internet) allow only from (say) 12.167.110.0/24 (specific block)
  5. Control the users who are allowed entry to your server.
    sudo nano /etc/ssh/sshd_config
    AllowUsers username1 username2
  6. Never ever permit root logins:
    sudo nano /etc/ssh/sshd_config
    PermitRootLogin no
  7. All administrative stuff is done as a known user (accountability) which used ‘sudo’ after you have authenticated in via SSH.
  8. Use a second layer firewall (software firewall) in case the first goes down. On Linux you can use iptables with Gufw, one of the easiest firewall in the world, to manage the iptables.
    sudo apt-get install gufw
  9. Run logcheck, a periodic system log scanning that will email you any unusual event. logcheck comes with a very large rule-set of what can be safely ignored so it only emails when something really new and different shows up in the logs.
    sudo apt-get install logcheck
    sudo nano /etc/logcheck/logcheck.conf
    # Add your email to SENDMAILTO
    sudo -u logcheck logcheck # run a test
  10. Run tripwire, a service that scans all the executables on the system, and alerts when a signature has changed (i.e. the file has been replaced). There is also a good post here on Setting up Tripwire in Ubuntu 11.10 – Intrusion Detection System.
    sudo apt-get install tripwire

And that’s a wrap! Are there any others you would recommend?

~ Ernest