Securing Your Linux Server - A Walk-through & Explanation
I want to explain further why these steps are needed, since I see many people running Linux servers in a very insecure way.
Update and Upgrade
First make sure to check for updates and upgrade your server. You may think this is unnecessary since you just installed Linux but there may some packages (applications) that need the latest version.
apt-get update && apt-get upgrade
Install a Firewall:
Why? This allows you to close off all the ports your server does not need to run. By doing this you lower the chance that an attacker finds a way into your server to destroy it or steal you keys. UFW is the easiest to use and I am glad to see the official Witness document using this firewall tool.
- Install UFW
apt-get install ufw - Allow SSH and deny HTTP services
ufw allow ssh
ufw deny http<- this blocks all incoming traffic from a web browser. You may also deny https. - Set default to block incoming and allow outgoing traffic.
ufw default deny incoming
ufw default allow outgoing - Prevent brute force password attacks:
ufw limit OpenSSH - Enable firewall
ufw enable - Check the status of the firewall
ufw status verbose
Something I tend to do is change the SSH port from the default to something above 10,000. The reason is to add entropy to an attackers attempt. If you choose to do this make sure you do not forget the port number or you will lock yourself out. The only difference to the steps above is step 3:
ufw deny ssh
ufw deny http
ufw allow port_number
where port_number is the number you chose.
After you run through those six steps it is a good idea to open another terminal (or putty session on Windows) and login a second time to make sure you are still able to gain access. If you can not use the original session to make changes. The last thing you want is to be locked out of the server you just bought.
Create a New User:
Now you need to create a new user. This adds much more security to your server by limiting the amount of actions the user can run without a password. That way if someone does get in by an exploit they will have minimal access and thus can cause minimal damage. Having two accounts will also allow you to use Root if an attack happens to clean up the mess.
- Create user (the -m creates home directory for new user)
adduser -m new_username - Add your new_username to the SUDO group
usermod -a -G sudo new_username - Create a password for the new user:
passwd new_user
I do not think creating an admin group that has root access is needed since the user we create has SUDO access. This is just my opinion.
After you create the new user open a new terminal (or putty) session and log in to make sure you set everything up correctly and that the password works. If there are any issues use the original Root session to make changes.
Change Root Password:
Trust no one. Even your hosting service.
As Root run the following.
passwd
source
Disable Root Login:
Do this after you verified that you can log in with the new user you created. This will help a lot and you can still use Root if needed by runing su in the console.
- Modify the file sshd_config by typing the following command:
sudo nano /etc/ssh/sshd_config - Change PermitRootLogin to
no.
Now that everything is set and working for the new user we will use that user from here on out.
Update Your Shared Memory:
- Edit /etc/fstab:
sudo nano /etc/fstab - At the bottom add:
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0 - Save the file.
- Reboot.
sudo reboot now
What I shared here is the most important parts in my opinion for any Linux server not just witness servers.
If you have any questions please feel free to ask either in the comments below or DM me on Discord.
Thanks For Reading!
If you have any topics that you would like me to cover please feel free to comment them below and I'll add them all to my list!
All images came from royalty and attribution free sources unless specified.
Click here to vote with SteemConnect
Or go to https://steemit.com/~witnesses
and type
jrswab in the box at the bottom.