💾 Archived View for cuppajoe.xyz › tutorials › hardening_linux.gmi captured on 2023-01-29 at 15:51:43. Gemini links have been rewritten to link to archived content


How to harden your Linux server

08-19-2021

In this article, I will be showing you some quick and easy changes you can make on your Linux server to make it more secure. This is especially important if you are exposing it to the internet, but these are good practices regardless.

The first thing to secure is your login and authentication method. While you can log in to your server with just a password, it is generally more secure to use SSH keys. You create an SSH key pair on your computer and then copy the public key to your server. After disabling password-based authentication in /etc/sshd_config, only your computer with the proper private key will be able to log in. Additionally, while you are editing /etc/sshd_config, you may want to disable the ability to log in as root. This requires everyone to log in as an unprivileged user.
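To confirm that both changes actually took effect, here is an added example (not part of the original article) that reads an sshd configuration file and reports the values sshd would use for PasswordAuthentication and PermitRootLogin. The function names effective_value and audit_sshd are hypothetical, the sample configurations are constructed, and the script assumes OpenSSH defaults, reads only the global section and does not follow Include lines.

```sh
#!/bin/sh
# Added example (not from the original article): check the two sshd settings above.

# effective_value KEYWORD DEFAULT FILE
# sshd keeps the FIRST value it reads for a keyword, keywords are case-insensitive,
# and lines after "Match" are conditional, so only the global section is read.
effective_value() {
    awk -v want="$1" -v def="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)      # separator: whitespace or "="
            key = tolower(f[1])
            if (key == "match") exit           # global section ends here
            if (key == want && n >= 2) { print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print def }          # unset: the OpenSSH default applies
    ' "$3"
}

# audit_sshd FILE: prints findings, returns 0 only when both settings are "no".
audit_sshd() {
    rc=0
    pw=$(effective_value PasswordAuthentication yes "$1")
    root=$(effective_value PermitRootLogin prohibit-password "$1")
    if [ "$pw" != "no" ]; then echo "WEAK: PasswordAuthentication=$pw"; rc=1; fi
    if [ "$root" != "no" ]; then echo "WEAK: PermitRootLogin=$root"; rc=1; fi
    if [ "$rc" -eq 0 ]; then echo "OK: key-only logins, no root login"; fi
    return "$rc"
}

# Constructed sample configs (not taken from any real server).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/weak" <<'EOF'
#PasswordAuthentication no
passwordauthentication yes
PasswordAuthentication no
Match User backup
    PermitRootLogin no
EOF
cat > "$tmp/hardened" <<'EOF'
PasswordAuthentication no
PermitRootLogin=no
EOF

audit_sshd "$tmp/weak" || true      # reports both settings as weak
audit_sshd "$tmp/hardened"          # reports OK
```

The weak sample shows two easy mistakes: a later "PasswordAuthentication no" is ignored because an earlier line already set the value, and a "PermitRootLogin no" inside a Match block does not apply globally. On a real server, running `sshd -T` as root prints the effective configuration with Include files resolved.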

It would also be wise to install the unattended-upgrades package, so that all of the software on your server (excluding Docker images) will have the latest security patches.

Next, I recommend you check your network security. Start by getting a list of the ports on which your server is currently listening. You can achieve this with the following command:

$ sudo netstat -tunlp

Take a look at this list and make sure you know what each port is being used for. If a port isn't necessary for any of the services you are using, you can block it with Uncomplicated Firewall (ufw). I would also recommend using a program called Fail2Ban. Fail2Ban will temporarily block IP addresses that are making repeated failed login attempts. This step will make it more difficult to brute-force your server with login attempts and it will fend off most bots. Install the package, then enable and start the service. Use the command `fail2ban-client status` to ensure that it is running.

I am sure there are many other ways that you can harden your Linux server, but at least you now have the bare minimum, and most glaring security holes have been taken care of. I recommend cross-referencing this article with other guides and tutorials as well, to get a clearer picture of what good Linux security looks like. Any programs and methods mentioned in this article have many tutorials available elsewhere on the Internet, so you should have no issue finding more detailed information.