For a long time, Linux has had a reputation of security through obscurity. Users had the advantage of not being the primary target of hackers and didn’t need to worry. This fact is no longer valid, and in 2017 and 2018, we saw large swaths of hackers exploiting Linux bugs and glitches, finding tricky ways to install malware, viruses, rootkits and more.
Because of the recent flood of exploits, malware and other bad things hurting Linux users, the open source community has responded by beefing up security features. Still, this isn’t enough, and if you’re using Linux on a server, it’s a good idea to look at our list and learn ways you can improve the security of a Linux server.
1. Make use of SELinux
SELinux, AKA Security-Enhanced Linux, is a security tool that is built into the Linux kernel. Once enabled, it can easily enforce a security policy of your choosing, which is a must for a rock-solid Linux server.
Many RedHat-based server operating systems come with SELinux enabled and configured with pretty good defaults. That said, not every OS out there supports SELinux by default, so we’ll show you how to turn it on.
Note: Snap packages require AppArmor, an alternative to SELinux. If you choose to use SELinux, on certain Linux operating systems, you may not be able to use Snaps.
CentOS and RedHat Enterprise Linux both ship with the SELinux security system. It is pre-configured for good security, so no further instructions are needed.
Ever since Karmic Koala, Ubuntu has made it very easy to enable the SELinux security tool. To set it up, enter the following command.
sudo apt install selinux
Just like on Ubuntu, Debian makes it very easy to set up SELinux. To do it, enter the following command.
sudo apt-get install selinux-basics selinux-policy-default auditd
After you’re done installing SELinux on Debian, check out the Wiki entry on the software. It covers a lot of need-to-know information for using it on the operating system.
Once you’ve got SELinux working, do yourself a favor and read up on the SELinux manual. Learn how it works. Your server will thank you!
To access the SELinux manual, enter the following command in a terminal session.
2. Disable the Root account
One of the smartest things you can do to secure your Linux server is to shut off the Root account, and only use Sudoer privileges to accomplish system tasks. By shutting access off to this account, you’ll be able to ensure that bad actors cannot get full access to the system files, install problematic software (like malware), etc.
Locking the Root account on Linux is easy, and in fact, on many Linux server operating systems (like Ubuntu) it’s already shut off as a precaution. For more information about disabling Root access, check out this guide. In it, we talk all about how to lock the Root account.
3. Secure your SSH server
SSH is often a serious weak point on many Linux servers, as many Linux admins prefer to go with the default SSH settings, as they’re easier to spin up, rather than taking the time to lock everything down.
Taking small steps to secure the SSH server on your Linux system can mitigate a good chunk of unauthorized users, malware attacks, data theft and a lot more.
In the past on Addictivetips, I wrote an in-depth post all about how to secure a Linux SSH server. For more information about how to lock down your SSH server, check out the post here.
4. Always install updates
This seems like an obvious point, but you’d be surprised to learn how many Linux server operators forgo updates on their system. The choice is understandable, as every update has the potential to screw up running applications, but by choosing to avoid system updates, you miss out on security patches which fix exploits and bugs that hackers use to breach Linux systems.
It’s true that updating on a production Linux server is a lot more annoying than it will ever be on the Desktop. The simple fact is that you can’t just stop everything to install patches. To get around this, consider setting up a planned update schedule.
To be clear, there’s no set science on update schedules. They can vary depending on your use case, but it’s best to install patches weekly, or bi-weekly for maximum security.
6. No third-party software repositories
The great thing about using Linux is that if you need a program, so long as you’re using the right distribution, there’s a third-party software repository available. The problem is that a lot of these software repos have the potential to mess with your system, and malware regularly shows up in them. The fact is, if you’re running a Linux installation dependent on software coming from unverified, third-party sources, problems are going to happen.
If you must have access to software that your Linux operating system doesn’t distribute by default, skip the third-party software repositories for Snap packages. There are dozens of server-grade applications in the store. Best of all, each of the apps on the Snap store receives security audits regularly.
Want to learn more about Snap? Check out our post on the subject to learn how you can get it going on your Linux server!
7. Make use of a firewall
On a server, having an effective Firewall system is everything. If you have one set up, you’ll avoid a lot of the pesky intruders that you’d otherwise come into contact with. On the other hand, if you fail to set up an effective Firewall system, your Linux server will suffer severely.
There are quite a few different firewall solutions on Linux. With that in mind, some are easier to understand than others. By far, one of the simplest (and most effective) firewalls on Linux is FirewallD.
Note: to use FirewallD, you must be using a server OS that has the SystemD init system.
To enable FirewallD, you’ll first need to install it. Launch a terminal window and enter the commands that correspond with your Linux operating system.
sudo systemctl disable ufw
sudo systemctl stop ufw
sudo apt install firewalld
sudo apt-get install firewalld
sudo yum install firewalld
With the software installed on the system, enable it with Systemd.
sudo systemctl enable firewalld
sudo systemctl start firewalld
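Installing the packages does not by itself prove that the protections are active, so the script below (an added example, not part of the original article) checks that items 1, 2 and 7 of this list actually took effect on a host: the configured SELinux mode, the lock on the root password, and a running FirewallD with ufw out of the way. The function names and the --audit flag are this example's own, and the audit must be run with sudo so that /etc/shadow is readable.

```sh
#!/bin/sh
# Added example: read-only check of items 1, 2 and 7 from this list.
# Function names and the --audit flag are hypothetical, chosen for this example.

# Print the SELINUX= value from a config file, or "absent" if none is set.
# Comment lines and the separate SELINUXTYPE= key are ignored.
selinux_mode() {
    [ -r "$1" ] || { echo absent; return 0; }
    awk -F= '/^[ \t]*SELINUX=/ { gsub(/[ \t\r]/, "", $2); v = $2 }
             END { print (v == "" ? "absent" : v) }' "$1"
}

# Succeed only if root's password field in a shadow-format file is locked
# ("!" or "*" prefix). An empty field means no password at all, so it fails.
root_password_locked() {
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$1" 2>/dev/null)
    case "$field" in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if firewalld is enabled at boot and running now.
firewalld_ok() {
    systemctl is-enabled --quiet firewalld 2>/dev/null &&
        systemctl is-active --quiet firewalld 2>/dev/null
}

# Run every check against the live host; return non-zero if any check fails.
audit_host() {
    rc=0
    mode=$(selinux_mode /etc/selinux/config)
    [ "$mode" = enforcing ] || { echo "FAIL selinux: configured mode is $mode"; rc=1; }
    root_password_locked /etc/shadow || { echo "FAIL root: password not locked"; rc=1; }
    firewalld_ok || { echo "FAIL firewalld: not enabled and running"; rc=1; }
    # The Ubuntu steps disable ufw first; flag it if it is still enabled.
    if systemctl is-enabled --quiet ufw 2>/dev/null; then
        echo "FAIL ufw: still enabled alongside firewalld"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: all checks passed"
    return "$rc"
}

if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

A locked password field only blocks password logins for root; whether root can still log in with an SSH key is decided by the SSH server settings covered in item 3.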
Security issues are more and more common on Linux servers. Sadly, as Linux continues to get more and more popular in the enterprise space, these issues are only going to be more prevalent. If you follow the security tips on this list, you’ll be able to prevent a majority of these attacks.