Basic Security in Linux HostRooster

Security is always relevant. Let's go over the basics of protecting a server running Linux.

System updates

Installing OS updates promptly is a good habit. Occasionally an update has unwanted side effects, but that is rare compared with the risk of running packages with known vulnerabilities. The process can be simplified with automatic updates (for example the unattended-upgrades package on Debian/Ubuntu or dnf-automatic on Fedora).

Different distributions do this differently. On a server under critical load, prefer running updates by hand with the standard tools, so that you control when packages and services change:

Ubuntu/Debian:

sudo apt-get update

sudo apt-get upgrade

Fedora/CentOS:

sudo dnf update

(On CentOS 7 the command is yum update; dnf accepts the same options.)

Important! The package manager only updates software installed from the distribution's repositories. Anything you compiled from source or installed as a standalone binary is not covered and has to be updated separately.

System users with limited rights

Logging in to the server as the root superuser is not secure. We also recommend changing any non-root account that the system image ships with by default, at the very least its password.

The password is changed with the command:

passwd

It changes the password of the account it is run as. To change another user's password, run it as root (or through sudo) with the account name as the argument, replacing <username> with the actual name:

sudo passwd <username>

If root is the only user on the system, create a user with limited rights.

To create a user, run (replacing <username> with the account name):

adduser <username>

The program asks for a password for the account and then for user information (full name, room number, phone), which can be skipped by pressing Enter. At the end it asks you to confirm that the information is correct.

Grant the user administrator rights by adding it to the sudo group:

adduser <username> sudo

On CentOS/Fedora the user is created differently:

useradd <username> && passwd <username>

Then add the user to the wheel group, which is the group allowed to use sudo there:

usermod -aG wheel <username>

Before closing your root session, check that the new account can log in and run sudo. Once root login over SSH is disabled (see below), this account is your only way to administer the server.
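As an added example (not part of the original page), here is a small audit script that checks the outcome of the steps above: that root is the only account with UID 0, which accounts belong to the sudo or wheel group, and which accounts have an interactive shell. The passwd and group file paths and the username are parameters, so it can be run against the live system or against copies; the sample contents used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): audit which accounts can act
# as root after creating the limited user. Paths are parameters so it can be
# run against /etc/passwd and /etc/group or against copies of them.

# Every account whose UID is 0. Only "root" should be listed.
uid0_accounts() {  # $1 = passwd file
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Members of the administrative group: sudo (Debian/Ubuntu) or wheel
# (CentOS/Fedora). Membership here is what lets an account run sudo.
admin_group_members() {  # $1 = group file
    awk -F: '($1 == "sudo" || $1 == "wheel") && $4 != "" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i]
    }' "$1" | sort -u
}

# Accounts that can get an interactive shell (system accounts normally have
# nologin or false as their shell).
login_shell_accounts() {  # $1 = passwd file
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# 0 if root is the only UID-0 account and the given user is in the admin
# group; 1 otherwise. Run this before disabling root login over SSH.
check_admin_setup() {  # $1 = passwd file, $2 = group file, $3 = username
    [ "$(uid0_accounts "$1")" = "root" ] || return 1
    admin_group_members "$2" | grep -qx "$3"
}

# Usage: sh audit_admins.sh /etc/passwd /etc/group <username>
if [ "$#" -eq 3 ]; then
    echo "UID 0 accounts:"; uid0_accounts "$1"
    echo "Admin group members:"; admin_group_members "$2"
    echo "Accounts with a login shell:"; login_shell_accounts "$1"
    if check_admin_setup "$1" "$2" "$3"; then
        echo "OK: $3 can use sudo and root is the only UID 0 account"
    else
        echo "WARNING: $3 is not an admin, or an extra UID 0 account exists"
    fi
fi
```

A second UID-0 account is the classic sign of a planted backdoor, which is why the check refuses to pass as long as one exists, even when the new user is correctly in the admin group.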

Secure connection via SSH

By default, access to a Linux server is by username and password over SSH on TCP port 22. Common hardening advice is to move sshd to a non-standard port and to authenticate with a key pair instead of a password. The port change only reduces the noise from automated scanners (a port scan finds the new port in seconds); the key pair is what actually stops password guessing.

Important! The steps below apply to Linux and macOS.

First, check whether keys for this account were generated earlier:

ls ~/.ssh/id_rsa* ~/.ssh/id_ed25519*

If the listing is not empty, skip the key creation step. If it is empty, create a key pair:

ssh-keygen -t rsa -b 4096

(Current OpenSSH versions also support ssh-keygen -t ed25519, which gives shorter and faster keys; both work with the steps below.)

ssh-keygen asks for an optional passphrase and its confirmation. The passphrase encrypts the private key on disk, so a copied key file is useless to a thief without it.

To generate a key on Windows, use the PuTTYgen program, which can be downloaded from the official PuTTY website.

After starting the program, select the RSA key type and click the Generate button.

Move the mouse around in the window field while the key is generated; PuTTYgen uses the movement as a source of randomness.

When generation finishes, copy the public key from the “Public key for pasting into OpenSSH authorized_keys file” box (it is a single line) and save the private key to a file.

Adding the key to the remote server.

Linux:

ssh-copy-id remoteuser@10.10.0.1

macOS (recent versions also include ssh-copy-id; if it is not present, do it in two steps):

ssh remoteuser@10.10.0.1 'mkdir -p ~/.ssh && chmod 700 ~/.ssh'

cat ~/.ssh/id_rsa.pub | ssh remoteuser@10.10.0.1 'cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'

Do not copy id_rsa.pub directly over authorized_keys with scp: that works on a fresh account, but it silently replaces any keys already installed there, whereas appending keeps them. No sudo is needed for any of this, since the files are in your own home directory.

For Windows:

There are two ways to get the key onto the server.

Option 1. Using WinSCP, upload the public key as a file named authorized_keys to /home/remoteuser/.ssh/authorized_keys. After starting WinSCP, fill in the host address, user name and password fields to connect. Afterwards set the permissions of the file to 600 and of the .ssh directory to 700, otherwise sshd ignores the file.

Option 2. Connect to the server with PuTTY and run in the terminal:

mkdir -p ~/.ssh; nano ~/.ssh/authorized_keys

An empty authorized_keys file opens for editing (if keys are already present, add yours on a new line). Paste the previously generated public(!) key. It is one line.

Save the file and run:

chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys

sudo is not needed here: the files belong to you, and sshd refuses keys from a directory or file that anyone other than the owner can write to (it logs “Authentication refused: bad ownership or modes” in that case).
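The Linux, macOS and Windows variants above all end in the same place: one public-key line appended to ~/.ssh/authorized_keys with the right permissions. As an added example (not part of the original page, and not a script that OpenSSH ships), here is a small installer that does exactly that on the server side and refuses the common mistakes: a key pasted across two lines, a private key pasted by accident, an existing authorized_keys being overwritten, or the same key added twice. The home directory is a parameter so it can be tried on a scratch directory; the key strings used to exercise it are constructed and are not real keys.

```shell
#!/bin/sh
# Added example (not from the original page): install a public key into
# authorized_keys the careful way. It rejects anything that is not a single
# OpenSSH public-key line, creates ~/.ssh with the permissions sshd insists
# on, appends rather than overwrites, and does not add a key twice.
# The home directory is a parameter so it can be tried on a scratch dir.

# A public key is one line: "<type> <base64> [comment]".
valid_pubkey() {  # $1 = key text
    [ "$(printf '%s\n' "$1" | wc -l | tr -d ' ')" -eq 1 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'
}

# Returns 0 when the key is present afterwards (added now or already there),
# 1 if the key text is malformed.
install_pubkey() {  # $1 = home directory, $2 = key text
    home=$1; key=$2
    valid_pubkey "$key" || { echo "not a single-line OpenSSH public key" >&2; return 1; }
    # Compare on type + key material so a different comment does not count as new.
    want=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    if awk -v want="$want" '($1 " " $2) == want { found = 1 } END { exit !found }' "$home/.ssh/authorized_keys"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
}

# Number of keys installed for a home directory.
key_count() {  # $1 = home directory
    [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return 0; }
    grep -cE '^(ssh-|ecdsa-|sk-)' "$1/.ssh/authorized_keys" || true
}

# Usage on the server, logged in as the target user:
#   sh install_key.sh "$HOME" "$(cat /path/to/id_rsa.pub)"
if [ "$#" -eq 2 ]; then
    install_pubkey "$1" "$2" && echo "installed: $(key_count "$1") key(s) in $1/.ssh/authorized_keys"
fi
```

The duplicate check compares only the key type and key material, so re-running the installer with the same key under a different comment (a common result of copying the key from two machines) still leaves a single entry.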

Setting up the SSH service

We will prohibit logging in as root over SSH. Your own account must be in the sudo or wheel group (depending on the OS), as set up above, so that it can still run commands as root. To run a single command as root, prefix it with sudo:

sudo reboot

To switch to a root shell, use one of these two commands:

su

or

sudo su

Both ask for a password: su asks for the root password, sudo asks for your own (and works even when the root account has no password set, which is the default on Ubuntu). sudo -i does the same as sudo su but also gives root's full login environment.

Now let's disable SSH login as root.

Open sshd_config for editing. On Debian/Ubuntu:

sudo nano /etc/ssh/sshd_config

Find the line

PermitRootLogin

and set its value to no.

Disable password authentication. Only do this once you are already logging in successfully with your key, and keep the current session open until you have confirmed that a new key-based session works.

In the same file, sshd_config, find the line:

PasswordAuthentication yes

and change yes to no.

The line may be commented out (preceded by the “#” symbol); in that case uncomment it. sshd uses the first occurrence of a directive, so make sure no earlier line in the file sets it differently.

Important! You can leave both password and key authentication enabled, but then password guessing remains possible, and you should at least rate-limit it with Fail2Ban (next section).

After changing any of these settings, check the configuration for errors and then restart the SSH service (not the whole server):

sudo sshd -t

If sshd -t prints nothing, the file is valid. Restart with whichever of these your system supports:

sudo systemctl restart sshd

Or

sudo service ssh restart

Or

sudo /etc/init.d/ssh restart
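The edits above are easy to get subtly wrong by hand: a commented default left in place, the directive set twice with the first copy winning, or a typo that stops sshd from starting. As an added example (not part of the original page), here is a script that makes the same changes idempotently and only restarts sshd after sshd -t passes. The config path is a parameter so the editing can be tried on a copy; the Port setting is optional and reflects the port-change advice given earlier. The sample config used to exercise it is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): apply the sshd_config changes
# above idempotently, then validate with "sshd -t" before restarting.
# The config path is a parameter so the editing can be tried on a copy.

# Set "Name Value" in an sshd_config: replaces the first occurrence of the
# directive (commented or not), drops any later duplicates (sshd honours the
# first match, so a leftover duplicate further down could override you), and
# appends the line if the directive is absent. Caveat: directives inside
# "Match" blocks are scoped; keep this for the global section.
set_directive() {  # $1 = config file, $2 = directive, $3 = value
    f=$1; tmp=$(mktemp)
    awk -v n="$2" -v v="$3" '
        { key = $1; sub(/^#/, "", key) }
        tolower(key) == tolower(n) { if (!done) { print n " " v; done = 1 }; next }
        { print }
        END { if (!done) print n " " v }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"
    rm -f "$tmp"
}

# Effective value of a directive as sshd resolves it: first uncommented
# occurrence, or the given default if it is not set at all.
get_directive() {  # $1 = config file, $2 = directive, $3 = default
    v=$(awk -v n="$2" 'tolower($1) == tolower(n) { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# The settings discussed above; a port is optional.
harden_sshd_config() {  # $1 = config file, $2 = optional port
    set_directive "$1" PermitRootLogin no
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" PubkeyAuthentication yes
    [ -n "${2:-}" ] && set_directive "$1" Port "$2"
    return 0
}

# Live procedure (run as root): back up, edit, syntax-check, restart only if
# the check passes. Keep the current session open and test a new login
# before closing it.
apply_live() {  # $1 = optional port
    cp -p /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%s)"
    harden_sshd_config /etc/ssh/sshd_config "${1:-}"
    if sshd -t; then
        systemctl restart sshd 2>/dev/null || systemctl restart ssh
        echo "sshd restarted; open a NEW session with your key before closing this one"
    else
        echo "sshd -t reported errors; restore the backup before restarting" >&2
        return 1
    fi
}

# Usage (as root): sh harden_sshd.sh apply [port]
if [ "${1:-}" = apply ]; then
    apply_live "${2:-}"
fi
```

get_directive mirrors how sshd itself reads the file (first uncommented occurrence wins), so it can be used after the edit to confirm what the daemon will actually enforce rather than what you think you typed.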

Securing SSH connections with Fail2Ban

Fail2Ban watches the authentication log and blocks SSH connections from an IP address once it reaches a limit of failed attempts within a time window. It is reasonable to assume that a user who knows the password but mistypes it needs no more than 3 to 5 attempts; with key authentication, 1 or 2 are enough. Anything beyond that is brute force.

Install it from the repository (sudo apt-get install fail2ban on Debian/Ubuntu; on CentOS it is provided by the EPEL repository, sudo dnf install fail2ban). Fail2Ban can also watch other services such as HTTP, HTTPS, FTP and more. With the default settings only SSH is monitored: on Debian/Ubuntu the sshd jail is enabled out of the box, on CentOS/Fedora enable it in /etc/fail2ban/jail.local.

More details on configuring Fail2Ban can be found at the link .
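To make the “3 to 5 attempts, then it is brute force” reasoning concrete, here is an added example (not part of the original page and not Fail2Ban's own code) that implements the same counting logic a Fail2Ban sshd jail applies, run over constructed auth.log lines: a source is reported once it accumulates maxretry failures within a sliding findtime window. The log lines use documentation address ranges and are invented; the timestamps are assumed to fall within one day.

```shell
#!/bin/sh
# Added example (not from the original page): the counting logic behind a
# Fail2Ban sshd jail, run over constructed auth.log lines. A source IP is
# reported once it reaches MAXRETRY failures within a FINDTIME-second window
# (Fail2Ban's default sshd jail: maxretry 5, findtime 10m, bantime 10m).
# Timestamps are read from the syslog time field and assumed to be one day.

# Constructed sample log (documentation addresses; not real traffic).
sample_log() {
    cat <<'EOF'
Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51000 ssh2
Mar  3 10:00:03 host sshd[1201]: Failed password for root from 203.0.113.5 port 51000 ssh2
Mar  3 10:00:05 host sshd[1204]: Invalid user admin from 203.0.113.5 port 51002
Mar  3 10:00:07 host sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Mar  3 10:00:09 host sshd[1207]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar  3 10:01:00 host sshd[1210]: Failed password for deploy from 198.51.100.7 port 40000 ssh2
Mar  3 10:01:30 host sshd[1211]: Accepted publickey for deploy from 198.51.100.7 port 40001 ssh2
Mar  3 11:00:00 host sshd[1300]: Failed password for root from 192.0.2.9 port 3000 ssh2
Mar  3 11:30:00 host sshd[1301]: Failed password for root from 192.0.2.9 port 3001 ssh2
Mar  3 12:00:00 host sshd[1302]: Failed password for root from 192.0.2.9 port 3002 ssh2
Mar  3 12:30:00 host sshd[1303]: Failed password for root from 192.0.2.9 port 3003 ssh2
Mar  3 13:00:00 host sshd[1304]: Failed password for root from 192.0.2.9 port 3004 ssh2
EOF
}

# Print "ip count" for every source that crosses the threshold.
offenders() {  # $1 = log file, $2 = maxretry, $3 = findtime in seconds
    awk -v maxretry="$2" -v findtime="$3" '
        # Only the sshd failure lines the Fail2Ban sshd filter keys on;
        # "Accepted publickey" is deliberately not counted.
        / sshd\[[0-9]+\]: (Failed password|Invalid user) / {
            split($3, t, ":"); ts = t[1] * 3600 + t[2] * 60 + t[3]
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            n[ip]++; when[ip, n[ip]] = ts
            # Sliding window: failures from this IP in the last findtime seconds.
            c = 0
            for (j = 1; j <= n[ip]; j++) if (ts - when[ip, j] <= findtime) c++
            if (c >= maxretry && !(ip in banned)) banned[ip] = c
        }
        END { for (ip in banned) print ip, banned[ip] }
    ' "$1" | sort
}

# Usage: sh ssh_bruteforce.sh /var/log/auth.log 5 600
#        (with no arguments the constructed sample is analysed)
if [ "$#" -eq 3 ]; then
    offenders "$1" "$2" "$3"
elif [ "$#" -eq 0 ]; then
    tmp=$(mktemp); sample_log > "$tmp"; offenders "$tmp" 5 600; rm -f "$tmp"
fi
```

On the sample, 203.0.113.5 is reported with the default settings (five failures in eight seconds), the legitimate user from 198.51.100.7 who mistyped once is not, and 192.0.2.9, which spreads its five attempts over three hours, slips under a ten-minute window but is caught by a longer findtime. In /etc/fail2ban/jail.local the corresponding production setting is a [sshd] section with enabled = true, maxretry = 5, findtime = 10m and bantime = 10m; raising findtime is how you catch the slow scanner.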

Firewall setup

It is a good habit to use a firewall. It is the main security tool of any server and/or the network behind it. Traffic filtering blocks many kinds of intrusion. We recommend allowing access only to the TCP/UDP ports that are actually needed. For sensitive ports (SSH, a database), either close access entirely or restrict it to specific source IP addresses.

IPTables is the command-line utility and standard interface for managing the netfilter firewall in Linux. Superuser rights are required to use it. There are also front-ends: UFW and Shorewall on Debian/Ubuntu, FirewallD on CentOS and Fedora.

We will configure IPTables directly.

Use the following commands to view the active filtering rules.

IPv4:

sudo iptables -L

IPv6:

sudo ip6tables -L

On a fresh system each of the INPUT, FORWARD and OUTPUT chains shows “policy ACCEPT” and contains no rules. This means that the default mode allows all incoming, outgoing and forwarded traffic.

How you configure the firewall depends on the services your server runs and on your local network (port forwarding for RDP is a special case). Check that our examples match your needs before applying them, and in particular that the SSH port you actually use is allowed, or you will lock yourself out of the server.

For IPv4 (file /tmp/v4). The rules use plain ASCII double dashes (--) and straight quotes; the typographic “–” and curly quotes that web pages often substitute when you copy and paste make iptables-restore fail with a syntax error. If you moved SSH to another port, change --dport 22 accordingly.

*filter
# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
# Allow ping.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
# Allow SSH connections.
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere
# (the normal ports for web servers).
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Allow inbound traffic from established connections.
# This includes ICMP error returns.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
# Reject all other inbound.
-A INPUT -j REJECT
# Log any traffic that was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7
# Reject all traffic forwarding.
-A FORWARD -j REJECT
COMMIT

For IPv6 (/tmp/v6). Note that this ruleset opens only ports 80 and 443: it has no rule for SSH, so if you administer the server over IPv6, add the same --dport 22 rule as in the IPv4 file. Allowing all ICMPv6 is deliberate, because IPv6 neighbour discovery and path MTU discovery depend on it.

*filter
# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s ::1/128 -j REJECT
# Allow ICMP
-A INPUT -p icmpv6 -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere
# (the normal ports for web servers).
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Allow inbound traffic from established connections.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables_INPUT_denied: " --log-level 7
# Reject all other inbound.
-A INPUT -j REJECT
# Log any traffic that was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ip6tables_FORWARD_denied: " --log-level 7
# Reject all traffic forwarding.
-A FORWARD -j REJECT
COMMIT

Applying the rules above.

Arch Linux:

  1. Create the files /etc/iptables/iptables.rules and /etc/iptables/ip6tables.rules and put the rules from the examples above (/tmp/v4 and /tmp/v6) into them, respectively.
  2. Load the rules into iptables:

sudo iptables-restore < /etc/iptables/iptables.rules

sudo ip6tables-restore < /etc/iptables/ip6tables.rules

  3. On Arch Linux iptables is not running by default. Start and enable it:

sudo systemctl start iptables && sudo systemctl start ip6tables

sudo systemctl enable iptables && sudo systemctl enable ip6tables

  4. To have the firewall start before the server connects to the network, use the pre-network.conf drop-in described in the Arch Wiki.

CentOS / Fedora:

On these distributions the persistent rules live in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. Both files and the save command below come from the iptables-services package, which must be installed, and FirewallD must be stopped and disabled first, otherwise the two services fight over the same tables. The distribution's own recommendation is to manage rules through FirewallD rather than raw iptables.

As with Arch Linux, create /tmp/v4 and /tmp/v6 with the examples above, or with your version adapted to your needs.

Load the rules:

sudo iptables-restore < /tmp/v4

sudo ip6tables-restore < /tmp/v6

Save them so that they survive a reboot:

sudo service iptables save

sudo service ip6tables save

Debian/Ubuntu:

On Debian and Ubuntu rules can be written by hand or through the UFW utility. We cover the manual option.

  1. Create /tmp/v4 and /tmp/v6 with the examples above, or with your version adapted to your needs.
  2. Load the rules from the files:

sudo iptables-restore < /tmp/v4

sudo ip6tables-restore < /tmp/v6

  3. The iptables-persistent package loads saved rules automatically at boot. Install it from the repository:

sudo apt-get install iptables-persistent

During installation it offers to save the currently active rules to /etc/iptables/rules.v4 and /etc/iptables/rules.v6; answer yes. After later changes, save again with sudo netfilter-persistent save.

Checking the rules:

Run the following commands in sequence:

sudo iptables -vL

sudo ip6tables -vL

Each rule is listed with its packet and byte counters, so you can also see which rules are actually matching traffic.

Reboot the server:

sudo reboot

After the reboot, list the rules again. The same rules must be present, in the same number and order.
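Two things go wrong most often when applying a ruleset like the one above from a remote session: the file does not parse (typically because of characters picked up from a web page), or it parses and immediately cuts off the SSH session you are working in. As an added example (not part of the original page), here is a pre-flight lint for an iptables-restore file and an apply step with a watchdog that restores the previous rules unless you confirm from a fresh session. The SSH port and the confirmation timeout are parameters; the rule files used to exercise the lint are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight checks for an
# iptables-restore file such as /tmp/v4 above, plus a lock-out-safe way to
# apply it. The lint catches what most often breaks a copy-pasted ruleset:
# non-ASCII dashes/quotes picked up from a web page, a missing *filter or
# COMMIT, and no accept for the SSH port ahead of the catch-all REJECT
# (which would cut off your own session). It prints one line per problem.

lint_rules() {  # $1 = rules file, $2 = SSH port (default 22)
    f=$1; port=${2:-22}; rc=0; tab=$(printf '\t')
    if LC_ALL=C grep -q "[^$tab -~]" "$f"; then
        echo "non-ASCII bytes found (curly quotes or en dashes?); iptables-restore will reject the file"; rc=1
    fi
    grep -q '^\*filter' "$f" || { echo "missing *filter table header"; rc=1; }
    grep -q '^COMMIT' "$f" || { echo "missing COMMIT"; rc=1; }
    if grep -qE '^-A INPUT -j (REJECT|DROP)' "$f"; then
        end=$(grep -nE '^-A INPUT -j (REJECT|DROP)' "$f" | head -1 | cut -d: -f1)
        ssh=$(grep -nE "^-A INPUT .*--dport $port .*-j ACCEPT" "$f" | head -1 | cut -d: -f1)
        if [ -z "$ssh" ]; then
            echo "no ACCEPT for SSH port $port; applying this remotely will lock you out"; rc=1
        elif [ "$ssh" -gt "$end" ]; then
            echo "SSH ACCEPT is after the catch-all REJECT and will never match"; rc=1
        fi
        grep -qE '^-A INPUT .*--state .*ESTABLISHED' "$f" || { echo "no ESTABLISHED,RELATED rule; replies to your own outbound connections will be rejected"; rc=1; }
    else
        echo "no catch-all REJECT/DROP on INPUT; anything not listed is still accepted"; rc=1
    fi
    return $rc
}

# Apply with a watchdog: if you cannot confirm from a NEW session within
# $2 seconds (for example because the rules cut you off), the previous rules
# are restored. nohup keeps the watchdog alive if this session is lost.
apply_with_rollback() {  # $1 = rules file, $2 = seconds to confirm
    lint_rules "$1" "${SSH_PORT:-22}" || return 1
    backup=$(mktemp) && iptables-save > "$backup"
    nohup sh -c "sleep $2 && iptables-restore < '$backup'" >/dev/null 2>&1 &
    watchdog=$!
    iptables-restore < "$1"
    echo "Rules applied. Open a NEW ssh session now, then press Enter here within $2 s to keep them."
    read _
    kill "$watchdog" 2>/dev/null && rm -f "$backup" && echo "kept"
}

# Usage: sh fw.sh lint /tmp/v4 [sshport]
#        sudo SSH_PORT=22 sh fw.sh apply /tmp/v4 60
case "${1:-}" in
    lint)  lint_rules "$2" "${3:-22}" && echo "ok: $2" ;;
    apply) apply_with_rollback "$2" "${3:-60}" ;;
esac
```

The watchdog pattern is the same idea as the "at now + 5 minutes" trick old hands use before touching a remote firewall: make the unsafe change reversible before making it, then prove the new state works from a connection that did not exist when the change was applied.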

Adding, changing and removing iptables rules

iptables evaluates the rules in a chain in order, from first to last, and stops at the first match. Because our ruleset ends with a catch-all REJECT, a rule appended with the usual commands lands after it and never matches:

iptables -A

ip6tables -A

Instead, insert new rules at a position before the catch-all:

iptables -I

ip6tables -I

Important! The position must be chosen with the other rules in the chain in mind. To display the chain with rule numbers:

sudo iptables -L --line-numbers

For example, to allow connections on port 8080 in addition to the ruleset above: the catch-all REJECT is rule 9 there, so insert at position 9 to place the new rule directly in front of it:

sudo iptables -I INPUT 9 -p tcp --dport 8080 -j ACCEPT

Changing rules.

A rule is replaced in place with the “-R” key:

iptables -R

For example, to lower the logging rate of the LOG rule, which after the insert above has moved from position 8 to position 10:

sudo iptables -R INPUT 10 -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7

Always recheck the numbers with --line-numbers before using -R: replacing the wrong position (for instance the final REJECT at 11) would silently leave the chain open, because the default policy is ACCEPT.

Deleting rules

As an example, let's remove the rule we added earlier:

sudo iptables -D INPUT 9

That is, the rule allowing connections to port 8080 is deleted. (-D also accepts the full rule specification instead of a number, which is safer when positions may have shifted.)

Important! Rules changed at runtime are not saved automatically and are lost on reboot. To keep them, repeat the save step for your distribution described above.
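Hard-coding "9" and "10" works only as long as the chain matches this page exactly; the off-by-one risk grows with every rule you add. As an added example (not part of the original page), here is a helper that derives the positions from the live chain instead. It parses the output of iptables -S INPUT, which lists one "-A INPUT ..." line per rule in chain order after the "-P INPUT ..." policy line; the listing is read from a file so the logic can be checked against a saved copy. The listing used to exercise it is constructed to match the ruleset above.

```shell
#!/bin/sh
# Added example (not from the original page): compute rule positions from
# the live chain instead of hard-coding "9" and "10". It parses the output of
# "iptables -S INPUT", which prints one "-A INPUT ..." line per rule in chain
# order (after the "-P INPUT ..." policy line). The listing is read from a
# file so the logic can be tested on a saved copy.

# Position (1-based) of the first rule in the listing matching an awk
# regular expression; empty if none matches.
rule_position() {  # $1 = listing file, $2 = regex
    awk -v pat="$2" '/^-A INPUT/ { n++; if ($0 ~ pat) { print n; exit } }' "$1"
}

# Position of the catch-all REJECT/DROP: the number to give "iptables -I
# INPUT <n>" so the new rule is evaluated before it.
catchall_position() {  # $1 = listing file
    rule_position "$1" '^-A INPUT -j (REJECT|DROP)( |$)'
}

# The insert command for a new TCP port, or exit 1 if there is no catch-all
# (in which case a plain -A at the end is fine).
insert_cmd() {  # $1 = listing file, $2 = TCP port
    pos=$(catchall_position "$1")
    [ -n "$pos" ] || { echo "no catch-all on INPUT; use iptables -A" >&2; return 1; }
    printf 'iptables -I INPUT %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$pos" "$2"
}

# Usage (as root): sh pos.sh 8080   prints the insert command; pipe it to sh to run it
if [ "$#" -eq 1 ]; then
    listing=$(mktemp) && iptables -S INPUT > "$listing"
    insert_cmd "$listing" "$1"
    rm -f "$listing"
fi
```

rule_position with a pattern such as "-j LOG" gives the current index of the logging rule, which is the number to pass to -R; taking it from a fresh listing each time removes the guesswork about how many rules have been inserted above it since.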

Securing the database

Equally important is the protection of data stored in the DBMS. Let's take MariaDB as an example.

After installation, run one command:

sudo mysql_secure_installation

The program then asks a few security questions:

Change the root password? [Y/n]
Remove anonymous users? [Y/n]
Disallow root login remotely? [Y/n]
Remove test database and access to it? [Y/n]
Reload privilege tables now? [Y/n]

Answer Y to all of them.

Applications should not connect as root either. Create a dedicated user with limited rights instead. For a typical website the following privileges are sufficient:

SELECT – read rows from the database

UPDATE – update records

INSERT – add new records

DELETE – delete records (only if the application really needs it; better not to grant it otherwise).

Do not grant:

ALTER – changing the structure of tables

DROP – dropping databases and tables

It is also reasonable to have one user per database, and to bind the user to the host it connects from ('user'@'localhost' when the application runs on the same server), so that the credentials cannot be used from anywhere else.
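As an added example (not part of the original page), here is a small script that generates the SQL for exactly this setup: one account per database, SELECT/INSERT/UPDATE only (DELETE on request), bound to localhost. It validates the database and user names against a strict identifier pattern rather than trying to escape them, so a hostile value cannot smuggle extra statements into the generated SQL, and it rejects passwords containing quote characters for the same reason. The names and password used to exercise it are invented.

```shell
#!/bin/sh
# Added example (not from the original page): generate the SQL for the
# one-user-per-database setup described above. The account gets only
# SELECT, INSERT and UPDATE (DELETE on request), and is bound to
# 'localhost' so the credentials are useless from another machine.
# Names are validated against a strict identifier pattern instead of being
# escaped, so a hostile value cannot smuggle extra statements into the SQL.

# Only letters, digits and underscore, 1 to 32 characters.
valid_ident() {  # $1 = name
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_]{1,32}$'
}

# Print the statements. $4 = "delete" adds the DELETE privilege.
least_privilege_sql() {  # $1 = database, $2 = user, $3 = password, $4 = optional "delete"
    valid_ident "$1" && valid_ident "$2" || { echo "bad database or user name" >&2; return 1; }
    case "$3" in
        *\'*|*\\*) echo "password must not contain quotes or backslashes" >&2; return 1 ;;
    esac
    [ "${#3}" -ge 10 ] || { echo "password shorter than 10 characters" >&2; return 1; }
    privs="SELECT, INSERT, UPDATE"
    [ "${4:-}" = delete ] && privs="$privs, DELETE"
    # printf with %s keeps characters such as $ in the password literal.
    printf "CREATE USER IF NOT EXISTS '%s'@'localhost' IDENTIFIED BY '%s';\n" "$2" "$3"
    printf "GRANT %s ON \`%s\`.* TO '%s'@'localhost';\n" "$privs" "$1" "$2"
    printf 'FLUSH PRIVILEGES;\n'
}

# Usage: sh db_user.sh shop shop_web 'long-random-password' | sudo mysql
if [ "$#" -ge 3 ]; then
    least_privilege_sql "$@"
fi
```

The minimum password length mirrors the credential requirements in the next section; the host restriction means that even if the application's config file leaks, the password only works from a shell on the database server itself.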

General credential requirements

To protect the server and databases, even where key authentication is not used, choose a considered username and password.

Brute-force attacks guess names and passwords from dictionaries, so it makes sense to use a username that is unlikely to appear in one, for example xd11rn or similar. Do not use very short usernames. And do not forget the username afterwards.

General requirements for passwords:

  • do not use passwords shorter than 10 characters;
  • use uppercase and lowercase letters, as well as digits;
  • use special characters where the system allows them.

A randomly generated password kept in a password manager meets all of these without having to be memorised.

 
