Because so much of our personal and professional data is available online today, it is important for everyone—from professionals to general internet users—to learn the basics of security and privacy. As a student, I've been able to gain experience in this area through my school's CyberPatriot initiative, where I've had the opportunity to interact with industry experts to learn about cyber breaches and the basic steps to establish a system's security.
This article details six simple steps to improve the security of your Linux environment for personal use, based on what I have learned thus far as a beginner. Throughout my journey, I have utilized open source tools to accelerate my learning process and familiarize myself with higher-level concepts related to securing my Linux server.
I have tested these steps using Ubuntu 18.04, the version I am most familiar with, but these steps will also work for other Linux distributions.
1. Run updates
Developers are constantly finding ways to make servers more stable, fast, and secure by patching known vulnerabilities. Running updates regularly is a good habit to get into to maximize security. Run them with:
sudo apt-get update && sudo apt-get upgrade
2. Enable firewall protection
Enabling a firewall makes it easier to control incoming and outgoing traffic on your server. There are many firewall applications you can use on Linux, including firewall-cmd and Uncomplicated Firewall (UFW). I use UFW, so my examples are specific to it, but these principles apply to any interface you choose.
Install UFW:
sudo apt-get install ufw
If you want to secure your server even more, you can deny incoming and outgoing connections. Be warned: This cuts your server off from the world, so once you've blocked all traffic, you must specify which outgoing connections are allowed from your system:
sudo ufw default deny incoming
sudo ufw default allow outgoing
You can also write rules for allowing incoming connections you need for personal use:
sudo ufw allow <service>
For example, to allow SSH connections:
sudo ufw allow ssh
Finally, enable your firewall with:
sudo ufw enable
3. Strengthen password protection
Implementing a strong password policy is an important aspect of keeping a server secure from cyberattacks and data breaches. Some best practices for password policies include enforcing a minimum length and specifying password age. I use the libpam-cracklib package to accomplish these tasks.
Install the libpam-cracklib package:
sudo apt-get install libpam-cracklib
To enforce password length:
- Open the /etc/pam.d/common-password file.
- Change the minimum character length of all passwords by changing the minlen=12 line to however many characters you want.
To prevent password reuse:
- In the same file (/etc/pam.d/common-password), add the line remember=x.
- For example, if you want to prevent a user from reusing one of their last five passwords, use: remember=5.
To enforce password age:
- Find the following lines in the /etc/login.defs file and replace them with your preferred amount of time (days). For example:
PASS_MIN_DAYS 3
PASS_MAX_DAYS 90
PASS_WARN_AGE 14
To enforce character specifications:
- The four parameters to enforce character specifications in passwords are lcredit (lowercase), ucredit (uppercase), dcredit (digit), and ocredit (other characters).
- In the same file (/etc/pam.d/common-password), locate the line containing pam_cracklib.so.
  - Add the following to the end of this line:
lcredit=-a ucredit=-b dcredit=-c ocredit=-d
  - For example, the following line requires passwords to contain one of each parameter. You can change the numbers based on your preferred level of password security:
lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
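The following is an added example, not part of the original article: a script that audits copies of the two files edited in this step against the article's example values. The function names and the constructed sample files are assumptions, and the login.defs keys are written as they appear in that file (PASS_MIN_DAYS, PASS_MAX_DAYS, PASS_WARN_AGE).

```bash
#!/usr/bin/env bash
# Added example: audit common-password and login.defs against this article's values.

# First value of option $1 (e.g. minlen) found on a non-comment "password" line of $2.
pam_opt() {
    grep -E '^[[:space:]]*password[[:space:]]' "$2" | tr ' \t' '\n\n' \
        | sed -n "s/^$1=//p" | head -n 1
}

# Value of login.defs key $1 in file $2 (format: KEY <whitespace> value).
defs_val() { awk -v k="$1" '$1 == k { print $2; exit }' "$2"; }

# check LABEL VALUE OP LIMIT: integer test; an unset or non-numeric value fails.
check() {
    if [ -n "$2" ] && [ "$2" "$3" "$4" ] 2>/dev/null; then return 0; fi
    echo "FAIL: $1 is '${2:-unset}', expected $3 $4"; return 1
}

# $1 = PAM password file, $2 = login.defs; returns 1 if any check fails.
audit_password_policy() {
    local pam=$1 defs=$2 rc=0 c
    check minlen   "$(pam_opt minlen "$pam")"   -ge 12 || rc=1
    check remember "$(pam_opt remember "$pam")" -ge 5  || rc=1
    for c in lcredit ucredit dcredit ocredit; do
        # A negative credit means "at least that many characters of this class".
        check "$c" "$(pam_opt "$c" "$pam")" -le -1 || rc=1
    done
    check PASS_MIN_DAYS "$(defs_val PASS_MIN_DAYS "$defs")" -ge 3  || rc=1
    check PASS_MAX_DAYS "$(defs_val PASS_MAX_DAYS "$defs")" -le 90 || rc=1
    check PASS_WARN_AGE "$(defs_val PASS_WARN_AGE "$defs")" -ge 14 || rc=1
    return $rc
}

# Constructed sample files (not taken from a real system).
tmp=$(mktemp -d)
cat > "$tmp/common-password" <<'EOF'
# minlen=99 in a comment must be ignored
password requisite pam_cracklib.so retry=3 minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=0
password [success=1 default=ignore] pam_unix.so obscure use_authtok sha512 remember=5
EOF
printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t3\nPASS_WARN_AGE\t14\n' > "$tmp/login.defs"

# Reports ocredit=0 and PASS_MAX_DAYS=99999 as gaps for this sample.
audit_password_policy "$tmp/common-password" "$tmp/login.defs" || echo "policy gaps found"
```

To audit a real system, pass /etc/pam.d/common-password and /etc/login.defs as the two arguments.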
4. Disable nonessential services that are prone to exploitation
It's a best practice to disable unnecessary services. This allows fewer ports to be open for exploitation.
Install the systemd package:
sudo apt-get install systemd
See which services are running:
systemctl list-units
Identify which services could introduce vulnerabilities to your system. For each service:
- Stop the service if it's currently running:
systemctl stop <service>
- Disable the service from starting on boot:
systemctl disable <service>
- After running these commands, check the status of the service:
systemctl status <service>
5. Check for listening ports
Open ports might pose security risks, so it's important to check for ports that are listening on your server. I use the netstat command to show all network connections:
netstat -tulpn
Look at the address columns to determine the port number. Once you've found open ports, review them to make sure they're all necessary. If they aren't, adjust what services you have running, or adjust your firewall settings (or let fail2ban adjust it for you).
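The review described above can be scripted. This added example (not from the original article) reads `netstat -tulpn` output and lists every listener that is reachable from the network and whose port is not on an allowlist; the function names, the allowlist, and the sample output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag listeners from `netstat -tulpn` that are reachable from the
# network but not on an allowlist (for instance, the ports opened in the firewall).

# Reads netstat output on stdin; $1 = space-separated list of expected ports.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4                          # Local Address column
            port = addr; sub(/.*:/, "", port)  # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            # Loopback-only listeners cannot be reached from other machines.
            if (host ~ /^127\./ || host == "::1") next
            # UDP rows have no State column, so take the program from the last field.
            if (!(port in ok)) print $1, addr, $NF
        }'
}

# Constructed sample output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      612/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      845/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      901/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      845/sshd
tcp6       0      0 :::8080                 :::*                    LISTEN      1432/java
udp        0      0 127.0.0.53:53           0.0.0.0:*                           612/systemd-resolve
udp        0      0 0.0.0.0:68              0.0.0.0:*                           590/dhclient
EOF
}

# With only SSH (22) expected, this prints the 8080 and 68 listeners.
sample_netstat | unexpected_listeners "22"
```

On a live system, run `sudo netstat -tulpn | unexpected_listeners "22"` with your own list of expected ports.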
6. Scan for malware
Antivirus scanning software can be useful to keep viruses out of your system. Using it is a simple way to keep your server free from malware. My preferred tool is the open source software ClamAV.
Install ClamAV:
sudo apt-get install clamav
Update virus signatures:
sudo freshclam
Scan all files and print out infected files, ringing a bell when one is found:
sudo clamscan -r --bell -i /
You can and should automate scans so that you don't have to remember or spend time doing them manually. For simple automation like this, you can use systemd timers or your favorite cron.
Keep your server safe
We cannot leave the responsibility for securing servers to a single person or organization. As the threat landscape continues to expand rapidly, it is up to each of us to be aware of the importance of server security and to employ some simple, effective security best practices.
These are just a few of the many steps you can take to keep your Linux server safe. Of course, prevention is only part of the solution. These policies should be combined with rigorous monitoring for denial of service attacks, doing system analysis with Lynis, and creating frequent backups.
What open source tools do you use to keep your server safe? Tell us about them in the comments.