How to Secure a Linux Server


Step-by-Step Guide

  1. Step 1: Learn to use Linux from the shell (command line).

    Every layer of software added on to make your system administration "easier" actually adds more methods for crackers to gain access to your machine and also reduces performance.

    All the further steps will assume your familiarity with using a shell.
  2. Step 2: Using lsof or a similar tool, find out on which ports your computer is listening for connections:

        ns003:~# lsof -i
        COMMAND    PID     USER  FD TYPE   DEVICE SIZE NODE NAME
        named    17829     root  4u IPv6 12689530       UDP *:34327
        named    17829     root  6u IPv4 12689531       UDP *:34329
        named    17829     root 20u IPv4 12689526       UDP ns003.unternet.net:domain
        named    17829     root 21u IPv4 12689527       TCP ns003.unternet.net:domain (LISTEN)
        named    17829     root 22u IPv4 12689528       UDP 209.40.205.146:domain
        named    17829     root 23u IPv4 12689529       TCP 209.40.205.146:domain (LISTEN)
        lighttpd 17841 www-data  4u IPv4 12689564       TCP *:www (LISTEN)
        sshd     17860     root  3u IPv6 12689580       TCP *:ssh (LISTEN)
        sshd     17880     root  3u IPv6 12689629       TCP *:8899 (LISTEN)
        sshd     30435     root  4u IPv6 74368139       TCP 209.40.205.146:8899->dsl-189-130-12-20.prod-infinitum.com.mx:3262 (ESTABLISHED)

  3. Step 3: If in doubt, hack it out!

    Shut down any unknown or unneeded services, using the appropriate tools for your Linux distribution, such as update-rc.d on Debian systems, or in some cases editing the /etc/inetd.conf or /etc/xinetd.d/* files.

    Along with this, get rid of any tools your server provider added for system administration, such as Plesk.

  4. Step 4: Don't allow root logins on your primary sshd port 22 (set PermitRootLogin to "no"); many automated tools run brute-force attacks on that.

  5. Step 5: Set up a secondary port for root access that only works by shared keys, disallowing passwords:

    Copy the sshd_config file to root_sshd_config, and change the following items in the new file:

    - Port: from 22 to some other number, say 8899 (don't use this! make up your own!)
    - PermitRootLogin: from "no" (you were supposed to set it to "no" for port 22, remember?) to "yes"
    - AllowUsers root: add this line, or if it exists, change it to allow only root logins on this port
    - ChallengeResponseAuthentication no: uncomment this line if it's commented out, and make sure it says "no" instead of "yes"

    Test this command:

        sshd -D -f /etc/ssh/root_sshd_config

    and see if it works correctly: try logging in from another computer (you must have already set up shared-key authentication between the two computers) using:

        ssh -p8899 [email protected]

    If so, control-C at the above (sshd) command to stop the sshd daemon, then add this to the end of /etc/inittab:

        rssh:2345:respawn:sshd -D -f /etc/ssh/root_sshd_config

    Restart the init task:

        # init q

    This will run your "root ssh daemon" as a background task, automatically restarting it in case of failure.
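One way to turn the listing from the lsof step into a repeatable audit, as an added example that is not part of the original guide: it reduces `lsof -i` text to command/protocol/port entries and prints those missing from an allowlist. The function names and the allowlist passed at the bottom are assumptions; the sample input is the output quoted in that step.

```sh
#!/bin/sh
# Added example: list listening sockets from `lsof -i` text and report the
# ones that are not on an allowlist of command/protocol/port entries.

# Sample input: the lsof output quoted in the guide, one socket per line.
sample_lsof() { cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
named 17829 root 4u IPv6 12689530 UDP *:34327
named 17829 root 6u IPv4 12689531 UDP *:34329
named 17829 root 20u IPv4 12689526 UDP ns003.unternet.net:domain
named 17829 root 21u IPv4 12689527 TCP ns003.unternet.net:domain (LISTEN)
named 17829 root 22u IPv4 12689528 UDP 209.40.205.146:domain
named 17829 root 23u IPv4 12689529 TCP 209.40.205.146:domain (LISTEN)
lighttpd 17841 www-data 4u IPv4 12689564 TCP *:www (LISTEN)
sshd 17860 root 3u IPv6 12689580 TCP *:ssh (LISTEN)
sshd 17880 root 3u IPv6 12689629 TCP *:8899 (LISTEN)
sshd 30435 root 4u IPv6 74368139 TCP 209.40.205.146:8899->dsl-189-130-12-20.prod-infinitum.com.mx:3262 (ESTABLISHED)
EOF
}

# Reduce lsof -i text on stdin to unique command/protocol/port entries for
# TCP sockets in LISTEN state and UDP sockets with no connected peer.
listeners() {
  awk '
    $1 == "COMMAND" { next }                       # header row
    {
      # SIZE may be empty, so locate the protocol column by value.
      for (i = 5; i < NF; i++) if ($i == "TCP" || $i == "UDP") break
      if (i >= NF) next
      proto = $i; name = $(i + 1); state = $(i + 2)
      if (proto == "TCP" && state != "(LISTEN)") next
      if (proto == "UDP" && index(name, "->")) next
      sub(/.*:/, "", name)                         # keep the port after the last colon
      print $1 "/" proto "/" name
    }' | LC_ALL=C sort -u
}

# Print the listeners on stdin that are not named in the arguments.
unexpected_listeners() {
  listeners | awk -v allow="$*" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    !($0 in ok)'
}

# The services this host is meant to run (an assumed allowlist).
sample_lsof | unexpected_listeners sshd/TCP/ssh sshd/TCP/8899 \
  lighttpd/TCP/www named/TCP/domain named/UDP/domain
```

On a live host, pipe `lsof -i -nP` into `unexpected_listeners`; with `-n` and `-P` the entries carry numeric addresses and ports, so the allowlist should use port numbers.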
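A lint for the root_sshd_config described in the secondary-port step, added here and not part of the original guide: it checks the four items that step lists and, as an extra assumption, PasswordAuthentication, which the list does not mention and which defaults to yes. The function names are hypothetical and both sample configs are constructed.

```sh
# Added example: lint sshd_config text for the root-only daemon on the second port.
# Print the arguments of every line that sets keyword $1 (case-insensitive)
# in the config on stdin, one per line. Parsing stops at the first Match block.
directive() {
  awk -v want="$1" '
    /^[ \t]*(#|$)/               { next }   # comments and blank lines
    tolower($1) == "match"       { exit }
    tolower($1) == tolower(want) { $1 = ""; sub(/^ +/, ""); print }'
}

# For single-valued keywords sshd keeps the first value it reads.
first() { printf '%s\n' "$cfg" | directive "$1" | head -n 1; }

# Read a config on stdin and print one finding per line; no output means pass.
audit_root_sshd() {
  cfg=$(cat)
  # Port and AllowUsers may repeat, so collect every occurrence.
  ports=" $(printf '%s\n' "$cfg" | directive Port | tr -s ' \n' ' ')"
  users=$(printf '%s\n' "$cfg" | directive AllowUsers | tr -s ' \n' ' ')
  [ "$ports" = " " ] && ports=" 22 "      # no Port line: sshd defaults to 22
  case $ports in *" 22 "*) echo "Port: still includes 22" ;; esac
  [ "$(first PermitRootLogin)" = yes ] || echo "PermitRootLogin: not yes"
  [ "$users" = "root " ] || echo "AllowUsers: not limited to root"
  [ "$(first ChallengeResponseAuthentication)" = no ] ||
    echo "ChallengeResponseAuthentication: not no"
  # Not in the guide's list: defaults to yes, which leaves password logins on.
  [ "$(first PasswordAuthentication)" = no ] ||
    echo "PasswordAuthentication: not no"
}

# Constructed sample: a copy where only the first two items were changed.
weak_config() { cat <<'EOF'
Port 8899
PermitRootLogin yes
#ChallengeResponseAuthentication yes
EOF
}

# Constructed sample: all four items from the guide, plus PasswordAuthentication.
fixed_config() { cat <<'EOF'
Port 8899
PermitRootLogin yes
AllowUsers root
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF
}
echo "weak:";  weak_config  | audit_root_sshd
echo "fixed:"; fixed_config | audit_root_sshd
```

On a real host, `sshd -t -f /etc/ssh/root_sshd_config` checks that the file parses before the daemon is started on the new port.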


About the Author

Kathleen Alvarez

Specializes in breaking down complex cooking topics into simple steps.
