If you have ever maintained a Linux server with ports accessible to the Internet, you have no doubt had attacks on your server. With so many tools to scan servers, as well as insecure programs and vulnerabilities, no server administrator can take the risk of being complacent. Routine security checks and maintenance are essential to server safety.
There are numerous blogs, books, and websites that offer guidance on server security as well as resources known for their extensiveness and effectiveness. Though these are robust and detailed, take care to not apply these guidelines blindly, ensure you have a backup, and assert that you have a plan for rollback.
The following list are some of the best resources you should refer to to harden the security of your Linux server.
1. CIS benchmarks
CIS benchmarks provide the best practice configuration guidelines utilized in various areas including academia and government. They contain extensive guidelines across most every operating system and are highly detailed with best-practice security configuration guides. The benchmarks are available for free, but do take note that you need to ensure that you understand what you are applying and have a safe plan for rolling back, if needed.
2. STIG viewer
The Security Technical Implementation Guides, also known as STIGs, are guidelines that are utilized by the department of defense and other government institutions. Similar to the CIS benchmarks, STIGs provide guidelines for security across multiple platforms and systems. STIGs can be easily applied to desktop computers, as the higher severity level entries should usually be applied to almost all systems. STIGs are available for free.
Lynis is an auditing tool available for Linux, macOS, and Unix servers.
To use it on your Linux server, you will need to install the Lynis package.
In Ubuntu, use the following command:
From there, run the following command to audit your system:
This will run a system-wide security audit which will let you know of items that you may want to fix in order to harden your server. Once completed, your results will be saved to the file “/var/log/lynis.log.”
One of the benefits using Lynis is that it will check against various benchmarks, including CIS. There are also a number of plugins available that will allow you to add checks that are not included by default.
Another strength of Lynis is the ability to monitor remote servers.
The benefit to this is that you can monitor systems you have access to, store the information to a log, and notify those who need to know.
Ultimately, you may want to create a cron job that will run this script on a regular basis and store the results in a manner that is best for you to review. If this is done, it is suggested that you run the script and enable it to show warnings only:
In general, apply guidelines liberally, but sensibly. Evaluate each aspect to your needs and those who utilize your servers. Finally, be sure to document what has been completed, how to duplicate what was done, and how to review the anticipated remedy. Always stay up to date with common standards and keep notified of emerging exploits.
Applying all of the guidelines can help in protecting your system, but with new programs, users, updates, and configurations, server hardening is an ongoing job. Never let your guard down, but stay confident in the fact that you are protecting your server against most known threats. You are, in essence, planning to succeed.