LINUX SERVER SECURITY ESSENTIAL
Very first moments on a new server
With great power comes great responsibility. Computers that are connected to the Internet and provide data or applications are called servers. There are 1000 and more different types of servers.
Web server, time server, file server, email server, keyserver, my own server. Most servers connected to the Internet run a Linux-based operating system. When you run your own server and provide services to other Internet users, you have a responsibility for the security of these machines. In this article I will give details on the first moments of setting up a server and the steps it takes to create a secure environment in under 10 minutes.
First of all, you need to know what services you want to provide and what hardware is needed to provide them. A dedicated server is a machine that is connected to the Internet. This machine has hard disks, RAM and CPU power, and you are able to configure it freely. Here we speak of bare-metal servers. Cloud computing instances or virtual machines are small fragments of a whole bare-metal server. Through virtualization software it is nowadays possible to divide the hardware power of a server into small parts, and a separate environment can be simulated in each of these fragments. The operation of virtual servers and bare-metal servers is almost identical. The only difference is the security of the data processed on the computers. In a commercially distributed VM we share RAM and disk space with other customers of the cloud computing provider. It is difficult to ensure full encryption of the data here. By reading the RAM of a VM at runtime, it is possible to extract data from the virtual environment. With a bare-metal server, it is only possible to access data from the machine by directly accessing it.
The following commands show how to configure a server under Debian / Ubuntu with the package manager "apt" in the first minutes of its existence. The operation is done with the command line.
Often when you set up a server you need to control it headless via the SSH protocol. SSH stands for Secure Shell.
Let's get started
Your server provider unlocks a machine for you and usually you get an email with the root password.
When setting up a cloud server, you also have the option of directly transmitting an SSH key. More about this later.
With your root password at hand, you open a terminal window. Under Windows the program PowerShell is suitable for this.
We connect to the machine via SSH with the root account of the running Debian GNU/Linux server, using the IP address provided for the machine.
ENTER ROOT PASSWORD:
Once logged in, the first thing to do is change the root password. Use a strong one with EverYTH1Ng!in_IT
Next step is to bring the system up-to-date. The package manager "apt" is used for this.
On fresh machines the command sudo often does not work, so we install it.
apt install sudo
We create a new user for the system, create a user directory and a hidden ssh folder. The dot before .ssh is what makes it hidden. Remove the brackets in the following commands. We restrict access to the .ssh directory with chmod (change mode).
// follow all the steps and set a password
chmod 700 /home/[your-user-id]/.ssh
The text editor nano is used to edit the first file of the system. We edit the file "sudoers" in the directory /etc
Here we add a line
to the file. After this is done we press ctrl + x and hit enter to save the file and exit the editor.
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
[your-user-id] ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
After this is done, we have a second user with superuser (sudo) privileges on the Linux server. To switch to it, just use the su command. You will need the password from the step above.
PASSWORD FOR YOUR [your-user-id]:
To verify it, try to run the following command
With the command su you are able to change to the root user. In some cases the root user is necessary to perform some tasks.
PASSWORD: don't forget your passwords!
We install a software firewall called ufw. Because we are not the superuser anymore, we need to execute the command with superuser rights using sudo.
sudo apt-get install ufw
sudo ufw allow 80
sudo ufw allow 443
sudo ufw allow ssh
sudo ufw enable
We have now opened port 22, the standard port for SSH. It won't take long until this is noticed by the automatic port scanners that are present all around the Internet. Fail2ban identifies IP addresses in the server's log files that stand out due to unusual behavior, for example by repeatedly attempting to log in with an incorrect password.
The program fail2ban limits the attempts to log in via SSH.
sudo apt-get install fail2ban
Start the program fail2ban
sudo service fail2ban start
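The kind of log check described above, as an added example (this is not fail2ban's own code and not part of the original article): it counts failed SSH password logins per source IP inside a time window. The function name, the constructed log lines and the parameter names, which mirror fail2ban's maxretry and findtime settings, are assumptions.

```shell
#!/bin/sh
# Added example: fail2ban-style detection over constructed auth.log lines.
# flag_bruteforce LOG MAXRETRY FINDTIME
#   prints each source IP with MAXRETRY failed SSH password logins
#   inside FINDTIME seconds.
# Assumes classic syslog timestamps and that all lines fall on one day.
flag_bruteforce() {
    awk -v max="$2" -v win="$3" '
    /sshd\[[0-9]+\]: Failed password for / {
        # The user name is chosen by the client, so read the address by its
        # fixed position from the END of the line: "... from IP port N ssh2".
        if ($(NF - 4) != "from") next
        ip = $(NF - 3)
        if (ip in flagged) next
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]
        tail[ip]++
        seen[ip, tail[ip]] = now
        if (!(ip in head)) head[ip] = 1
        # Forget attempts that are older than the find window.
        while (now - seen[ip, head[ip]] > win) head[ip]++
        if (tail[ip] - head[ip] + 1 >= max) { flagged[ip] = 1; print ip }
    }' "$1"
}

# Constructed sample log (documentation IP ranges, hypothetical host "srv").
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 03:14:01 srv sshd[1201]: Failed password for root from 203.0.113.7 port 40022 ssh2
Jan 10 03:14:03 srv sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40031 ssh2
Jan 10 03:14:05 srv sshd[1207]: Accepted publickey for alice from 198.51.100.20 port 51514 ssh2
Jan 10 03:14:09 srv sshd[1210]: Failed password for invalid user test from 203.0.113.7 port 40040 ssh2
Jan 10 03:20:00 srv sshd[1300]: Failed password for alice from 198.51.100.20 port 51600 ssh2
Jan 10 09:00:00 srv sshd[2000]: Failed password for alice from 198.51.100.20 port 51700 ssh2
Jan 10 15:00:00 srv sshd[2100]: Failed password for alice from 198.51.100.20 port 51800 ssh2
EOF

# Three failures within ten minutes flag only the first address; the three
# mistyped passwords spread over a day stay below the threshold.
flag_bruteforce "$SAMPLE_LOG" 3 600
```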
To list all the SSH connections to the server, run the following command. Netstat is a command-line networking tool. It also lists the suspicious connections that do not attempt a password. With fail2ban, brute-force attacks are limited very well, but connections that just idle will not be recognized by default.
To give exclusive access to your server you will need an SSH key. That is a key that is split into two files. One is the private key and should be stored securely on the remote computer that you are using for SSH. The other part of the key, the public key, needs to be copied to your server.
We create the key pair on a Linux system and use the password option with the command:
// go to the .ssh directory
ssh-keygen -t rsa -f ~/.ssh/mykey
Please note that on Windows the program PuTTY performs the same task. Create the key pair with PuTTY. A window-based tutorial will guide you through the next steps.
On a Linux remote computer you need to copy the public part of the key to your server.
ssh-copy-id -i ~/.ssh/mykey.pub [your-user-id]@[your-ip]
Test the keys. The -i option takes the private key file.
ssh -i ~/.ssh/mykey [your-user-id]@[your-ip]
When the SSH key connection is working, we can deactivate password login in the SSH configuration.
We open the file with sudo privileges and the text editor nano
sudo nano /etc/ssh/sshd_config
Look for the following lines and change them. We deactivate login via the user and the root user.
Restart the SSH daemon on your server
sudo service ssh restart
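A check for the sshd_config change described above, as an added example that is not part of the original article. It reports the value sshd would use for PasswordAuthentication and PermitRootLogin, the two standard sshd_config keywords for password and root login; the function names and sample files are constructed, and it assumes Include files are not followed and stops at the first Match block.

```shell
#!/bin/sh
# Added example, not from the original article.
# sshd_effective FILE KEYWORD DEFAULT -> value sshd would use globally.
# sshd keeps the FIRST value it reads for a keyword, and keywords are
# case-insensitive. Assumptions: Include files are not followed and parsing
# stops at the first Match block (those lines are conditional overrides).
sshd_effective() {
    awk -v want="$2" -v val="$3" '
    BEGIN { want = tolower(want) }
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
    tolower($1) == "match" { exit }
    tolower($1) == want { val = $2; exit }
    END { print val }' "$1"
}

# audit_sshd FILE -> prints a finding per weak setting, returns 1 if any.
audit_sshd() {
    rc=0
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = "no" ] ||
        { echo "password login is still enabled"; rc=1; }
    [ "$(sshd_effective "$1" PermitRootLogin prohibit-password)" = "no" ] ||
        { echo "root login is not disabled"; rc=1; }
    return "$rc"
}

# Constructed sample files (hypothetical contents, not a real server's).
WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
#PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
EOF
cat > "$HARD_CONF" <<'EOF'
permitrootlogin no
PasswordAuthentication no
EOF

# The weak sample fails twice: the root line is only a comment, and the
# appended "no" is shadowed by the earlier "yes".
audit_sshd "$WEAK_CONF" || true
audit_sshd "$HARD_CONF" && echo "hardened sample passes"
```

On a live server, `sudo sshd -T` prints the effective configuration with Include files resolved and is the authoritative check. Recent Debian and Ubuntu releases include /etc/ssh/sshd_config.d/*.conf near the top of sshd_config, so a drop-in file there can override the lines edited above.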
We are done!
The server is now a secure place. Of course there is always a way to compromise a system, but with these first basics it is already difficult to do so.
It is almost always a user error that causes break-ins, so make sure you keep those passwords long, diverse and safe!
In the future I will edit this article from time to time.