Sometimes it is necessary to secure a Linux server that keeps sensitive data to a high degree. I want to provide a list of best-practice tips, which are a good starting point if you want to keep your data and server secure.
The steps below, applied to a server that sits in an already secured LAN, will raise the security of the system and its data once more.
1. Operating System
CentOS Linux is a good starting point, because it ships with a security layer called Security-Enhanced Linux (SELinux). This layer is very restrictive: a lot of operations, for example on the file system, are denied by default. CentOS is maintained by Red Hat, and the newest variant is “CentOS Stream”, which is a rolling release.
The following steps assume that CentOS is used.
2. Storage Encryption
LUKS storage encryption of the server is another good approach; LUKS version 2 is the current version. If an unauthorized person gets physical access to the server, the data would otherwise be easily accessible. With LUKS, the data is only accessible with the LUKS passphrase, which has to be provided when the encrypted volume is mounted.
Alternatively, ZFS with ZFS native encryption could be used for storage encryption. ZFS RAIDZ (RAID 5) and ZFS mirror (RAID 1) also protect against data corruption and keep the data’s integrity, and they prevent data loss if a single disk fails.
3. Isolate the Server with a Firewall Appliance
Put the server behind a firewall appliance and isolate it from the already secured LAN. The firewall appliance could be set up with OPNsense, which provides a good traffic analysis feature. Only publish the SSH port to the rest of the LAN; later on, all other protocols are tunnelled through an encrypted SSH tunnel over that port.
Firewall Rules should be applied which allow only connections from the LAN or other necessary network sources.
4. Google Authenticator or other 2FA for SSH
Nowadays, two-factor authentication is best practice, and a sufficiently good provider is Google with the “Google Authenticator”. Whoever wants to connect to the server has to install the “Google Authenticator” app from Google on their mobile phone. The app is synced with the server and provides a time-based code.
After applying 2FA, the username, the password and the time-based code are all necessary to connect to the SSH port.
5. Updates and strong Passwords
Always install CentOS updates when any are available; it is a must and common knowledge. Use very strong passwords, which is also well known in professional circles. Strong passwords can be made mandatory by applying a password policy; Cracklib can be used to force users to choose strong passwords.
yum install cracklib
Install “Cracklib” on CentOS and set complex, strong passwords, which could mean: at least 16 characters, with digits and symbols.
6. Harden SSH Daemon
Set the SSH daemon configuration restrictively. Directives like “PermitEmptyPasswords” (set to “no”), “AllowUsers” and “PermitRootLogin” (set to “no”) should be evaluated and adjusted.
Google Authenticator, used for 2FA, also needs an adjustment in the SSH daemon configuration file.
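As an added example that is not part of the original article, the following POSIX shell script audits an sshd_config for the directives named above. It assumes the 2FA from step 4 is the PAM-based Google Authenticator module, which needs UsePAM and ChallengeResponseAuthentication enabled; the two sample configs are constructed here, not taken from a real server.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config for the
# step 6 directives (and the 2FA prerequisites assumed from step 4).
# sshd honours the FIRST occurrence of a keyword, so the helper does the same.

# sshd_value FILE KEYWORD -> print the effective value (empty if unset)
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        tolower($1) == key { print $2; exit }            # first match wins, like sshd
    ' "$1"
}

# audit_sshd FILE -> one line per finding on stdout; exit status = number of findings
audit_sshd() {
    f="$1"; n=0
    v=$(sshd_value "$f" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin: set to no (found '${v:-unset}')"; n=$((n+1)); }
    v=$(sshd_value "$f" PermitEmptyPasswords)
    [ "${v:-no}" = "no" ] || { echo "PermitEmptyPasswords: set to no (found '$v')"; n=$((n+1)); }
    v=$(sshd_value "$f" AllowUsers)
    [ -n "$v" ] || { echo "AllowUsers: not set, every local account may log in"; n=$((n+1)); }
    # Assumption: pam_google_authenticator is used via PAM + keyboard-interactive auth.
    [ "$(sshd_value "$f" UsePAM)" = "yes" ] || { echo "UsePAM: must be yes for Google Authenticator"; n=$((n+1)); }
    [ "$(sshd_value "$f" ChallengeResponseAuthentication)" = "yes" ] || \
        { echo "ChallengeResponseAuthentication: must be yes for Google Authenticator"; n=$((n+1)); }
    return "$n"
}

# Constructed sample configs (not real server files) to demonstrate the audit.
WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# stock-looking config: root login allowed, no user allowlist
PermitRootLogin yes
PermitEmptyPasswords yes
UsePAM yes
ChallengeResponseAuthentication no
EOF
cat > "$HARDENED_CONF" <<'EOF'
PermitRootLogin no
PermitEmptyPasswords no
AllowUsers myuser
UsePAM yes
ChallengeResponseAuthentication yes
# a later duplicate is ignored by sshd; the audit must ignore it too
PermitRootLogin yes
EOF

echo "== weak =="; audit_sshd "$WEAK_CONF" || echo "findings: $?"
echo "== hardened =="; audit_sshd "$HARDENED_CONF" && echo "no findings"
```

Run it against /etc/ssh/sshd_config after editing, and re-run after `systemctl reload sshd` to confirm the file in use matches what you expect.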
7. Harden Host Firewall
CentOS brings its own firewall package with it, called “firewalld”. This command can be used to get a first impression:
sudo firewall-cmd --list-all
Firewall rules could be applied which allow connections only from the LAN, or only from specific IP addresses.
8. Brute Force Prevention
Password guessing is a problem for IT systems in general, but on Linux and for the SSH daemon it can be easily prevented. Just install and configure the Linux package called “fail2ban”. It can be configured to automatically block a single source IP address for a specific period of time if too many login attempts came from it.
9. Tunnel Services through SSH
Since SSH is now secured with 2FA and fail2ban and hardened, we can use it to connect to other services on the server, like HTTPS.
Simply use a command similar to this:
ssh MyUser@192.168.0.1 -L 9000:localhost:443
The server’s HTTPS port will then be accessible in a browser on my notebook via local port 9000 (https://localhost:9000).
Sysadmins swear by SSH public key authentication with a strong passphrase. This is also good to implement and can be integrated into the concept.
The steps above, applied to a server which is isolated from an already secured LAN, will increase the security of that system and its data.
Feel free to comment on this article.