The following is a helpful guide on how to get a brand new Linux server setup securely and ready for operation.
Table of Contents
- Adding a non-root user
- Setting strong passwords
- Enabling sudo for your non-root account
- Applying updates / Enable automatic updates
- Disabling root login via SSH
- Moving SSH off default port 22
- Disabling passwords for SSH login (Use public/private keys)
- Enabling 2-Factor Authentication with SSH
- Disabling the root account
- Ban Malicious IP Addresses (Fail2ban)
- Disabling IPv6
- Enabling the firewall
- Hardening the Linux kernel
- Disabling public internet connectivity
- Securing connection between two servers
Who is this guide for?
This guide is meant for folks that are not Linux or Security experts and have just fired up a dedicated or virtual server on Amazon, Azure, Digital Ocean, Linode or anywhere else and aren’t entirely sure what they should do before trusting the machine in production.
This guide is written in a friendly, accessible way and is meant to hand-hold you through the process of locking things down.
The information in this guide was all developed on Ubuntu 20.04 LTS. The tips should transfer as-is to any other Debian-based distro and for any other distro, the tips should get you 90% of the way there and you merely need to Google for the specific file location or command particular to your distro of choice.
It is strongly recommended you start this Guide with a clean, “first login” install of your Linux machine and not on one that has been running in production for a while that might already be compromised.
Is this the ultimate guide on Linux security?
Not quite.
As mentioned, this guide is written in a friendly/accessible way to help non-experts dial the security of their servers in and not have them sitting out on the internet like a delicious pot of honey.
The security tips in this guide are HUGELY beneficial for locking down a server – but as with real life, no matter how much security you employ there is always more security tips you can follow.
Note: I have gone out of my way to include the biggest “bang for the buck” tips while omitting complex/esoteric ones that might cripple you if setup incorrectly.
This guide is NOT a replacement for things like the official RedHat Hardening Guide, NSA Guide on Hardening Linux or even many of the excellent community driven hardening guides out there.
All these things are meant to compliment each other – just like jogging doesn’t replace weight lifting for fitness and pie doesn’t replace cake for desert.
Remember: The unfortunate reality of security is that it is only as strong as the weakest link.
You could implement EVERY tip from EVERY guide on the most secure server in history and then open up a stray port for a random service (like a log visualizer) that has a known vulnerability in it and your server is compromised.
Similarly, you could follow all the best practices and then store your keys or passwords insecurely on a personal computer.
Server security is similar to physical security in real life; it’s a collection of following best practices, always being aware and preparing proactive monitoring & responses in case something does happen.
Is my server safe after using this guide?
Yes! About 9000% more than it was before you started the guide.
The real-life equivalency of this is guide is something along the lines of going from a house with no doors or windows to one with 8″ steel security doors/windows with biometric locks on them and locks on each of the interior doors between rooms so if someone gets into a bedroom, they are stuck there and can’t ransack the house.
We just don’t go down the rabbit hole of having roaming automated death-robots in the house scanning for odd behavior and poison dart guns in the walls wired to tiles in the floor; Indiana Jones style 🙂
Thanks
As with all things, this guide was made possible by me taking a spotty couple of decades of experience and filling in many blanks with guides from much smarter people than myself.
These are some of the guides I went through in addition to 100s of other pages – I’ve tried to link the best ones on the individual tip pages.