Securing Linux Servers for DevOps And Admins

Written by MilanMaximo

This knowledge helped me personally in some situations that happened to me, where clients were practically helpless when the system infrastructure was compromised.
I truly hope that some of these tips help you.

I want to say that this guide is for the Debian 10 distro and that there are some differences when it comes to Ubuntu.
Thanks to my colleague, I have added some things and they can be found at the end of this post.

So let’s begin with securing Linux servers.

It’s always recommended to have an incident response plan in case of a security breach.
Additionally, you should have regular security audits to identify and fix any vulnerabilities.

1. Keep the Operating System and software up to date: Make sure to install all security updates and patches as soon as they become available.

As a Linux admin, it is crucial to keep the operating system and all software up to date.
This ensures all security vulnerabilities that have been discovered and patched by the software vendors are addressed on my server.
To do this, we can use package managers such as apt or yum to update the operating system and installed software.
Also, we’ll configure the system to automatically check for and install updates regularly.
Additionally, I make sure to research and apply any important security patches that may not be included in the standard package updates.
By keeping the operating system and software up to date, I am proactively addressing known security issues and reducing the potential attack surface on my server.

# update the package list
sudo apt update

# upgrade all installed packages
sudo apt upgrade -y

# install security updates
sudo apt dist-upgrade -y

# install any important security patches
sudo apt install --only-upgrade <package_name>

# configure automatic updates
sudo apt install -y unattended-upgrades
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

This script first updates the package list, then upgrades all installed packages, and then installs security updates. It also installs any important security patches for specific packages that may not be included in the standard package updates. Finally, it configures automatic updates using the unattended-upgrades package. The last command is optional, depending on your needs.

You can also use yum instead of apt on other distributions.

Please note that this is just an example and you should test it on your local environment before using it in production. I will repeat this after each script.

2. Use strong and unique passwords for all user accounts and make sure to change them regularly.

Next… it is essential to use strong and unique passwords for all user accounts. This helps to prevent unauthorized access to the server, whether by brute force attacks or by someone guessing a weak password. I use a password manager to generate strong and unique passwords for each account and make sure to change them regularly. I also encourage my users to use strong and unique passwords for their accounts and to change them frequently. Additionally, I can use PAM modules such as pam_cracklib or pam_pwquality to enforce password policies such as minimum length, complexity, and expiration.

Here is an example script that can be used to set and enforce strong and unique passwords on a Linux server:

# Install pam_cracklib
sudo apt install libpam-cracklib

# Configure pam_cracklib
sudo nano /etc/pam.d/common-password

# Add the following line to the file
password required pam_cracklib.so retry=3 minlen=15 difok=5

# Change the passwords of all regular user accounts (UID 1000 and above) to strong and unique passwords
# System accounts are skipped; every user gets a different random password and must change it at next login
for user in $(awk -F: '$3 >= 1000 && $3 < 65534 {print $1}' /etc/passwd); do
    new_password=$(openssl rand -base64 18)
    echo "$user:$new_password" | sudo chpasswd
    sudo chage -d 0 "$user"
    echo "$user: $new_password"   # shown once; hand it to the user over a secure channel
done

# Schedule password expiration
sudo nano /etc/login.defs

# Change the following line (it applies to accounts created afterwards; use "sudo chage -M 90 <username>" for existing accounts)
PASS_MAX_DAYS 90

This script first installs pam_cracklib, a PAM module that enforces password policies such as minimum length, complexity and expiration. Then it configures the pam_cracklib module by adding the password required pam_cracklib.so retry=3 minlen=15 difok=5 line to the /etc/pam.d/common-password file, which sets the minimum length of the password to 15 and requires at least 5 characters that differ from the old password. Then it changes the passwords of all regular user accounts to strong and unique passwords; this could be changed to a specific user or group. Lastly, it schedules password expiration by changing the PASS_MAX_DAYS value in the /etc/login.defs file to 90 days.

This is just an example and you should test it on your local environment before using it in production.
Also, you can use other PAM modules such as pam_pwquality for more advanced password policies.

3. Use a firewall to block unwanted incoming and outgoing traffic.

OK, let’s move on to firewalls. It is very important to use a firewall to protect my server from unwanted incoming and outgoing traffic. I use firewall software such as iptables or firewalld to configure rules that allow or block traffic based on various criteria such as IP addresses, ports, and protocols. I also make sure that the firewall is configured to deny all incoming traffic by default, allowing only traffic that is explicitly permitted. Additionally, I regularly check the firewall logs for any suspicious activity and adjust the rules accordingly.
Using a firewall helps me to protect my server from various types of cyber-attacks such as DDoS, port scanning, and malware injection.

Here is an example script that can be used to set up and configure a firewall on a Linux server using iptables:

# Install iptables
sudo apt install iptables

# Flush all existing rules
sudo iptables -F

# Allow loopback traffic and replies to connections that are already established
# (without these, local services and the answers to the server's own outgoing requests are dropped)
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow incoming traffic on port 22 (SSH)
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow incoming traffic on port 80 (HTTP)
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow incoming traffic on port 443 (HTTPS)
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Set default policy to drop all other incoming traffic
# (done after the allow rules so that a running SSH session is not cut off)
sudo iptables -P INPUT DROP

# Save iptables rules
sudo sh -c "iptables-save > /etc/iptables.rules"

# Configure iptables to start at boot
sudo nano /etc/network/interfaces

# Add the following line
pre-up iptables-restore < /etc/iptables.rules

This script first installs iptables, a firewall software for Linux. Then it flushes all existing rules and allows loopback traffic and replies to established connections. It then allows incoming traffic on port 22 (SSH), 80 (HTTP) and 443 (HTTPS) using the -A INPUT -p tcp --dport [port number] -j ACCEPT command, and sets the default policy to drop all other incoming traffic. Then it saves the iptables rules to /etc/iptables.rules, and configures iptables to start at boot by adding the pre-up iptables-restore < /etc/iptables.rules line to the /etc/network/interfaces file.

You can also use firewalld instead of iptables on other distributions.
Also, you can check the Linode documentation on firewalls.

You should adjust the ports and protocols as per your needs and also, you should regularly check the firewall logs for any suspicious activity and adjust the rules accordingly.

  • Also, you can install the iptables-persistent package, which runs as a systemd daemon and allows you to use different rules files for the IPv4 and IPv6 tables.

4. Limit access to the server to only necessary personnel and use secure authentication methods such as public-key authentication.

Now let’s see SSH. As you may know, it is important to limit access to the server to only necessary personnel. This helps to prevent unauthorized access to the server and reduce the potential attack surface. I use secure authentication methods such as public-key authentication for SSH instead of using passwords. This provides an additional layer of security since a password can be guessed or cracked, but a private key must be physically possessed. I also make sure to disable or remove any unnecessary accounts and remove any unnecessary services or protocols that are not needed. Additionally, I can use access control mechanisms such as SELinux or AppArmor to restrict the access to the resources and files by the users and applications.

This is a script that can be used to limit access to a Linux server and use secure authentication methods:

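# Disable password-based authentication
sudo nano /etc/ssh/sshd_config
# Change the following line
PasswordAuthentication no

# Configure public-key authentication
sudo mkdir -p /home/username/.ssh
sudo nano /home/username/.ssh/authorized_keys
# Add the public key of the user

# Give the user ownership of the directory and restrict its permissions
sudo chown -R username:username /home/username/.ssh
sudo chmod 700 /home/username/.ssh
sudo chmod 600 /home/username/.ssh/authorized_keys

# Check the configuration and restart SSH
# (keep the current session open until a key-based login has been tested)
sudo sshd -t && sudo systemctl restart ssh

# install SELinux
# (use either SELinux or AppArmor, not both; Debian 10 enables AppArmor by default)
sudo apt-get install selinux-basics selinux-policy-default
sudo selinux-activate

# configure SELinux
sudo nano /etc/selinux/config
# Change the following line
SELINUX=enforcing

# configure AppArmor
sudo apt-get install apparmor-utils
sudo nano /etc/apparmor.d/usr.sbin.sshd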

This script first disables password-based authentication and enables public-key authentication for SSH by changing the PasswordAuthentication option in /etc/ssh/sshd_config to no, and adding the public key of the user to /home/username/.ssh/authorized_keys.
Then, it installs SELinux, a security extension for Linux that can be used to restrict the access to the resources and files by the users and applications.
It configures SELinux, by changing the SELINUX option in /etc/selinux/config to enforcing. Then, it installs and configures AppArmor, another security extension for Linux that can be used to restrict the access to the resources and files by the users and applications.

Also, you should make sure to disable or remove any unnecessary accounts, remove any unnecessary services or protocols that are not needed, and limit access to the server to only necessary personnel.
Test it in your local environment before using it in production.

  • “Saving keys in one directory can be more comfortable for some admins: /etc/ssh/authorized_keys or AuthorizedKeysFile /etc/ssh/authorized_keys/%u”
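The check below is an added example, not part of the original post. sshd uses the first value it reads for each keyword, so a `PasswordAuthentication no` line appended to the end of sshd_config has no effect if an earlier line says `yes`; the script reports the value that would actually apply. The function names, the sample configuration and the three-keyword policy are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report the global value sshd would use for a keyword.
# sshd_config rules relied on here: keywords are case-insensitive, the FIRST
# value read for a keyword wins, and lines after the first "Match" line are
# conditional rather than global. Include directives are not followed.

effective_value() {   # usage: effective_value <config_file> <keyword>
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]+/)            # separator: whitespace or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n + RLENGTH)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit              # end of the global section
            if (key == want) { print tolower(val); exit }
        }
    ' "$1"
}

# Policy used by this example: keyword:required value:OpenSSH default when unset
audit_sshd() {        # usage: audit_sshd <config_file>; returns the number of failures
    cfg=$1
    failures=0
    for rule in \
        "PasswordAuthentication:no:yes" \
        "PubkeyAuthentication:yes:yes" \
        "PermitEmptyPasswords:no:no"
    do
        key=${rule%%:*}; rest=${rule#*:}
        required=${rest%%:*}; default=${rest#*:}
        actual=$(effective_value "$cfg" "$key")
        [ -n "$actual" ] || actual=$default
        if [ "$actual" = "$required" ]; then
            echo "PASS $key=$actual"
        else
            echo "FAIL $key=$actual (want $required)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed sample configuration, not taken from a real server.
write_sample_config() {   # usage: write_sample_config <path>
    cat > "$1" <<'EOF'
# constructed sample
Port 22
passwordauthentication yes
PubkeyAuthentication yes
# appended later by an admin who expected it to take effect:
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

demo() {
    sample=$(mktemp) || return 1
    write_sample_config "$sample"
    grep -q '^PasswordAuthentication no' "$sample" && echo "naive grep: looks disabled"
    audit_sshd "$sample"
    echo "failures: $?"
    rm -f "$sample"
}
demo || true
```

On a live server, `sudo sshd -T` prints the effective configuration, including included files, and is the authoritative check.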

5. Use intrusion detection systems (IDS) and security information and event management (SIEM) tools: Use intrusion detection systems and SIEM tools to monitor and detect suspicious activity on your server.

I use IDS software such as Snort or Suricata to monitor network traffic and detect any malicious activity. Additionally, I use SIEM tools such as ELK stack or Splunk, to collect and analyze log data from various sources such as firewall logs, system logs, and application logs. This allows me to detect any suspicious activity or patterns of behavior that could indicate a security breach. I also configure the tools to send me alerts in case of any suspicious activity.

By following these best practices and regularly checking my server’s security status, I can help to protect my Linux server from various types of cyber-attacks, and be prepared to respond quickly in case of a security breach.

Set up and configure IDS and SIEM tools on a Linux server:

# Install Snort
sudo apt-get install snort

# Configure Snort
sudo nano /etc/snort/snort.conf

# Add the following line to the file
include $RULE_PATH/local.rules

# Create a local.rules file
sudo nano /etc/snort/rules/local.rules

# Add the necessary rules to the file

# Install ELK stack (the packages come from the Elastic APT repository, which has to be added first)
sudo apt-get install elasticsearch logstash kibana

# Configure ELK stack
sudo nano /etc/logstash/conf.d/logstash.conf

# Add the necessary input, filter and output configurations

# Start ELK stack
sudo service elasticsearch start
sudo service logstash start
sudo service kibana start

This script first installs Snort, an open-source IDS software, and configures it by adding the necessary rules to the /etc/snort/rules/local.rules file. Then it installs the ELK stack (Elasticsearch, Logstash, and Kibana), open-source SIEM tools, and configures it by adding the necessary input, filter, and output configurations to the /etc/logstash/conf.d/logstash.conf file. Lastly, it starts the ELK stack services.

You can use other IDS software such as Suricata and other SIEM tools such as Splunk.
It is important to configure the tools to send you alerts in case of any suspicious activity and to regularly check your server’s security status.

6. Secure remote access to the Linux server by using secure protocols such as SSH and VPN, and disabling unnecessary services and ports.

Ok so now as an admin I ensure that remote access to the server is secure.
I use secure protocols such as SSH for remote access and VPN for remote network connections.
I also make sure to disable or remove any unnecessary services or ports that may be open on the server, as these can be potential attack vectors.
To further secure remote access, I can implement measures such as two-factor authentication, IP whitelisting, and regular monitoring of authentication logs.
I also make sure to use strong and unique credentials for all remote access accounts, and change them regularly.

Secure remote access to a Linux server:

# Install OpenVPN
sudo apt-get install openvpn

# Configure OpenVPN
sudo nano /etc/openvpn/server.conf

# Add the necessary configurations

# Enable SSH
sudo systemctl enable ssh
sudo systemctl start ssh

# Disable unnecessary services and ports
sudo systemctl disable <service_name>
sudo ufw deny <port_number>

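# Enable two-factor authentication
# (installing the package is only the first step: each user runs google-authenticator to create a secret,
#  and the module has to be added to the SSH PAM configuration)
sudo apt-get install libpam-google-authenticator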

# Configure IP whitelisting
sudo ufw allow from <ip_address>

# Monitor authentication logs
sudo nano /etc/rsyslog.conf
# Add the following line
auth,authpriv.* /var/log/auth.log

This script first installs OpenVPN, a secure protocol for remote network connections, and configures it by adding the necessary configurations to the /etc/openvpn/server.conf file.
Then it enables SSH, a secure protocol for remote access, and disables unnecessary services and ports by running the sudo systemctl disable <service_name> and sudo ufw deny <port_number> commands.
It enables two-factor authentication by installing the libpam-google-authenticator package, configures IP whitelisting by allowing connections from specific IP addresses using sudo ufw allow from <ip_address>. Lastly, it monitors authentication logs by adding the auth,authpriv.* /var/log/auth.log line to /etc/rsyslog.conf file.

You should make sure to use strong and unique credentials for all remote access accounts and change them regularly.

7. Securely configure services: Configure services such as web servers, databases, and SSH securely to prevent unauthorized access.

Then I have to make sure to configure services such as web servers, databases, and SSH securely to prevent unauthorized access. I use best practices such as using non-root user accounts to run services, limiting the listening interfaces and ports, and configuring access controls. I also make sure to use the latest versions of the software and configure them with the latest security settings. Additionally, I regularly check the service logs for any suspicious activity and take appropriate action if necessary.

Securing Linux servers configuration of services:

# Create non-root user account for service
sudo adduser <username>

# Grant permissions to the user account
sudo usermod -aG <group_name> <username>

# Configure service to run as non-root user
sudo nano /etc/<service_name>/<service_name>.conf

# Change the user and group options to the non-root user account created above

# Limit listening interfaces and ports
sudo nano /etc/<service_name>/<service_name>.conf

# Add the following line
ListenAddress <IP_address>

# Configure access controls
sudo nano /etc/<service_name>/<service_name>.conf

# Add the necessary access controls

# Check service logs for suspicious activity
sudo tail -f /var/log/<service_name>/<service_name>.log

This script creates a non-root user account for a service, grants the necessary permissions to the user account, configures the service to run as the non-root user account, limits the listening interfaces and ports by adding the ListenAddress <IP_address> line to the configuration file, configures access controls by adding the necessary access controls to the configuration file, and checks the service logs for suspicious activity by running the sudo tail -f /var/log/<service_name>/<service_name>.log command.

You should make sure to use the latest versions of the software and configure them with the latest security settings, and regularly check the service logs for any suspicious activity and take appropriate action if necessary.

8. Use file integrity monitoring to detect any changes to important system files and configuration files.

In addition to Grafana and Prometheus as essential monitoring software in DevOps, I have to use some others to monitor other things on the server.
I use file integrity monitoring to detect any changes to important system files and configuration files. This helps me to detect any unauthorized modifications to the server such as by malware or a malicious actor.
I use tools such as Tripwire, AIDE, or OSSEC to monitor the file system and alert me of any changes.

These are some of the key security best practices that I follow as a Linux server administrator.
Continuously monitoring and updating these practices help me to keep my server secure and protect it from potential cyber threats.

Set up file integrity monitoring on a Linux server using Tripwire:

# Install Tripwire
sudo apt-get install tripwire

# Edit the Tripwire configuration file
sudo nano /etc/tripwire/twcfg.txt

# Generate the signed configuration file from it
sudo twadmin --create-cfgfile --site-keyfile /etc/tripwire/site.key /etc/tripwire/twcfg.txt

# Create a policy file
sudo nano /etc/tripwire/twpol.txt

# Add the necessary policies (the files and directories to be monitored)

# Generate a new Tripwire policy file
sudo twadmin --create-polfile /etc/tripwire/twpol.txt

# Initialize the Tripwire database
sudo tripwire --init

# Check the integrity of the files
sudo tripwire --check

# Update the Tripwire database after reviewing a report, so that legitimate changes are accepted
sudo tripwire --update --twrfile /var/lib/tripwire/report/<report_file>.twr

# Keep a secure backup of all important files and configurations
sudo tar -cvzf /backup/tripwire.tar.gz /etc/tripwire

This script installs Tripwire, a tool for file integrity monitoring, edits the Tripwire configuration file, creates a policy file, adds the necessary policies for the files and directories to be monitored, generates a new Tripwire policy file, initializes the Tripwire database, and runs the check command to check the integrity of the files. After a report has been reviewed, it updates the Tripwire database. Lastly, it creates a secure backup of all important files and configurations by creating a tar file of the /etc/tripwire directory.

You can use other file integrity monitoring tools such as AIDE, or OSSEC. It is important to keep a secure backup of all important files and configurations, in case you need to restore them.
Continuously monitoring and updating these practices help to keep your server secure and protect it from potential cyber threats.

9. Monitor system logs for suspicious activity and use tools such as logwatch or syslog-ng to analyze and store logs.

Monitoring system logs is an important aspect of maintaining server security. I need to check for any suspicious activity such as failed login attempts, unexpected process starts, or other abnormal activities.
The tools such as logwatch or syslog-ng can analyze and store the logs, making it easier to identify patterns and trends. I also configure the system to send me alerts if any suspicious activity is detected. This allows me to quickly identify and respond to any security threats.

Monitor system logs on a Linux server using logwatch:

# Install logwatch
sudo apt-get install logwatch

# Configure logwatch
sudo nano /usr/share/logwatch/default.conf/logwatch.conf

# Add the necessary configurations

# Run logwatch
sudo logwatch

# Configure the system to send alerts
sudo nano /etc/logwatch/conf/logwatch.conf

# Add the necessary alert configurations

# Store logs
sudo nano /etc/logwatch/conf/logwatch.conf

# Add the necessary configurations for storing logs

This script installs logwatch, a tool for monitoring and analyzing system logs, configures it by adding the necessary configurations to the /usr/share/logwatch/default.conf/logwatch.conf file. Then it runs logwatch command to analyze the logs, and configures the system to send alerts by adding the necessary alert configurations to the /etc/logwatch/conf/logwatch.conf file.
Lastly, it configures the system to store logs by adding the necessary configurations to the /etc/logwatch/conf/logwatch.conf file.

You can use other tools such as syslog-ng to analyze and store the logs.
Regularly monitoring and analyzing the logs, and configuring the system to send alerts in case of any suspicious activity, allows you to quickly identify and respond to any security threats.

10. Backup important data: Regularly backup important data and test the backups to ensure they can be restored in case of an incident.

Backing up important data is essential in case of a security incident or data loss. Be sure to backup all important data regularly and store it in a secure location.
Test the backups to ensure they can be restored in case of an incident.
This would help you quickly recover any lost data and minimize the impact of a security incident.

Backup important data on a Linux server:

# Create a backup directory that only root can read
sudo mkdir -p /backup
sudo chmod 700 /backup

# Backup important data
sudo tar -cvzf /backup/important_data.tar.gz /path/to/important/data

# Set a cron job for regular backups
sudo crontab -e

# Add the following line to schedule a daily backup at 2:00 am (this is root's crontab, so no sudo is needed)
0 2 * * * tar -czf /backup/important_data.tar.gz /path/to/important/data

# Test the backups
sudo tar -xvzf /backup/important_data.tar.gz -C /tmp

# Compare the files in /tmp with the original files
# (tar strips the leading "/" and keeps the rest of the path inside the archive)
sudo diff -r /path/to/important/data /tmp/path/to/important/data

# Store the backups in a secure location
sudo scp /backup/important_data.tar.gz user@remote_server:/path/to/secure/location

This script creates a backup directory, backs up important data using the tar command and stores it in the /backup directory, sets a cron job to schedule a daily backup of the important data at 2:00 am, and tests the backups by extracting the files and comparing them with the original files. It stores the backups in a secure location by using the scp command to copy the backup file to a remote server.

You can use other tools and methods for backup and restore such as rsync, dd or backup software. Regularly
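The following is an added example, not part of the original post: a backup routine that stores a checksum beside each archive and treats a backup as good only when the checksum matches and a test restore is identical to the source. The function names and the archive naming scheme are assumptions; the demo runs on constructed files in a temporary directory.

```shell
#!/bin/sh
# Added example: create a backup and prove that it restores.

# usage: backup_dir <source_dir> <backup_dir>   (prints the archive path)
backup_dir() {
    src=${1%/}; dest=$2
    name=$(basename "$src")
    archive="$dest/$name-$(date +%Y%m%d-%H%M%S).tar.gz"
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    # -C makes the stored paths relative to the parent directory, so the
    # archive unpacks as "<name>/..." wherever it is restored
    tar -czf "$archive" -C "$(dirname "$src")" "$name" || return 1
    # record the checksum next to the archive
    ( cd "$dest" && sha256sum "$(basename "$archive")" \
        > "$(basename "$archive").sha256" ) || return 1
    echo "$archive"
}

# usage: verify_backup <archive> <source_dir>
# returns 0 only if the checksum matches AND a test restore equals the source
verify_backup() {
    archive=$1; src=${2%/}
    ( cd "$(dirname "$archive")" &&
      sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 ) || {
        echo "checksum mismatch: $archive" >&2
        return 1
    }
    scratch=$(mktemp -d) || return 1
    if tar -xzf "$archive" -C "$scratch" &&
       diff -r "$src" "$scratch/$(basename "$src")" >/dev/null
    then
        status=0
    else
        echo "restore differs from source: $archive" >&2
        status=1
    fi
    rm -rf "$scratch"
    return "$status"
}

# Demo on constructed data in a temporary directory.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/data"
    echo "constructed sample file" > "$work/data/notes.txt"
    a=$(backup_dir "$work/data" "$work/backup") &&
        verify_backup "$a" "$work/data" &&
        echo "verified: $(basename "$a")"
    rm -rf "$work"
}
demo || true
```

The comparison against the live source is meaningful right after the backup is taken; for older archives the checksum and a successful extraction are the parts that still apply.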

11. Use endpoint protection software to detect and prevent malware and other malicious software.

Endpoint protection software can help to detect and prevent malware and other malicious software on the server. So we have to use endpoint protection software to scan all files and network traffic and block any malicious activity. Also, we have to make a configuration of software to regularly update its malware definitions and perform scheduled scans to ensure the server is not compromised. This will help us to detect and prevent any malware or malicious software that might have managed to bypass other security measures.

Linux endpoint protection tools include:

  1. ClamAV – an open-source antivirus software that can be used to scan and detect malware on Linux systems.
  2. Rkhunter – a rootkit detection tool that can be used to scan for and detect malicious software that may be running on a Linux system.
  3. AIDE – an advanced intrusion detection environment that can be used to monitor and detect any changes to important system files and configurations.
  4. OSSEC – an open-source intrusion detection system that can be used to monitor and detect suspicious activity on Linux systems.
  5. Tripwire – a file integrity monitoring tool that can be used to detect any changes to important system files and configurations.
  6. SELinux – a security-enhanced Linux distribution that can be used to restrict access to resources and files by users and applications.
  7. AppArmor – a Linux security module that can be used to restrict the access to resources and files by users and applications.
  8. chkrootkit – a tool that can be used to check the system for known rootkits.
  9. Malware Scanner – a command-line tool that can be used to scan the system for malware.
  10. LMD – Linux Malware Detect is a malware scanner for Linux that uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection.

12. Train employees on security best practices and make them aware of the risks and how to detect and report suspicious activity.

Let’s assume you are communicative, and if so then do this and make your life easier. Educate employees on security best practices and the risks that are associated with them.
In the former companies where I worked, I made sure to always provide a minimum of training to employees, on topics such as strong password management, phishing scams, and how to detect and report suspicious activity. This helps to create a security-aware culture within the organization and reduce the risk of human error leading to a security incident.

Train employees on security best practices securing Linux servers:

# Create a security training schedule
sudo nano /etc/security/training_schedule.txt

# Add the necessary training sessions and schedule

# Send out email reminders to employees
echo "Don't forget about the upcoming security training session on [topic] at [time]" | mail -s "Security Training Reminder" employee@example.com

# Provide training materials
sudo cp -r /etc/security/training_materials /mnt/shared/training_materials

# Conduct training sessions
sudo nano /etc/security/training_sessions.txt

# Add the necessary training sessions

# Follow up with employees to ensure they understand the material
echo "It's important to understand the material covered in the training. Do you have any questions or concerns?" | mail -s "Security Training Follow-up" employee@example.com

This script creates a security training schedule, sends out email reminders to employees about upcoming training sessions, provides training materials for employees to review, conducts training sessions, and follows up with employees to ensure they understand the material.
Also, you can use other methods such as online training modules, videos, and interactive sessions. Educating employees on security best practices and making them aware of the risks helps to create a security-aware culture within the organization and reduce the risk of human error leading to a security incident. Regular security audits and incident response plan will also help in identifying and mitigating any vulnerabilities.

13. Use containerization technology such as Docker or Kubernetes to isolate and secure applications.

As you already know using containerization technology such as Docker or Kubernetes is an effective way to isolate and secure applications. This can help to reduce the attack surface by isolating applications from each other and from the host operating system. Additionally, containers can be configured with minimal permissions, reducing the impact of a compromise. Personally, I use container orchestration tools such as Kubernetes to manage and scale my containers and ensure that all the containers are running in a secure environment.

Here is an example script that can be used to install and use Docker to containerize an application:

# Install Docker (on Debian the container engine is packaged as docker.io)
sudo apt-get install docker.io

# Create a Dockerfile
sudo nano Dockerfile

# Add the necessary instructions to build the image

# Build the image
sudo docker build -t myapp:latest .

# Run the container
sudo docker run -it -d --name myapp -p 80:80 myapp:latest

# Configure minimal permissions for the container
sudo docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE myapp:latest

# Install Kubernetes (the packages come from the Kubernetes APT repository, which has to be added first)
sudo apt-get install kubeadm kubectl kubelet

# Create a deployment for the container
sudo kubectl create deployment myapp --image=myapp:latest

# Expose the deployment as a service
sudo kubectl expose deployment myapp --type=LoadBalancer --port=80 --target-port=80

This script installs Docker, creates a Dockerfile with the necessary instructions to build an image, builds the image, runs the container and configures minimal permissions for the container. It also installs Kubernetes, creates a deployment for the container, and exposes the deployment as a service.

You can also use container orchestration tools such as Kubernetes.
Using containerization technology such as Docker or Kubernetes can help to isolate and secure applications, reduce the attack surface by isolating applications from each other and from the host operating system, and can be configured with minimal permissions, reducing the impact of a compromise.

14. Implement Network Segmentation: Implement network segmentation to separate different types of traffic and isolate sensitive data.

With network segmentation, I can reduce the attack surface and minimize the impact of a compromise. I use network segmentation techniques such as VLANs or VPNs to separate different types of traffic and restrict access to sensitive data. I also use firewalls and other security devices to control the flow of network traffic, making it harder for an attacker to move laterally through the network.
By following these best practices, I can help to harden the security of my Linux server and reduce the risk of a security incident. However, it is important to note that the security landscape is constantly changing, so it’s crucial to keep up to date with the latest threats and update security measures accordingly.

Implement network segmentation in securing Linux servers:

# Configure VLANs
sudo nano /etc/network/interfaces

# Add the necessary VLAN configurations

# Restart the network service
sudo service networking restart

# Configure VPN
sudo apt-get install openvpn

# Create a VPN configuration file
sudo nano /etc/openvpn/server.conf

# Add the necessary VPN configurations

# Start the VPN service
sudo service openvpn start

# Configure firewall
sudo apt-get install ufw

# Enable the firewall
sudo ufw enable

# Add the necessary firewall rules
sudo ufw allow from <IP address> to any port <port number>

# Configure access controls
sudo nano /etc/ufw/before.rules

# Add the necessary access control configurations

# Restart the firewall service
sudo service ufw restart

Or this one

#!/bin/bash

# Configure VLANs to separate different types of traffic
vconfig add eth0 10
vconfig add eth0 20

# Assign IP addresses to the VLANs
ip addr add 192.168.10.1/24 dev eth0.10
ip addr add 192.168.20.1/24 dev eth0.20

# Enable the VLAN interfaces
ip link set eth0.10 up
ip link set eth0.20 up

# Configure firewall rules to restrict access to sensitive data
iptables -A INPUT -i eth0.10 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0.20 -p tcp --dport 22 -j DROP

# Save the firewall rules
iptables-save > /etc/iptables.rules

# Configure the firewall to load the rules on boot
# (the line is quoted so that it is written to rc.local instead of being run here)
echo 'iptables-restore < /etc/iptables.rules' >> /etc/rc.local

# Enable the VPN for secure remote access
apt-get install -y openvpn

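# Configure the VPN server
# (these paths and commands are from easy-rsa 2.x; releases that package easy-rsa 3 use its easyrsa command instead)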
cd /etc/openvpn
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 .
cd easy-rsa/2.0
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key
cd ../../
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf .

# Configure the VPN server settings
sed -i 's/;local a.b.c.d/local 192.168.10.1/' server.conf

This script configures VLANs by adding the necessary configurations to the network interfaces file, and restarting the network service. It also configures VPN by installing openvpn and adding the necessary configurations to the configuration file and starting the VPN service. It also configures firewall by installing ufw, enabling it, adding the necessary firewall rules, configuring access controls and restarting the firewall service.

Please note that this is just an example and you should test it in your local environment before using it in production. Also, you can use other methods such as implementing a DMZ and using other tools such as iptables and other VPN software. Implementing network segmentation by separating different types of traffic and isolating sensitive data can help to reduce the attack surface and minimize the impact of a compromise. It is important to keep up to date with the latest threats and update security measures accordingly.

15. Implement security automation to automatically detect and respond to security incidents.

Implementing security automation is an important aspect of maintaining server security. By automating security processes, we can detect and respond to security incidents more quickly and efficiently. For example, we can use configuration management tools such as Ansible or Chef to automatically apply security updates and configurations, or we can use security monitoring tools such as Security Onion or OSSEC to automatically detect and respond to security incidents. Additionally, we can use bash scripts to automate routine tasks such as log analysis, vulnerability scanning, and monitoring.

Implement security automation on a Linux server:

# Install Ansible
sudo apt-get install ansible

# Create an Ansible playbook
nano security_playbook.yml

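# Add the necessary tasks to the playbook
# (hosts: localhost targets the local machine; change it to an inventory group as needed)
- hosts: localhost
  become: yes
  tasks:
    - name: Install security updates
      apt:
        name: '*'
        state: latest
        update_cache: yes

    - name: Configure firewall
      ufw:
        rule: allow
        port: '22'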

# Run the playbook
ansible-playbook security_playbook.yml

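# Install OSSEC (the Atomicorp installer only adds the package repository)
wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash
sudo apt-get update
sudo apt-get install -y ossec-hids-server

# Start OSSEC
sudo /var/ossec/bin/ossec-control start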

# Create a bash script to automate log analysis
nano /root/log_analysis.sh

# Add the necessary commands to the script
#!/bin/bash
grep -i "error" /var/log/syslog
grep -i "failed" /var/log/auth.log

# Make the script executable
chmod +x /root/log_analysis.sh

# Schedule the script to run regularly (every day at midnight)
crontab -e
0 0 * * * /root/log_analysis.sh > /var/log/log_analysis.log 2>&1

This script installs Ansible and creates a playbook to automatically install security updates and configure the firewall.
It also installs OSSEC and configures it to detect and respond to security incidents. Additionally, it creates a bash script to automate log analysis and schedules it to run regularly.

You can also use other automation tools such as Puppet, and other security automation tools such as ElastAlert. Implementing security automation can help to detect and respond to security incidents more quickly and efficiently.

16. This script checks for failed login attempts in the /var/log/auth.log file

#!/bin/bash

# Store the failed login attempts in a variable
failed_logins=$(grep "Failed password" /var/log/auth.log)

# Check if there are any failed login attempts
if [ -n "$failed_logins" ]; then
    # Print the failed login attempts
    echo "Failed login attempts found:"
    echo "$failed_logins"
else
    # Print a message if no failed login attempts are found
    echo "No failed login attempts found in /var/log/auth.log"
fi

This script checks for failed login attempts in the /var/log/auth.log file, and compares the number of failed logins to a threshold set at the beginning of the script. If the number of failed login attempts exceeds the threshold, an alert email is sent to the specified email address (in this example, admin@example.com). This script can be run regularly using cron to continuously monitor for failed login attempts and alert the administrator if necessary.
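The script above prints every matching line but has no threshold or e-mail step. The following is an added example, not the author's script, of the threshold check and alert the paragraph describes, counted per source IP. The function names, the threshold value of 3 and the use of the mail command (from a package such as mailutils) are assumptions, and the log lines are constructed samples.

```shell
#!/bin/bash
# Added example (not from the original post): per-IP failed SSH login threshold alert.
THRESHOLD=3                      # assumed value; tune it for your environment
ALERT_EMAIL="admin@example.com"  # address named in the post's description

# Constructed sample lines in sshd's auth.log format (documentation IP ranges, not real data).
sample_log() {
cat <<'EOF'
Jan 10 03:12:01 srv sshd[811]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jan 10 03:12:03 srv sshd[811]: Failed password for root from 203.0.113.7 port 50124 ssh2
Jan 10 03:12:05 srv sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Jan 10 03:12:07 srv sshd[813]: Failed password for invalid user test from 203.0.113.7 port 50131 ssh2
Jan 10 03:12:09 srv sshd[815]: Failed password for root from 203.0.113.7 port 50140 ssh2
Jan 10 08:30:11 srv sshd[901]: Failed password for alice from 198.51.100.23 port 41000 ssh2
Jan 10 08:30:15 srv sshd[901]: Failed password for invalid user x from 192.0.2.1 from 198.51.100.23 port 41002 ssh2
Jan 10 08:30:20 srv sshd[901]: Accepted password for alice from 198.51.100.23 port 41004 ssh2
EOF
}

# Print "<count> <ip>" for each source IP with more than $2 failed logins in file $1.
# The user name is text chosen by the remote client, so the IP is read from the fixed
# tail of the line ("from <ip> port <n> ssh2"), not from the first "from" that appears.
offenders() {
    awk -v t="$2" '
        /Failed password/ && NF > 4 && $(NF-4) == "from" && $(NF-2) == "port" { n[$(NF-3)]++ }
        END { for (ip in n) if (n[ip] > t + 0) print n[ip], ip }
    ' "$1" | sort -rn
}

# Mail the report if any IP is over the threshold; fall back to stdout without mail(1).
alert_if_needed() {
    report=$(offenders "$1" "$THRESHOLD")
    if [ -z "$report" ]; then
        echo "No source IP exceeded $THRESHOLD failed logins in $1"
    elif command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$report" | mail -s "Failed SSH logins on $(hostname)" "$ALERT_EMAIL"
    else
        printf 'ALERT: failed SSH logins over threshold:\n%s\n' "$report"
    fi
}

# Run against a log file when one is given, e.g. ./failed_login_alert.sh /var/log/auth.log
if [ -n "${1:-}" ]; then
    alert_if_needed "$1"
fi
```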

 

Configuring the time zone and NTP client can help ensure that the system’s clock is accurate, which is important for many types of operations. Multi-factor authentication (MFA) can add an additional layer of security to user accounts by requiring a second form of verification, such as a fingerprint or code sent to a phone, in addition to a password. DUO is one example of a provider that offers MFA services, and some plans, including a free plan for 10 users, may be available.

 

I would add some friendly advice to my DevOps fellows for securing Linux servers

It is extremely important to take server security seriously. Most of our work is done on Linux servers.

Perhaps at times, such security may not be part of your everyday work, but trust me, it is good to know these things because you really can’t be 100% sure what can go wrong during a day.
The guide that I just wrote provides a comprehensive overview of the best practices and steps you can take to secure Linux servers. I would recommend starting by reviewing your current security measures and identifying any areas that might need improvement.
Keep your operating system and software up-to-date, use strong and unique passwords and implement a firewall to block unwanted incoming and outgoing traffic.

Additionally, it is important to limit access to the server only to necessary personnel and use secure authentication methods such as public-key authentication.
Furthermore, it is important to use intrusion detection systems and security information and event management tools to monitor and detect suspicious activity on your servers.
Secure remote access by using secure protocols such as SSH and VPN and disabling unnecessary services and ports. Securely configure services such as web servers, databases and SSH to prevent unauthorized access. Use file integrity monitoring to detect any changes to important system files and configuration files.
As a DevOps engineer, you should also take security into consideration throughout the software development lifecycle.

This includes applying secure coding practices, conducting regular security testing and implementing security controls in the continuous integration and continuous deployment (CI/CD) pipeline. By incorporating security into the DevOps process, you can ensure that all applications and services deployed on the server are secure and that any vulnerabilities are identified and quickly resolved. It is important to regularly check the security status of your server and stay up-to-date with the latest threats and make updates accordingly.

I would like to thank Andrei Andriushin for bringing to my attention several things that needed to be added to this blog post.
I have done so and I hope you will find these tips useful.
