A brief introduction to best-practices when securing and hardening your Linux server.
Joey Miller • Last updated May 04, 2023
Although you might assume that your server is already secure, there are some simple practices you should be following to harden your server. In the event of a compromise, these practices will allow you to limit the damage that can be done by attackers.
Although this guide was written for Ubuntu Server 20.04 LTS
(focal) this guide should be mostly transferable to other Linux distributions.
root
accountIn some scenarios, you are first given access to a Linux server via the root
account. The first thing you should do is disable this account. You should be using sudo
from another user account to execute privileged commands.
There are several reasons why this is beneficial, such as allowing for better auditing and accountability (since users now have to use sudo
). Doing so also provides more safeguards and (in some cases) better protects you in the event of account compromises (since the user password will be required even if using private-key authentication over SSH).
First, we will create a new sudo
-level user: ubuntu
.
adduser ubuntu
usermod -aG sudo ubuntu
passwd --delete root
From our host computer, let's generate a key-pair, copy it to the server, and remove the temporary password:
Host computer
ssh-keygen -t ed25519 -f hostname-ubuntu-key.pem ssh-copy-id -i ./hostname-ubuntu-key.pem.pub [email protected] rm hostname-ubuntu-key.pem.pub
You can now log in to your server as the ubuntu
user with our new private key:
ssh -i hostname-ubuntu-key.pem [email protected]
From now on we will be making all changes as the ubuntu
user.
Ensuring your system is up-to-date is an important way of preventing vulnerabilities that allow attackers access to your server.
On Ubuntu apt
is used to manage packages.
sudo apt update
sudo apt upgrade
sudo reboot
SSH
securityUsing SSH key authentication offers convenience (password-less login), while also offering better security than most passwords.
By making some changes to the SSH configuration we can disallow password authentication; empty or otherwise. This makes us rely on using the key we set up in Step 1. At the same time, we will disable root login over SSH. Since we deleted the root password earlier this is redundant, but doing so will ensure root login is never allowed should it return.
Use sudo
to edit /etc/ssh/sshd_config
and make sure the following are set:
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
PubkeyAuthentication yes
Lastly, we need to restart the SSH daemon:
sudo systemctl reload sshd
Running a firewall on your server is an additional line of defense that can help prevent illegitimate services from communicating with the outside world.
This is very simple thanks to ufw
(Uncomplicated Firewall). We need to start by allowing OpenSSH (before enabling) or we will restrict ourselves from being able to access the server!
sudo ufw allow OpenSSH
sudo ufw enable
Nginx
through the firewallWe can define additional custom applications to allow them through the firewall.
To create the application profile for Nginx, use sudo
to create the file /etc/ufw/applications.d/nginx-service
containing:
[Nginx HTTP]
title=Web Server
description=Enable NGINX HTTP traffic
ports=80/tcp
[Nginx HTTPS] \
title=Web Server (HTTPS) \
description=Enable NGINX HTTPS traffic
ports=443/tcp
[Nginx Full]
title=Web Server (HTTP,HTTPS)
description=Enable NGINX HTTP and HTTPS traffic
ports=80,443/tcp
Then enable the application profile that you need (either Nginx HTTP
, Nginx HTTPS
, or Nginx Full
). In most cases this will be Nginx Full
:
sudo ufw allow Nginx\ Full
rootless
(optional)By default, Docker runs as the root user. Since the Docker containers and the Docker daemon are running as root, this can be a security risk. We wouldn't want to expose ourselves to any potential vulnerabilities that could allow attackers to break out of the containers (into the host system).
It is possible to run Docker daemon and containers as a non-root user.
First, let's install docker:
sudo apt install ca-certificates curl gnupg lsb-release
sudo mkdir -m 0755 -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
sudo apt install docker-ce
Then, let's set up the Docker daemon to run as a non-root user
Note: Sometimes necessary
XDG_RUNTIME_DIR
andDBUS_SESSION_BUS_ADDRESS
environment variables are not set properly in some cases, such as when usingsu
to set up rootless docker for a different user. Make sure to set them as follows export XDG_RUNTIME_DIR=/run/user/$UID export DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$UID/bus
sudo apt install uidmap dbus-user-session
# Disable the system-wide Docker daemon (optional)
sudo systemctl disable --now docker.service docker.socket
dockerd-rootless-setuptool.sh install
# Enable the rootless docker daemon on startup (optional)
systemctl --user enable docker
sudo loginctl enable-linger $(whoami)
As reported the dockerd-rootless-setuptool.sh
script, add the following to the bottom of your .bashrc
:
export PATH=/usr/bin:$PATH
export DOCKER_HOST=unix:///run/user/$UID/docker.sock
When running some services, like Nginx over HTTP/HTTPS, you will want to expose privileged ports (< 1024) on the host.
To enable privileged ports for the rootless docker running on the user, run the following commands:
sudo setcap cap_net_bind_service=ep $(which rootlesskit)
systemctl --user restart docker
This guide is in no way comprehensive. This guide serves as a very brief introduction to the topic. There are endless guides and resources on the topic, including The Practical Linux Hardening Guide.
Tags
If you found this post helpful, please share it around: