Before deploying a Linux server it's imperative you take time to think about security. The following article helps provide a basic foundation from which to start when first provisioning your linux server. This guidance is agnostic to most distributions.
Before getting into the practical recommendations, we want to take a moment to focus on two very important programmatic concepts:
|Functional Isolation||Single Purpose Server.Is this server single purpose? Do not run a mail server with a web server (different purposes), for example. Or a web server with a DNS server. Do not mix purposes as it increases the chance of a mass scale compromise.|
|Security Levels||Do not mix security levels. If you are running a web server with multiple web sites and some of them are non-business critical, while others are very critical. Run them into different servers.|
Immediately after configuring your server, we recommend enabling and starting your firewall. Research show that attacks are often automated and start within minutes, if not hours, of a server coming online. A great example of a free firewall is IPTables (built in with most Linux distributions). Some of the more modern distributions have switched to using UFW.
Quickly check the status of IPTables with a command like htis:
# iptables -nvL
Don't forget IPv6
Do not forget about ip6tables (iptables for ipv6). Most servers now come with IPv6 by default, so make sure the rules are configured to account for it. You can verify your ip6tables rules by running:
# ip6tables -nvL
Depending on your distribution, your instance could be loading with a lot of stuff you don't need or even know exists. It's imperative that when you first boot the server you take the time to identify what is, and is not, running. Disable all services that should not be running.
A quick way to see all the ports open and the associated services is with netstat:
# netstat -tanep |grep LIST
No, when you first load your Linux instance it is not the most current version. Take the time to run an update according to your distribution and apply it. An example of what that update might look like with Ubuntu derivatives is:
# apt-get update
While this checks for updates, you still have to apply the updates and you do that like this:
# apt-get upgrade
Perhaps the number one issue we see when working with hacked organizations - no backups. Take the time when you're first getting started to establish a backup sequence. Most linux hosts will offer backups in their offering, or allow you to add it to your plan. Do it! We understand the argument that you'll get to it later, when it's in production, but the reality is somewhere along the line it will be forgotten until it's too late.
Do it early!
Every system will record activity by default. They do this is in the form of logs. How are you accounting for your logs? We use Trunc for our log collection and retention. It provides us a remote service to collect all our logs and gives us one centralized platform to monitor and analyze. We encourage you to think a minute to think about how you plan to account for your own logs.
Logs are by far one of the most undervalued resources on a server. You never realize how important they are, until you need them. Second only to backups.
Availability is a critical piece of security. The minute the server comes online, it's imperative you understand how it's performing. We encourage you to take the time to configure some form of uptime monitoring
Once you have made the changes, be sure to reboot the server to make sure all changes have been applied. Most updates will notify you of a required restart, but there may be instances where you decide to do it after you make other changes. Always remember to go back and apply the change.