Most users believe that Linux is secure enough by default. In this article, we will teach you more about Linux security tips and tricks.
Linux security tips and tricks
Hackers and crackers are one of the most important challenges for a system administrator, so we are pleased to explain 8 useful tips and tricks to help you secure your Linux system. Join us to review these security tips.
How to make Linux more secure
1. Keep System updated
Easy and important! Keep the system updated and apply all newly released patches, security fixes, and kernel updates by running the commands below.
CentOS
# yum check-update
# yum update
Ubuntu and Debian
sudo apt-get update
sudo apt-get upgrade
2. Use strong, complex and unpredictable passwords
First, check for empty passwords. An empty password is a security risk because it makes the account easy to hack, so make sure no one can gain unauthorized access to any account. To find any accounts with an empty password, use the following command.
# cat /etc/shadow | awk -F: '($2==""){print $1}'
The second step is to choose a strong and complex password. Because hackers try to break your password with brute-force attacks, this step is very important.
Here are some tips to help you choose a complex password.
The number of characters should not be less than 8. Use a combination of uppercase and lowercase letters, and put numbers between the letters. Also use characters that are neither numbers nor letters.
If you need to change your password, you can use the following command.
passwd username
If you want to change the root user password follow this command.
passwd root
3. Disable login with root user
Disabling login with the root user means that the root account can no longer be used to log in to the server over SSH. Follow the steps below to disable login with the root user.
Open /etc/ssh/sshd_config with a text editor.
nano /etc/ssh/sshd_config
Find the PermitRootLogin line shown below and change “yes” to “no”.
# Prevent root logins:
PermitRootLogin no
Save the changes, then restart the SSH service.
service ssh restart
Now, if you need root privileges, log in as another user and then use the su command to switch to root.
4. Restrict user login
You may have many user accounts on your server, but only a few need to log in. For example, you have 10 users on your Linux system, but only the users Jona and Ruth may connect to the server remotely. To restrict which Linux users can log in, open the sshd_config file with an editor.
nano /etc/ssh/sshd_config
Once the file is open, find the “AllowUsers” directive and list the permitted users as follows.
AllowUsers Jona Ruth
Finally, restart the SSH service.
service ssh restart
5. Disable Protocol 1
The SSH service works with two protocols, protocol 1 and protocol 2, and protocol 1 is less secure due to its age. So it’s best to use Protocol 2 in your communications. To disable Protocol 1, reopen the sshd_config file with the editor.
nano /etc/ssh/sshd_config
Find the following phrase and change it to Protocol 2.
# Protocol 2,1
Protocol 2
In the second line, change the protocol to 2 and restart the SSH service.
service ssh restart
6. Use non-standard ports for SSH
The default SSH service port is 22, and it is the port hackers scan first. In some cases, admins change the SSH port to 2222 to make it easier to remember, but you should know that if hackers get no result from scanning port 22, their second choice is port 2222. So we suggest you use a high-numbered port so that your SSH port is not easily identified, and at the same time avoid ports that are reserved for other services. The best choice is between 10,000 and 65,000; most of these ports are free.
7. Filter SSH connections with Firewall
If you always connect to your server remotely from one specific IP address, use the following command to restrict the SSH service to that address.
iptables -A INPUT -p tcp -s 98.56.233.9 --dport 22 -j ACCEPT
Note: After entering the above command, you can only connect to the server from a system that has the IP address 98.56.233.9. If you want the server to be accessible from anywhere, use the following commands instead.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh --rsource
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent ! --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j ACCEPT
The first command opens access to port 22 for all IPs. The second command adds an intelligent setting that makes the firewall automatically block the requesting IP if several requests are sent in less than 60 seconds. For the second command to work correctly, you must also add a default DROP policy.
Note: If you change the SSH service port, enter your desired port in the commands.
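An added example, not part of the original article: the commands from this tip assembled into a complete rule set, including the default DROP policy mentioned above. The function name ssh_firewall_rules and port 22022 are assumptions; the script only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not from the article: print (do not apply) a complete INPUT
# rule set for tip 7. Usage: ssh_firewall_rules PORT [SOURCE_IP]
ssh_firewall_rules() {
    port=$1 src=${2:-}
    # Validate first: the output is meant to be reviewed and then run as root.
    case $port in
        ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "invalid port: $port" >&2; return 1
    fi
    case $src in
        *[!0-9./]*) echo "invalid source address: $src" >&2; return 1 ;;
    esac
    new="-p tcp --dport $port -m state --state NEW"
    # Without these two rules a DROP policy also cuts loopback traffic and
    # every packet of a session that was already accepted.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    if [ -n "$src" ]; then
        # Variant 1: only one address may open SSH connections.
        echo "iptables -A INPUT -s $src $new -j ACCEPT"
    else
        # Variant 2: record every new connection, accept it unless this is
        # the 4th or later one from the same address within 60 seconds.
        echo "iptables -A INPUT $new -m recent --set --name ssh --rsource"
        echo "iptables -A INPUT $new -m recent ! --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j ACCEPT"
    fi
    # Last, so the rules above exist before anything is dropped. Other
    # services (web, mail) need their own ACCEPT rules before this line.
    echo "iptables -P INPUT DROP"
}

ssh_firewall_rules 22022   # constructed port number; prints five commands
```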
8. Use security keys for authentication
You gain two main benefits if you use security keys.
1- You can access your terminal without entering the password.
2- You can completely disable password login, after which no password is required to log in to the system terminal. This feature protects you from possible attacks such as brute force.
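An added example, not part of the original article: a shell function that checks an sshd_config file against tips 3 to 6 and tip 8. The function name audit_sshd_config is hypothetical, PasswordAuthentication is the standard sshd_config keyword for password login (the article does not name it), and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the article: audit an sshd_config-style file
# against tips 3, 4, 5, 6 and 8. Prints one FAIL line per finding and
# returns non-zero when there is at least one.
audit_sshd_config() {
    awk '
    function fail(msg) { print "FAIL " msg; bad = 1 }
    /^[ \t]*(#|$)/ { next }                    # comments and blank lines
    {
        key = tolower($1); sub(/=.*/, "", key) # keywords are case-insensitive
        if (key == "match") exit               # conditional blocks are not audited
        val = $0
        sub(/^[ \t]*[^ \t=]+[ \t=]+/, "", val) # drop the keyword, keep its value
        sub(/[ \t]+$/, "", val)
        if (key == "port") { ports = ports " " val; next }  # Port may repeat
        if (!(key in cfg)) cfg[key] = val      # sshd keeps the first value it reads
    }
    END {
        if (cfg["permitrootlogin"] != "no")
            fail("tip 3: PermitRootLogin is not \"no\"")
        if (!("allowusers" in cfg))
            fail("tip 4: no AllowUsers line, every account may log in")
        if (cfg["protocol"] ~ /1/)
            fail("tip 5: Protocol still lists version 1")
        n = split(ports, p, " ")
        if (n == 0) fail("tip 6: no Port line, sshd listens on 22")
        for (i = 1; i <= n; i++)
            if (p[i] + 0 < 10000 || p[i] + 0 > 65000)
                fail("tip 6: port " p[i] " is outside 10000-65000")
        if (cfg["passwordauthentication"] != "no")
            fail("tip 8: PasswordAuthentication is not \"no\"")
        exit bad + 0
    }' "$1"
}

# Constructed sample input, not a real server configuration.
sample=$(mktemp)
printf '%s\n' '# Protocol 2,1' 'Protocol 2' 'PermitRootLogin yes' \
    'Port 2222' > "$sample"
audit_sshd_config "$sample" || echo "findings listed above"
rm -f "$sample"
```

On a live server, `sshd -T` prints the effective configuration, which also reflects built-in defaults that a file check cannot see.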