
Hardening Server Steps

Discussion in 'System Administration' started by dooma, Nov 30, 2023.

  1. dooma

    dooma Active Member

    Hi guys,


    This is what I do to harden a Linux server - do you think this is enough to secure the server 100%, or are there more important steps that should be done?
    • Adding a wheel user with a strong password
    • Creating very strong passwords for the root and the user
    • Disabling Password Authentication
    • Changing the default port number
    • Allowing only the specific created user to log in using ssh.
    • Disabling root login
    • Make sure that the sudo user is working with SSH
    • Activating Google Authenticator for the sudo user and the server admin panel.
    • Installing Centminmod and then adding the vhost with its ssl.
    • Activating the auto-updates and keeping everything up-to-date.
    • Using cloudflare with full SSL.
    Thank you
     
    Last edited: Nov 30, 2023
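    The SSH items in that list map onto a handful of sshd_config keywords, and the usual way they go wrong is a later edit that sshd silently ignores (it keeps the first occurrence of each keyword). The script below is an added example, not code from this thread or from Centmin Mod: it reads a sshd_config and prints PASS/FAIL for each of the list's SSH points, including that key login for the sudo user still works and that keyboard-interactive authentication is on so the Google Authenticator PAM prompt can run. The account name "dooma", port 2222 and both sample config files are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread or from Centmin Mod: check a
# sshd_config against the SSH items in the hardening list (password auth off,
# root login off, non-default port, one allowed user, keys still working,
# keyboard-interactive on for the Google Authenticator PAM module).
# The account name "dooma" and port 2222 are assumptions used for the samples.

# Value sshd would use for a keyword. sshd applies the FIRST uncommented
# occurrence of each keyword and ignores later duplicates, which is a common
# way for a hardening edit to silently do nothing. Assumption: only the global
# section is examined (parsing stops at the first "Match" block) and the
# "Keyword value" spelling is used rather than "Keyword=value".
sshd_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ { next }
        NF == 0          { next }
        tolower($1) == "match" { exit }
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit
        }' "$1"
}

# True when $2 appears as a word in the space-separated list $1.
has_word() {
    for w in $1; do
        if [ "$w" = "$2" ]; then return 0; fi
    done
    return 1
}

# Print one PASS/FAIL line per check. $1 = sshd_config path,
# $2 = the only account that should be allowed in, $3 = the chosen port.
audit_sshd_config() {
    cfg=$1; user=$2; port=$3
    pw=$(sshd_value "$cfg" PasswordAuthentication); pw=${pw:-yes}
    root=$(sshd_value "$cfg" PermitRootLogin);      root=${root:-prohibit-password}
    p=$(sshd_value "$cfg" Port);                    p=${p:-22}
    pub=$(sshd_value "$cfg" PubkeyAuthentication);  pub=${pub:-yes}
    users=$(sshd_value "$cfg" AllowUsers)
    kbd=$(sshd_value "$cfg" KbdInteractiveAuthentication)
    if [ -z "$kbd" ]; then kbd=$(sshd_value "$cfg" ChallengeResponseAuthentication); fi
    kbd=${kbd:-yes}   # sshd default when neither keyword is set

    if [ "$pw" = no ]; then echo "PASS  PasswordAuthentication no"
    else echo "FAIL  PasswordAuthentication is '$pw' (first occurrence wins)"; fi
    if [ "$root" = no ]; then echo "PASS  PermitRootLogin no"
    else echo "FAIL  PermitRootLogin is '$root'"; fi
    if [ "$p" = "$port" ] && [ "$p" != 22 ]; then echo "PASS  Port $p"
    else echo "FAIL  Port is '$p', expected $port"; fi
    if [ "$pub" != no ]; then echo "PASS  PubkeyAuthentication on (key login for $user keeps working)"
    else echo "FAIL  PubkeyAuthentication no (would lock out the key-based sudo user)"; fi
    if has_word "$users" "$user"; then echo "PASS  AllowUsers includes $user"
    else echo "FAIL  AllowUsers is '$users', expected to include $user"; fi
    if [ "$kbd" = yes ]; then echo "PASS  keyboard-interactive on (PAM 2FA prompt can run)"
    else echo "FAIL  keyboard-interactive is '$kbd' (Google Authenticator PAM prompt cannot run)"; fi
}

# Number of failed checks, as a plain number.
count_failures() { audit_sshd_config "$@" | grep -c '^FAIL' || true; }

# Constructed sample files (not real server configs) so the block runs stand-alone.
TMP=$(mktemp -d)
WEAK_CFG=$TMP/sshd_config.weak
HARD_CFG=$TMP/sshd_config.hardened
cat > "$WEAK_CFG" <<'EOF'
# constructed: distribution-style defaults plus a later edit that sshd ignores
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication no
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed: what the hardening list amounts to in sshd_config terms
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
AllowUsers dooma
EOF

echo "== weak =="; audit_sshd_config "$WEAK_CFG" dooma 2222
echo "== hardened =="; audit_sshd_config "$HARD_CFG" dooma 2222
```

    Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config <user> <port>` before restarting sshd, and keep a second session open while testing so a failed check does not become a lockout; the "weak" sample shows the duplicate-keyword trap, where the trailing `PasswordAuthentication no` changes nothing because sshd already took the earlier `yes`.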
  2. eva2000

    eva2000 Administrator Staff Member

    Looks comprehensive.

    A few notes

    1. sudo user can use Centmin Mod tools/addsudouser.sh https://community.centminmod.com/th...do-superuser-on-centmin-mod.11528/#post-49053 which makes sure sudo user works better with Centmin Mod - though not perfect but better than normal sudo user setups. FYI you can inspect Centmin Mod 130.00beta01 code for tools/addsudousers.sh code at https://github.com/centminmod/centminmod/blob/130.00beta01/tools/addsudousers.sh to see what I'm doing for sudo user setup
    Code (Text):
    cd /usr/local/src/centminmod
    tools/addsudousers.sh desiredsudousername
    

    Centmin Mod operation assumes full root user, so if you do sudo, you'd have to switch to root to run Centmin Mod

    2. For ssh key pair logins, keep in mind you want to know how to regain access if you lose ssh keys, and how you regain access can be web host dependent i.e. https://blog.centminmod.com/2020/11...er-being-locked-out-by-iptables-csf-firewall/

    3. 2FA and/or hardware security keys like Yubikey on all online service accounts that support them - i.e. web host, email providers, Cloudflare. I use Authy for 2FA which is synced to primary mobile + backup mobile phone + tablet and desktop Authy. So losing one device won't prevent me from logging in :)
     
  3. dooma

    dooma Active Member

    Thanks a lot sir for your reply!

    This is the first time I've heard of Authy; I read about it now and it seems that it's better than Google 2FA.

    Thank you :)
     
  4. buik

    buik “The best traveler is one without a camera.”

    I don't read anything about a backup strategy of the files with this step list. Very essential. After all, should someone slip in (exploit, leaked passwords, stolen private keys, Critroni ransomware etc.), which can always happen despite the measures and hardening steps you take, you can no longer assume the server is correct. And you will have to go back to an oak point where you can say with (some) certainty that the situation was good.
     
  5. dooma

    dooma Active Member

    Thanks so much for your feedback. I already installed Acronis Backup.. what do you suggest please?? Thank you
     
  6. buik

    buik “The best traveler is one without a camera.”

    Pfoe, that's down to a lot of things. What you need and think is important. I don't know the business case otherwise. If you have been able to successfully restore multiple servers with Acronis Backup before (since you explicitly mention this product), there is little reason to change.
     
  7. eva2000

    eva2000 Administrator Staff Member

    Indeed. There are ways to check if files have been touched, like with Auditd https://community.centminmod.com/th...td-support-added-in-latest-123-09beta01.9071/ though that doesn't say how it was possibly altered.

    For instance with Auditd enabled via Centmin Mod tools/auditd.sh script, there's an Auditd rule named mycnf_changes to monitor /etc/my.cnf MySQL config file and
    Code (Text):
    ausearch -k mycnf_changes | aureport -f -i
    File Report
    ===============================================
    # date time file syscall success exe auid event
    ===============================================
    1. 12/04/2023 09:22:21 /etc/ sendto yes /usr/sbin/auditctl unset 135387
    2. 12/04/2023 09:22:22 /etc/ sendto yes /usr/sbin/auditctl almalinux 135559
    3. 12/04/2023 09:53:32 /etc/my.cnf openat yes /usr/bin/nano almalinux 135688
    

    The first 2 entries are the initial audit rule setup and the 3rd entry is my sudo user (almalinux) using the nano editor to open /etc/my.cnf

    and an example of using tools/auditd.sh to track sudo users

    But Auditd is a reactive and not a proactive measure.

    However, measures and tools are only as good as the person using them and their understanding of the tools. Auditd won't be useful if you don't know how to use it :)
     
    Last edited: Dec 4, 2023
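    The file report above mixes two kinds of entries: the `sendto` lines from /usr/sbin/auditctl are the rule being loaded, and only the `openat` line is someone actually opening /etc/my.cnf. The script below is an added example, not code from this thread or from Centmin Mod: it takes `aureport -f -i` output on stdin and separates successful changes to a watched file from that rule-loading noise and from denied attempts, keyed on the auid (the login account, which survives `sudo`). Report lines 1 to 3 are the ones in the post; lines 4 and 5, the `guest` account, and the form of the `mycnf_changes` rule are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from this thread or from Centmin Mod: parse an
# "aureport -f -i" file report and separate real edits of a watched file from
# rule-loading entries. Lines 1-3 of the sample are from the post; lines 4-5
# and the rule below are constructed assumptions.

# The kind of rule behind the "mycnf_changes" key: watch /etc/my.cnf for writes
# and attribute changes (assumed form; the actual Centmin Mod rule may differ).
MYCNF_RULE='-w /etc/my.cnf -p wa -k mycnf_changes'

# Constructed sample report. Columns: n. date time file syscall success exe auid event
SAMPLE_REPORT='File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 12/04/2023 09:22:21 /etc/ sendto yes /usr/sbin/auditctl unset 135387
2. 12/04/2023 09:22:22 /etc/ sendto yes /usr/sbin/auditctl almalinux 135559
3. 12/04/2023 09:53:32 /etc/my.cnf openat yes /usr/bin/nano almalinux 135688
4. 12/05/2023 10:15:07 /etc/my.cnf openat yes /usr/bin/vim root 135702
5. 12/05/2023 11:02:44 /etc/my.cnf openat no /usr/bin/nano guest 135710'

# Print "auid exe date time event" for each successful syscall on the file in
# $1 that was not made by auditctl itself (loading a rule shows up as sendto
# from /usr/sbin/auditctl, as entries 1 and 2 show). Report text on stdin.
file_changes() {
    awk -v want="$1" '
        /^[0-9]+\. / && $4 == want && $6 == "yes" && $7 != "/usr/sbin/auditctl" {
            print $8, $7, $2, $3, $9
        }'
}

# Denied attempts (success = no) on the same file, as "auid exe event".
# A refused write from an unexpected account is itself worth a look.
denied_attempts() {
    awk -v want="$1" '/^[0-9]+\. / && $4 == want && $6 == "no" { print $8, $7, $9 }'
}

# Distinct login accounts that changed the file. auid stays the original login
# account after "sudo", which is what makes it useful; "unset" means the
# process had no login session (boot-time or daemon activity).
who_changed() { file_changes "$1" | awk '{ print $1 }' | sort -u; }

# Line counter that prints a bare number (wc -l pads on some systems).
count_lines() { awk 'END { print NR }'; }

echo "rule: $MYCNF_RULE"
echo "== successful changes to /etc/my.cnf =="
printf '%s\n' "$SAMPLE_REPORT" | file_changes /etc/my.cnf
echo "== denied attempts =="
printf '%s\n' "$SAMPLE_REPORT" | denied_attempts /etc/my.cnf
echo "== accounts =="
printf '%s\n' "$SAMPLE_REPORT" | who_changed /etc/my.cnf
```

    On a live box the same functions take `ausearch -k mycnf_changes | aureport -f -i` on stdin; as the post says, this only tells you who opened the file and when, not what they wrote, so pair it with a known-good copy of /etc/my.cnf to diff against.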