Online business keeps growing day by day, letting users buy services or products from their doorstep and pay online without visiting a bank. Securing that data is critical, because attackers are actively trying to breach confidential and private information. In this article, you will learn about server configuration and the different ways to protect your server machines.
You just need to follow these 10 steps to set up a server securely before putting it into a production environment. The details may vary from distribution to distribution, but the same concepts apply to any flavor of Linux. Once you have completed all of these server configuration steps, you have added basic protection against the most common attacks.
Quick overview of the server configuration steps and how to approach each one proactively:
| Step | What to configure |
| --- | --- |
| User configuration | Change the root password |
| Network configuration | Assign your server a static IP address and hostname |
| Package management | Install the packages that are not part of the distribution |
| Updates | Update the kernel and packages |
| NTP configuration | Prevent clock drift |
| Firewalls and iptables | Open only the ports the services need |
| Securing SSH | Disable root's ability to SSH in remotely and restrict access to certain IP addresses |
| Daemon configuration | Turn off any daemons you don't need |
| SELinux and further hardening | Protect against unauthorized use of and access to resources |
| Logging | Build a logging structure so you can solve problems quickly |
Changing the root password is the first thing to do before anything else in the server configuration. Use complex passwords that combine numbers, symbols, and upper- and lowercase letters. If you use local accounts, set a password policy that specifies history, lockout, and complexity requirements, and make sure passwords have a minimum length of 8 characters. Disable the root user completely and create separate non-privileged accounts, granting sudo access only to those users who require elevated rights.
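One way to carry out this step on a shadow-utils based distribution, as an added example that is not part of the original article: it locks root, creates an admin account whose sudo rights go through a sudoers drop-in, and checks the local password policy in /etc/login.defs. The `wheel` group and the use of `/etc/sudoers.d` are assumptions (Debian-based systems use the `sudo` group).

```shell
#!/bin/sh
# Added example, not from the article: lock the root account, create a sudo-capable
# admin account and check the local password policy in /etc/login.defs.
# Assumptions: shadow-utils (useradd, passwd, visudo) and a 'wheel' group that
# sudoers already trusts (Debian/Ubuntu use 'sudo' instead). Run as root.

# Return 0 when the login.defs file $1 sets PASS_MIN_LEN to at least 8.
min_len_ok() {
    len=$(awk '$1 == "PASS_MIN_LEN" { print $2 }' "$1")
    [ -n "$len" ] && [ "$len" -ge 8 ]
}

# Return 0 when the file $1 sets a finite PASS_MAX_DAYS (99999 means never expire).
expiry_set() {
    days=$(awk '$1 == "PASS_MAX_DAYS" { print $2 }' "$1")
    [ -n "$days" ] && [ "$days" -lt 99999 ]
}

# Sudoers drop-in line for user $1: full sudo, but the user's own password is still asked.
sudoers_line() {
    printf '%s ALL=(ALL) ALL\n' "$1"
}

# Apply the changes on the host. Safe to re-run.
harden_accounts() {   # $1 = admin user name
    admin=$1
    id "$admin" >/dev/null 2>&1 || useradd -m -G wheel "$admin"
    passwd -e "$admin"                        # force a password change at first login
    sudoers_line "$admin" > "/etc/sudoers.d/$admin"
    chmod 0440 "/etc/sudoers.d/$admin"
    visudo -cf "/etc/sudoers.d/$admin" || { rm -f "/etc/sudoers.d/$admin"; return 1; }
    passwd -l root                            # lock root's password; sudo still works
    min_len_ok /etc/login.defs || echo "WARNING: PASS_MIN_LEN is below 8" >&2
    expiry_set /etc/login.defs || echo "WARNING: passwords never expire" >&2
}

# Only change the system when run directly as root with an admin name argument.
if [ "$(id -u)" -eq 0 ] && [ -n "${1:-}" ]; then
    harden_accounts "$1"
fi
```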
Next, enable network connectivity by assigning an IP address and a hostname. A network server should have a static IP address so that users can always find it at the same address. If you use a VLAN (Virtual Local Area Network), consider how isolated the server's segment is and where the server fits best. If you are not using IPv6, there is no need to turn it on. Set the hostname, the domain (register one if you do not have it), and the DNS server information. Use multiple DNS servers for redundancy, and confirm that name resolution works by testing with nslookup.
A server is usually set up for a particular purpose, so make sure you have installed the packages it needs that are not included in the distribution. Widely used application packages include PHP, NGINX, and MongoDB, along with supporting packages such as pear. Remove any packages you do not need in order to shrink the server's footprint. If you need one of their services later, you can easily install it again through your distribution's package management solution.
Now that the required packages are installed, make sure they are all up to date. It is equally important to keep the kernel and the default packages current. You can stay on an older version if you really need to, but I recommend using the latest versions for security reasons. The package manager reports the latest supported versions and can be configured for automatic updates.
A server configured with the required level of security gives you peace of mind with minimal risk. NTP servers can be internal, or you can use the external time servers that are available to everyone. Preventing clock drift matters because it causes problems such as authentication failures: the time skew between the server and the authenticating infrastructure is checked before access is granted. So preventing clock skew is mandatory for things to work properly.
In this digital world, implementing the required level of security is compulsory. Once you have been hacked, it is very hard to regain the trust of your clients and stabilize the business again. Depending on the distribution, iptables may already be locked down or may require you to open what you need, but never leave it at its defaults. Change the server's configuration to fit your particular needs and always apply the principle of least privilege.
Open only those ports that are strictly required for your services to work. It is good practice to place a dedicated firewall in front of the server, and to make sure your iptables/firewall is restrictive by default.
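A restrictive-by-default ruleset of the kind described above, as an added example that is not part of the original article. It assumes the host serves only SSH, HTTP and HTTPS, that administrators connect from the constructed network 203.0.113.0/24, and that the `iptables-restore` and conntrack tooling is installed.

```shell
#!/bin/sh
# Added example, not from the article: an IPv4 ruleset that is restrictive by
# default, in iptables-restore format. Assumptions: the host serves only SSH,
# HTTP and HTTPS, and administrators connect from ADMIN_NET (203.0.113.0/24 is a
# constructed placeholder). If IPv6 stays enabled, load a matching ruleset with
# ip6tables-restore as well, or the IPv6 side is left wide open.
ADMIN_NET=${ADMIN_NET:-203.0.113.0/24}

# Print the ruleset: drop by default, every accept is explicit and stateful.
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp --dport 22 -s $ADMIN_NET -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 1/s -j LOG --log-prefix "IPT-DROP: " --log-level 4
COMMIT
EOF
}

# Review helper: list the rules that accept NEW connections from any source.
# Everything printed here is reachable from the whole internet.
exposed_rules() {
    ruleset | grep 'ctstate NEW' | grep -v -- ' -s '
}

# Review helper: return 0 when both chains that receive traffic drop by default.
default_deny() {
    ruleset | grep -q '^:INPUT DROP' && ruleset | grep -q '^:FORWARD DROP'
}

# Usage: review with "sh fw.sh", load atomically with "sh fw.sh apply".
case ${1:-} in
    apply) default_deny && ruleset | iptables-restore ;;
    *)     ruleset; echo "# exposed to everyone:"; exposed_rules ;;
esac
```

Keep an out-of-band console available the first time you load it, since a mistake in the SSH rule locks you out.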
SSH plays the same role as the command-line interface used on Windows operating systems: it is the access method for Linux distributions and is used to perform administrative operations. Disable root's ability to SSH in remotely, so that even if root is enabled on the server it cannot be exploited remotely.
You also have the option to restrict access to certain IP addresses if a fixed set of users or client IPs connect to your server. You can change the default SSH port number, but that is not as secure as you might think, because a simple scan reveals the open port to anyone looking for a target. Server configuration is not as difficult as you think; it requires attention to detail for the highest level of security. Implement certificate-based authentication and disable password authentication to reduce the chances of SSH exploitation.
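An audit of an sshd_config against the settings recommended above, plus the hardened fragment itself, as an added example that is not part of the original article. It assumes OpenSSH semantics (first occurrence of a keyword wins, keywords are case-insensitive, `#` starts a comment); the `admin` user name and the 203.0.113.0/24 network are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the article: audit an sshd_config against the settings
# this section recommends and print a hardened version. Assumptions: OpenSSH
# semantics (first occurrence of a keyword wins, keywords are case-insensitive,
# '#' starts a comment); the admin user name and 203.0.113.0/24 are constructed.

# Effective value of keyword $2 in file $1, read the way sshd does: the first
# occurrence wins, and settings inside Match blocks are not global.
sshd_get() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"     { exit }
        tolower($1) == k           { print $2; exit }
    ' "$1"
}

# Print one finding per line; the return value is the number of findings.
# Explicit values are required so the result does not depend on compile-time defaults.
sshd_audit() {
    n=0
    for pair in PermitRootLogin:no PasswordAuthentication:no PubkeyAuthentication:yes \
                PermitEmptyPasswords:no ChallengeResponseAuthentication:no; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(sshd_get "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key is '${got:-unset}', want '$want'"; n=$((n + 1))
        fi
    done
    # The section's IP restriction: AllowUsers user@network or a Match Address block.
    if ! grep -Eiq '^[[:space:]]*(AllowUsers[[:space:]]+.*@|Match[[:space:]]+Address)' "$1"; then
        echo "no source-address restriction (AllowUsers user@net or Match Address)"
        n=$((n + 1))
    fi
    return $n
}

# The hardened fragment. Check it with "sshd -t -f FILE" before restarting sshd.
hardened_config() {
    cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
# only the admin account, and only from the admin network (constructed placeholder)
AllowUsers admin@203.0.113.0/24
EOF
}
```

Run `sshd_audit /etc/ssh/sshd_config` on the live file, and keep one working session open until a new key-based login succeeds after the restart.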
The server is now configured, but a few more things are needed for better security. Set up the right applications to auto-start on reboot and turn off the daemons that are not in use. This proactive step reduces the active footprint, so that only the surface area the applications actually require is exposed to attack. After that, harden the remaining services as much as possible for the highest level of security and resiliency.
SELinux (Security-Enhanced Linux) is a kernel hardening tool, or security architecture, that protects the server machine by controlling which operations are allowed and gives administrators more control over who can access what. In other words, SELinux is the practical implementation of MAC (Mandatory Access Control) on Linux-based distributions. It is a great tool for protecting system resources from unauthorized access. Test your configuration with SELinux enabled so that you can confirm from the logs that nothing legitimate is being blocked. You may also look at the different ways of hardening your other applications, such as MySQL and Apache.
To check whether SELinux is enabled, run sestatus. A status of "enforcing" means you are being protected by SELinux. "permissive" means SELinux is enabled but only logging, not blocking, so it is not protecting you, and "disabled" means it is completely off.
At the final stage, make sure the level of logging you require is enabled and that you have sufficient resources for it. A well-built logging structure lets you solve problems in a short time. Troubleshoot the server to see what information you get, or look at software with a configurable logging structure, to find the balance between not enough data and too much. Third-party tools are also available to help with everything from aggregation to visualization, but you must understand the needs of each environment before you can choose the right tool or set of tools to meet them.
Most importantly, failing to take these server configuration steps is far more dangerous if your server becomes the target of an attack. Following all of these steps is no guarantee of safety, but it makes an intrusion more difficult and time-consuming for malicious actors and requires a higher level of skill to overcome. Data breaches happen, so understand everything you can do to prevent them and do not leave any loophole that gives attackers an opportunity.