How to secure a Linux server

I would like to tell you that I'm not a professional in security, but I would like to show you an article about the basic security of a Linux server. The sources for this article are my own experiences and a literature search.

With the spread of single-board computers such as the Raspberry Pi, Banana Pi and Cubieboard, it became possible to have your own server at home. Yes, it's amazing, and if you have a public IP address, you can connect from anywhere. But you have to think about the possible dangers, and these dangers aren't negligible. On the internet there are a lot of bots which want to gain access to your server.

Other attackers can be neighbours. Yes, primary and high school students want to be hackers: they want to hack everything 🙂

Let's take a model situation (it will be easier to explain).

We have a server built on a Raspberry Pi (Banana Pi, BeagleBone, Cubieboard etc.) running Raspbian (Cubian, Debian, Ubuntu, arcOS etc.). The security of the websites it hosts is one problem; the second problem is access to the server itself.

1.) Password

The password is the most important piece of security of all. The attacker first gains access to the server, but then he will try to use the same password to get into other websites and other services. The password has to be as long as you can still remember 🙂 with a lot of "features". Don't forget that you can also use lower- and upper-case letters, punctuation (, ! @ .) and numbers. A password like password1234 isn't as strong as you think, but a password like ThisIsMyServer!2000 is better. Czech, Polish, Italian or other non-English languages have an advantage: their words will often not be in the hacker's dictionary (a list of passwords that is used for attacks on other services, e-mail etc.).

2.) Keep your programs up to date – UPDATE & UPGRADE

Updates are really important: patched packages contain bug fixes and security fixes.

3.) Sometimes less is more than you think

A lot of security problems are caused by third-party software. Don't install a lot of unnecessary software.

4.) Forget about telnet, rlogin, rsh and similar protocols

No way. An encrypted connection comes first. These programs don't provide good protection between client and server.

Use SSH (Secure Shell). Linux distributions ship an SSH server, and you can use a lot of settings for better security:
Change the SSH port. It's not the best protection, but it helps. The default port is 22; change it in /etc/ssh/sshd_config at the line Port 22. For example, Cubian uses port 36000 by default.
Use SSH protocol version 2: the line Protocol 2. (Recent OpenSSH versions support only version 2, so on them the line is unnecessary.)
Forbid root login through SSH. In /etc/ssh/sshd_config change the line PermitRootLogin yes to PermitRootLogin no.

Allow only selected users: AllowUsers UserName

The SSH server can be set to listen only on certain IP addresses: ListenAddress

Alternatively, you can list in /etc/hosts.allow and /etc/hosts.deny the specific IP addresses that have access to specific services (TCP wrappers). hosts.allow is checked first, then hosts.deny, and a client matching neither file is allowed, so for a default-deny policy put ALL: ALL in hosts.deny and list the permitted clients in hosts.allow. Note that upstream OpenSSH dropped TCP wrappers support in version 6.7, so check whether your distribution's sshd still honours these files.
/etc/hosts.allow:

# enable access to all services for localhost
ALL: localhost

# enable access to all services for this IP address
ALL: 192.168.100.101

# enable access to the SSH server only from this IP address
sshd: 110.120.130.140

/etc/hosts.deny:

# forbid access to all services for this IP address
ALL: 10.13.14.15

# forbid access to the SSH server from this IP address
sshd: 100.101.102.103

Will your server be only a web server? Forbid X forwarding: change X11Forwarding yes to X11Forwarding no.

You can use an SSH key instead of a password. How to do it: http://www.cyberciti.biz/faq/how-to-set-up-ssh-keys-on-linux-unix/.

Use the encrypted SSH connection instead of telnet or rlogin, and SFTP instead of FTP.
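The sshd_config settings above can be checked automatically. The following script is an added example, not code from the original article: it reads a config file given on the command line and lists any of the recommended settings (Port, Protocol, PermitRootLogin, AllowUsers, X11Forwarding) that are still at a weak or default value. It assumes the plain "Keyword value" form of sshd_config and ignores Match blocks and Include directives; the script name sshd_audit.sh is my choice.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config file
# against the settings recommended in the text. Only the plain "Keyword value"
# form is handled; Match blocks and Include files are assumed absent.
# Usage: sh sshd_audit.sh /etc/ssh/sshd_config

# Print the effective value of a keyword. sshd uses the first occurrence,
# keywords are case-insensitive, and lines beginning with '#' are comments.
sshd_value() {
    # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print one line per weak or missing setting; prints nothing if all is well.
audit_sshd_config() {
    cfg="$1"

    port=$(sshd_value "$cfg" Port)
    if [ -z "$port" ]; then port=22; fi            # sshd default when unset
    if [ "$port" = "22" ]; then
        echo "Port: 22 (default; the article suggests moving it)"
    fi

    proto=$(sshd_value "$cfg" Protocol)
    if [ -n "$proto" ] && [ "$proto" != "2" ]; then
        echo "Protocol: $proto (only version 2 should be allowed)"
    fi

    root=$(sshd_value "$cfg" PermitRootLogin)
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin: ${root:-unset} (should be no)"
    fi

    users=$(sshd_value "$cfg" AllowUsers)
    if [ -z "$users" ]; then
        echo "AllowUsers: unset (restrict logins to named accounts)"
    fi

    x11=$(sshd_value "$cfg" X11Forwarding)
    if [ "$x11" = "yes" ]; then
        echo "X11Forwarding: yes (set to no on a headless server)"
    fi
    return 0
}

# Run against the file given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

Run it as sh sshd_audit.sh /etc/ssh/sshd_config. After editing sshd_config, check the syntax with sshd -t and keep your existing SSH session open while you verify that a fresh login still works, so that a typo cannot lock you out of the server.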

5.) Make your own user and remove the default login: pi, cubie etc.

How to do it: http://www.tecmint.com/add-users-in-linux/

6.) Only one user should be able to do everything

Don't add every user to the sudoers file (sudo visudo).

7.) Waiting doesn't kill you

If you set a waiting time after failed login attempts in /etc/login.defs (sudo mcedit /etc/login.defs), it's really good: the time needed for cracking will be several times larger. The same applies to the number of allowed failed login attempts. Set some good values, for example a waiting time of 60 (60 s) and 3 failed attempts.
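As an added example (not from the original article), these are the two keys in /etc/login.defs that carry the values suggested above: FAIL_DELAY is the delay in seconds after a failed login and LOGIN_RETRIES the number of attempts allowed.

```text
# /etc/login.defs (excerpt): constructed example with the values from the text
FAIL_DELAY      60
LOGIN_RETRIES   3
```

On distributions that use PAM (Raspbian and Debian among them), the delay is enforced by the pam_faildelay module, which falls back to FAIL_DELAY from login.defs when no delay is given in the PAM configuration, while LOGIN_RETRIES is generally overridden by pam_unix's own retry count. Verify the behaviour on your own system by deliberately mistyping your own password once and timing the prompt.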

8.) Information about the password

Do you know how long your password stays active? No? You can find out with chage -l UserName and change it from the terminal (see chage --help). The new settings of the user account are saved in /etc/shadow.

9.) Restrict devices

Mount options in /etc/fstab let you restrict what can be done with a device that is mounted automatically.

noexec – files on this medium cannot be executed

nodev – special device files (character and block devices) on the partition are not honoured

nosuid – set-user-ID bits on the partition are not honoured

example (/mnt/data is a placeholder mount point):
/dev/sda5 /mnt/data ext3 defaults,noexec,nosuid,nodev 1 2

fields: device-spec | mount-point | fs-type | options | dump | pass
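As an added example, not part of the original article, the script below parses an fstab in the field order shown above and reports every mount point that is missing one of the three options. It skips the root filesystem, swap and proc, because those cannot or need not carry the options, and when run without an argument it checks a constructed sample fstab embedded in the script (the device names and mount points there are made up; the script name fstab_check.sh is my choice).

```shell
#!/bin/sh
# Added example, not from the original article: find /etc/fstab entries that
# lack the noexec, nosuid or nodev option discussed in the text.
# Usage: sh fstab_check.sh /etc/fstab   (no argument: check the built-in sample)

# Print "mount-point option" for every entry missing one of the three
# restrictive options. The root filesystem, swap and proc are skipped:
# / cannot be mounted noexec/nosuid without breaking the system, and the
# other two hold no user files to protect.
fstab_missing_options() {
    awk '
        /^[ \t]*#/ { next }                          # comment lines
        NF == 0 { next }                             # blank lines
        $2 == "/" || $3 == "swap" || $3 == "proc" { next }
        {
            split("", have)                          # clear the table per entry
            have["noexec"] = 0; have["nosuid"] = 0; have["nodev"] = 0
            n = split($4, opts, ",")                 # options are comma-separated
            for (i = 1; i <= n; i++) have[opts[i]] = 1
            for (o in have) if (!have[o]) print $2, o
        }
    ' "$1"
}

# Constructed sample fstab for demonstration; not copied from any real system.
sample_fstab() {
    cat <<'EOF'
# <device>        <mount point>  <type>  <options>                       <dump> <pass>
/dev/mmcblk0p1    /boot          vfat    defaults                        0      2
/dev/mmcblk0p2    /              ext4    defaults,noatime                0      1
/dev/sda5         /mnt/data      ext3    defaults,noexec,nosuid,nodev    1      2
/dev/sdb1         /media/usb     ext4    defaults,nosuid                 0      2
proc              /proc          proc    defaults                        0      0
EOF
}

if [ "$#" -gt 0 ]; then
    fstab_missing_options "$1"
else
    tmp=$(mktemp)
    sample_fstab > "$tmp"
    fstab_missing_options "$tmp"   # sample reports /boot (3 options) and /media/usb (2)
    rm -f "$tmp"
fi
```

A changed fstab only takes effect after a remount (mount -o remount /mnt/data) or a reboot, so compare the report with the live mount table (mount or findmnt) to see what is actually enforced.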

Do you have other ideas on how to improve the security of a Linux server? Did you find a mistake/error/bug in the article? Write me an e-mail: chiptron(a)seznam(dot)cz

Sources:
(Czech) http://www.linuxexpres.cz/praxe/sprava-linuxoveho-serveru-prakticke-rady-pro-zabezpeceni
(Czech) http://www.linuxexpres.cz/praxe/sprava-linuxoveho-serveru-prakticke-rady-pro-zabezpeceni-ssh
http://en.wikipedia.org/wiki/Fstab
http://www.cyberciti.biz/tips/linux-security.html
http://www.tecmint.com/linux-server-hardening-security-tips/
