How To Secure Your Linux Server

Linux is still a mystery to most Windows and Mac OS users, but those who have taken the time to use and understand it have experienced one of the most enjoyable operating systems out there, and often find themselves never wanting to return to their former operating system. While the core of Linux is generally the same, it comes in a variety of different versions, such as CentOS, CoreOS, Debian, Fedora, FreeBSD, OpenBSD, RedHat, and Ubuntu. Each of these versions has its pros and cons and its own fan base.

This article will not get into any of them specifically; rather, it will discuss securing your server, with a focus on Ubuntu.

Since Linux is open-source software, the source code is available for anyone and everyone to see, which makes it less prone to viruses and malware. With a technology-based community of software developers and designers, Linux comes with daily updates and upgrades to patch bugs and vulnerabilities in the source code. With so many minds and eyes constantly on the source code, Linux is generally considered the best and safest operating system. Linux distributions are generally free, with some specialized ones possibly being distributed for a small fee, usually on disc.

Microsoft Windows and Mac OS X are built by some of the top paid programmers in the world, but Linux is a global community of volunteers who want the best and continue making the best. Hence the reason for so many versions of Linux, as well as sub-versions like Arch, Bodhi, Elementary, Kubuntu, Mandriva, Mint, openSUSE, and NixOS. What makes each version different is often what it is focused on.

Some Linux versions focus more on security, while others focus more on speed and performance. Others might be more specialized in processing scientific formulas or mathematical equations.

When it comes to security, however, all Linux distributions are primarily concerned with ensuring their security and sustainability, and most come with a decent to large-sized community that continues supporting them. Thus, if you did nothing beyond a default Linux install, you would likely be fine. However, there are still other things you can do to strengthen the security of your Linux server.

If you are using a service like RunCloud on your server, then you may have noticed that it, too, has its own security measures in place for additional protection. RunCloud automatically closes and blocks every unused port from external access. In addition, a well-known program called Fail2Ban is installed, which blocks most hacking and other unwanted attempts against your server. FirewallD, a dynamically managed firewall with support for network/firewall zones that is included by default on several other Linux distributions, is also installed on the Ubuntu Linux server. A wonderful thing about using the RunCloud service is that it logs banned IP addresses within the dashboard, making it easy to unban false positives, as well as your own IP address, which is sometimes a problem: your server banning you can and does happen.

With the understanding that the Linux OS itself is secure and that the RunCloud service adds even more security to the server, we can now look at some of the manual things that can be done to optimally secure your Linux server. This is an extensive, but not exhaustive, list of the things we will be doing to secure the server. To apply these, you will need SSH access.

WARNING: RunCloud support cannot help you with any of these steps, and you acknowledge that you proceed at your own risk. All of these scripts are safe to install. RunCloud must be installed first.

1. Install RunCloud Software 

After launching an instance, before you install anything, you must open up ports 22/tcp (SSH), 80/tcp (HTTP), 443/tcp (HTTPS), and 34210/tcp (RunCloud Communication Port). Paste the installation command RunCloud gives you into your SSH session and sit back while the software installs.

2. Install UFW Firewall

Although RunCloud installs its own firewall, it will not hurt to add another layer by installing the Uncomplicated Firewall, or UFW. This firewall is strictly command line, so enabling or disabling ports needs to be done via SSH.

Here are the commands that should be entered:

sudo apt-get install ufw
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow 443
sudo ufw allow 34210
sudo ufw enable

We are telling the firewall to allow ports 22, 80, 443, and 34210, which are required by RunCloud.
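As an added example (not part of the original article and not RunCloud's own tooling), the script below applies the same rules with numeric ports and then reads `ufw status` back to confirm that every required port really has an ALLOW rule, which is the check you want before you close your SSH session. It assumes ufw is installed and changes nothing unless you run it with APPLY_UFW=1; the `missing_ufw_ports` function takes the status text as a parameter so the check itself can be tried without root.

```bash
#!/bin/sh
# Added example, not RunCloud's code: apply the UFW rules from step 2 and then
# verify from "ufw status" that every required port is really allowed.
# Assumptions: ufw is installed; nothing is changed unless APPLY_UFW=1 is set.

# Ports the article says RunCloud needs (SSH, HTTP, HTTPS, RunCloud agent).
REQUIRED_PORTS="22 80 443 34210"

# Apply the rules using numeric ports, so we do not depend on /etc/services
# resolving "ssh"/"http". --force skips the interactive confirmation on enable.
apply_ufw_rules() {
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    for p in $REQUIRED_PORTS; do
        sudo ufw allow "$p/tcp"
    done
    sudo ufw --force enable
}

# Read "ufw status" text from $1 and print the required ports that have no
# ALLOW rule (empty output means all are present). Taking the text as a
# parameter keeps this checkable without root or a live firewall.
missing_ufw_ports() {
    status="$1"
    missing=""
    for p in $REQUIRED_PORTS; do
        # a rule line looks like "22/tcp   ALLOW   Anywhere"
        if ! printf '%s\n' "$status" | grep -Eq "^${p}/tcp[[:space:]]+ALLOW"; then
            missing="$missing $p"
        fi
    done
    printf '%s\n' "${missing# }"
}

if [ "${APPLY_UFW:-0}" = "1" ]; then
    apply_ufw_rules
    gap=$(missing_ufw_ports "$(sudo ufw status)")
    if [ -n "$gap" ]; then
        echo "WARNING: required ports not allowed: $gap" >&2
        exit 1
    fi
    echo "All required ports are allowed."
fi
```

If `ufw status` reports "Status: inactive", no rule lines are printed and every port shows up as missing, which is the right answer: an inactive firewall allows nothing you asked for.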

3. Secure Shared Memory

Open this file by typing in:

sudo vi /etc/fstab

Add this line:

tmpfs     /run/shm     tmpfs     defaults,noexec,nosuid     0     0

After you’ve added the line, you will need to reboot the server.

Finally, test to ensure it is secure by entering in: 

sudo mount -a

Shared memory is mounted as read/write by default. When memory is shared between applications, it is vulnerable and can easily be exploited by writing to it. The line above will ensure it is read-only and that other applications cannot write to or overwrite memory that other applications are using.
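An added example (not from the article) for confirming the result after the reboot: it reads a /proc/mounts-style listing and reports whether the shared-memory tmpfs actually carries the noexec and nosuid options from the fstab line above. On newer Ubuntu releases one of /run/shm and /dev/shm is a symlink to the other, so the live check follows the symlink first; the listing is passed as a parameter so the logic can be exercised on constructed input.

```bash
#!/bin/sh
# Added example, not from the article: check that the shared-memory tmpfs
# really carries noexec and nosuid after the reboot, reading a
# /proc/mounts-style listing (device mountpoint fstype options dump pass).
# Assumption: the live check follows the symlink between /run/shm and /dev/shm,
# since on newer Ubuntu releases one of them is a symlink to the other.

# Print the mount options of the tmpfs at mount point $1 found in listing $2.
mount_options() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp && $3 == "tmpfs" { print $4; exit }'
}

# Return 0 if the tmpfs at $1 has every option in $3 (comma-separated,
# default noexec,nosuid); otherwise print what is wrong and return 1.
shm_hardened() {
    mp="$1"
    opts=$(mount_options "$mp" "$2")
    wanted="${3:-noexec,nosuid}"
    if [ -z "$opts" ]; then
        echo "no tmpfs mounted at $mp"
        return 1
    fi
    missing=""
    for o in $(printf '%s' "$wanted" | tr ',' ' '); do
        case ",$opts," in
            *",$o,"*) ;;                  # option present
            *) missing="$missing $o" ;;   # option absent
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing on $mp:$missing"
        return 1
    fi
    return 0
}

# Live check against the running system (run with CHECK_LIVE=1).
check_live_shm() {
    real=$(readlink -f /run/shm 2>/dev/null || echo /run/shm)
    shm_hardened "$real" "$(cat /proc/mounts)"
}

if [ "${CHECK_LIVE:-0}" = "1" ]; then
    check_live_shm && echo "shared memory is mounted noexec,nosuid"
fi
```

Run it with CHECK_LIVE=1 after `sudo mount -a` or the reboot; a non-zero exit with "missing on ..." means the fstab line did not take effect on the path that is actually mounted.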

4. Prevent Source Routing of Incoming Packets

Open the file:

sudo vi /etc/sysctl.conf

You may add or un-comment the following lines:

# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1

To get these to actually work, you will need to reload the changes by typing:

sudo sysctl -p

In a nutshell, we adjusted kernel network settings so that the server drops source-routed packets and ICMP redirects, filters spoofed sources with reverse-path checks, ignores broadcast and directed pings, enables SYN cookies against SYN floods, and logs martian packets.
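An added example (not from the article) that turns `sudo sysctl -p` into a verifiable step: it parses text in sysctl.conf format and compares each key with what the running kernel reports, so a typo in a key name or a forgotten reload shows up as drift rather than silently doing nothing. The SYSCTL_FAKE variable is an assumption of this script, not a sysctl feature; when set it stands in for the kernel so the comparison can be run offline. One caveat on the settings themselves: `net.ipv4.icmp_echo_ignore_all = 1` means the host stops answering ping, so any uptime monitor that relies on ping will report it down.

```bash
#!/bin/sh
# Added example, not from the article: compare the settings you put in
# /etc/sysctl.conf with what the running kernel reports, so a typo or a
# forgotten "sysctl -p" shows up as drift instead of silently doing nothing.
# Assumption: SYSCTL_FAKE (a "key value" table) stands in for the live kernel
# when set, which is how the offline check below works.

# Current value of one sysctl key, or empty if it does not exist.
read_sysctl() {
    if [ -n "${SYSCTL_FAKE:-}" ]; then
        printf '%s\n' "$SYSCTL_FAKE" | awk -v k="$1" '$1 == k { print $2; exit }'
    else
        sysctl -n "$1" 2>/dev/null
    fi
}

# $1 is text in sysctl.conf format ("key = value", '#' comments, blank lines).
# Prints one "key expected=X actual=Y" line per mismatch; prints nothing when
# the kernel matches the file.
sysctl_drift() {
    printf '%s\n' "$1" |
        sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e 's/[[:space:]]*=[[:space:]]*/ /' |
        while read -r key expected; do
            actual=$(read_sysctl "$key")
            if [ "$actual" != "$expected" ]; then
                printf '%s expected=%s actual=%s\n' "$key" "$expected" "${actual:-<unset>}"
            fi
        done
}

# Live check (run with CHECK_SYSCTL=1): exit non-zero if anything drifted.
if [ "${CHECK_SYSCTL:-0}" = "1" ]; then
    drift=$(sysctl_drift "$(cat /etc/sysctl.conf)")
    if [ -n "$drift" ]; then
        printf 'sysctl drift detected:\n%s\n' "$drift" >&2
        exit 1
    fi
    echo "running kernel matches /etc/sysctl.conf"
fi
```

A key that the kernel does not know (for example a misspelled one) is reported as `actual=<unset>`, which is exactly the case `sysctl -p` only warns about in passing.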

5. Prevent IP Spoofing

IP Spoofing is the creation of Internet Protocol packets with a false source IP address, for the purpose of impersonating another computing system.

Type in this command:

sudo vi /etc/host.conf

Add or edit these lines: 

order bind,hosts
nospoof on

6. Install ModSecurity and Dependencies

sudo apt-get install libxml2 libxml2-dev libxml2-utils
sudo apt-get install libaprutil1 libaprutil1-dev
sudo ln -s /usr/lib/x86_64-linux-gnu/libxml2.so.2 /usr/lib/libxml2.so.2
sudo apt-get install libapache2-mod-security2
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

After this is done, we need to activate the rules.

sudo vi /etc/modsecurity/modsecurity.conf

Change:

SecRuleEngine DetectionOnly

To:

SecRuleEngine On

Add this line:

SecServerSignature FreeOSHTTP

Edit the following lines to:

SecRequestBodyLimit 16384000
SecRequestBodyInMemoryLimit 16384000

Download and install the latest OWASP (Open Web Application Security Project) Core Rule Set.

cd /tmp
sudo wget -O SpiderLabs-owasp-modsecurity-crs.tar.gz https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
sudo tar -zxvf SpiderLabs-owasp-modsecurity-crs.tar.gz
sudo cp -R SpiderLabs-owasp-modsecurity-crs-*/* /etc/modsecurity/
sudo rm SpiderLabs-owasp-modsecurity-crs.tar.gz
sudo rm -R SpiderLabs-owasp-modsecurity-crs-*
sudo mv /etc/modsecurity/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf

Next is a bit of a lengthy process, but we need to create symbolic links to activate all of these rules.

cd /etc/modsecurity/base_rules
for f in * ; do sudo ln -s /etc/modsecurity/base_rules/$f /etc/modsecurity/activated_rules/$f ; done
cd /etc/modsecurity/optional_rules
for f in * ; do sudo ln -s /etc/modsecurity/optional_rules/$f /etc/modsecurity/activated_rules/$f ; done

Next we need to update Apache2 to understand the new rules, but first we will make everything align with RunCloud.

sudo mv /etc/apache2/mods-available /etc/apache2-rc/mods-available
sudo rm -rf /etc/apache2
sudo vi /etc/apache2-rc/mods-available/mod-security.conf

Add this line:

Include "/etc/modsecurity/activated_rules/*.conf"

We are getting there, but there are just a few more steps! We need to check whether what we did is actually working. First, ensure you have set a ServerName.

sudo vi /etc/apache2-rc/httpd.conf

Add this line:

ServerName localhost

Next run the following command:

httpd -M | grep sec

If no error occurs, then you did everything just fine and ModSecurity is loaded.

6. Install ModEvasive and Dependencies

This will add additional protection against DDoS attacks.

Type in the following commands and hit Y if asked.

sudo apt-get install libapache2-mod-evasive
sudo mkdir /var/log/mod_evasive
sudo vi /etc/apache2-rc/mods-available/mod-evasive.conf

Add this code:

<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 10
    DOSLogDir /var/log/mod_evasive
    DOSEmailNotify EMAIL@DOMAIN.com
    DOSWhitelist 127.0.0.1
</IfModule>

Finally, run this command to restart Apache2.

sudo systemctl restart apache2-rc
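An added example (not RunCloud's, ModSecurity's or ModEvasive's code) covering two points from the ModSecurity and ModEvasive steps above: a safer version of the rule-activation loop that creates the target directory, skips links that already exist and can be re-run, plus the verification that `httpd -M | grep sec` does by eye, extended to check that SecRuleEngine is On and that both modules are loaded. It assumes the rule files are in the directories passed to it and that the module listing is the output of `httpd -M` as used in the article; Apache registers mod_security2 as `security2_module` and mod_evasive as `evasive20_module`.

```bash
#!/bin/sh
# Added example, not RunCloud's or ModSecurity's code: a safer version of the
# rule-activation loop from step 6 (creates the target directory, skips links
# that already exist, never fails on a re-run), plus checks that SecRuleEngine
# is On and that both the ModSecurity and ModEvasive modules are loaded.
# Assumptions: rule files live in the directories passed as arguments; the
# module listing is the output of "httpd -M" as used in the article.

# Link every regular file in $1 into $2; print how many new links were made.
activate_rules() {
    src="$1"
    dst="$2"
    n=0
    mkdir -p "$dst"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        [ -e "$dst/$name" ] && continue      # already activated
        ln -s "$f" "$dst/$name" && n=$((n + 1))
    done
    echo "$n"
}

# True if a modsecurity.conf text ($1) has SecRuleEngine On (not DetectionOnly).
rule_engine_on() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*SecRuleEngine[[:space:]]+On[[:space:]]*$'
}

# Given the "httpd -M" listing in $1, print expected modules that are absent.
# Apache names them security2_module (mod_security2) and evasive20_module.
missing_modules() {
    missing=""
    for m in security2_module evasive20_module; do
        printf '%s\n' "$1" | grep -q "^[[:space:]]*$m" || missing="$missing $m"
    done
    printf '%s\n' "${missing# }"
}

# Live run (ACTIVATE_RULES=1) using the article's paths; needs root.
if [ "${ACTIVATE_RULES:-0}" = "1" ]; then
    [ "$(id -u)" = "0" ] || { echo "run as root" >&2; exit 1; }
    for d in base_rules optional_rules; do
        echo "$d: $(activate_rules /etc/modsecurity/$d /etc/modsecurity/activated_rules) new links"
    done
    rule_engine_on "$(cat /etc/modsecurity/modsecurity.conf)" ||
        echo "WARNING: SecRuleEngine is not On" >&2
    gap=$(missing_modules "$(httpd -M 2>/dev/null)")
    [ -z "$gap" ] || echo "WARNING: modules not loaded: $gap" >&2
fi
```

Because existing links are skipped, running the activation twice reports 0 new links instead of a wall of "File exists" errors, which makes it safe to put in a provisioning script.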

7. Install DenyHosts

If you left RunCloud alone with just Fail2Ban, you would be just fine. Fail2Ban will do its job and ban IP addresses and other hosts that attempt to brute-force or attack your server. However, an underestimated but powerful program that complements Fail2Ban is DenyHosts.

sudo apt-get install denyhosts

DenyHosts will automatically do its job.

8. PSAD Intrusion Detection

sudo apt-get install psad
sudo vi /etc/psad/psad.conf

PSAD works by analyzing iptables log messages, so the firewall must log packets for it to see anything. The following are iptables commands to run from the shell (not lines to put in psad.conf):

sudo iptables -A INPUT -j LOG
sudo iptables -A FORWARD -j LOG
sudo ip6tables -A INPUT -j LOG
sudo ip6tables -A FORWARD -j LOG

Next we will restart PSAD, update its signatures, reload it, and check its status.

sudo psad -R
sudo psad --sig-update
sudo psad -H
sudo psad --Status

9. Checking For Rootkits

There are two programs here that basically do the same thing, but check for a variety of different signatures. A rootkit is a set of tools that hides the presence of an attacker; these programs will expose them to you. Running the last command may take up to 5 minutes depending on your system.

sudo apt-get install rkhunter chkrootkit
sudo chkrootkit
sudo rkhunter --propupd
sudo rkhunter --check

10. Scanning For Open Ports

Nmap is security-auditing software that scans for open ports. The only ports that should be in use are 22/tcp (SSH), 80/tcp (HTTP), 81/tcp, 443/tcp (HTTPS), and 34210/tcp (RunCloud Communication Port), plus 3306/tcp (SQL) if you have installed a database.

sudo apt-get install nmap
nmap -v -sT localhost
sudo nmap -v -sS localhost
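An added example (not from the article) that turns the scan into a yes/no check: it parses nmap's normal output and prints every open port that is not on the article's list of expected ports. It assumes the usual "PORT STATE SERVICE" output format. Note that scanning localhost also shows services bound only to 127.0.0.1 (a database on 3306 is the typical case), so this is the local view of what is listening, not what the outside world can reach.

```bash
#!/bin/sh
# Added example, not from the article: run the nmap scan from step 10 and flag
# every open port that is not on the article's list of expected ports, so the
# scan result becomes a yes/no answer instead of something to eyeball.
# Assumption: nmap's normal output format ("PORT  STATE  SERVICE" lines).

# Ports the article allows: SSH, HTTP, 81, HTTPS, RunCloud agent, MySQL.
EXPECTED_PORTS="22 80 81 443 34210 3306"

# Read scan output from $1 and print "port/proto service" for each open port
# that is not in EXPECTED_PORTS (empty output means nothing unexpected).
unexpected_open_ports() {
    printf '%s\n' "$1" | awk -v allow="$EXPECTED_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ {
            split($1, p, "/")
            if (!(p[1] in ok)) print $1, $3
        }'
}

# Live scan (run with SCAN_LIVE=1): a SYN scan needs root, hence sudo.
if [ "${SCAN_LIVE:-0}" = "1" ]; then
    extra=$(unexpected_open_ports "$(sudo nmap -sS localhost)")
    if [ -n "$extra" ]; then
        printf 'unexpected open ports:\n%s\n' "$extra" >&2
        exit 1
    fi
    echo "only expected ports are open"
fi
```

Ports reported as filtered or closed are ignored on purpose; only a state of "open" means a service is actually accepting connections.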

11. Log Watch

If you would like to receive daily updates about your server beyond the scope of the RunCloud service, you will want to install this useful utility, which will provide you with an account of brute-force and login attempts on your server.

sudo apt-get install logwatch libdate-manip-perl

To view your logs:

sudo logwatch | less

To email your logs, use the command below. You can change the period covered by each report; below it is set to the past week, in HTML format.

sudo logwatch --mailto mail@mydomain.com --output mail --format html --range 'between -7 days and today'

12. Install AppArmor

AppArmor is a Mandatory Access Control (MAC) system, implemented as a kernel Linux Security Module (LSM), that confines programs to a limited set of resources. AppArmor’s security model binds access control attributes to programs rather than to users.

sudo apt-get install apparmor apparmor-profiles
sudo apparmor_status

13. Tiger

Tiger is a security tool that can be used as a security audit and intrusion detection system.

sudo apt-get install tiger
sudo tiger
sudo less /var/log/tiger/security.report.*

Running Tiger will take several minutes for the security audit to complete.

We are nearly done with our security audit of the Linux server. The remaining items require the RunCloud dashboard.

14. Generate and Add SSH Keys

The way to generate and add SSH keys can be found within the RunCloud documentation.

15. Create A Superuser — that is not Root

You will want to create a superuser with the same privileges as root that is not root, then check off Passwordless Login in the settings, and finally Prevent Root Login, which can also be found in the settings.

16. Use Hard-To-Guess Passwords

RunCloud itself has a very powerful password generator that lets you choose from 5 to 60 characters. When you go to the Database section, choose Add New Database User and click on Generate Password. You can leave it on the default, which is 32 characters, or you can go more or less. It is highly recommended that your password be at least 16 characters long.

Utilizing this powerful password tool provided by RunCloud for your RunCloud login, your WordPress login, any other CMS you use, your database password, and anything else you can think of will guarantee the absolute hardened security of your server. Using the RunCloud password generator will guarantee that your password will take a computer working every day, 24/7, without rest, a few million years just to crack.

While every step listed above will help toughen the security of your server, a weak password is like handing a hacker the key to the front door, so ensure that your passwords are not written down in a public email and that you store them in a safe place.

The steps involved in this article were carefully chosen and tested with a new RunCloud installation. Installing or using any other tools to secure your server may risk breaking the RunCloud installation, and you do so at your own risk. RunCloud support cannot help you. It is highly advised that you follow all of these steps on a new installation and not on an existing server, unless you feel comfortable or have made several backups of your existing data.

Neither RunCloud nor the author of this blog post can be held responsible for any data loss that may occur, even if you have followed all the steps above.

11 thoughts on “How To Secure Your Linux Server”

  1. Hey Darkpollo, RunCloud will take care of all your security. This was written simply to add additional methods to secure your server. I wrote this to provide additional security methods. If you were to do nothing, you would most likely be fine. If you did add these security protocols, you would just add ‘extra’. Imagine RunCloud building a fence around your yard. Now imagine personally setting up 2 additional fences. It’s just extra security. You don’t need to do this at all. If you wanted to feel more secure, you could follow my methods.

  2. Still confused.
    There is no such thing as too much security.
    If this is recommended, then runcloud should do it. If it is not, then I do not see the point of the whole post.
    Maybe it is just me.

  3. Darkpollo has got a point, plus you may have forgotten to mention that anything you install in addition to RunCloud’s setup will need to be kept up to date.

    Create a snapshot before attempting any of the above.

    On the other hand, it has good recommendations. I have Google Authenticator on several of my servers, works a treat.

  4. One month later and no reply from runcloud.
    That is the reason I still do not use runcloud for production sites….

  5. Matthew Gates

    My sincere apologies for my lack of response to this article, Darkpollo. This goes for you too, Girish and Bert.

    Let me better explain this article and why I wrote it. I am fascinated with security myself and love it. Sometimes I can become too obsessed with it at times, and that is why I wrote this article. There sometimes is such a thing as over-optimization, over-caching, and over-security and I’ve run into the issues myself.

    Over-optimization makes your website run too efficiently meaning that you have installed caching plugins, scripts, and optimization plugins that minify your website, scripts within your website, and even images. The issues here are that over-optimization can lead to code breaking, especially Javascript.

    Overcaching tends to work by having multiple utilities trying to cache your website. You can have Memcached, Redis, along with a CDN and more. Sometimes, your website will become so overcached that you won’t be able to see the changes.

    Finally, we’ve got over-security where your website is so secure you risk a chance of locking yourself out.

    When you install RunCloud, you get FirewallD and Fail2Ban. These two software scripts alone are more than enough to prevent anyone from hacking into your server, taking over it, and wreaking havoc. RunCloud provides you with all the security you need to run your server. If you install RunCloud, you need to do nothing else with your security.

    I wrote this as a piece for those who wanted additional security, who were obsessed and felt like they weren’t secure enough. Again: RunCloud isn’t responsible for this, as some of these methods could lead to over-security, locking you out of your server, and overprotection. RunCloud cannot be held responsible for the suggestions of this article, thus — it is not accurate to say, “RunCloud should be taking care of all this.” RunCloud already does what is necessary.

    So if I say, “the government should be taking care of all this”, I mean that if I am in trouble and I call 911 for help, I expect the police department or fire department to respond to my inquiry. However, the government IS NOT RESPONSIBLE for installing a security system around my house OR making sure I lock my door at night. That is MY RESPONSIBILITY. They are somewhat responsible for someone breaking into my house, meaning if there is crime around my neighborhood then more police officers need to be hired to patrol the surrounding areas. By doing what is necessary, RunCloud has its own police force by installing FirewallD and Fail2Ban.

    This is not typical of ANY service to install all of this security. It may lead to external third parties trying to connect to your website being blocked and is only recommended for those who know what they are doing. In most cases, for a basic website, this is too much security. If you are running a website that deals with money and things like that, you could even run into issues of those third-party payment processors being blocked. But this will secure your server beyond what is really necessary.

    This is, in its own way, Fort Knox level type of security, and isn’t recommended for everyone. It’s like putting mansion-level types of security around your small house. So this is why RunCloud does not perform this type-level of security. It’s like putting up 5 gates, a security eye scan, a hand scan, a voice scan, etc. It’s not needed and would be way too much for any basic website. If, however, you were the owner of Amazon or Facebook, you’d probably want to secure your code to the fullest extent beyond a reasonable doubt.

    FirewallD is a firewall that closes all ports by default and monitors basic connections in and out. Fail2Ban prevents servers from connecting and attempting brute force password-guessing on your server and once it detects this is happening, usually after the fifth attempt will ban the suspicious IP address forever.

    So anyone reading this article: if you are a security buff or just want to secure your house with 10 different means of getting in, this is the type of stuff you would install on your server. For my own house that I live in, I have a security lock pad on my door, several security cameras in multiple spots around my house, a bird that chirps, and a small Lhasa Apso dog that barks. I don’t need a gate or an armed guard or anything like that. That is really all the security I need. I hope this clears things up for everyone reading.

    And as I said: you add this extra security to your server AT YOUR OWN RISK. RunCloud cannot possibly be held responsible for YOU installing more than you need.

    As for RunCloud: I write articles for RunCloud but I do not work on the RunCloud core code. I DO trust RunCloud to run my LIVE websites, as thousands of users do, without any issues at all. But this specific article is for those who want to experiment with more security on their servers — and that type of level security goes beyond what ANY company will offer to you, no matter where you go or who you host with or any type of server software that you install.

  6. Matthew, You forgot to mention and most importantly that RunCloud doesn’t update the server kernel, so it is the job of the customer to do it.
    And I think this should be indicated clearly to customers as a vulnerability in a kernel can have a lot of disastrous consequences.

    1. Thank you Alex. RunCloud applies updates to general and major security updates. I did try to cover some extra security measures that most users won’t have to worry about at all for a basic website. I think if you’re a bigger business handling a lot of customer data, it never hurts to reach out to a web administrator or even RunCloud support to ensure everything is properly functioning on the server. If you choose a web host like Vultr (aff link) and start up a VPS, they do offer DDoS protection.

  7. Thank you for the reply.
    I now understand this better and I can see this is “an extra” and not something you need in your server.
