Batten down the hatches – A quick guide to harden a Linux server

With the announcement of the 512MB model and the open sourcing of the SoC the RaspberryPi is just going to get more popular. The Pi is a cheap (£26/$35) ARM computer that runs Linux and is being touted as a device to encourage kids (and hobbyists) to learn programming, mainly Python. However as it runs Linux it means that it can be used for almost anything including media centers, file servers and web servers. As more and more people are using these little devices as alternatives to free/paid for hosting I thought I would just drop a few tips on how to help keep these devices safe and under the owners control.

    Basics – Border Controls

This probably goes without saying but if you are going to host your own server then put it in the DMZ of your firewall/router. If you do need it to have access to your LAN then check your firewall/router and see if you can set rules, if so do this remembering to keep the access as tight as you can.
If you can not put it in your DMZ ( router does not support DMZ or another reason ) then only open up ports that are needed, eg http (80) https (443) and not 0-999999. If you are using PHP and a SQL server then remember only the server needs access to the SQL and not the outside world. This is still less secure than using a DMZ as if anyone does manage to gain access to your server then they can start scanning and poking at your internal network!

    Remote Access – Enemy at the Gate

Ok, so you probably want to be able to gain remote access to your server. If you want full access to the command line then you will want to install the OpenSSH Server. There are a couple of things I would suggest doing to your ssh config to make your server a bit more secure.

1. I can not stress this enought – TURN OFF ROOT LOGINS VIA SSH!!!! You should never need it and should never run as root, if you need to do anything with elevated privileges then use ‘sudo’. To turn off root login via ssh;

  • Open /etc/ssh/sshd_config with your editor of choice ( mine is vim ) e.g. sudo vim /etc/ssh/sshd_config
  • Server for ‘PermitRootLogin’, if it has a ‘#’ infront of it remove it and change the end of the line to ‘no’
  • Save the file and restart ssh ( eg sudo /etc/init.d/openssh-server restart)

2. Secondly I restrict the users that can login via ssh. For example I have accounts for ftp and mail which I do not want to be able to login, normally I set the shell for a user I do not want to login to /bin/false but with ftp accounts this is set to a chrooted environment. So to limit ssh access to just the people I want I add the ‘AllowUsers username username2‘ to end the end of my /etc/ssh/sshd_config

3. To find targets to attack most hackers/crackers/script kiddies use automated scanning software which target certain ports ( ssh, mysql, ftp, rdp ). To limit the chance of being picked up on one of these scans you can either;

    • Change the ‘Port’ option at the top of /etc/ssh/sshd_config to something other than 22. Please be aware that this option means you will need to change the open port/rules on your router/firewall.
    • Or change the NAT so that External:8456 is mapped to Internal:22. This means that LAN users can still use port 22 but WAN users will need to use port 8456.

* Tip: If you change the port then ssh will require -pPORT# and scp with require -PPort#

    Banning Remote IPs – Three strikes, your out

The chances are that if you expose your server to the outside world then someone will try to hack it. Given enough time someone could brute force your password and gain access via ssh, to help guard against brute force attacks I install DenyHosts. DenyHosts sits there and monitors /var/log/auth.log for failed logins and with the default Debian config blocks ssh access from offending hosts after 5 attempts. There are a mass of config options available in /etc/denyhosts.conf that can be set. DenyHosts is easy to use and can be installed and left with the default configuration in most cases unless you need to change a few things. A tip I would give is if you know a static IP address you will be accessing from then add it to /etc/hosts.allow to prevent locking yourself out of the server. An alternative to DenyHosts is Fail2Ban but this is a bit more complex in the setup.

    File Transfer – Secure Prisoner Transfer

Years ago the standard for copying files around used to be FTP which is an plain text protocol, in recent times people have taken to using dropbox like services. Dropbox, SkyDrive, GDrive are all good but what if you need to someone to add files to your server or would prefer to keep your data where you can control it? The answer is sFTP (Secure FTP) which is an encrypted protocol. If you want to setup a complicated sFTP server then I suggest you do some more research, if you just want a simple sFTP server then take a look at vsftpd. Vsftpd is an open source sFTP server which comes with the added benefit that chrooting users ( locking them in their home directory instead of giving them access to the whole of the servers file system) is a single configuration line ‘chroot_local_user=YES’ which immediately helps tighten the security on your server.

    In Closing – Food for thought

This guide is in no way complete, but hopefully it will aid a few people in keeping their servers from getting pwned. In brief, don’t run any services you don’t need & those you do make sure you read the config files to see if you can lock them down. Do not run as root, running as a super user is a bad habit created by windows. Install some IPS/IDS (Intrusion Prevention / Detection Software) such as DenyHosts or Fail2Ban to help harden your server. If you have comments, question or thoughts then please leave a comment below.