BIP KB:
How To Lock Down Your Linux Server For Additional Security

Introduction to Linux Security Linux Security. Most people rarely secure a freshly installed server right off the bat, but in the world we live in this is an absolute must. So if it’s so important to, why do so many people wait and do it last, if at all? I’m as guilty as the next person. It often comes down to just wanting to to start developing and doing the fun stuff. Hopefully this tutorial will show that it is far better secure your server first, and have the peace of mind that attacks are being blocked. With that said, this tutorial provides a way to lock down your linux Ubuntu/Debian and CentOS  servers to help prevent online intruders from getting in. So lets get started!

For Ubuntu/Debian Servers:

Step 1 - Connect to server shell using your favorite SSH client.

Step 2 - Create a user:

adduser username

Step 3 - Grant user sudo access:

Usermod -a -g sudo username

Step 4 - Log out of the server:

Logout

Step 5 - Login as the new user:

ssh username@hostname

CentOS, RHEL or other RPM-based distros:

Step 1 : Create user:

adduser username

Step 2 : Assign user password:

passwd username

Step 3 : Grant user sudo access:

vi sudo


Username all=(all) all

Step 4 : When finished, press ‘Esc’ and type the following:

:wq

Step 5 : Log out of server:

logout

Step 6 : Login as the new user:

ssh username@hostname

To stay even more secure, you can generate a key-pair for certificate-based authentication:

In an SSH session, apply the following steps:

Step 1: Generate key pair:

ssh-keygen

Step 2: A message will come up asking to create a filename, create the desired filename or accept defaults.

Note: Optionally, a passphrase can be generated for the key being used.

Step 3: Once the keys have been generated, they can be copied over to the host.

Scp ../id_rsa.pub username@hostname

Mkdir .ssh

Staying on top of Linux Security

After completing the Linux Security steps above you should now have a server that is locked down and ready to use. Please keep in mind that this is not the end all to server security. Always Stay on top of updates and patches and test them in a non-production environment first. Always close unused ports, and check your logs on a regular basis, and know your servers inside-and-out.