Before putting your new Linux server into service, there are 6 key steps in setting up the server that you need to take. The details of these steps vary from distribution to distribution, but conceptually they apply to any flavor of Linux. By checking these steps off on every new server, you ensure that it has at least basic protection against the most common attacks.
1/6 User Configuration and Network Configuration for Linux
The very first thing among the 6 key steps in setting up the server is changing the root password. The password should be at least 8 characters long and use a combination of upper- and lowercase letters, numbers, and symbols. You should also set up a password policy that specifies aging, locking, history, and complexity requirements. In most cases, you should disable the root user entirely and create non-privileged user accounts for day-to-day work.
One of the most basic configurations you’ll need to make is to enable network connectivity by assigning the server an IP address and hostname. If your network uses VLANs, consider how isolated the server’s segment is and where it would best fit. If you don’t use IPv6, turn it off. Set the hostname, domain, and DNS server information.
2/6 Package Management, Update Installation, and Configuration
Presumably, you’re setting up your new server for a specific purpose, so make sure you install whatever packages you need if they aren’t part of the distribution you’re using. Likewise, any extraneous packages installed on your system should be removed to shrink the server’s footprint and attack surface. All of this should be done through your distribution’s package management solution. Once you have the right packages installed, make sure everything is updated: not just the packages you installed, but the kernel and default packages as well. Unless you have a requirement for a specific version, you should always use the latest production release to keep your system secure; usually, your package management solution will deliver the newest supported version. You should also consider setting up automatic updates within the package management tool if doing so works for the service(s) you’re hosting on this server.
3/6 NTP Configuration for Linux Server
Configure your Linux server to sync its time to NTP servers. These could be internal NTP servers if your environment has them, or public time servers that are available to anyone. What’s important is to prevent clock drift, where the server’s clock skews away from the actual time. Drift causes a lot of problems, including authentication failures, because the authenticating infrastructure measures the time skew between itself and the server before granting access. This should be a simple tweak, but it’s a critical bit of reliable infrastructure.
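As an added example (not code from the original article), the following script turns the drift check into something a monitoring job can run. It assumes chrony is the NTP client (so it parses `chronyc tracking`; ntpd users would parse `ntpq -p` instead) and that a tolerated offset of 0.5 seconds is acceptable, which is an assumption you should set below whatever your authentication infrastructure allows. The two sample outputs are constructed for the demo, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original article: flag clock drift from the
# output of `chronyc tracking` (chrony assumed as the NTP client). The two
# sample outputs below are CONSTRUCTED for the demo.

# Largest offset from NTP time we tolerate, in seconds (assumed threshold).
MAX_OFFSET_SECONDS="${MAX_OFFSET_SECONDS:-0.5}"

# check_ntp_drift: reads `chronyc tracking` output on stdin, prints a
# verdict, returns 0 when synchronised and within threshold, 1 otherwise.
check_ntp_drift() {
    awk -v max="$MAX_OFFSET_SECONDS" '
        /^Leap status/ { if ($0 ~ /Not synchroni[sz]ed/) unsynced = 1 }
        # "System time : 0.000123 seconds fast of NTP time" -> $4 is the magnitude
        /^System time/ { offset = $4 + 0; seen = 1 }
        END {
            if (!seen)        { print "FAIL: no System time line (is chronyd running?)"; exit 1 }
            if (unsynced)     { print "FAIL: clock is not synchronised to any source"; exit 1 }
            if (offset > max) { printf "FAIL: offset %.3fs exceeds %.3fs\n", offset, max; exit 1 }
            printf "OK: offset %.6fs is within %.3fs\n", offset, max
        }'
}

# Constructed sample: a healthy, synchronised host.
sample_healthy() {
cat <<'EOF'
Reference ID    : C0A80001 (ntp.internal.example)
Stratum         : 3
Ref time (UTC)  : Thu Jan 04 10:00:00 2024
System time     : 0.000123456 seconds fast of NTP time
Last offset     : +0.000012345 seconds
RMS offset      : 0.000034567 seconds
Frequency       : 12.345 ppm slow
Residual freq   : +0.001 ppm
Skew            : 0.123 ppm
Root delay      : 0.012345678 seconds
Root dispersion : 0.001234567 seconds
Update interval : 64.2 seconds
Leap status     : Normal
EOF
}

# Constructed sample: chronyd has no reachable source and the clock has drifted.
sample_drifted() {
cat <<'EOF'
Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 312.456789000 seconds slow of NTP time
Last offset     : +0.000000000 seconds
RMS offset      : 0.000000000 seconds
Frequency       : 0.000 ppm slow
Residual freq   : +0.000 ppm
Skew            : 0.000 ppm
Root delay      : 1.000000000 seconds
Root dispersion : 1.000000000 seconds
Update interval : 0.0 seconds
Leap status     : Not synchronised
EOF
}

# `--live` checks the running host; otherwise run the two constructed samples.
if [ "${1:-}" = "--live" ]; then
    chronyc tracking | check_ntp_drift
else
    sample_healthy | check_ntp_drift
    sample_drifted | check_ntp_drift || true
fi
```

Run it with `--live` from cron or your monitoring agent and alert on a non-zero exit; the "not synchronised" case is checked separately from the offset because a freshly booted server can report a tiny offset while having no source at all.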
4/6 Firewalls and iptables
Depending on your distribution, iptables may already be completely locked down and require you to open what you need, but regardless of the default configuration, you should always take a look at it and make sure it’s set up the way you want. Remember to open only those ports you absolutely need for the services on that server. Assuming your iptables/firewall is restrictive by default, don’t forget to open up what you need for your server to do its job!
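The following added example (not from the original article) generates a default-deny iptables ruleset in `iptables-restore` format for the TCP ports a server actually needs. It only prints the ruleset so you can review it before loading; the port list is an assumption you supply per server, and the demo values 22 and 443 are placeholders. If you are working over SSH, make sure the SSH port is in the list before loading the result, and remember that IPv6 needs a separate ip6tables ruleset if you left IPv6 enabled.

```shell
#!/bin/sh
# Added example, not from the original article: emit a default-deny
# iptables ruleset for the listed TCP ports. Review the output, then load
# it with `iptables-restore < rules.v4` and persist it the way your
# distribution expects. Ports are per-server assumptions.

# gen_ruleset PORT [PORT...]: prints the ruleset; returns 2 on bad input.
gen_ruleset() {
    if [ "$#" -eq 0 ]; then
        echo "usage: gen_ruleset PORT [PORT...]" >&2
        return 2
    fi
    # Validate every port before printing anything, so a typo never yields
    # a half-written ruleset.
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 2 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2
            return 2
        fi
    done
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host already has open
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP echo so monitoring and basic troubleshooting keep working
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    # One explicit ACCEPT per required service port (new connections only).
    for p in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done
    cat <<'EOF'
# log (rate-limited) whatever falls through, then the DROP policy applies
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Demo: script arguments are the ports; with none, show SSH and HTTPS.
if [ "$#" -gt 0 ]; then
    gen_ruleset "$@"
else
    gen_ruleset 22 443
fi
```

The rate-limited LOG rule is what makes the policy auditable later: dropped packets show up in the kernel log with the `iptables-drop:` prefix, which is where you look when a service "mysteriously" cannot be reached after hardening.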
5/6 Securing SSH and Daemon Configuration
SSH is the main remote access method for Linux distributions and as such should be properly secured. You should disable root’s ability to SSH in remotely, even if you have disabled the account. Optionally, you can change the default SSH port to “obscure” it. Finally, you can disable password authentication altogether and use key- or certificate-based authentication to reduce the chances of SSH exploitation. It’s also important to set the right applications to autostart on reboot, and to turn off any daemons you don’t need. Once this is done, the remaining services should be hardened as much as possible to ensure resiliency.
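As an added example (not from the original article), here is a small audit script for the sshd settings just described. Two sshd parsing rules defeat a naive grep, so the checker implements them: keywords are case-insensitive, and for each keyword the first uncommented value wins, with later duplicates silently ignored. Directives after the first `Match` line are conditional, so the global lookup stops there. The sample config is constructed to show both traps; the defaults assumed when a keyword is absent (`prohibit-password` for `PermitRootLogin`, `yes` for the other two) are those of OpenSSH 7.0 and later.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config for
# root login, password authentication and public-key authentication.
# Pass a real path as $1 to audit a server; otherwise a CONSTRUCTED sample
# config is audited.

# sshd_effective KEYWORD FILE: print the effective global value of KEYWORD,
# or nothing if it is not set (sshd then uses its compiled-in default).
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/^[[:space:]]+/, "", line) }
        line == "" || line ~ /^#/ { next }                  # whole-line comments only
        { k = line; sub(/[[:space:]=].*$/, "", k); k = tolower(k) }
        k == "match" { exit }                               # conditional section begins
        k == key {
            v = line
            sub(/^[^[:space:]=]+[[:space:]=]+/, "", v)       # drop the keyword
            sub(/[[:space:]]+$/, "", v)
            print v; exit                                   # first value wins
        }
    ' "$2"
}

# check_is FILE KEYWORD WANT DEFAULT: prints an OK/FAIL line; returns 1 on FAIL.
# DEFAULT is what sshd assumes when the keyword is absent (assumed OpenSSH 7.0+).
check_is() {
    raw="$(sshd_effective "$2" "$1")"
    eff="$(printf '%s' "${raw:-$4}" | tr 'A-Z' 'a-z')"
    if [ "$eff" = "$3" ]; then
        printf 'OK   %s = %s\n' "$2" "$eff"
    else
        printf 'FAIL %s = %s (want %s)\n' "$2" "${raw:-<unset, default $4>}" "$3"
        return 1
    fi
}

# sshd_audit FILE: run the checks; the return value is the number of findings.
sshd_audit() {
    findings=0
    check_is "$1" PermitRootLogin        no  prohibit-password || findings=$((findings + 1))
    check_is "$1" PasswordAuthentication no  yes               || findings=$((findings + 1))
    check_is "$1" PubkeyAuthentication   yes yes               || findings=$((findings + 1))
    port="$(sshd_effective Port "$1")"
    printf 'INFO Port = %s\n' "${port:-22 (default)}"
    return "$findings"
}

# Constructed sample config (not from a real host): the lowercase
# "permitrootlogin yes" wins over the later "PermitRootLogin no", and the
# only uncommented PasswordAuthentication sits inside a Match block.
SAMPLE_CFG="${TMPDIR:-/tmp}/sshd_config.sample.$$"
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat >"$SAMPLE_CFG" <<'EOF'
# Constructed sample config (not from a real host)
Port 2222
permitrootlogin yes
PermitRootLogin no
#PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
EOF

sshd_audit "${1:-$SAMPLE_CFG}" || echo "audit: $? finding(s)"
```

On the sample this reports two findings: root login is effectively still `yes`, and password authentication is still at its default because the only `no` lives inside a `Match` block. Both are configurations that pass a quick `grep PermitRootLogin` by eye, which is why the check should use sshd's own precedence rules.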
6/6 SELinux, Further Hardening, and Logging
If you’ve ever used a Red Hat distro, you might be familiar with SELinux, the kernel hardening tool that confines what processes on the system are allowed to do. SELinux is great at protecting against unauthorized use of and access to system resources. It’s also great at breaking applications, so make sure you test your configuration with SELinux enabled rather than disabling it. Beyond this, you need to research hardening for any applications you run, such as MySQL or Apache, as each one has its own suite of best practices to follow. Finally, you should make sure that the level of logging you need is enabled. Most software has configurable logging, but you’ll need some trial and error to find the right balance between not enough information and too much. There are a host of third-party logging tools that can help with everything from aggregation to visualization; once you know what gaps remain in your logging, you can pick the tool(s) that fill them.
Linux Server Setup: How Can ITAF Help You?
Each one of these 6 key steps in setting up the server can take some time to implement, especially if you are doing this for the first time. But by establishing a routine for initial server configuration, you can ensure that new machines in your environment will be resilient. For any query related to your server-to-server communication setup, contact us and we will be glad to help you.