Written By :

MacK Man

Category :

Ops

Posted On :

January 22, 2023

Share This :

10 Best Practices for Securing Linux: SSH Key Auth & Firewall Setup

Securing Linux

Securing Linux by Disabling SSH Password Authentication: Passwords are easily cracked and can be a major security vulnerability. Instead, use SSH keys for authentication. This can be done by editing the /etc/ssh/sshd_config file and setting PasswordAuthentication to no. To create an SSH key and use it for disabling SSH password authentication, you can follow these steps:

  • Open a terminal on your local computer and enter the following command to generate an SSH key pair:
ssh-keygen -t rsa -b 4096

https://en.wikipedia.org/wiki/Secure_Shell

This will prompt you to enter a file in which to save the key and a passphrase. You can press enter to save the key in the default location (~/.ssh/id_rsa) and leave the passphrase empty.

  • Next, copy the public key to your server using the following command:
ssh-copy-id user@server_ip
Securing Linux
Securing Linux

Make sure to replace “user” with the username of the account on your server and “server_ip” with the IP address of your server.

  • Now you can login to your server without a password by using the command
ssh user@server_ip

To disable SSH password authentication, you will need to edit the /etc/ssh/sshd_config file on your server. Open the file using your preferred text editor and find the line that says PasswordAuthentication yes. Change this line to PasswordAuthentication no and save the file.

Finally, the last step to securing Linux ssh is to restart the SSH service by running the following command:

systemctl restart ssh
  • In addition to the above steps, you can also add another layer of security by using Sentinel1, a security service that provides SSH key management, access control and auditing. With Sentinel1, you can:
    • Automatically rotate and revoke keys for users who have left your organization
    • Monitor for suspicious activity and automatically revoke keys that are being used for unauthorized access
    • Track and audit all SSH access, including user, key, and location information This service can be integrated with your ssh-keygen and ssh-copy-id commands and by following the instructions provided by the service provider.

Set up a Firewall

A firewall is an essential tool for protecting your server from unwanted traffic. There are different firewall solutions available for Linux systems, such as iptables and firewalld.

  • iptables: The most commonly used firewall on Linux systems is iptables. Configuring iptables can be done by editing the /etc/iptables.rules file. Here’s an example of how to set up a basic firewall using iptables:
# Flush all existing rules
iptables -F

# Allow all incoming traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT

# Allow incoming traffic on port 22 (SSH)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow incoming traffic on port 80 (HTTP)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow incoming traffic on port 443 (HTTPS)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Drop all other incoming traffic
iptables -A INPUT -j DROP

# Save the firewall rules
iptables-save > /etc/iptables.rules

This configuration allows incoming traffic on the loopback interface, port 22 (SSH), port 80 (HTTP), and port 443 (HTTPS), and drops all other incoming traffic. You can adjust the rules to match your specific needs.

  • firewalld: firewalld is a dynamic firewall daemon that is available on newer versions of Linux systems such as RedHat, Fedora and Centos. Here’s an example of how to set up a basic firewall using firewalld:
# Check the status of the firewall
firewall-cmd --state

# Enable the firewall
systemctl enable firewalld

# Start the firewall
systemctl start firewalld

# Allow incoming traffic on port 22 (SSH)
firewall-cmd --permanent --add-port=22/tcp

# Allow incoming traffic on port 80 (HTTP)
firewall-cmd --permanent --add-port=80/tcp

# Allow incoming traffic on port 443 (HTTPS)
firewall-cmd --permanent --add-port=443/tcp

# Reload the firewall
firewall-cmd --reload

This configuration allows incoming traffic on port 22 (SSH), port 80 (HTTP), and port 443 (HTTPS), and drops all other incoming traffic. You can adjust the rules to match your specific needs. You can choose either iptables or firewalld based on the version of Linux you are using and based on your personal preferences.

Use Multi-factor Authentication (MFA)

Implementing Multi-Factor Authentication (MFA) adds an additional layer of security by requiring users to provide two or more forms of authentication. There are many MFA tools available, such as DUO. DUO provides an easy way to add MFA to your ssh login process, by simply installing a client on your server and configuring it to work with your DUO account. It also supports a wide range of authentication methods such as push notifications, phone calls, and passcodes. Here’s an example of how to install and configure DUO on Ubuntu:

# Install the DUO SSH PAM module
apt-get install libpam-duo

# Edit the SSH PAM configuration file
nano /etc/pam.d/sshd

# Add the following line at the top of the file
auth required pam_duo.so

# Save the file and exit the editor

# Edit the DUO configuration file
nano /etc/duo/pam_duo.conf

# Add your DUO API host, integration key, secret key, and application key
ikey=INTEGRATION_KEY
skey=SECRET_KEY
host=API_HOST

# Save the file and exit the editor

# Restart the SSH service
systemctl restart ssh

This configuration will add MFA to your ssh login process, so every time you try to login, you will be prompted to provide an additional form of authentication, such as a push notification or a phone call, before logging in.

Keep the System Up-to-Date

It is important to keep your Linux server up-to-date with the latest security patches and software updates. One way to automate this process is by using a configuration management tool such as Ansible. Here’s an example of how to use Ansible to automate updates on Ubuntu and RedHat/CentOS servers:

# Install Ansible on your local machine
pip install ansible

# Create a new playbook called "update.yml"
nano update.yml

# Add the following tasks to the playbook
- name: Update Ubuntu servers
  apt:
    update_cache: yes
    upgrade: dist

- name: Update RedHat/CentOS servers
  yum:
    name: '*'
    state: latest

# Run the playbook on your servers
ansible-playbook update.yml -i inventory.txt

This configuration will automate updates on Ubuntu servers by running apt-get update and apt-get upgrade, and on RedHat/CentOS servers by running yum update. You can run this playbook regularly, for example, by adding it to your cron job. This way you can ensure your servers are always up-to-date with the latest security patches and software updates.

Limit User Privileges

Giving users too many privileges can lead to security breaches. It is important to limit the privileges of users to only what they need to perform their tasks. This can be done by creating a new user group with limited privileges and adding users to that group. For example, you can create a new group called “limited” and add users to that group, then use the visudo command to edit the /etc/sudoers file and give the “limited” group permissions to only run specific commands. Here’s an example of how to create a new group, add a user to that group, and give the group limited permissions:

# Create a new group
groupadd limited

# Add a user to the group
usermod -a -G limited user1

# Edit the sudoers file
visudo

# Add the following line at the bottom of the file
%limited  ALL=(ALL) /usr/bin/apt-get update, /usr/bin/apt-get upgrade

# Save the file and exit the editor

This configuration will give the “limited” group permission to run only the apt-get update and apt-get upgrade commands, and not any other commands that require higher privileges. This way you can ensure that users are not able to run potentially dangerous commands and cause security breaches.

Intrusion Detection Systems

Intrusion detection systems (IDS) can help you detect and respond to security threats. There are many open-source IDS solutions available such as Snort, Suricata, and Bro-IDS. These systems work by analyzing network traffic and alerting you when they detect suspicious activity.

Log monitoring

Log monitoring is an important aspect of security. It helps you keep track of what is happening on your server, and detect any potential security breaches. Log monitoring can be done using open-source tools such as syslog-ng, rsyslog, and logrotate.

Network Segmentation

Network segmentation is the process of dividing a network into smaller subnets, each with their own security policies and controls. This helps to limit the spread of malware and other security threats.

Security Automation

Security automation refers to using tools and scripts to automate security tasks such as updates, backups, and incident response. This can help to improve the efficiency and effectiveness of your security operations.

Incident Response

Having a clear incident response plan in place can help you quickly and effectively respond to security breaches. This includes identifying the source of the incident, containing the breach, and taking steps to prevent similar incidents from happening in the future.

Implementing these 10 strategies will help you secure your Linux server and reduce the risk of security breaches. It is important to remember that security is an ongoing process, and you should regularly review and update your security measures to ensure that your server stays protected.

Thanks for reading our post on Securing Linux!

Looking for more? Check out for DevOps and SRE section!

Securing your Linux servers will be essential when going for your SOC 2 Certification. Good luck!

Leave a Reply