How to Harden and Secure a Linux Server: Part 1

Linux powers most of the servers that make up the Internet, so keeping them secure should be one of the top priorities of every organization.

Many people assume that an “out of the box” Linux server or desktop is already secure, but this is a false assumption. Although Linux is much more secure compared to other operating systems, you should still maintain and implement a list of Linux hardening policies.

Using this list of good security practices will keep your Linux server from being hacked. By securing a Linux server with the methods below, and those in the following articles, you can greatly reduce the attack surface of the system and thereby lower the likelihood of data breaches and unauthorized access.

What is OpenSSH?

OpenSSH is a collection of tools that let users log in remotely, control a server, and transfer data between a client computer and the server, all over an encrypted connection.

The OpenSSH server component is called sshd (the 'd' stands for 'daemon' which is just another word for a process that runs in the background). sshd listens continuously for client connections and when a connection request happens, sshd establishes the secure remote control session.

The following are steps you can take to secure the ssh daemon and keep unwanted users from accessing the server.

The sshd_config file

Firstly, we need to understand where to find the server configuration file. It is located in /etc/ssh. There are many files in this directory, but the one we are interested in is the sshd_config file. This is where you can add, edit, and remove certain variables to fit your sshd specifications.

Use a Nonstandard Port for SSH Access

By default the ssh daemon is listening for incoming connections on port 22. If you change this port to a different port, say 2244, it is less likely that someone will try to make a connection via SSH to that port. Please keep in mind that this is not secure per se, but rather can be considered "security through obscurity." Any dedicated malicious actor could find that port 2244 is open on your machine.

To change the ssh port we need to modify sshd_config:

vim /etc/ssh/sshd_config

Find this line:

Port 22

And change the number to a nonstandard port of your choice.

Disable Direct Root Login

There should be few to no occasions where anyone needs to log in as root to a server unless they are an administrator performing authorized system configuration changes. All other users should only log in using their dedicated user accounts.

To disable root login, again, we are going to modify the sshd_config file. Search for the line PermitRootLogin.

The default is PermitRootLogin prohibit-password. This means that root could still log in, but would have to use an alternative method, such as public key authentication.

If the line begins with a #, remove it to uncomment the line, and replace "prohibit-password" with the word "no":

PermitRootLogin no

Disable Password Authentication

The third step is to disable password authentication entirely. This forces users to log in using another method.

Uncomment the following line:

PasswordAuthentication no

Limit SSH Access to Select Users

By default, all system users can log in via SSH using their password or public key. You can limit who can access the system by listing the allowed users by username, separated by a single space (" "). In sshd_config add the line:

AllowUsers user1 user2 ...

Filter SSH Access at the Firewall Level

Suppose you want to permit SSH access from one IP address only. You can run the following commands, which add iptables rules that only allow SSH connections coming from a given IP address. If you want to allow an entire network, use the network address.

Remember to use the non-standard SSH port you configured previously. For the sake of this tutorial, I’m using port 22, with “x.x.x.x” representing a valid IP address:

iptables -A INPUT -p tcp --dport 22 -s x.x.x.x -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

Use SSH Protocol Version 2

This is the default for the latest versions of OpenSSH, so you don’t have to do anything. Always use the latest version of SSH.

Configure an Idle Timeout Interval

An idle timeout interval is a period in seconds after which, if no data has been received from the client, the SSH daemon will send a message through the encrypted channel to request a response from the client.

For example, if the idle timeout interval is 300 seconds, once the interval has passed, the idle user will be automatically locked out. You will need to add these lines and include your desired intervals in minutes:

ClientAliveInterval
ClientAliveCountMax

For this second variable, I'm using man sshd_config to explain its function:

The default value is 3. If ClientAliveInterval (see below) is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. This option applies to protocol version 2 only.
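
To check a server against the sshd_config settings covered above (Port, PermitRootLogin, PasswordAuthentication, AllowUsers and the two ClientAlive options), the following script audits a configuration file. It is an added example, not part of the original article; the function names and the sample file are hypothetical, and it assumes the interval is written as a plain number of seconds.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the settings in this article.
# sshd keeps the FIRST value it reads for a keyword and treats keywords
# case-insensitively; effective_value mirrors that. Assumptions: no Include
# files, no "key=value" form, scanning stops at the first Match block.
effective_value() {   # usage: effective_value FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*(#|$)/          { next }   # comment or blank line
        tolower($1) == "match"  { exit }   # conditional section starts here
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

audit_sshd_config() { # usage: audit_sshd_config FILE
    cfg=$1
    port=$(effective_value "$cfg" Port)
    root=$(effective_value "$cfg" PermitRootLogin)
    pass=$(effective_value "$cfg" PasswordAuthentication)
    users=$(effective_value "$cfg" AllowUsers)
    ival=$(effective_value "$cfg" ClientAliveInterval)
    cmax=$(effective_value "$cfg" ClientAliveCountMax)
    # Unset (or still commented-out) keywords fall back to OpenSSH defaults.
    [ "${port:-22}" = 22 ] && echo "NOTE Port: default port 22 in use"
    [ "${root:-prohibit-password}" != no ] && echo "WARN PermitRootLogin: ${root:-prohibit-password}"
    [ "${pass:-yes}" != no ] && echo "WARN PasswordAuthentication: ${pass:-yes}"
    [ -z "$users" ] && echo "WARN AllowUsers: not set, every account may log in"
    if [ "${ival:-0}" -gt 0 ]; then
        echo "OK idle: unresponsive clients dropped after ~$(( $ival * ${cmax:-3} ))s"
    else
        echo "WARN ClientAliveInterval: 0, no keepalive probes are sent"
    fi
    return 0
}

# Constructed sample: PermitRootLogin appears twice (the first one wins) and
# PasswordAuthentication is still commented out, so the default applies.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#Port 22
Port 2244
permitrootlogin no
PermitRootLogin yes
#PasswordAuthentication yes
AllowUsers user1 user2
ClientAliveInterval 15
EOF
audit_sshd_config "$sample"
```

After editing the real file, `sshd -t` checks it for syntax errors before the daemon is restarted, and `sshd -T` prints the configuration sshd will actually use.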