In this tutorial, we've covered securing and hardening your dedicated server in AlmaLinux 9.
When managing a dedicated server, it's critical to secure it against potential threats. This tutorial will guide you through essential steps to secure your dedicated server, including setting up firewalls, using SSH keys, and following best security practices to ensure the safety of your data.
Securing and Hardening Your Dedicated Server AlmaLinux
Buy Dedicated Severs New Zealand
1. Keep Your Server Software Up to Date
One of the easiest ways to protect your server is to ensure all software is up to date. Vulnerabilities in outdated software can be exploited by attackers. Here's how to update your software packages:
sudo dnf update -y
It’s recommended to automate this process by enabling automatic security updates.
sudo dnf install yum-cron
sudo systemctl enable --now yum-cron
2. Set Up a Firewall
A firewall is the first layer of defense for controlling incoming and outgoing traffic on your server. Most servers come with a built-in firewall, such firewalld.
Install firewalld:
sudo dnf install firewalld
Start and enable firewalld:
sudo systemctl start firewalld
sudo systemctl enable firewalld
Set default rules:
sudo firewall-cmd --set-default-zone=drop
Allow SSH and other necessary services:
sudo firewall-cmd --add-service=ssh --permanent
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
Reload the firewall rules:
sudo firewall-cmd --reload
3. Disable Root Login via SSH
Directly logging in as root is risky, as it gives full access to your server. To reduce this risk, disable root login over SSH.
Edit the SSH configuration file:
sudo vi /etc/ssh/sshd_config
Find the line:
PermitRootLogin yes
Change it to:
PermitRootLogin no
Save the file and restart SSH:
sudo systemctl restart sshd
4. Use SSH Keys for Authentication
SSH keys provide a more secure method of logging into your server than password authentication.
On the Client Machine:
Generate an SSH key pair:
ssh-keygen -t rsa -b 4096
Copy the public key to your server:
ssh-copy-id user@server_ip_address
On the Server:
Verify that the key was added:
cat ~/.ssh/authorized_keys
Disable password authentication by editing the SSH configuration file:
sudo vi /etc/ssh/sshd_config
Find and change the following line:
PasswordAuthentication yes
to:
PasswordAuthentication no
Save the file and restart the SSH service:
sudo systemctl restart sshd
5. Change the Default SSH Port
Changing the default SSH port (22) can help reduce the chances of automated attacks.
Open the SSH configuration file:
sudo vi /etc/ssh/sshd_config
Find the line:
#Port 22
Change it to a custom port, for example:
Port 2222
Save the file and restart SSH:
sudo systemctl restart sshd
Update your firewall to allow the new port:
sudo firewall-cmd --add-port=2222/tcp --permanent
sudo firewall-cmd --reload
6. Install and Configure Fail2ban
Fail2ban is a service that scans log files and bans IP addresses showing malicious signs such as too many failed login attempts.
Install EPEL repository:
sudo dnf install epel-release
Install Fail2ban:
sudo dnf install fail2ban
Start and enable Fail2ban:
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
To configure Fail2ban, create a local configuration file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
You can now edit /etc/fail2ban/jail.local to configure settings like banning time, retry limits, and more.
8. Monitor Server Logs
Monitoring your logs helps identify potential security threats and attacks. Use logwatch or GoAccess for log monitoring.
Installing logwatch:
sudo dnf install logwatch
Configure it to send daily log summaries via email.
9. Use Intrusion Detection Systems (IDS)
Implement an Intrusion Detection System like AIDE or Tripwire to monitor changes on your system.
sudo dnf install aide
sudo aide --init
Regularly scan the system:
sudo aide --check
10. Disable Unnecessary Services
Keep your server lean by disabling services that aren’t necessary for your setup.
List active services:
sudo systemctl list-unit-files --type=service
Disable unnecessary services:
sudo systemctl disable service_name
sudo systemctl stop service_name
11. Enforce Two-Factor Authentication (2FA) for SSH Access
Two-factor authentication (2FA) adds an extra layer of security by requiring both your password (or SSH key) and a one-time code generated by an authenticator app (such as Google Authenticator) to access your server.
Steps to Install and Configure 2FA:
Install the libpam-google-authenticator package:
sudo dnf install epel-release
sudo dnf install google-authenticator
Set up 2FA for the server by running the following command as the user you log in with (usually root or another sudo user):
google-authenticator
Follow the prompts to configure 2FA. Make sure to save the backup codes, as they will allow access if you lose your device.
Enable 2FA in the PAM configuration for SSH: Edit /etc/pam.d/sshd and add the following line at the top:
auth required pam_google_authenticator.so
Edit the SSH configuration file:
sudo vi /etc/ssh/sshd_config
Ensure the following lines are set:
ChallengeResponseAuthentication yes
Restart the SSH service:
sudo systemctl restart sshd
Now, when logging into your server, you'll be required to provide both your password (or SSH key) and the verification code from the Google Authenticator app.
12. Implement Mandatory Access Control (MAC) with SELinux or AppArmor
Mandatory Access Control (MAC) enhances security by enforcing policies that restrict the actions that programs or users can perform.
Configuring SELinux
SELinux (Security-Enhanced Linux) enforces strict security policies that limit what actions software and users can perform on the system. This is most useful in production environments to reduce attack surfaces.
Check if SELinux is installed and active:
sestatus
Enable SELinux:
If SELinux is not active, enable it by editing the configuration file:
sudo vi /etc/selinux/config
Set the following:
SELINUX=enforcing
SELINUXTYPE=targeted
Restart the system:
sudo reboot
Managing SELinux Policies: You can enforce more granular controls using SELinux policies. For example, if you're running a web server:
sudo setsebool -P httpd_can_network_connect on
13. Implement Network Security Using VPN and Port Knocking
Port Knocking for SSH
Port knocking is a technique where the server opens a specific port (like SSH) only after a secret sequence of network packets is received. This makes it harder for attackers to identify which ports are open.
Setting Up a VPN for Secure Remote Access
Using a VPN ensures that all communication between your client and the server is encrypted and secure.
Example: Install OpenVPN
Install OpenVPN:
sudo dnf install epel-release
sudo dnf install openvpn
Configure OpenVPN using a secure server certificate by generating keys and certificates, or using prebuilt solutions such as EasyRSA for simpler setup.
Open the VPN port on your firewall:
sudo firewall-cmd --add-port=1194/udp --permanent
sudo firewall-cmd --reload
Port Knocking for SSH
Port knocking is a technique where the server opens a specific port (like SSH) only after a secret sequence of network packets is received. This makes it harder for attackers to identify which ports are open.
Install knockd:
sudo dnf install knock
Configure port knocking by editing /etc/knockd.conf: Define a sequence of ports and actions:
[options]
logfile = /var/log/knockd.log
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
Start and enable the service:
sudo systemctl start knockd
sudo systemctl enable knockd
To access your server, "knock" the ports from your client:
knock <server_ip> 7000 8000 9000
This technique helps hide your SSH port from automated scanners and attackers.
14. Implement DDoS Protection
Dedicated servers are often targets for Distributed Denial-of-Service (DDoS) attacks. You can mitigate this risk by setting up tools like Fail2Ban, rate-limiting with iptables, or employing cloud-based services such as Cloudflare.
Setting Up iptables Rate Limiting:
Rate-limit incoming connections: This rule allows only 10 SSH connections every minute from a single IP address:
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
Persist the iptables rules:
sudo service iptables save
Conclusion
In this guide we have seen securing and hardening your dedicated server in AlmaLinux 9. By following these essential steps, you’ll significantly improve the security of your dedicated server. Regularly monitoring your system and staying up to date with security practices is key to maintaining the safety and integrity of your data.
These advanced topics further enhance the security of your dedicated server by implementing strong authentication, encryption, network security, and proactive defense mechanisms. By combining these methods, you greatly reduce the risk of unauthorized access and ensure the security of your data and applications.
