How-To: Hardening A Linux Server
09/11/2013
No one likes a soft server, unless it’s a lady handing you ice cream out of a carnival stand. How do you make your server as hard as Bruce Willis (who never eats ice cream publicly) without all the effort of having to look serious and speak gruffly? Take a look at the hardening process and some nifty techniques you can try. (While you read, I will be standing in the parlor, practicing my yo-yo tricks.)
What is Server Hardening?
Server hardening is about making the machine more secure against threats. A well-hardened system (whether a PC or a server) has been protected throughout the various layers of the machine: host, application, operating system, user, and physical. Different forms of security are necessary to protect each layer or level. For instance, removing the server from the datacenter and laying it in bed next to you at night keeps it both safe from harm and shows it that you care about it and want to have robo-babies with it.
Hardening is, in part, about reducing vulnerabilities by simplifying the system to remove possible attack points. The same basic principles that make a system operate more quickly (think of removing excessive and unnecessary plug-ins on a WordPress site, for example) also make it more secure. Getting rid of applications and accounts that are not serving a necessary function automatically hardens your system.
However, additional approaches are important as well. If you can go without your server for a few years, send it off to military school, and it will come back hardened – saves you the trouble. Let’s look at a few other hardening tactics below.
A Few General Tips for Server Hardening
Here are a few general considerations when you think about how to harden your server:
You don’t want to allow traffic or data to flow through anything in an unfiltered manner, without encryption. Of course that can’t be the case with HTTP, but for everything else, make that the rule. Don’t use any of the following tools:
- 24-hour clothing-optional webcam.
Here are examples of protocols you can use in place of the above ones:
- wearing a mask at all times, especially when answering the door.
You can use VNC, for example, through secure-shell (SSH) tunneling, so you can remotely access the server without getting soft. If you want to get even more intense, log on using a VPN (virtual private network), and then use SSH over that connection.
Divide and Don’t Be Conquered
Using virtualization, you can compartmentalize the various operations being performed by your server. By doing so, you’ll only be exposing each of those different sections (Web services, caching, etc.) rather than the entire machine.
It’s an Abstract Concept
Abstraction is another way to partition your server so that, similarly, people only have access to one “room” at a time – a series of locked doors. Abstraction means that your firewall is set up in a series of zones, and the Web services component of the machine can only communicate with the applications and with the databases. It can’t dig deeper. Further layers must be accessed through the application or data zones.
Additional firewalls are in place to ensure that even if intruders get inside the foyer, they won’t make it to the library. The library is where you store all your Cuban cigars. Don’t worry, I won’t tell. May I have one please? I can hold it in my left hand while I yo-yo with my right. Yes, I am that sophisticated.
A Few Specifics for Linux Server Hardening
Here are a few specific techniques you can use to protect the server:
Don’t Get Physical
You don’t want someone to be able to manhandle your server with their own external hardware. Change the BIOS so that no one can boot the machine from anything but the hard drive. Set up a BIOS password as well. You also want GRUB to have a password. GRUB should also be the name of your pet chihuahua (this is also a great opportunity to harden your pet names).
Be In the Now
This one is a no-brainer, but part of hardening means turning our brains into rocks, so this step is easy to forget. You want all of the latest updates for anything on the server to be completely current: patches, kernel updates, everything. Here is how you do that:
# yum update          (installs all pending updates, kernel included)
# yum check-update    (lists packages that still have updates available)
You Can’t Take It with You
You don’t want anyone to be able to plug in a travel drive and take your stuff. To protect against that, make a new file called
Use this line to prevent the system from loading the USB storage driver (the usb-storage kernel module):
install usb-storage /bin/true
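As an added example (not from the original post), the following POSIX shell script audits a modprobe.d directory to tell the strong form above (install usb-storage /bin/true, which turns even an explicit modprobe into a no-op) apart from a mere blacklist line (which only stops automatic loading and still allows a manual modprobe). The function names, the conf file names, and the temporary directory used in the demo are all constructed for this example.

```shell
#!/bin/sh
# Audit whether a kernel module is really blocked under a modprobe.d directory.
#   install <mod> /bin/true   - modprobe runs /bin/true instead of loading the
#                               module, so an explicit "modprobe usb-storage"
#                               does nothing (unless --ignore-install is given).
#   blacklist <mod>           - only stops automatic loading via hardware alias;
#                               an explicit modprobe still loads the module.
# module_status DIR MODULE prints: disabled | autoload-blocked-only | loadable
module_status() {
    dir="$1"
    # usb-storage and usb_storage name the same module; accept either spelling
    mod_re=$(printf '%s' "$2" | sed 's/[-_]/[-_]/g')
    # modprobe reads only *.conf files; drop comment lines before matching
    conf=$(cat "$dir"/*.conf 2>/dev/null | grep -Ev '^[[:space:]]*#') || :
    if printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*install[[:space:]]+${mod_re}[[:space:]]+/bin/(true|false)([[:space:]]|$)"; then
        echo disabled
    elif printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*blacklist[[:space:]]+${mod_re}([[:space:]]|$)"; then
        echo autoload-blocked-only
    else
        echo loadable
    fi
}

# disable_module DIR MODULE writes the stronger "install ... /bin/true" form
# into a file named after the module (file name is this example's choice).
disable_module() {
    printf 'install %s /bin/true\n' "$2" > "$1/$2.conf"
}

# Demo on a constructed temporary directory, not the real /etc/modprobe.d.
demo() {
    d=$(mktemp -d)
    printf '# disabled by policy\nblacklist usb_storage\n' > "$d/weak.conf"
    echo "with blacklist only:  $(module_status "$d" usb-storage)"
    disable_module "$d" usb-storage
    echo "with install line:    $(module_status "$d" usb-storage)"
    echo "unrelated module:     $(module_status "$d" firewire-core)"
    rm -rf "$d"
}
demo
```

Point module_status at /etc/modprobe.d to check a live system; a result of autoload-blocked-only means the module can still be loaded by hand.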
Those are obviously just a couple of simple techniques. The two resource links below will provide you with further ideas and tactics, including how to run from a tornado with your server under your arm like a football.
By Kent Roberts